NIS2 checklist

The NIS2 directive asks organizations to demonstrably take their cyber resilience to the next level, and a powerful NIS2 checklist is the accelerator. For organizations that operate in essential and important sectors, this is not optional but a strategic necessity to ensure continuity and trust. A professionally designed checklist translates complex legislation directly into concrete, actionable steps within the organization.

Companies that already work with ISO/IEC 27001 have a significant advantage in this respect, because they have a proven and structured control framework. This existing foundation makes it possible to integrate NIS2 requirements quickly and efficiently without costly reimplementations. The overlap between ISO 27001 and NIS2 ensures that core components such as risk management, incident response and monitoring can be used immediately.

A smart NIS2 checklist fits in seamlessly with this and provides a single overview of where your organization stands and what steps are needed. At the same time, the checklist shows where additional attention is required, such as stricter reporting obligations and broader governance requirements. This enables organizations to invest in a targeted way in measures that directly contribute to compliance and risk reduction. This structured approach turns compliance from an administrative burden into a strategic tool for digital resilience. Organizations that organize this well position themselves more strongly towards regulators, customers and chain partners.

In short, an integrated approach with ISO 27001 as a foundation and a powerful NIS2 checklist as a compass provides an efficient, scalable and future-proof route to full NIS2 compliance.


What is NIS2

The NIS2 Directive (Network and Information Security 2, successor to NIS1) was adopted by the European Union to strengthen cybersecurity and digital resilience in EU member states. NIS2 goes further than its predecessor: more sectors, stricter security standards and incident reporting requirements. The duty of care and the duty to report are important elements. From 2024, this directive enters into force as national legislation.

Our business partner Quality-in-Motion has explained everything neatly:


What is ISO27001

ISO 27001 is a globally recognized standard in the field of information security. The standard describes how the security of information can be handled in a process-oriented way, with the aim of ensuring the confidentiality, availability and integrity of information within one's own organization. This ISO 27001 standard contains a system of control measures to take cybersecurity and privacy protection to a higher level.


NIS2 and ISO27001 - similarities and differences

If the IT environment is set up in accordance with ISO 27001, an important step has already been taken. There is an information security policy, logical access security is in place, employees are aware of information security risks, an incident management process has been implemented, and so on. This is already a head start on NIS2, especially if the ISO 27001 management system is certified.
However, there are some differences. NIS2 imposes a duty of care and a duty to report significant cyber incidents. The organization is also supervised by a competent authority.


NIS2 checklist - obligations

The measures that must be taken to comply with the duty of care of NIS2:


  • A risk analysis and security of information systems
  • (Policy and procedures on) incident handling
  • Business continuity measures, such as maintenance management and contingency plans
  • Supply chain security
  • Security in the processing, development and maintenance of network and information systems, including vulnerability response and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk controls
  • Basic cyber hygiene and cybersecurity training
  • Policies and procedures on the use of cryptography and encryption
  • Security aspects in the areas of personnel, access policies and asset management
  • The use of multi-factor authentication, secure voice, video, and text communications, and secure emergency communications systems within the entity


ISO27001 Annex A

In addition to the risk analysis that forms an integral part of this management system standard, a large number of additional measures apply, the so-called Annex A. These are much more comprehensive than the NIS2 obligations indicated above.


5 Organizational measures

5.1 Information security policy
5.2 Information security roles and responsibilities
5.3 Segregation of duties
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.7 Threat intelligence
5.8 Information security in project management
5.9 Inventory of information and other associated assets
5.10 Acceptable use of information and other associated assets
5.11 Return of assets
5.12 Classification of information
5.13 Labelling of information
5.14 Transfer of information
5.15 Access security
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Approach to information security within supplier agreements
5.21 Information security management in the ICT supply chain
5.22 Monitoring, assessment and change management of supplier services
5.23 Information security when using cloud services
5.24 Planning and preparation for information security incidents
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.27 Learning from information security incidents
5.28 Collection of evidence
5.29 Information security during disruption
5.30 ICT readiness for business continuity
5.31 Identification of legal, statutory, regulatory and contractual requirements
5.32 Intellectual property rights
5.33 Data protection
5.34 Privacy and protection of PII
5.35 Independent information security assessment
5.36 Compliance with information security policies and standards
5.37 Documented operating procedures

6 Measures with regard to people

6.1 Screening
6.2 Working conditions (terms and conditions of employment)
6.3 Information security awareness, education and training
6.4 Disciplinary process
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements
6.7 Remote work
6.8 Reporting of information security events

7 Physical measures

7.1 Physical protection zones
7.2 Physical access controls
7.3 Securing offices, rooms and facilities
7.4 Physical security monitoring
7.5 Protection against physical and environmental threats
7.6 Working in secure areas
7.7 Clear desk, clear screen
7.8 Equipment placement and protection
7.9 Securing assets outside the premises
7.10 Storage media
7.11 Supporting systems (utilities)
7.12 Cabling protection
7.13 Equipment maintenance
7.14 Safe disposal or reuse of equipment

8 Technical measures

8.1 End-user equipment
8.2 Special (privileged) access rights
8.3 Restriction of access to information
8.4 Access to source code
8.5 Secure authentication
8.6 Capacity management
8.7 Malware protection
8.8 Technical vulnerability management
8.9 Configuration management
8.10 Deleting information
8.11 Data masking
8.12 Data breach (leakage) prevention
8.13 Backup of information
8.14 Redundancy of information processing facilities
8.15 Logging
8.16 Monitoring of activities
8.17 Clock synchronization
8.18 Use of privileged utilities
8.19 Installation of software on operational systems
8.20 Network operation (network security)
8.21 Security of network services
8.22 Segregation in networks
8.23 Web filtering
8.24 Use of cryptography
8.25 Secure development lifecycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.28 Secure programming
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
8.34 Protection of information systems during audit and testing


ISMS for ISO27001, practical example

Even if you can set up an ISO 27001 management system as a cloud solution in 60 seconds, working step by step towards an implemented and certifiable ISMS requires the necessary attention. Below is an example of the basic setup of an ISMS (Information Security Management System). For the required 'controls' (measures), our business partner Meta-audit.nl has supplied some overviews and the mandatory documents; they also offer a digital list and a starter pack. Their knowledge has been incorporated into the demo environments below. 'Better to borrow well than to think badly' .... :=)

NIS2 checklist

Start your free trial now

We don't have 'shiny leaflets'. Get behind the buttons right away and experience the convenience, overview and productivity improvement.
We help you online and enrich you with the experience and best practices of other users.

Start Now