ISO 27001:2022 and NIS2 requirements and applicability of SIEM solutions
Tamás Tóth
2024.11.28
In the past 1.5 to 2 years, information security compliance has seen significant updates with the introduction of the new ISO 27001:2022 standard, the NIS2 directive, and the Cyber Act. These new requirements have introduced changes that affect most information security professionals. This article presents the need for and benefits of Security Information and Event Management (SIEM) solutions in light of the NIS2 directive, the Cyber Act, and ISO 27001:2022. In next week’s article, we will link this to the SIEM solution itself.
ISO 27001:2022 Standard Updates
The ISO 27001 standard, first introduced in 2005, sets requirements for information security management systems (ISMS). The latest version, ISO 27001:2022, introduces significant changes to Annex A, including categorizing controls by themes (Organizational, People, Physical, and Technological) and by cybersecurity concepts such as Identify, Protect, Detect, Respond, and Recover. The new controls emphasize a more proactive approach, focusing on monitoring and response capabilities.
Changes in Logging and Monitoring
In ISO 27001:2022, the logging and monitoring controls have been updated to be more integrated and proactive. Controls such as event logging, protection of log information, and clock synchronization have been merged and restructured under new sections (e.g., 8.15 Logging and 8.16 Monitoring activities). Monitoring activities now require networks, systems, and applications to be watched for anomalous behavior, supporting the proactive detection of potential security incidents. The ISO 27002:2022 standard provides practical recommendations for implementing these updated controls.
Organizations transitioning from ISO 27001:2013 may face challenges if they have relied on static logging rather than proactive monitoring. Adopting the updated standard requires not only technological changes but also improved processes and trained personnel.
NIS2 Directive – Cyber Act – Decree no. 7/2024 MK
The NIS2 directive[2] establishes high-level cybersecurity risk management measures, with each EU member state deciding on specific implementation details. Incident handling is a core component, requiring incidents to be reported to national CSIRTs, similar to GDPR. Incident management includes preventing, detecting, analyzing, and responding to incidents to restore operations.
The NIS2 directive was transposed into Hungarian law by the Cyber Act,[3] which stipulates measures for the prevention, detection, and handling of security incidents and for reducing their effects. The decree[4] implementing the Cyber Act, which is based on NIST SP 800-53 Rev. 5, dedicates a specific chapter of its catalogue of protective measures to the topic under the title Logging and accountability. Main controls (in the case of the significant security class):
- 4.2 Loggable events
- 4.3 Contents of log entries
- 4.4 Contents of log entries – Additional log information
- 4.5 Logging storage capacity
- 4.7 Handling logging errors
- 4.13 Reviewing, analyzing and reporting log entries
- 4.14 Reviewing, analyzing and reporting log entries – Automated process integration
- 4.15 Reviewing, analyzing and reporting log entries – Linking log repositories
- 4.22 Reduction of log entries and reporting
- 4.23 Reduction of log entries and reporting – Automatic processing
- 4.24 Timestamps
- 4.25 Protection of log information
- 4.29 Protection of log information – Privileged user access
- 4.38 Retention of log entries
- 4.40 Creating log entries
In the application guide prepared by the National Cyber Security Centre,[5] SIEM is mentioned as an applicable technology for several protection measures:
- 4.14 Log entry review, analysis and reporting – Automated process integration (significant security class):
  - The organization must implement automatic mechanisms for the review, analysis and reporting of log entries. This may include the use of log analysis tools such as SIEM systems.
- 4.15 Log entry review, analysis and reporting – Linking log repositories (significant security class):
  - The organization must implement a log analysis tool or service (e.g., a SIEM system) that can collect, analyze and correlate log entries.
- 4.16 Log entry review, analysis and reporting – Central review and analysis (optional control):
  - Automated systems for central review and analysis include security information and event management (SIEM) tools. SIEM can collect and compare log entries from different electronic information systems (EIRs), allowing the organization to get a comprehensive view of the status of the EIRs and their activities. This feature can be particularly useful in dealing with cybersecurity incidents, as it allows an organization to quickly identify and respond to potential security threats. For example, if a particular EIR shows abnormal activity based on its log entries, the SIEM can detect this centrally and notify the affected individuals or roles. The point is that all events related to the incident are available in one place and the connections between them can be understood.
- 4.17 Reviewing, analyzing and reporting log entries – Integration of supervisory capabilities (high security class):
  - Security information and event management (SIEM) tools can help collect or consolidate log entries from multiple system components, as well as correlate and analyze them.
- 18.15 EIR monitoring – Automated tools and mechanisms for real-time analysis (significant security class):
  - The organization must acquire automated tools and mechanisms that support near-real-time analysis of events. These include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms, or security information and event management (SIEM) technologies that provide real-time analysis of EIR-generated alerts and notifications.
[1] ISO, The ISO Survey, https://www.iso.org/the-iso-survey.html
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
[3] Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision
[4] Decree 7/2024. (VI. 24.) MK on the requirements for security classification and on the specific protection measures to be applied for each security class
[5] National Cyber Security Centre (NKI), Application guide to the cybersecurity requirements catalogue for electronic information systems and organizations, https://nki.gov.hu/intezet/kozlemenyek/elektronikus-informacios-rendszerek-es-szervezetek-kiberbiztonsagi-kovetelmenykatalogusanak-alkalmazasi-utmutatoja/