NIS2 step-by-step plan

Organizations that invest in cyber resilience today (and must, see the NIS2 self-evaluation) cannot do without a structured approach. An effective NIS2 roadmap provides exactly that structure by bringing compliance and risk management together. It helps companies meet the NIS2 requirements systematically by using the ISO 27001 standard in an integrated approach. Clear phasing creates an overview of complex compliance processes. After the self-evaluation, this means performing a gap analysis, identifying risks and implementing appropriate measures. An important advantage is that a good NIS2 step-by-step plan guides organizations from their current situation to demonstrable compliance. This often uses a mapping between NIS2 and ISO 27001, which avoids duplication of effort and increases efficiency, so that existing management systems can be used to the full.

In addition, this approach stimulates collaboration between IT, risk and management, which removes internal silos. This makes it possible to make targeted adjustments and set priorities. A structured approach also makes it easier to deal with audits and supervisory authorities. It increases not only compliance but also the trust of stakeholders and customers. With a well-designed NIS2 step-by-step plan, information security becomes a strategic advantage instead of an obligation.
Organizations that embrace this approach position themselves more strongly in an increasingly strict and digital market and achieve the higher level of cyber resilience that is now required.

This requires a step-by-step plan. Thanks to our colleagues at Meta-audit.nl, a step-by-step plan has been developed that provides a control framework for NIS2 combined with ISO 27001:2022. In a hurry? Request Meta-audit's ISO 27001:2022 QuickStart directly (including an explanation of the 11 new measures and conversion tables).

NIS2 ISMS

An ISMS is an Information Security Management System: a structured approach to organizing, managing and improving information security. It brings together risks, measures, responsibilities, processes and controls in one manageable system. ISO 27001 is the international standard that describes the requirements an effective ISMS must meet. With an ISMS, organizations can demonstrate that they approach information security systematically rather than ad hoc.
NIS2 sets stricter requirements for cyber resilience, risk management, incident reporting and management accountability. A well-designed ISMS helps organizations translate these NIS2 obligations into policy, controls and actions in practice. This makes ISO 27001 a strong basis for growing demonstrably towards NIS2 compliance.
In short: an ISMS is the foundation with which organizations get a grip on information security, ISO 27001 certification and NIS2 compliance. Note, however, that there are differences between the two.

Take a look at an example of an ISMS platform.

NIS2 - ISO 27001 focus areas

In order to comply with the management system standard ISO 27001 (and the NEN 7510 for healthcare derived from it), an organization must have a complete management system (ISMS, Information Security Management System) containing control measures for information security.

The control measures are divided into four focus areas:

  • Organizational measures
  • Measures with regard to people
  • Physical measures
  • Technical measures

If you want to know more, you can contact our colleagues at Meta-audit.nl. Click here for their full overview of ISO 27001:2022.


NIS2 step-by-step plan implementation

Updating an ISMS is quite a job, for which, as mentioned, a clear step-by-step plan is certainly needed, as well as good tooling.

The step-by-step plan can be divided into the following steps:

  1. Preparation
  2. What's There, What's Not – FitGap Analysis (click here for example)
  3. Improving 'Gaps' and implementing new measures
  4. Internal audit, in particular with regard to the new control measures
  5. Let the external auditor come...


NIS2 - ISO27001, FitGap analysis - the practical approach

A practical way to perform a FitGap analysis is to set up the control measures as a control framework. For each control measure or group of control measures, you determine whether it has been implemented and whether it is effective. A good tool, for example a workflow-driven one, is then of practical value: you usually work together with several people, and a joint overview with individual workflow actions is useful. It monitors progress and makes it demonstrable that the transition to the new version of the standard has been handled properly.
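The control-framework approach described above, worked out as an added example in Python that is not part of this page or of Meta-audit's tooling: every control carries its focus area and two assessment findings (implemented? effective?), is classified as fit, partial or gap, and every non-fit control becomes a workflow action with an owner, gaps before partials. Coverage is reported per focus area, and open items are also grouped under a NIS2 reference so that one shortcoming mapped from both standards is worked only once. The control ids and titles follow ISO 27001:2022 Annex A as I know it (check them against your copy of the standard); the NIS2 Article 21(2) references, statuses and owners are constructed assumptions for illustration only.

```python
"""FitGap analysis over a control framework (added example, not the page's own code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

FOCUS_AREAS = ("Organizational", "People", "Physical", "Technical")
STATUS_ORDER = {"gap": 0, "partial": 1, "fit": 2}  # work order for the actions


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    focus_area: str
    nis2_ref: str        # assumed mapping to NIS2 Art. 21(2); illustrative, not the page's mapping
    implemented: bool
    effective: bool
    owner: str = "unassigned"

    def status(self) -> str:
        # Effectiveness only counts once the control is actually in place.
        if self.implemented and self.effective:
            return "fit"
        if self.implemented:
            return "partial"
        return "gap"


@dataclass(frozen=True)
class Action:
    control_id: str
    owner: str
    task: str


# Constructed sample framework: ids/titles follow ISO 27001:2022 Annex A (verify against
# your copy of the standard); NIS2 references, findings and owners are made up.
SAMPLE_CONTROLS = [
    Control("5.1", "Policies for information security", "Organizational", "Art. 21(2)(a)", True, True, "CISO"),
    Control("5.7", "Threat intelligence", "Organizational", "Art. 21(2)(a)", False, False, "SOC lead"),
    Control("5.23", "Information security for use of cloud services", "Organizational", "Art. 21(2)(d)", True, False, "Procurement"),
    Control("6.3", "Information security awareness, education and training", "People", "Art. 21(2)(g)", True, True, "HR"),
    Control("7.1", "Physical security perimeters", "Physical", "Art. 21(2)(i)", True, True, "Facilities"),
    Control("8.8", "Management of technical vulnerabilities", "Technical", "Art. 21(2)(e)", True, False, "IT ops"),
    Control("8.16", "Monitoring activities", "Technical", "Art. 21(2)(b)", False, False, "SOC lead"),
]

TASKS = {
    "gap": "Implement the control and collect evidence of operation",
    "partial": "Test effectiveness and record the evidence (sample, review, retest)",
}


def fitgap(controls):
    """Classify every control; return (status per control, counts per focus area, actions)."""
    statuses = {}
    per_area = {area: Counter() for area in FOCUS_AREAS}
    actions = []
    for c in controls:
        if c.focus_area not in per_area:
            raise ValueError(f"{c.control_id}: unknown focus area {c.focus_area!r}")
        status = c.status()
        statuses[c.control_id] = status
        per_area[c.focus_area][status] += 1
        if status != "fit":
            actions.append(Action(c.control_id, c.owner, TASKS[status]))
    # Real gaps first, then controls that exist but whose effectiveness is unproven.
    actions.sort(key=lambda a: (STATUS_ORDER[statuses[a.control_id]], a.control_id))
    return statuses, per_area, actions


def coverage(per_area):
    """Fraction of controls per focus area that are fully fit (0.0 for an empty area)."""
    out = {}
    for area, counts in per_area.items():
        total = sum(counts.values())
        out[area] = counts["fit"] / total if total else 0.0
    return out


def open_items_by_nis2(controls):
    """Group non-fit controls under their NIS2 reference so one shortfall is not worked twice."""
    grouped = defaultdict(list)
    for c in controls:
        if c.status() != "fit":
            grouped[c.nis2_ref].append(c.control_id)
    return dict(grouped)


if __name__ == "__main__":
    statuses, per_area, actions = fitgap(SAMPLE_CONTROLS)
    for area, frac in coverage(per_area).items():
        print(f"{area:14s} fit {frac:5.0%}  {dict(per_area[area])}")
    for a in actions:
        print(f"{a.control_id:5s} {statuses[a.control_id]:8s} {a.owner:12s} {a.task}")
    for ref, ids in sorted(open_items_by_nis2(SAMPLE_CONTROLS).items()):
        print(f"{ref}: {', '.join(ids)}")
```

The split between "partial" and "gap" is the point of the exercise: a control that is on paper but has never been tested is not evidence for an auditor, so it gets its own task (collect effectiveness evidence) rather than being counted as done. Replace the sample list with an export of your own control framework and the per-area and per-NIS2-reference views fall out unchanged.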

Click here for a demo of a workflow-driven ISO 27001:2022 control framework or Declaration of Applicability (VvT) with points of attention per standard item.


Start your free trial now

We don't have 'shiny leaflets'. Get hands-on right away and experience the convenience, overview and productivity improvement.
We help you online and enrich you with the experience and best practices of other users.

Start Now