MISSM @ University of Luxembourg
Abstract #
This two-session lecture provides an integrated exploration of the European cybersecurity policy ecosystem and its operational translation through ISO/IEC standards. It guides participants from the conceptual foundations of cybersecurity policy and governance to the applied mechanisms of incident management and resilience building.
Session 1 establishes the policy context, introducing the EU cybersecurity regulatory landscape (NIS2, DORA, CRA, AI Act) and the ENISA threat outlook 2025, emphasizing the interplay between regulation, governance, and technological dependency. It frames cybersecurity as both a public value (trust, safety, resilience) and a policy system, explaining the policy cycle—from agenda setting to evaluation—through real-world examples. The session maps ISO/IEC 27000-family standards (27001–27006) as the operational backbone of policy implementation, connecting EU laws to practical governance tools, risk management, and certification processes. Interactive exercises engage participants in mapping regulations to industries and analyzing the stages of the ISO-based PDCA (Plan–Do–Check–Act) cycle.
Session 2 advances from compliance to operational resilience, focusing on incident response, supply-chain security, privacy, AI, and business continuity. It explores ISO/IEC 27002 and 27035 controls for incident management, linking them to EU mandates (NIS2 72-hour reporting, DORA classification, CRA’s secure-by-design principles). Participants examine the lifecycle of incident handling and the role of Software Bills of Materials (SBOMs) in securing digital supply chains. Further modules address privacy and AI governance (ISO/IEC 27701, 42001, 23894, 38507) and continuity frameworks (ISO/IEC 22301, 22320, 27031), distinguishing between maintaining business functions and disaster recovery.
The lecture concludes with a synthesis of the policy–standards–law nexus, emphasizing trade-offs between security, innovation, and regulatory compliance. Participants apply these concepts in group case studies and a final Policy Brief assignment, articulating the lifecycle of policy adoption, stakeholder engagement, and continuous improvement under the ISO/IEC 27001 PDCA model.
Course material #
- Session 1 - Policy Framework, EU regulations & ISO Foundations
- Session 2 - From Incident Response to Resilience
References and further reading #
European / Regulatory References #
-
Directive (EU) 2022/2555 — NIS 2 (Cybersecurity of network and information systems)
-
Regulation (EU) 2022/2554 — DORA (Digital Operational Resilience Act)
-
Cyber Resilience Act (CRA)
-
Artificial Intelligence Act (AI Act, EU)
ISO / IEC Standards & Related References #
-
ISO/IEC 27001:2022 – Information Security Management Systems (Requirements)
-
ISO/IEC 27000 – Overview and Vocabulary
-
ISO/IEC 27035‑1:2023 – Information Security Incident Management
-
ISO/IEC 27701:2019 – Privacy Information Management System (PIMS)
-
Additional ISO Standards Mentioned
- ISO/IEC 27002 – Information Security Controls
- ISO/IEC 27003 – Implementation Guidance
- ISO/IEC 27005 – Information Security Risk Management
- ISO/IEC 22301 – Business Continuity Management Systems
- ISO/IEC 22320 – Emergency Management and Incident Response
- ISO/IEC 27031 – ICT Readiness for Business Continuity
Public Policy Theory & Analysis References #
- Bardach. E., & Patashnik, E. (2024), A practical guide for policy analysis. The eightfold path to more effective problem solving, University of California, Berkeley, Brown University, USA
- CDC (2013), CDC’s Policy Analytical Framework
- European Training Foundation (2018), Guide to policy analysis
- Patton, C. V., & Sawicki, D. S, (2016), Basic Methods of Policy Analysis and Planning, 3dt edition
- Weimer, D. (2017), Policy analysis, 6th edition, Routledge
- WWF (2018), Policy analysis and engagement toolkit, A guide for Pacific Non-government Organizations in the Fisheries Sector