By Matjaz Marin

How to implement NIS 2 cybersecurity measures: Mapping with ISO 27001

If you need to comply with NIS 2, you might be wondering how to go about it. The directive outlines what you need to achieve but doesn’t provide guidance on how to do it.

One of the best ways to tackle this compliance task is to follow an established cybersecurity framework. In this article, I’ll explore whether ISO 27001, the leading international standard for information security management systems (ISMS), can help meet these requirements.

ISO 27001 can cover most of the cybersecurity requirements from NIS 2, except for incident reporting.

What cybersecurity and reporting requirements are in NIS 2?

Let’s examine what companies must implement. Interestingly, only three articles in the entire NIS 2 Directive set out obligations that essential and important entities must implement directly:

    Article 20 – Governance

    Article 21 – Cybersecurity risk-management measures

    Article 23 – Reporting obligations

Most of the remaining articles are addressed to Member States and their competent authorities (transposition, supervision, enforcement and cooperation). Entities should still read the scope provisions to confirm whether, and as which type of entity, they fall under the directive, as well as the supervision and penalty provisions that apply to them.

You’ll find a detailed breakdown of the requirements from Articles 20 and 21 in the table below.

Is ISO 27001 Relevant for NIS 2?

While NIS 2 does not explicitly mention ISO 27001, it does encourage the use of “relevant European and international standards.” Additionally, the recitals (the preamble) of NIS 2 name the ISO/IEC 27000 series of standards as an example of standards that can be used for implementing cybersecurity measures.

ISO 27001 is well-regarded by ENISA, the European Union Agency for Cybersecurity:

ENISA’s Mapping Tool: ENISA has developed a tool that maps ISO 27001 clauses and controls to the original NIS Directive requirements (the predecessor of NIS 2). Note that the tool predates ISO/IEC 27001:2022, so its Annex A control numbers follow the 2013 edition and differ from the numbering used in the table below.

2017 Report: In the report “Mapping of OES Security Requirements to Specific Sectors,” ENISA identified ISO 27001 as the most commonly followed standard by operators of essential services (OES) needing to comply with the old NIS Directive.

2021 Report: The “NIS Investments” report noted that a majority of organizations (51.1%) complying with the old NIS Directive had certified their systems and processes against ISO 27001.

Given these points, along with the global acceptance of ISO 27001 as an ISO standard and its prominence in the ISO 27000 series, ISO 27001 is a logical choice for achieving NIS 2 compliance.

Map of NIS 2 articles with ISO 27001 clauses and controls

Clause numbers refer to the main body of ISO/IEC 27001:2022; “A.x.y” numbers refer to Annex A controls of the 2022 edition.

| NIS 2 requirement | NIS 2 article | ISO 27001 clause or control | Suggested document |
|---|---|---|---|
| Management bodies must approve the cybersecurity risk-management measures | Article 20, paragraph 1 | 5.1 Leadership and commitment; 6.1.3 Information security risk treatment | Risk Treatment Plan |
| Management bodies must oversee the implementation of cybersecurity risk-management measures | Article 20, paragraph 1 | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review | Measurement Report + Internal Audit Report + Management Review Minutes |
| Members of the management bodies are required to follow training, and entities are encouraged to offer similar training to their employees on a regular basis | Article 20, paragraph 2 | 7.2 Competence; A.6.3 Information security awareness, education and training | Training and Awareness Plan |
| Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks | Article 21, paragraph 1 | 6.1.3 Information security risk treatment; 6.2 Information security objectives and planning to achieve them; 8.1 Operational planning and control | Risk Treatment Table + Risk Treatment Plan + various policies and procedures mentioned below |
| When assessing the proportionality of measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact | Article 21, paragraph 1 | 6.1.2 Information security risk assessment | Risk Assessment Methodology + Risk Assessment Table |
| Policy on risk analysis | Article 21, paragraph 2, point (a) | 6.1.2 Information security risk assessment | Risk Assessment Methodology |
| Policy on information system security | Article 21, paragraph 2, point (a) | 5.2 Policy | Policy on information system security |
| Incident handling | Article 21, paragraph 2, point (b) | A.5.24 Information security incident management planning and preparation; A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.5.27 Learning from information security incidents; A.5.28 Collection of evidence | Incident Management Procedure + Incident Log |
| Business continuity | Article 21, paragraph 2, point (c) | A.5.29 Information security during disruption | Business Continuity Plan |
| Backup management | Article 21, paragraph 2, point (c) | A.8.13 Information backup | Backup Policy |
| Disaster recovery | Article 21, paragraph 2, point (c) | A.5.30 ICT readiness for business continuity; A.8.14 Redundancy of information processing facilities | Disaster Recovery Plan |
| Crisis management | Article 21, paragraph 2, point (c) | (does not have a directly relevant clause or control in ISO 27001) | Crisis Management Plan |
| Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | Article 21, paragraph 2, point (d) | A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements; A.5.21 Managing information security in the ICT supply chain; A.5.22 Monitoring, review and change management of supplier services; A.5.23 Information security for use of cloud services | Supplier Security Policy + Security Clauses for Suppliers and Partners + Confidentiality Statement |
| Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | Article 21, paragraph 2, point (e) | A.8.6 Capacity management; A.8.7 Protection against malware; A.8.8 Management of technical vulnerabilities; A.8.9 Configuration management; A.8.25 Secure development life cycle; A.8.26 Application security requirements; A.8.27 Secure system architecture and engineering principles; A.8.28 Secure coding; A.8.29 Security testing in development and acceptance; A.8.30 Outsourced development; A.8.31 Separation of development, test and production environments; A.8.32 Change management; A.8.33 Test information | Secure Development Policy + Specification of Information System Requirements |
| Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Article 21, paragraph 2, point (f) | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review | Measurement Methodology + Measurement Report + Internal Audit Procedure + Internal Audit Checklist + Internal Audit Report + Management Review Procedure |
| Basic cyber hygiene practices | Article 21, paragraph 2, point (g) | A.6.8 Information security event reporting; A.7.7 Clear desk and clear screen; A.7.9 Security of assets off-premises; A.7.10 Storage media; A.8.1 User endpoint devices; A.8.5 Secure authentication; A.8.7 Protection against malware; A.8.13 Information backup; A.8.19 Installation of software on operational systems; A.8.24 Use of cryptography | IT Security Policy |
| Cybersecurity training | Article 21, paragraph 2, point (g) | 7.2 Competence; A.6.3 Information security awareness, education and training | Training and Awareness Plan |
| Policies and procedures regarding the use of cryptography and, where appropriate, encryption | Article 21, paragraph 2, point (h) | A.8.24 Use of cryptography | Policy on the Use of Encryption |
| Human resources security | Article 21, paragraph 2, point (i) | A.6.1 Screening; A.6.2 Terms and conditions of employment; A.6.3 Information security awareness, education and training; A.6.4 Disciplinary process; A.6.5 Responsibilities after termination or change of employment | Security Policy for Human Resources |
| Access control policies | Article 21, paragraph 2, point (i) | A.5.15 Access control; A.5.18 Access rights; A.8.2 Privileged access rights; A.8.3 Information access restriction | Access Control Policy |
| Asset management | Article 21, paragraph 2, point (i) | A.5.9 Inventory of information and other associated assets; A.5.10 Acceptable use of information and other associated assets; A.5.11 Return of assets; A.7.9 Security of assets off-premises | Asset Management Procedure + Inventory of Assets |
| The use of multi-factor authentication or continuous authentication solutions | Article 21, paragraph 2, point (j) | A.5.16 Identity management; A.5.17 Authentication information; A.8.5 Secure authentication | Authentication Policy |
| Secured voice, video and text communications | Article 21, paragraph 2, point (j) | A.5.14 Information transfer; A.8.21 Security of network services | Information Transfer Policy + Secure Communication Policy |
| Secured emergency communication systems within the entity | Article 21, paragraph 2, point (j) | A.8.20 Networks security | Secure Communication Policy |
| Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures | Article 21, paragraph 3 | A.5.19 Information security in supplier relationships; A.5.21 Managing information security in the ICT supply chain; A.5.22 Monitoring, review and change management of supplier services; A.5.23 Information security for use of cloud services | Supplier Security Policy + Risk Assessment and Treatment Report |
| Take appropriate and proportionate corrective measures where the entity finds it does not comply with the measures in paragraph 2 | Article 21, paragraph 4 | 10.2 Nonconformity and corrective action | Procedure for Corrective Action + Corrective Action Form |

ISO 27001 and NIS 2: Coverage and Implementation

Out of the 26 cybersecurity requirements specified by NIS 2, ISO 27001 can address 25. The only exception is Crisis Management, which is not thoroughly covered by ISO 27001.

Addressing Reporting Obligations

NIS 2 Article 23 mandates specific reporting requirements that cannot be fully addressed using ISO 27001. For a significant incident, the entity must send an early warning to its CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification, with intermediate status reports on request; where appropriate, recipients of its services must also be informed. ISO 27001’s incident controls (A.5.24 to A.5.28 and A.6.8) cover internal detection, assessment, response and event reporting, but they say nothing about notifying an external authority within statutory deadlines. The Incident Management Procedure therefore has to be extended with the notification recipients, the content of each report and the deadlines, and the incident classification has to include the criteria for what counts as “significant.”

Using ISO 27001 for NIS 2 Compliance

Based on the mapping, here are the steps that can be implemented using ISO 27001:

  1. Perform initial training
  2. Write a top-level policy on information system security
  3. Define the Risk Management Methodology
  4. Perform risk assessment and treatment
  5. Write and approve the Risk Treatment Plan
  6. Implement cybersecurity measures
  7. Set up supply chain security
  8. Set up the assessment of cybersecurity effectiveness
  9. Set up continual cybersecurity training
  10. Conduct periodic internal audits
  11. Conduct periodic management review
  12. Execute corrective actions

These 12 steps are taken from a full NIS 2 implementation plan of 15 steps. Three steps of that plan are not listed here: its first two steps, which concern project management rather than cybersecurity measures, and its step 11, “Set up incident notifications,” which is excluded because ISO 27001 does not cover Article 23 reporting, as discussed above.

Wrapping Up: NIS 2 vs. ISO 27001

To summarize how ISO 27001 can be used for NIS 2 compliance:

  • ISO 27001 can address most of the cybersecurity requirements from NIS 2, except for reporting incidents.
  • 12 out of 15 implementation steps can be achieved using ISO 27001.

This is a strong alignment, indicating that ISO 27001 is a robust choice for NIS 2 compliance, especially given that NIS 2 and ENISA encourage the use of established cybersecurity standards.
