Dejan KosuticIf you have to comply with NIS 2, you’re probably wondering how to do it — NIS 2 only tells you what you must achieve; it doesn’t give any clues to how this needs to be done.
Probably the best way to approach such a compliance task is to follow the methodology of an existing cybersecurity framework — therefore, in this article I’ll analyze if ISO 27001, the leading international cybersecurity standard, is up to this task.
ISO 27001 can address a large majority of cybersecurity requirements from NIS 2, but not those for reporting incidents.
What cybersecurity and reporting requirements are in NIS 2?
Let’s start with analyzing what exactly companies have to implement. Surprisingly, out of the whole NIS 2 Directive, only three of its articles are really relevant for companies that need to become compliant, i.e., to essential and important organizations:
- Article 20 – Governance
- Article 21 – Cybersecurity risk-management measures
- Article 23 – Reporting obligations
All other NIS 2 articles are basically intended for government bodies that need to enforce NIS 2.
You’ll find a detailed breakdown of the requirements from Articles 20 and 21 in the table below. For Article 23, read this article: What are reporting obligations according to NIS 2?
Is ISO 27001 relevant for NIS 2?
NIS 2 does not directly mention ISO 27001; however, it encourages the use of “relevant European and international standards.” Further, in its preamble, NIS 2 suggests the use of the ISO/IEC 27000 series of standards for cybersecurity measures.
ISO 27001 is supported by ENISA, the European Union Agency for Cybersecurity:
- ENISA has made a tool where it maps ISO 27001 clauses and controls with the old NIS requirements (the predecessor of NIS 2).
- In its report called “Mapping of OES Security Requirements to Specific Sectors” published in 2017, ENISA stated that “ISO 27001 was emerged by the survey as the most commonly followed standard” by operators of essential services (OES), i.e., the companies that needed to comply with the old NIS.
- In its report called “NIS Investments” published in 2021, ENISA stated that from the companies that needed to comply with the old NIS, “a majority of organisations (51.1 %) certify their systems and processes, e.g. on the basis of ISO 27001 certification.”
All this, together with the fact that ISO 27001 is an ISO standard, and has therefore been accepted by all countries worldwide, and its being the most important standard in the ISO 27000 series, makes it a logical choice for NIS 2 compliance.
Map of NIS 2 articles with ISO 27001 clauses and controls
Let’s analyze in detail if ISO 27001 is really useful for NIS 2 compliance.
In the table below, I extracted all NIS 2 requirements from Articles 20 and 21, and compared them to ISO 27001 clauses or controls:
| NIS 2 requirement | NIS 2 article | ISO 27001 clause or control | Suggested document |
| Management bodies must approve the cybersecurity risk-management measures | Article 20, paragraph 1 | 6.1.3 Information security risk treatment | Risk Treatment Plan |
| Management bodies must oversee the implementation of cybersecurity risk-management measures | Article 20, paragraph 1 | 9.1 Monitoring, measurement, analysis and evaluation 9.2 Internal audit 9.3 Management review | Measurement Report + Internal Audit Report + Management Review Minutes |
| Members of the management bodies are required to follow training, and must offer similar training to their employees on a regular basis | Article 20, paragraph 2 | 7.2 Competence A.6.3 Information security awareness, education and training | Training and Awareness Plan |
| Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks | Article 21, paragraph 1 | 6.1.3 Information security risk treatment 6.2 Information security objectives and planning to achieve them 8.1 Operational planning and control | Risk Treatment Table + Risk Treatment Plan + various policies and procedures mentioned below |
| When assessing the proportionality of measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact | Article 21, paragraph 1 | 6.1.2 Information security risk assessment | Risk Assessment Methodology + Risk Assessment Table |
| Policy on risk analysis | Article 21, paragraph 2, point (a) | 6.1.2 Information security risk assessment | Risk Assessment Methodology |
| Policy on information system security | Article 21, paragraph 2, point (a) | 5.2 Policy | Policy on information system security |
| Incident handling | Article 21, paragraph 2, point (b) | A.5.24 Information security incident management planning and preparation A.5.25 Assessment and decision on information security events A.5.26 Response to information security incidents | Incident Management Procedure + Incident Log |
| Business continuity | Article 21, paragraph 2, point (c) | A.5.29 Information security during disruption | Business Continuity Plan |
| Backup management | Article 21, paragraph 2, point (c) | A.8.13 Information backup | Backup Policy |
| Disaster recovery | Article 21, paragraph 2, point (c) | A.5.30 ICT readiness for business continuity A.8.14 Redundancy of information processing facilities | Disaster Recovery Plan |
| Crisis management | Article 21, paragraph 2, point (c) | (does not have a directly relevant clause nor control in ISO 27001) | Crisis Management Plan |
| Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | Article 21, paragraph 2, point (d) | A.5.19 Information security in supplier relationships A.5.20 Addressing information security within supplier agreements A.5.21 Managing information security in the ICT supply chain A.5.22 Monitoring, review and change management of supplier service A.5.23 Information security for use of cloud services | Supplier Security Policy + Security Clauses for Suppliers and Partners + Confidentiality Statement |
| Security in network and information systems acquisition, development and maintenance | Article 21, paragraph 2, point (e) | A.8.6 Capacity management A.8.7 Protection against malware A.8.8 Management of technical vulnerabilities A.8.9 Configuration management A.8.25 Secure development life cycle A.8.26 Application security requirements A.8.27 Secure system architecture and engineering principles A.8.28 Secure coding A.8.29 Security testing in development and acceptance A.8.30 Outsourced development A.8.31 Separation of development, test and production environments A.8.32 Change management A.8.33 Test information | Secure Development Policy + Specification of Information System Requirements |
| Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Article 21, paragraph 2, point (f) | 9.1 Monitoring, measurement, analysis and evaluation 9.2 Internal audit 9.3 Management review | Measurement Methodology + Measurement Report + Internal Audit Procedure + Internal Audit Checklist + Internal Audit Report + Management Review Procedure |
| Basic cyber hygiene practices | Article 21, paragraph 2, point (g) | A.6.8 Information security event reporting A.7.7 Clear desk and clear screen A.7.9 Security of assets off-premises A.7.10 Storage media A.8.1 User endpoint devices A.8.5 Secure authentication A.8.7 Protection against malware A.8.13 Information backup A.8.19 Installation of software on operational systems A.8.24 Use of cryptography | IT Security Policy |
| Cybersecurity training | Article 21, paragraph 2, point (g) | 7.2 Competence A.6.3 Information security awareness, education and training | Training and Awareness Plan |
| Policies and procedures regarding the use of cryptography and encryption | Article 21, paragraph 2, point (h) | A.8.24 Use of cryptography | Policy on the Use of Encryption |
| Human resources security | Article 21, paragraph 2, point (i) | A.6.1 Screening A.6.2 Terms and conditions of employment A.6.3 Information security awareness, education and training A.6.4 Disciplinary process A.6.5 Responsibilities after termination or change of employment | Security Policy for Human Resources |
| Access control policies | Article 21, paragraph 2, point (i) | A.5.15 Access control | Access Control Policy |
| Asset management | Article 21, paragraph 2, point (i) | A.5.9 Inventory of information and other associated assets A.5.10 Acceptable use of information and other associated assets A.5.11 Return of assets A.7.9 Security of assets off-premises | Asset Management Procedure + Inventory of Assets |
| The use of multi-factor authentication or continuous authentication solutions | Article 21, paragraph 2, point (j) | A.5.16 Identity management A.5.17 Authentication information A.8.5 Secure authentication | Authentication Policy |
| Secured voice, video and text communications | Article 21, paragraph 2, point (j) | A.5.14 Information transfer A.8.21 Security of network services | Information Transfer Policy + Secure Communication Policy |
| Secured emergency communication systems within the entity | Article 21, paragraph 2, point (j) | A.8.20 Networks security | Secure Communication Policy |
| Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures | Article 21, paragraph 3 | A.5.19 Information security in supplier relationships A.5.21 Managing information security in the ICT supply chain A.5.22 Monitoring, review and change management of supplier service A.5.23 Information security for use of cloud services | Supplier Security Policy + Risk Assessment and Treatment Report |
| Take appropriate and proportionate corrective measures | Article 21, paragraph 4 | 10.2 Nonconformity and corrective action | Procedure for Corrective Action + Corrective Action Form |
Therefore, out of 26 cybersecurity requirements specified by NIS 2, ISO 27001 can address 25 of them — only Crisis management is not really covered in ISO 27001.
Since NIS 2 Article 23 “Reporting obligations” mandates very specific reporting requirements, the fact is that they cannot be addressed using ISO 27001.
How to use ISO 27001 for NIS 2
In general, in order to comply with NIS 2, it is recommended to follow the steps described in this article: 15 implementation steps for NIS 2 cybersecurity risk management measures.
Based on the map above, let’s see which of these 15 steps can be implemented using ISO 27001:
- Perform initial training
- Write a top-level policy on information system security
- Define the Risk Management Methodology
- Perform risk assessment and treatment
- Write and approve the Risk Treatment Plan
- Implement cybersecurity measures
- Set up supply chain security
- Set up the assessment of cybersecurity effectiveness
- Set up continual cybersecurity training
- Conduct periodic internal audits
- Conduct periodic management review
- Execute corrective actions
The first two steps are not listed here because they are mainly about project management, while step 11 “Set up incident notifications” was excluded because of the reasons described in the previous section of this article.
Wrapping up: NIS 2 vs. ISO 27001
So, let’s summarize how ISO 27001 can be used for NIS 2:
- ISO 27001 can address a large majority of cybersecurity requirements from NIS 2, but not those for reporting incidents.
- 12 out of 15 steps can be implemented using ISO 27001.
A pretty good score, isn’t it?
Add to that the fact that NIS 2 and ENISA encourage the use of cybersecurity standards, and it’s clear that ISO 27001 is a safe choice for NIS 2 compliance.
For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.