In an era of increasing cyber threats, the importance of network and information security is paramount. NIS2 Directive (Network and Information Systems Directive) represents a significant step in enhancing the resilience of EU member states to cybersecurity threats. But for many businesses, understanding and complying with NIS2 can seem like a daunting task. Fortunately, there’s a simplified approach—leveraging aspects of ISO 27001 to ensure compliance with NIS2.
What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555), which replaces the original NIS Directive, extends the scope of cybersecurity requirements to a broader range of sectors and introduces stricter measures to improve the resilience and incident response capacities of entities. It requires essential and important entities in sectors such as healthcare, energy, transportation and digital infrastructure to secure their network and information systems, report significant incidents, and manage risks effectively.
NIS2 places special emphasis on managing risks to network and information systems used in critical infrastructure and key services. The directive is structured around core principles such as risk management, incident reporting, and cross-border cooperation to safeguard the EU’s digital infrastructure.
Simplifying NIS2 Compliance with ISO 27001
One of the easiest ways to prepare your business for NIS2 compliance is by adopting the ISO 27001 standard. ISO 27001 specifies the requirements for an information security management system (ISMS): a systematic framework for managing sensitive company information and keeping it secure.
Alternatively, you can adopt individual parts of ISO 27001 and map them to the NIS2 requirements.
By implementing key clauses and Annex A controls from ISO 27001, you can address many of NIS2's cybersecurity requirements.
Here's how ISO 27001 can help (Annex A references below use the ISO 27001:2013 numbering; ISO 27001:2022 regrouped these controls under Annex A.5, organisational controls):
Risk Management (ISO 27001, Clause 6.1): One of NIS2's core requirements (Article 21) is having effective cybersecurity risk-management measures. ISO 27001's structured risk assessment and risk treatment process (Clauses 6.1.2 and 6.1.3) helps identify, evaluate and mitigate risks to your information systems.
Incident Response (ISO 27001, Annex A.16): NIS2 (Article 23) requires organisations to report significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. By following ISO 27001's incident management controls, businesses can establish the logging, triage and escalation mechanisms needed to meet these deadlines.
Information Security Policies (ISO 27001, Clause 5.2 and Annex A.5.1): A well-documented set of security policies, as required by both ISO 27001 and NIS2, ensures that all staff and stakeholders understand their roles in maintaining cybersecurity.
Security of Supply Chains (ISO 27001, Annex A.15): NIS2 emphasises the security of not only internal systems but also third-party vendors and service providers. ISO 27001 guides organisations in managing supplier relationships, including security clauses in contracts and monitoring of supplier performance.
Business Continuity (ISO 27001, Annex A.17): NIS2 highlights the importance of maintaining services in the event of a disruption, including backup management and disaster recovery. ISO 27001's business continuity controls enable organisations to recover from incidents and continue operations without significant downtime.
Below is the list of documents from the ISO 27001 document set; those marked YES are mandatory for NIS2 preparation. Please contact us for a final list of the specific paragraphs you need to edit.
Document code | Document name | Mandatory |
---|---|---|
1) Management Support | Project Launch Decision | |
2) Project Plan | Project Plan | |
3) Initial Training Plan | Initial Training Plan | |
4) Top-level Policy | Policy on Information System Security | YES |
5) Risk Management Methodology | Risk Assessment Methodology | YES |
6) Risk Assessment and Treatment | Risk Assessment Table | YES |
6) Risk Assessment and Treatment | Risk Treatment Table | YES |
6) Risk Assessment and Treatment | Acceptance of Residual Risks | |
6) Risk Assessment and Treatment | Risk Assessment and Treatment Report | YES |
7) Risk Treatment Plan | Risk Treatment Plan | YES |
8) Cybersecurity Policies and Procedures | IT Security Policy | YES |
8) Cybersecurity Policies and Procedures | Clear Desk and Clear Screen Policy | |
8) Cybersecurity Policies and Procedures | Mobile Device and Remote Work Policy | |
8) Cybersecurity Policies and Procedures | Bring Your Own Device (BYOD) Policy | |
8) Cybersecurity Policies and Procedures | Procedures for Working in Secure Areas | |
8) Cybersecurity Policies and Procedures | Information Classification Policy | |
8) Cybersecurity Policies and Procedures | Asset Management Procedure | YES |
8) Cybersecurity Policies and Procedures | IT Asset Register | YES |
8) Cybersecurity Policies and Procedures | Security Procedures for IT Department | YES |
8) Cybersecurity Policies and Procedures | Change Management Policy | |
8) Cybersecurity Policies and Procedures | Backup Policy | YES |
8) Cybersecurity Policies and Procedures | Information Transfer Policy | YES |
8) Cybersecurity Policies and Procedures | Secure Communication Policy | YES |
8) Cybersecurity Policies and Procedures | Disposal and Destruction Policy | |
8) Cybersecurity Policies and Procedures | Policy on the Use of Encryption | YES |
8) Cybersecurity Policies and Procedures | Access Control Policy | YES |
8) Cybersecurity Policies and Procedures | Authentication Policy | YES |
8) Cybersecurity Policies and Procedures | Password Policy | |
8) Cybersecurity Policies and Procedures | Secure Development Policy | YES |
8) Cybersecurity Policies and Procedures | Appendix 1 – Specification of Information System Requirements | YES |
8) Cybersecurity Policies and Procedures | Security Policy for Human Resources | YES |
8) Cybersecurity Policies and Procedures | Statement of Acceptance of Cybersecurity Documents | |
9) Business Continuity and Crisis Management | Business Impact Analysis Methodology | |
9) Business Continuity and Crisis Management | Business Impact Analysis Questionnaire | |
9) Business Continuity and Crisis Management | Business Continuity Strategy | |
9) Business Continuity and Crisis Management | Appendix 1 – Recovery Time Objectives for Activities | |
9) Business Continuity and Crisis Management | Appendix 2 – Examples of Disruptive Incident Scenarios | |
9) Business Continuity and Crisis Management | Appendix 3 – Preparation Plan for Business Continuity | |
9) Business Continuity and Crisis Management | Appendix 4 – Activity Recovery Strategy for (activity name) | |
9) Business Continuity and Crisis Management | Crisis Management Plan | YES |
9) Business Continuity and Crisis Management | Business Continuity Plan | YES |
9) Business Continuity and Crisis Management | Appendix 1 – Incident Response Plan | |
9) Business Continuity and Crisis Management | Appendix 2 – List of Business Continuity Sites | |
9) Business Continuity and Crisis Management | Appendix 3 – Transportation Plan | |
9) Business Continuity and Crisis Management | Appendix 4 – Key Contacts | |
9) Business Continuity and Crisis Management | Appendix 5 – Disaster Recovery Plan | YES |
9) Business Continuity and Crisis Management | Appendix 6 – Activity Recovery Plan for (activity name) | |
9) Business Continuity and Crisis Management | Exercising and Testing Plan | |
9) Business Continuity and Crisis Management | Appendix 1 – Exercising and Testing Report | |
10) Supply Chain Security | Supplier Security Policy | YES |
10) Supply Chain Security | Security Clauses for Suppliers and Partners | YES |
10) Supply Chain Security | Confidentiality Statement | YES |
11) Assessment of Cybersecurity Effectiveness | Measurement Methodology | YES |
11) Assessment of Cybersecurity Effectiveness | Measurement Report | YES |
12) Incident Management and Reporting | Incident Management Procedure | YES |
12) Incident Management and Reporting | Incident Log | |
12) Incident Management and Reporting | Post Incident Review Form | |
12) Incident Management and Reporting | Significant Incident Notification for Recipients of Services | YES |
12) Incident Management and Reporting | Significant Incident Early Warning | YES |
12) Incident Management and Reporting | Significant Incident Notification | YES |
12) Incident Management and Reporting | Significant Incident Intermediate Report | YES |
12) Incident Management and Reporting | Significant Incident Final Report | YES |
12) Incident Management and Reporting | Significant Incident Progress Report | YES |
13) Cybersecurity Training & Awareness | Training and Awareness Plan | YES |
14) Internal Audit | Internal Audit Procedure | YES |
14) Internal Audit | Annual Internal Audit Program | YES |
14) Internal Audit | Internal Audit Report | YES |
14) Internal Audit | Internal Audit Checklist | YES |
15) Management Review | Procedure for Management Review | YES |
15) Management Review | Management Review Minutes | YES |
16) Corrective Actions | Procedure for Corrective Actions | YES |
16) Corrective Actions | Appendix 1 – Corrective Action Form | YES |
Get Full Support for NIS2 and ISO 27001 Integration
While NIS2 brings new challenges, leveraging ISO 27001 to meet its requirements can significantly reduce the burden. At Marcelino, we provide comprehensive support to help your business comply with NIS2. We offer expert guidance and software solutions tailored to manage your ISO standards and cybersecurity efforts. Our tools simplify the process, helping you integrate NIS2 principles efficiently into your daily operations.
Together with our partners, we offer:
– Samples of ISO 27001 and selected NIS2 documents;
– NIS2 cyber security training and awareness raising;
– Webinar: What is NIS2 and how to ensure compliance with it?
– Articles and tips: How to organise DORA-compliant training and awareness raising;
– A comprehensive guide to DORA.
If you need a NIS2 template book or other content, please contact us: [email protected]
For more details and a full list of how ISO 27001 helps with NIS2 compliance, contact us today. We will provide you with samples and materials and connect you with the right partners.