
ISO 27001: The Gateway to NIS2 Compliance


The European Union is raising its bar for compliance with the rollout of NIS2, but what exactly is it and how can companies ensure they comply? We’re here to break down this regulation and share the best way for organizations to achieve compliance by following the ISO/IEC 27001:2022 framework.

What is NIS2? 

Replacing the original NIS Directive, NIS2 sets out to redefine minimum security requirements for operators of essential services and digital service providers. This update drives broader applicability across more industries, introduces new methods for onboarding companies, establishes stricter requirements for reporting incidents, and enforces harsher penalties for non-compliance. It’s intended to strengthen cybersecurity in the EU, ensuring all companies in the scope of the NIS2 directive that provide services or carry out activities within the EU take proactive measures to create a more secure operating environment. 

Check out our article NIS2 Directive: What You Need to Know to take a deeper dive into the updates and requirements for this regulation.  

What is ISO 27001? 

ISO 27001 is an internationally recognized standard that focuses on the implementation, management, and maintenance of information security within a company. It’s a powerful framework for governance because it gives organizations flexibility to ensure that what they’re implementing aligns with their business goals. It builds a strong foundation for security practices, focusing not just on controls but on a robust management system. 

To learn more about ISO 27001, check out our article ISO 27001 Certification: Everything You Need to Know.

Using ISO 27001 as a tool for NIS2 compliance 

The NIS2 Directive does not provide a clear roadmap for how to achieve compliance, which leaves many organizations wondering how they can meet the guidelines of the directive and avoid penalties for non-compliance. While ISO 27001 is not specifically mentioned, the directive does allude to “relevant European and international standards.” Our team of experts at A-LIGN believes that NIS2 compliance can be achieved with the ISO 27001 framework, incorporating additional requirements for business continuity and incident management.

Mapping the Overlap 

There are ten minimum security measures for NIS2 that build on and align closely with ISO 27001, adding specific business continuity requirements to enhance organizational resilience. Certifying against ISO 27001 and mapping to NIS2 controls demonstrates conformity of your Information Security Management System (ISMS) with the documented standards and provides your customers with assurance regarding the security of your systems and data. If you are already ISO 27001 compliant, mapping to NIS2 controls enhances compliance by aligning with EU-specific requirements and emphasizes incident reporting. It also gives you a competitive edge by demonstrating a robust commitment to cybersecurity. 

The mapping below lists each NIS2 Article 21.2 measure followed by the corresponding ISO 27001 clauses (numbered 5–9) and Annex A controls (prefixed A.):

Article 21.2 a) Policies on risk analysis and information system security

  • 5.2 Policy
  • 6.1.2 Information security risk assessment
  • 6.1.3 Information security risk treatment
  • 8.2 Information security risk assessment
  • 8.3 Information security risk treatment
  • A.5.1 Policies for information security


Article 21.2 b) Incident handling

  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.28 Collection of evidence
  • A.6.8 Information security event reporting


Article 21.2 c) Business continuity, such as backup management and disaster recovery, and crisis management

  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities


Article 21.2 d) Supply chain security, including security-related aspects concerning the relationship between each entity and its direct suppliers or service providers

  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.22 Monitoring, review and change management of supplier services
  • A.5.23 Information security for use of cloud services


Article 21.2 e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

  • A.5.37 Documented operating procedures
  • A.8.8 Management of technical vulnerabilities
  • A.8.9 Configuration management
  • A.8.20 Network Security
  • A.8.21 Security of network services


Article 21.2 f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
  • 9.3 Management review
  • A.5.35 Independent review of information security


Article 21.2 g) Basic computer hygiene practices and cybersecurity training

  • 7.3 Awareness
  • 7.4 Communication
  • A.6.3 Information security awareness, education and training


Article 21.2 i) Human resources security, access control policies and asset management

  • A.6.1 Screening
  • A.6.2 Terms and conditions of employment
  • A.6.4 Disciplinary process
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.5.15 Access control
  • A.5.16 Identity Management
  • A.5.17 Authentication information
  • A.5.18 Access Rights
  • A.5.9 Inventory of information and other associated assets
  • A.5.10 Acceptable use of information and other associated assets


Article 21.2 j) The use of multifactor authentication or continuous authentication solutions, secured voice, video, and text communications and emergency communication systems within the entity, where appropriate

  • A.5.16 Identity Management
  • A.5.17 Authentication information
  • A.5.14 Information transfer

A-LIGN is at the forefront of ISO 27001 certification and has a team of experts ready to help you navigate the audit process and achieve compliance. Reach out to us today to get started with ISO 27001 certification for 2025.