NIS2 and ISO27001
From Metaware's knowledge center.
Keywords: nis2 compliance, iso 27001 certification, nis2 implementation, iso 27001 audit, nis2 directive netherlands, information security policy, cyber security compliance, iso 27001 consultancy, nis2 obligations, risk management information security, governance risk compliance, information security management system, iso 27001 gap analysis, nis2 readiness assessment, cybersecurity legislation europe
NIS2. Starting this year, more organisations will have to deal with the new European directive NIS2 - Network and Information Systems, a directive in the field of cybersecurity. Organisations that fall under it include managers of ICT services, digital providers, digital infrastructure, financial market infrastructure, banking, energy, government services, transport, food and waste management.
ISO27001. The international management system standard for information security is ISO27001. If the organisation already works according to ISO27001, or is even certified against ISO27001, that gives it a big head start on NIS2.
What is NIS2
The NIS2 Directive (Network and Information Security 2, successor to NIS1) was adopted by the European Union to strengthen cybersecurity and digital resilience in EU member states. NIS2 goes further than its predecessor: more sectors, stricter security standards and incident reporting requirements. The duty of care and the duty to report are important elements. From 2024, this directive will enter into force as legislation.
What is ISO27001
ISO 27001 is a globally recognized standard in the field of information security. The standard describes how the security of information can be handled in a process-oriented way, with the aim of ensuring the confidentiality, availability and integrity of information within one's own organization. This ISO 27001 standard contains a system of control measures to take cybersecurity and privacy protection to a higher level.
NIS2 and ISO27001 - similarities and differences
If the IT environment is set up in accordance with ISO27001 then a (very) important step has already been taken. There is an information security policy, logical access security is in place, employees are aware of information security risks, an incident management process has been implemented, etc. There is already a head start on the NIS2, especially if the ISO 27001 management system is certified.
However, there are some differences. NIS2 imposes a duty of care and a duty to report significant cyber incidents within specific reporting periods. The organisation is also supervised by a competent authority. Also remember that ISO27001 is focused on information security, whereas NIS2 looks at broader operational and supply chain risks.
ISMS for ISO27001, practical example
An Information Security Management System (ISMS) based on the ISO/IEC 27001 standard provides organisations with a structured and internationally recognised approach to information security. By using a control framework, security measures are systematically set up, managed and continuously improved. This fits in seamlessly with the requirements of the NIS2 directive, which requires organisations to demonstrably manage risks. Note the few differences described above.
An ISMS helps companies to organise governance, risk management and compliance in an integrated way, which is essential within NIS2. ISO 27001's risk-based approach allows organisations to prioritise their security measures in a targeted manner. The control framework acts as a concrete instrument to make these measures measurable and verifiable. This creates transparency towards regulators and stakeholders, which is an important aspect within NIS2. In addition, an ISMS supports the structural recording of processes, responsibilities and incident management. This not only increases resilience to cyber threats, but also speeds up meeting the reporting obligations under NIS2. Organisations also benefit from reusable controls, making implementation more efficient and scalable. In short, an ISMS with a strong control framework not only offers compliance, but also a strategic advantage in the professional management of digital risks.
Below is an example of the basic setup of an ISMS - Information Security Management System. For the required 'controls' (measures), our business partner Meta-audit.nl again provides some overviews and the mandatory documents. Their knowledge has been incorporated into the demo environments below.
