In an era of increasing cyber threats, the importance of network and information security is paramount. The NIS2 Directive (Network and Information Systems Directive) represents a significant step in enhancing the resilience of EU member states to cybersecurity threats. But for many businesses, understanding and complying with NIS2 can seem like a daunting task. Fortunately, there’s a simplified approach: leveraging aspects of ISO 27001 to ensure compliance with NIS2.

What is NIS2?

The NIS2 Directive, replacing the original NIS Directive, extends the scope of cybersecurity requirements to a broader range of sectors and introduces stricter measures to improve the resilience and incident response capacities of entities. It mandates that critical infrastructure operators, in sectors such as healthcare, energy, transportation, and digital services, ensure robust security for their systems, report incidents, and manage risks efficiently.

NIS2 places special emphasis on managing risks to network and information systems used in critical infrastructure and key services. The directive is structured around core principles such as risk management, incident reporting, and cross-border cooperation to safeguard the EU’s digital infrastructure.

NIS2 Directive + ISO27001

Simplifying NIS2 Compliance with ISO 27001

One of the easiest ways to prepare your business for NIS2 compliance is by adopting the ISO 27001 standard. ISO 27001 offers a systematic framework for managing sensitive company information, ensuring it remains secure. 

Alternatively, you can adopt only selected parts of ISO 27001 and use them to organise your NIS2 compliance.

By implementing key articles from ISO 27001, you can address many of the NIS2’s cybersecurity requirements. 

Here’s how ISO 27001 can help:

Risk Management (ISO 27001, Clause 6.1): One of NIS2’s core requirements is having effective risk management measures. ISO 27001’s structured risk management approach helps identify and mitigate risks associated with your information systems.

Incident Response (ISO 27001, Annex A.16): NIS2 mandates that organizations report significant incidents within 24 to 72 hours. By following ISO 27001’s guidelines on incident management, businesses can establish efficient reporting mechanisms, making compliance seamless.

Information Security Policies (ISO 27001, Clause 5.1): A well-documented set of security policies, as required by both ISO 27001 and NIS2, ensures that all staff and stakeholders understand their roles in maintaining cybersecurity.

Security of Supply Chains (ISO 27001, Annex A.15): NIS2 emphasizes the security of not only internal systems but also third-party vendors. ISO 27001 guides organizations in managing supply chain risks, ensuring that external partners comply with cybersecurity standards.

Business Continuity (ISO 27001, Clause 17): NIS2 highlights the importance of maintaining services in the event of a disruption. ISO 27001’s business continuity planning enables organizations to recover from incidents and continue operations without significant downtime.

Below is the list of ISO 27001 documents to be prepared for NIS2, with the mandatory ones marked. Please contact us for a final list of the specific paragraphs you need to edit. This will help you prepare for NIS2.

Document code | Document name | Mandatory
1) Management Support | Project Launch Decision |
2) Project Plan | Project Plan |
3) Initial Training Plan | Initial Training Plan |
4) Top-level Policy | Policy on Information System Security | YES
5) Risk Management Methodology | Risk Assessment Methodology | YES
6) Risk Assessment and Treatment | Risk Assessment Table | YES
6) Risk Assessment and Treatment | Risk Treatment Table | YES
6) Risk Assessment and Treatment | Acceptance of Residual Risks |
6) Risk Assessment and Treatment | Risk Assessment and Treatment Report | YES
7) Risk Treatment Plan | Risk Treatment Plan | YES
8) Cybersecurity Policies and Procedures | IT Security Policy | YES
8) Cybersecurity Policies and Procedures | Clear Desk and Clear Screen Policy |
8) Cybersecurity Policies and Procedures | Mobile Device and Remote Work Policy |
8) Cybersecurity Policies and Procedures | Bring Your Own Device (BYOD) Policy |
8) Cybersecurity Policies and Procedures | Procedures for Working in Secure Areas |
8) Cybersecurity Policies and Procedures | Information Classification Policy |
8) Cybersecurity Policies and Procedures | Asset Management Procedure | YES
8) Cybersecurity Policies and Procedures | IT Asset Register | YES
8) Cybersecurity Policies and Procedures | Security Procedures for IT Department | YES
8) Cybersecurity Policies and Procedures | Change Management Policy |
8) Cybersecurity Policies and Procedures | Backup Policy | YES
8) Cybersecurity Policies and Procedures | Information Transfer Policy | YES
8) Cybersecurity Policies and Procedures | Secure Communication Policy | YES
8) Cybersecurity Policies and Procedures | Disposal and Destruction Policy |
8) Cybersecurity Policies and Procedures | Policy on the Use of Encryption | YES
8) Cybersecurity Policies and Procedures | Access Control Policy | YES
8) Cybersecurity Policies and Procedures | Authentication Policy | YES
8) Cybersecurity Policies and Procedures | Password Policy |
8) Cybersecurity Policies and Procedures | Secure Development Policy | YES
8) Cybersecurity Policies and Procedures | Appendix 1 – Specification of Information System Requirements | YES
8) Cybersecurity Policies and Procedures | Security Policy for Human Resources | YES
8) Cybersecurity Policies and Procedures | Statement of Acceptance of Cybersecurity Documents |
9) Business Continuity and Crisis Management | Business Impact Analysis Methodology |
9) Business Continuity and Crisis Management | Business Impact Analysis Questionnaire |
9) Business Continuity and Crisis Management | Business Continuity Strategy |
9) Business Continuity and Crisis Management | Appendix 1 – Recovery Time Objectives for Activities |
9) Business Continuity and Crisis Management | Appendix 2 – Examples of Disruptive Incident Scenarios |
9) Business Continuity and Crisis Management | Appendix 3 – Preparation Plan for Business Continuity |
9) Business Continuity and Crisis Management | Appendix 4 – Activity Recovery Strategy for (activity name) |
9) Business Continuity and Crisis Management | Crisis Management Plan | YES
9) Business Continuity and Crisis Management | Business Continuity Plan | YES
9) Business Continuity and Crisis Management | Appendix 1 – Incident Response Plan |
9) Business Continuity and Crisis Management | 9.11 Appendix 2 – List of Business Continuity Sites |
9) Business Continuity and Crisis Management | 9.12 Appendix 3 – Transportation Plan |
9) Business Continuity and Crisis Management | Appendix 4 – Key Contacts |
9) Business Continuity and Crisis Management | Appendix 5 – Disaster Recovery Plan | YES
9) Business Continuity and Crisis Management | Appendix 6 – Activity Recovery Plan for (activity name) |
9) Business Continuity and Crisis Management | Exercising and Testing Plan |
9) Business Continuity and Crisis Management | Appendix 1 – Exercising and Testing Report |
10) Supply Chain Security | Supplier Security Policy | YES
10) Supply Chain Security | Security Clauses for Suppliers and Partners | YES
10) Supply Chain Security | Confidentiality Statement | YES
11) Assessment of Cybersecurity Effectiveness | Measurement Methodology | YES
11) Assessment of Cybersecurity Effectiveness | Measurement Report | YES
12) Incident Management and Reporting | Incident Management Procedure | YES
12) Incident Management and Reporting | Incident Log |
12) Incident Management and Reporting | Post Incident Review Form |
12) Incident Management and Reporting | Significant Incident Notification for Recipients of Services | YES
12) Incident Management and Reporting | Significant Incident Early Warning | YES
12) Incident Management and Reporting | Significant Incident Notification | YES
12) Incident Management and Reporting | Significant Incident Intermediate Report | YES
12) Incident Management and Reporting | Significant Incident Final Report | YES
12) Incident Management and Reporting | Significant Incident Progress Report | YES
13) Cybersecurity Training & Awareness | Training and Awareness Plan | YES
14) Internal Audit | Internal Audit Procedure | YES
14) Internal Audit | Annual Internal Audit Program | YES
14) Internal Audit | Internal Audit Report | YES
14) Internal Audit | Internal Audit Checklist | YES
15) Management Review | Procedure for Management Review | YES
15) Management Review | Management Review Minutes | YES
16) Corrective Actions | Procedure for Corrective Actions | YES
16) Corrective Actions | Appendix 1 – Corrective Action Form | YES

Get Full Support for NIS2 and ISO 27001 Integration

While NIS2 brings new challenges, leveraging ISO 27001 to meet its requirements can significantly reduce the burden. At Marcelino, we provide comprehensive support to help your business comply with NIS2. We offer expert guidance and software solutions tailored to manage your ISO standards and cybersecurity efforts. Our tools simplify the process, helping you integrate NIS2 principles efficiently into your daily operations.

Together with our partners, we offer:

– Samples of ISO27001 and selected NIS2 documents;

– NIS2 cyber security training and awareness raising;

– Webinar: What is NIS2 and how to ensure compliance with it?

– Articles and tips: How to organise DORA compliant training and awareness raising;

– A comprehensive guide to DORA.

If you need a NIS2 template book or other content, please contact us: [email protected]

Contact:
Jurij Cvikl
Tel: +386 31 324 100
E-mail: [email protected]
 

For more details and a full list of how ISO 27001 helps with NIS2 compliance, contact us today. We will provide you with samples and materials and connect you with the right partners.

Contact Us!