DNS Belgium renewed its ISO 27001 certification in 2019, and this year we will launch an update of the CENTR security maturity model. Both should be seen in the context of Europe's long-term cybersecurity strategy.
European regulations
Europe has a long-term information security and cybersecurity strategy. The first part of this strategy was the GDPR, which came into force in 2018. In 2019, the Directive on Security of Network and Information Systems (the so-called NIS directive) and the EU Cybersecurity Act were added to it.
The NIS directive lays down legal measures to raise the general cybersecurity level in the EU. The directive does this, among other things, by:
- ensuring member states work together,
- fostering a culture of security in sectors that are vital for our economy and society and that, moreover, depend heavily on ICT.
In turn, the EU Cybersecurity Act launched a certification framework for the cybersecurity of digital products, services and processes.
The same rules apply to all EU member states for the GDPR and the Cybersecurity Act. This is not the case for the NIS directive: member states can give the European directive their own twist. ‘The Cybersecurity Act creates a framework for cybersecurity certification. However, we want to avoid every country going its own way or for organisations to go certificate shopping’, says Kristof Tuyteleers, Security Officer at DNS Belgium. ‘This is why CENTR wants to be a pioneer in a European context and recommend good procedures. DNS Belgium and DENIC, the .de registry in Germany, have a leading role in the project.’
Security Maturity Model
In 2017, at DNS Belgium's initiative, CENTR developed a security maturity model that allows companies to monitor their information security maturity level in five areas. An update of the maturity model will be published this year. When you have gone through the model, your company's statistics are shown and compared with the anonymised results of other companies. ‘The intention is to give people in charge of information security in organisations some extra “ammunition” when they go to their management to ask if more can be done in the field of security,’ says Kristof. ‘In addition, we want to use these results to grow as a community in terms of cybersecurity and to make each other stronger.’
Renewed ISO certification
Our cybersecurity efforts are also apparent from our renewed ISO certification. DNS Belgium's information security management system (ISMS) has been officially ISO 27001 certified since the beginning of July 2016 and was recertified in 2019. This ISMS is aligned with the data security risks in our organisation. It is a process-based approach to planning, implementing, evaluating and continuously improving information security management. The certification was subject to a strict audit.
We have been ISO certified for more than four years. We have no commercial interest in this whatsoever, but we wanted the certificate anyway to show the outside world how strongly we feel about information security by having an independent, external entity assess our efforts in that area. We want to show that we deliver the services we provide in a responsible and secure way, regardless of, or on top of, legal obligations.
European puzzle
It seems logical to link the security maturity model to the ISO certification audit and to European legislation in the field of cybersecurity. But we are not there yet. Organisations that do not fall under the NIS directive currently implement certification schemes developed under the European Cybersecurity Act on a voluntary basis. In 2023, Europe will decide what will be compulsory for which sectors and services. ‘In other words, Europe has not been idle, but we do want to be more proactive and progressive. Anticipating gives you time to properly reflect on something. Our initiatives, and the 54 CENTR members' initiatives, are providing some of the pieces of the puzzle. Europe, on its part, is doing this as well. And in the end, all these pieces of the puzzle will fit, but it requires time and consultation.’