The implementation of the NIS2 Directive presents organisations with new cyber security challenges. To facilitate this process and enable the first steps towards compliance, a mapping table has been created that links the requirements of the NIS2 Directive to the ISO/IEC 27001:2022 standard.
The table uses ISO/IEC 27001:2022 as a starting point for implementing best practices, policies and controls to minimise risk. Particular attention is given to Appendix A, which defines essential security measures for compliance with ISO/IEC 27001.
The following main areas are addressed:
Governance (Article 20 NIS2)
Cybersecurity risk management (Article 21 NIS2)
Reporting obligations (Article 23 NIS2)
European cybersecurity certification schemes (Article 24 NIS2)
The key aspects include:
Guidelines for risk analysis and information system security
Incident management
Business continuity and crisis management
Security in the supply chain
Network and information system security
Assessing the effectiveness of cybersecurity measures
Basic cyber hygiene and training
Cryptography and encryption
Personnel security and access control
It is important to stress that the mapping table alone is not sufficient to achieve full NIS2 compliance. Rather, it is an aid to the compliance process. The practical, rather than paper-based, implementation of NIS2 is a demanding process that typically takes 1 to 3 years. This underlines the need to start implementing the necessary measures at an early stage.
If you want to prepare for NIS2, we offer our Audit Coaching, which is specifically designed to support organisations that are in the early stages of implementing information security measures. If you are just starting to implement information security in your organisation and still have many questions about processes, specifications and best practices, this coaching is ideal to provide you with comprehensive support and clarify any outstanding issues.
For organisations that are further along in the implementation process, we recommend a Pre-Audit or Internal Audit. These audits will help you to assess the current state of your information security, identify weaknesses and make targeted improvements. Both the Pre-Audit and Internal Audit for NIS2 are based on the mapping table provided here, which ensures a structured and efficient approach to meeting the requirements of the EU Directive.
With these three approaches - Audit Coaching for beginners and Pre-Audit and Internal Audit for advanced users - we can now offer you tailor-made solutions to efficiently increase information security in your organisation and successfully implement NIS2 compliance.
EU-NIS 2 (EU 2022/2555) Requirement | ISO/IEC 27001:2022 M=Main A=Annex |
Article 20: Governance | M.5.1; M.5.2; M.5.3; A.5.1; A.5.31; A.5.34; A.5.35; A.5.36; A.6.3 |
Article 21: Cyber security risk management measure - (A) Policies on risk analysis and information system security | M.4.1; M.4.2; M.4.3; M4.4; M.5.2; M.6.1.2; M.6.1.3; M.8.2; M.8.3; A.5.1 |
Article 21: Cyber security risk management measures - (B) Incident handling | A.5.24; A.5.25; A.5.26; A.5.27; A.5.28; A.6.8; A.8.16 |
Article 21: Cyber security risk management measures - (C) Business continuity, such as backup managemen and disaster recovery, and crisis management | M.8.1; M.10.1; A.5.29; A.5.30; A.8.13; A.8.14; A.8.15; A.8.16 |
Article 21: Cyber security risk management measures - (D) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | A.5.8; A.5.19; A.5.20; A.5.21; A.5.22; A.5.23; A.8.21 |
Article 21: Cyber security risk management measures - (E) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | A.5.20; A.5.24; A.5.37; A.6.8; A.8.8; A.8.9; A.8.20; A.8.21; A.8.25; A.8.26; A.8.27; A.8.28; A.8.29; A.8.30; A.8.31; A.8.32; A.8.33; A.8.34 |
Article 21: Cyber security risk management measures - (F) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | M.9.1; M.9.2; M.9.3; A.5.35; A.5.36 |
Article 21: Cyber security risk management measures - (G) Basic cyber hygiene practices and cybersecurity training | M.7.3; M.7.4; A.5.15; A.5.16; A.5.18; A.5.24; A.6.3; A.6.5; A.6.8; A.8.2; A.8.3; A.8.5; A.8.7; A.8.9; A.8.13; A.8.15; A.8.19; A.8.22 |
Article 21: Cyber security risk management measures - (H) Policies and procedures regarding the use of cryptography and, where appropriate, encryption | A.8.24 |
Article 21: Cyber security risk management measures - (I) Human resources security, access control policies and asset management | A.5.9; A.5.10; A.5.11; A.5.12; A.5.13; A.5.14; A.5.15; A.5.16; A.5.17; A.5.18; A.6.1; A.6.2; A.6.4; A.6.5; A.6.6 |
Article 21: Cyber security risk management measures - (J) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications 5and secured emergency communication systems within the entity, where appropriate | A.5.14; A.5.16; A.5.17; A.8.5 |
Article 23: Reporting obligations | A.5.14; A.5.25; A.5.26; A.5.27; A.6.8 |
Article 24: Use of European cybersecurity certification schemes | A.5.20; A.5.31; A.5.36 |
Comments