NIS2 & ISO/IEC 27001:2022: the requirements

NIS2 & ISO/IEC 27001:2022: New controls to fulfill both standards

In 2022, the EU's NIS2 Directive and the new version of ISO/IEC 27001, according to which an ISMS certification can be obtained, were published in the same timeframe. Both frameworks, which provide important guidance for managing relevant cyber risks, have numerous overlaps. Orientation towards ISO/IEC 27001:2022 therefore helps significantly in meeting NIS2 requirements.
April 05, 2024

NIS2 Compliance through Implementation of ISO/IEC 27001:2022

NIS2 sets out numerous requirements for managing cyber risks. Their purpose is to protect network and information systems, their users and other persons within the EU from circumstances, events or actions that compromise the availability, authenticity, integrity and/or confidentiality of data or services. To achieve this, appropriate processes (called “cyber security practices” in the NIS2 context) and measures (called “cyber security hygiene” in the NIS2 context) must be effectively implemented.

Both the definition of the required processes and the implementation of suitable measures are best carried out as part of an information security management system (ISMS). The key standard for an ISMS, and the one that applies throughout the EU in particular, is ISO/IEC 27001. A close reference to ISO/IEC 27001 was already evident while the NIS2 Directive was being drafted: Article 21 (1), read in conjunction with Recital 79, requires that relevant international standards such as the ISO/IEC 27000 series be taken into account in the prevention of cyber risks.

The new controls in Annex A of ISO/IEC 27001, which are described in more detail in the new version of ISO/IEC 27002, are particularly well suited to implementing NIS2 requirements. Fulfilling NIS2 requirements, however, also calls for essential components from the main body of ISO/IEC 27001:2022, the clauses that must be fulfilled directly for certification. It is worth taking a closer look here.

Alignment of Risk Management

Traditional information security primarily protects the security objectives of availability, integrity and confidentiality of data and services. In the NIS2 context, authenticity is added as an independent security objective.

In the usual risk analysis, only the impact on the direct operator of the network and information systems within the scope of their ISMS is considered. In the NIS2 context, this is extended to undesirable risks for society.

In contrast to its predecessor, the new version of ISO/IEC 27001 now requires that the fulfillment of security objectives be monitored, that criteria for ISMS processes be defined, and that those processes be managed in accordance with these criteria. This is where the two frameworks converge. One criterion for the quality to be achieved is the desired ability to manage undesired impairments, which can also affect users and other persons. At the same time, this noticeably and significantly increases the resilience achieved against existing cyber threats. So both sides win.

NIS2-specific controls from ISO/IEC 27001:2022:

  • The existing threat landscape must be explicitly analyzed (A.5.7)
  • Data to be protected must be classified according to all four security objectives (A.5.13)
  • The complete life cycle of identities must be considered when defining access rights (A.5.16)
  • Established cyber security practices in the supply chain must be explicitly monitored (A.5.19 – A.5.22)
  • Lessons learned from incidents must be used to improve cyber security (A.5.27)
  • Network and information systems must be aligned to meet business continuity objectives and serve resilience (A.5.30)
  • Deployed personnel and interested parties must be trained on specific cyber security requirements (A.6.3)
  • Maintaining physical security requires constant monitoring (A.7.4)
  • Network and information systems must be configured securely (A.8.9)
  • Unusual system behavior must be monitored (A.8.16)
  • Only secure networks and network devices are to be integrated (A.8.20)

The controls listed above, introduced with the new version of ISO/IEC 27001, are closely related to NIS2 requirements and therefore actively contribute to NIS2 conformity.

Several birds with one stone

By consistently implementing NIS2 requirements as part of an ISMS aligned with ISO/IEC 27001:2022, you not only achieve NIS2 compliance but also implement or enhance a forward-looking ISMS. Such an ISMS is more readily certifiable, and the certification in turn serves as proof of effectively implemented NIS2-compliant cyber security practices towards the supply chain.

The experts at SITS will help you to make your ISMS NIS2-compliant or in accordance with the new version of ISO/IEC 27001, as well as to establish suitable, target-oriented and effective measures for cyber security hygiene and implement them in practice.
