Tamás Tóth
11/28/2024

ISO 27001:2022 and NIS2 requirements and applicability of SIEM solutions

This article explains the ISO 27001:2022 and NIS2 standards, highlighting why SIEM systems are crucial for meeting the requirements and ensuring effective cybersecurity.

The last 1.5-2 years have been an important milestone for the sources of information security compliance requirements, in this case standards and legislation: consider the "new" ISO 27001:2022 standard and the NIS2 directive. These sources brought, on the one hand, new or modified requirements and, on the other hand, a wider circle of affected organizations, so they already affect, or will soon affect, most practitioners working in information security.

In this article, we present the need for and the benefits of Security Information and Event Management (SIEM) solutions from the viewpoint of the requirements of the NIS2 directive and the ISO 27001:2022 standard. In next week's article, we will link these requirements to the SIEM solution itself.

ISO 27001 - new standard

ISO 27001:2013

The first version of the ISO 27001 international standard, which contains the elements and controls of the information security management system (ISMS; Hungarian abbreviation IBIR), was published in 2005, but its roots go back to the 1990s. The requirements of ISO 27001 have become unavoidable in the field of information security, which is confirmed by the official 2022 statistics of ISO, the International Organization for Standardization: more than 71,000 certificates have been issued internationally against the 2013 version of the standard, and many more organizations apply its rules voluntarily without certification.[1] The current version of the standard was published in October 2022. Three years are available for the transition from the date of publication, so it will be due next year at the latest, but many organizations are already switching to the new standard before the audits due this year so that no out-of-turn audit is needed.

Annex "A" of the standard, which contains the controls, has undergone significant changes compared to the 2005 and 2013 versions. Controls are now also categorized by topic (People, Physical, Technological, Organizational), by the cybersecurity concepts known from the NIST CSF (Identify, Protect, Detect, Respond, Recover) and by operational capability (e.g. Governance, Application security, Secure configuration, Identity and access management, System and network security, etc.).

The 2013 version of the standard defined the requirements for logging within the chapter Operations security (A.12), in subsection A.12.4 Logging and monitoring:

  • A.12.4.1 Event logging: Event logs recording user activities, exceptions, errors and information security events must be created, maintained and regularly reviewed.
  • A.12.4.2 Protection of log information: Logging tools and log data must be protected against tampering and unauthorized access.
  • A.12.4.3 Administrator and operator logs: The activities of the system administrator and system operator must be logged, and the logs must be protected and regularly checked.
  • A.12.4.4 Clock synchronization: The clocks of all relevant information processing systems within the organization must be synchronized to a single reference time source.

Apart from the name of the sub-chapter, the 2013 version lacks the continuous monitoring that is common today; its approach is reactive. During the regular review or inspection required by the listed controls, an organization may discover signs of an information security incident late – even weeks or months later – and is then no longer able to react properly. The ISO 27002 standard, also published in 2013, provides implementation guidance for the requirements of Annex "A" of ISO 27001. In its guidance for control A.12.4.1 Event logging it already mentions automated monitoring systems that can generate consolidated reports and alerts about the security of the systems, but it gives no further guidance on them.

ISO 27001:2022

In the ISO 27001:2022 standard, the location and structure of the controls for logging and monitoring have changed. They have been assigned to the Information security event management operational capability, which also includes the controls for managing information security incidents.

The controls A.12.4.1 Event logging, A.12.4.2 Protection of log information and A.12.4.3 Administrator and operator logs have been merged into control 8.15 Logging. Control 8.17 Clock synchronization is almost identical to A.12.4.4 Clock synchronization:

  • 8.15 Logging: Logs recording activities, exceptions, errors and other relevant events must be created, stored, protected, and analyzed.
  • 8.16 Monitoring activities: Networks, systems and applications should be monitored for anomalous behavior and appropriate measures should be taken to assess potential information security incidents.
  • 8.17 Clock synchronization: The clocks of the information processing systems used by the organization must be synchronized with the approved time sources.

Control 8.16 Monitoring activities is completely new and already reflects the proactive approach. The related ISO 27002:2022 standard provides useful implementation advice, including on the tools to be used. It recommends a monitoring tool that:

  • can perform monitoring in real time or at periodic intervals, depending on organizational needs and capabilities,
  • can handle large amounts of data,
  • is able to adapt to a constantly changing threat environment,
  • enables real-time notification,
  • recognizes unique signals and patterns of data or network or application behavior.

It must not be forgotten that monitoring requires not only technology: the necessary processes, and people with the appropriate competence and experience, must also be provided.
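To make the difference between the 2013 "create and review" controls and the 2022 "store, protect, analyze and monitor" controls concrete, here is an added illustrative script (written for this article, not code from the standard, from SOCwise or from any SIEM product). It covers the three controls in miniature: a hash-chained log that makes later edits to stored records detectable (8.15, "protected"), a clock-skew check between the source timestamp and the collector's arrival time (8.17), and a simple sliding-window rule that raises an alert on repeated failed logins as they arrive rather than at the next review (8.16). The event records, the key, the 5-minute skew tolerance and the 3-failures-in-2-minutes rule are all constructed assumptions for the demonstration.

```python
"""Added illustration of ISO 27001:2022 controls 8.15, 8.16 and 8.17.
All data and thresholds below are constructed assumptions, not values from
the standard or the article."""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: "ts" is the source host's own clock,
# "received" is the central log collector's clock.
SAMPLE_EVENTS = [
    {"ts": "2024-11-28T09:00:00Z", "received": "2024-11-28T09:00:01Z",
     "host": "web01", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-11-28T09:00:20Z", "received": "2024-11-28T09:00:21Z",
     "host": "web01", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-11-28T09:00:40Z", "received": "2024-11-28T09:00:41Z",
     "host": "web01", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-11-28T09:01:00Z", "received": "2024-11-28T09:01:01Z",
     "host": "web01", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-11-28T08:30:00Z", "received": "2024-11-28T09:01:30Z",
     "host": "db02", "user": "svc_backup", "action": "login", "result": "success"},
    {"ts": "2024-11-28T09:02:00Z", "received": "2024-11-28T09:02:01Z",
     "host": "web01", "user": "bob", "action": "login", "result": "failure"},
]

SEAL_KEY = b"constructed-demo-key"          # assumption: held by the collector only
MAX_SKEW = timedelta(minutes=5)              # assumed tolerance for 8.17
FAILED_LOGIN_THRESHOLD = 3                   # assumed rule parameters for 8.16
FAILED_LOGIN_WINDOW = timedelta(minutes=2)


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seal_log(events, key):
    """8.15 'protected': chain each record to its predecessor with an HMAC so
    a later edit, deletion or reordering of stored records is detectable."""
    prev_tag = "0" * 64
    sealed = []
    for event in events:
        record = dict(event)  # copy, so sealing never touches the caller's data
        body = json.dumps(record, sort_keys=True)
        tag = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
        sealed.append({"record": record, "prev": prev_tag, "tag": tag})
        prev_tag = tag
    return sealed


def verify_log(sealed, key):
    """Recompute the chain; return the index of the first bad record, or -1."""
    prev_tag = "0" * 64
    for index, entry in enumerate(sealed):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev_tag or not hmac.compare_digest(entry["tag"], expected):
            return index
        prev_tag = entry["tag"]
    return -1


def tamper_demo(events, key, index):
    """Seal the events, alter one stored record afterwards, and report where
    verification fails (the detection a plain text log cannot provide)."""
    sealed = seal_log(events, key)
    sealed[index]["record"]["result"] = "success"
    return verify_log(sealed, key)


def clock_skew_findings(events, max_skew=MAX_SKEW):
    """8.17: a source timestamp far from the collector's arrival time means the
    host clock is off and its events cannot be correlated with other systems."""
    findings = []
    for event in events:
        skew = abs(parse_ts(event["received"]) - parse_ts(event["ts"]))
        if skew > max_skew:
            findings.append({"host": event["host"], "skew_seconds": skew.total_seconds()})
    return findings


def failed_login_alerts(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """8.16: near-real-time rule, N failed logins for one user inside a sliding
    window raise one alert per burst, evaluated as each event arrives."""
    recent = defaultdict(list)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["action"] != "login" or event["result"] != "failure":
            continue
        now = parse_ts(event["ts"])
        window_hits = [t for t in recent[event["user"]] if now - t <= window] + [now]
        if len(window_hits) >= threshold:
            alerts.append({"user": event["user"], "host": event["host"],
                           "count": len(window_hits), "at": event["ts"]})
            window_hits = []  # reset so one burst yields one alert
        recent[event["user"]] = window_hits
    return alerts


if __name__ == "__main__":
    summary = {
        "chain_intact": verify_log(seal_log(SAMPLE_EVENTS, SEAL_KEY), SEAL_KEY) == -1,
        "first_tampered_index": tamper_demo(SAMPLE_EVENTS, SEAL_KEY, 2),
        "clock_skew": clock_skew_findings(SAMPLE_EVENTS),
        "alerts": failed_login_alerts(SAMPLE_EVENTS),
    }
    print(json.dumps(summary, indent=2))
```

Run as a script, it reports an intact chain, detects the edit to record 2, flags db02 for a clock that is about half an hour off, and raises one alert for alice's three failures within forty seconds while bob's single failure stays below the threshold. The same three checks are what a SIEM performs at scale, and the part no script supplies is the one the paragraph above stresses: someone with the competence to triage the alert and the process that tells them what to do with it.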

During the transition to the ISO 27001:2022 standard, organizations that have settled for the relatively static logging required by the 2013 standard, and whose technology, processes and people do not yet provide the proactive security monitoring capability the new standard expects, may face a challenge.

NIS2 Directive

The NIS2 directive[2] defines high-level cybersecurity risk management measures for the organizations in scope. Each member state decides for itself – within the framework set by the EU – how and with what detailed requirements it transposes the directive. Incident handling appears among the directive's cybersecurity risk management measures, and, similarly to the GDPR, incidents must be reported to the national CSIRTs. The related definitions are found in the directive's definitions provisions:

  • incident: an event that compromises the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed on network and information systems, or of the services offered by, or accessible via, those systems.
  • incident handling: all actions and procedures aimed at preventing, detecting, analyzing and containing an incident, or responding to it and recovering from it.

In Germany, strict regulations are expected for the transposition of the NIS2 directive, and implementing SIEM technology can give the organizations concerned strong support. Although the regulation does not prescribe specific technological solutions, critical infrastructure protection regulations often require log analysis, monitoring of system events and their integrated management, for which a SIEM can be an essential tool.


[1] https://www.iso.org/the-iso-survey.html

[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
