NIS2 Assessment for Microsoft 365

NIS2

The Network and Information Security Directive 2 (NIS2) is an EU directive aimed at enhancing the cyber resilience of enterprises. In this blog, I won’t go into the details of the directive, which comes into effect in 2024. Instead, I will look at the Microsoft Compliance Manager. This platform already has the controls for this directive, and in this short blog you’ll learn how to add the NIS2 assessment.

Compliance Manager

The Microsoft Purview Compliance Manager is part of the compliance monitoring offerings in Microsoft Purview. You can access it directly at https://compliance.microsoft.com/compliancemanager

Or from the new https://purview.microsoft.com, which is the location for the screenshot above.

The Compliance Manager offers several types of functionality. First, you can use it as an Information Security Management System (ISMS): you can track your progress in addressing specific controls, and you can export that progress together with the evidence you have attached to it.

Secondly, you can use it to gain insight into many international and national regulations. The Compliance Manager has an up-to-date overview of 300+ regulations, including all of their controls and the measures Microsoft has taken to address those controls. Want an overview? Here it is: https://learn.microsoft.com/en-us/purview/compliance-manager-templates-list

And thirdly, the Compliance Manager offers a compliance score. This score is determined by the controls that have been addressed, and many of the technical controls are scored automatically. For Microsoft 365 (but also in multi-cloud scenarios), the platform is able to determine whether a control is met. For example: has MFA been enabled, or are you using sensitivity labels?
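To make the "automatically scored technical control" idea concrete, here is an added example (not from the post, and not the Compliance Manager’s own detection logic) of how an administrator could collect the same kind of evidence for the MFA example by hand with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account can read Conditional Access and security-defaults policy (Policy.Read.All); the control name and the output file name are constructed for the example.

```powershell
# Added example: manually gather evidence for an "MFA enabled for all users" style control.
# Assumes: Microsoft.Graph module installed; account holds Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Evidence item 1: Security Defaults (tenant-wide MFA baseline)
$defaults          = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$securityDefaultsOn = [bool]$defaults.IsEnabled

# Evidence item 2: enabled Conditional Access policies that require MFA for all users
$caPolicies     = Get-MgIdentityConditionalAccessPolicy -All
$mfaForAllUsers = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

# Summarise the finding the way an assessment would: control, evidence, status, timestamp
$result = [pscustomobject]@{
    Control          = 'MFA enforced for all users (constructed control name)'
    SecurityDefaults = $securityDefaultsOn
    MfaCaPolicies    = ($mfaForAllUsers | Select-Object -ExpandProperty DisplayName) -join '; '
    Status           = if ($securityDefaultsOn -or $mfaForAllUsers) { 'Implemented' } else { 'Not implemented' }
    CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
}
$result | Format-List

# Export the evidence so it can be attached to the improvement action (constructed file name)
$result | Export-Csv -Path .\mfa-control-evidence.csv -NoTypeInformation
```

Note that a Conditional Access policy scoped to "All" users can still carry exclusions (break-glass accounts, for instance), so a real assessment should also review `Conditions.Users.ExcludeUsers` and `ExcludeGroups` before marking the control as fully implemented.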

In order to use this score, you will need to create an assessment, and this is where NIS2 comes into play. Assessments are created from the built-in regulation templates. Examples include NIST 800-53, the CIS Benchmarks, and GDPR, and NIS2 is available as well.

This NIS2 assessment can be helpful, and I will explain how to add it in the Compliance Manager. However, as you can also read in the afterthought (below), this assessment is somewhat limited and does not offer automated checks. Many of the other assessments do have automated checks, which is why I also cover them in this article.

Creating an assessment is very straightforward. Go to Compliance Manager | Assessments and select the Add assessment option. The standard service this assessment will be activated for is Microsoft 365. Select the group (I would advise creating a new one for this) and finish the wizard.

Now that you have created the assessment, you will need to wait. It takes some time (allow 48 hours to be sure) before the automatically detected controls show up in the portal.

As noted earlier: the NIS2 assessment does not have automated checks, but many others do.

You can start with your improvement actions right away. In addition to your own actions, you are also able to see the Microsoft actions, as part of the shared responsibility model. For example, this control mentions:

The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.

Afterthought

The NIS2 assessment is somewhat limited (for Microsoft 365) and focuses largely on Microsoft actions and non-technical controls. For a more complete overview, also add the ISO27001 (and GDPR, if you are in the EU) assessment templates to your assessment. This gives a more complete picture, and many of the technical controls will be detected automatically.

And if you have not yet looked at the Compliance Manager, time to do so 🙂