NIS2-Konformität mittels Framework NIST CSF-2.0 core für die Risikoanalyse

  • Gerhard Wagner

Student thesis: Master's Thesis


The present work deals with the requirements of NIS-2 [3] for "risk analysis" [3, Art. 21, Abs. 2 Lit. a)] and "evaluation of the effectiveness of risk analysis" [3, Art. 21, Abs. 2 Lit. f)]. This work developed an RM-framework based on the TOMs (technical and organizational measures, the sub-categories of the CSF-2.0 framework). It assesses whether the specific requirements of NIS-2 can be met or whether additional measures are needed.

All technical and organizational measures of the CSF-2.0 framework were analysed and, in this RM-framework, assigned to the areas "Risk analysis" and "the effectiveness of cybersecurity risk-management measures". Risk-management measures are set out in Article 21(2)(a) and (f) of NIS-2. The assignments were recorded in a list, which was submitted to several experts who currently work as NIS auditors and will be NIS-2 auditors in the future. The aim was to conduct a thorough assessment of whether the assignments of this RM-framework are considered incomplete and/or inadequate to meet the requirements of the NIS-2 Directive.

Their suitability for day-to-day practice and the question of whether all necessary measures are covered to meet the requirements of NIS-2 were assessed by the

The clear result of the experts' assessment was that no reasons were found, and no missing TOMs identified, that would be necessary to meet the requirements of NIS-2 in the areas "Risk analysis" and "Evaluation of the effectiveness of risk analysis". This means that the RM-framework developed in this work and based on the CSF-2.0 framework meets the requirements of the NIS-2 Directive with regard to risk assessment, and no additional TOM is required.

These results may be relevant for organizations that have to comply with the NIS-2 Directive. They indicate that this RM-framework is complete and thus provides a stable basis for carrying out the necessary "risk analysis" and "evaluation of the effectiveness of risk analysis".

Date of Award: 2024
Original language: German (Austria)
Supervisor: Harald Lampesberger (Supervisor)

