w3c / dpv

Data Privacy Vocabularies and Controls CG (DPVCG)
https://w3id.org/dpv

Add concepts from ENISA SotA Tech/Org Measures #123

Open coolharsh55 opened 10 months ago

coolharsh55 commented 10 months ago

ENISA has published a Guideline on State of the art for Technical and Organisational measures. Georg/Signatu have proposed these be integrated into DPV's TOMs concepts - see email with attached document.

  1. harsh's reply with overview analysis of document and proposals for concepts in TOMs, RISK, and standards sections.
  2. https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new/minimum-security-measures-for-operators-of-essentials-services - tool showing mapping between measures from ISO 27001, NIST CSF, and ISA/IEC 62443
  3. https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new - measures for NIS2 directive implementations
Jenni0608 commented 4 months ago

The attached document details the 48 NIS2V Terms, where there was no match to DPV. These are from both the ISO27001 controls and the ENISA Minimum Security Measures for Operators of Essentials Services. Any questions, please let me know.

NIS2V Terms - Jenni Parry.xlsx

coolharsh55 commented 4 months ago

@Jenni0608 thanks for sharing. Would dpv:Policy be a broad match for something like Policy on risk etc. in these terms?

Jenni0608 commented 4 months ago

Maybe for two of them (Control 5.1 & A.5.4) but looking at the definitions it's nearly too broad: DPV Policy Definition - A guidance document outlining any of: procedures, plans, principles, decisions, intent, or protocols. Versus control: Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.

coolharsh55 commented 4 months ago

Maybe that's because DPV doesn't model controls but the concept representing the control (more accurately the information) e.g. procedure to apply/enforce policy vs policy itself? If so, then the matching process should check/include the concept for information, and state that it doesn't accurately reflect the intended control i.e. an action or procedure?
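One way to record a match of this kind explicitly, as an added example that is not part of this issue or of DPV's own files: the control text quoted above is linked to dpv:Policy only as a broad match (skos:broadMatch) with a note that the control's action is not captured, and the enforcement action itself is modelled separately as an organisational measure that refers to the policy. The ex: namespace and the control IRI are placeholders, and attaching the quoted text to A.5.4 is an assumption; dpv:Policy, dpv:OrganisationalMeasure and dpv:hasPolicy are existing DPV terms and skos:broadMatch is from SKOS.

```turtle
@prefix dpv:  <https://w3id.org/dpv#> .
@prefix skos: <http://www.w3.org/2004/02/skos/core#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
# Placeholder namespace for the ISO/IEC 27001 control identifiers used in the mapping sheet.
@prefix ex:   <https://example.org/iso27001#> .

# The control as quoted in the issue. The IRI is a placeholder, and treating the
# quoted text as control A.5.4 is an assumption made for this example.
ex:control_A_5_4 a skos:Concept ;
    skos:prefLabel "Control A.5.4 (placeholder identifier)"@en ;
    skos:definition """Management shall require all personnel to apply information security
in accordance with the established information security policy, topic-specific policies
and procedures of the organisation."""@en ;
    # dpv:Policy denotes the guidance document (the information), not the act of
    # enforcing it, so only a broad match is asserted ...
    skos:broadMatch dpv:Policy ;
    # ... and the gap is recorded so a reviewer can see what the match does not cover.
    rdfs:comment """Broad match only: dpv:Policy covers the policy document referenced by the
control; the control itself requires an enforcement action (management requiring personnel
to apply the policy), which this match does not represent."""@en .

# How an organisation would then describe its own implementation of the control:
# the enforcement action is an organisational measure that points at the policy it applies.
ex:InfoSecPolicy a dpv:Policy ;
    rdfs:label "Information security policy (placeholder instance)"@en .

ex:ManagementEnforcesPolicy a dpv:OrganisationalMeasure ;
    rdfs:label "Management requires personnel to apply the information security policy"@en ;
    dpv:hasPolicy ex:InfoSecPolicy .
```

Keeping the skos:broadMatch and the rdfs:comment on the control concept, rather than on the DPV term, leaves DPV unchanged while making the partial nature of the match queryable in the mapping data.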