9 min reading
Tue Feb 20 2024

Is ISO 27001 enough for NIS2 compliance?

If you start reading this article, chances are high that you know what NIS2, the European Cybersecurity regulation for businesses that are important to society, effective October 17th 2024, entails.

In case you don’t, please have a look at the following resources:

Over the years, as cybersecurity has become an increasingly important area of focus in IT, many medium to large companies have obtained ISO 27001 certification. The question on most corporate managers' minds: is the certificate sufficient to meet the NIS2 requirements? Keep in mind that in many countries the transposition of the EU directive into national legislation has not yet been completed, so additional requirements may emerge.

More insights into DORA requirements and their mapping to ISO controls can be found in this article.

The scope of the ISO certificate

NIS2 emphasizes cybersecurity from a societal perspective. Its scope is the set of activities that are important for the continued proper functioning of a country. So first and foremost, you must ensure that the scope of activities that are ISO 27001 certified in your company covers all activities that are important or essential to society.

This is the very minimum; some countries may be stricter in accepting ISO 27001 certification for NIS2 compliance. In Belgium, for example, the (current) position of the regulator is that the ISO 27001 certificate must cover the entire company, including subsidiaries that are not totally segregated. Please check the ISO 27001 scope requirements with your regulatory advisor or directly with the regulatory authority.

ISO 27001:2013 vs ISO 27001:2022

ISO 27001:2022 is the latest version of the global standard for information security management systems (ISMS). Released by the International Organization for Standardization (ISO) on December 15, 2022, this version serves as an improvement and revision of its predecessor, ISO 27001:2013. Its primary purpose remains to establish a comprehensive framework of best practice policies, procedures and controls to mitigate the risks of security breaches.

The framework of ISO 27001:2022 mirrors that of ISO 27001:2013, with a similar cycle for developing, implementing, maintaining and improving an ISMS. In addition, the overarching structure remains consistent with other ISO standards such as ISO 9001 (quality management) and ISO 14001 (environmental management), streamlining the integration process.

Nevertheless, ISO 27001:2022 introduces notable changes and improvements over ISO 27001:2013, including:

  • Stressing the central role of top management in providing guidance for the ISMS (also a NIS2 requirement).
  • Updating the controls in Appendix A to incorporate emerging technologies and changing threats.
  • Harmonization with relevant related standards such as ISO/IEC 27701 (privacy information management) and ISO/IEC 27018 (cloud computing).
  • Clarifying the requirements for conducting risk assessments and performing risk remediation.

The transition period begins on October 31, 2022 and ends on October 31, 2025. Certifications based on ISO 27001:2013 will expire or be revoked at the end of the transition period.

ISO 27001:2013 is a good start, but ISO 27001:2022 is a better basis given its enhancements, which are in line with NIS2 requirements. In addition, ISO 27001:2013 certifications are valid only until one year after the effective date of the NIS2 legislation. If you have ISO 27001:2013 and have not yet started upgrading the certificate, now is a good time to start doing so.

ISO 27001:2022 vs NIS2 requirements

Overview

The table below provides a mapping between NIS2 requirements and ISO 27001:2022 (and ISO 27002:2022) controls. For each NIS2 area, the first line lists the ISO 27001:2022 clauses and Annex A controls, the second the corresponding ISO 27002:2022 controls.

Governance (Article 20)
  ISO 27001:2022: Annex A 5.1, 5.31, 5.34, 5.35, 5.36, 6.3
  ISO 27002:2022: 5.1, 5.31, 5.34, 5.35, 5.36, 6.3

Security risk measures (Article 21), A. Policies on risk analysis and information system security
  ISO 27001:2022: Clauses 5.2, 6.1.2, 6.1.3, 8.2, 8.3; Annex A 5.1
  ISO 27002:2022: 5.2

Security risk measures (Article 21), C. Business continuity
  ISO 27001:2022: Annex A 5.29, 5.30, 8.13, 8.14, 8.15, 8.16
  ISO 27002:2022: 5.29, 5.30, 8.13, 8.14, 8.15, 8.16

Security risk measures (Article 21), D. Supply chain security
  ISO 27001:2022: Annex A 5.19, 5.20, 5.21, 5.22, 5.23
  ISO 27002:2022: 5.19, 5.20, 5.21, 5.22, 5.23

Security risk measures (Article 21), E. Security in network acquisition, development and maintenance
  ISO 27001:2022: Annex A 5.20, 5.24, 5.37, 6.8, 8.8, 8.9, 8.20, 8.21
  ISO 27002:2022: 5.20, 5.24, 5.37, 6.8, 8.8, 8.9, 8.20, 8.21

Security risk measures (Article 21), F. Policies and procedures to assess effectiveness
  ISO 27001:2022: Clauses 9.1, 9.2, 9.3; Annex A 5.35, 5.36
  ISO 27002:2022: 5.35, 5.36

Security risk measures (Article 21), G. Basic cyber hygiene practices and training
  ISO 27001:2022: Clauses 7.3, 7.4; Annex A 5.15, 5.16, 5.18, 5.24, 6.3, 6.5, 6.8, 8.2, 8.3, 8.5, 8.7, 8.9, 8.13, 8.15, 5.19, 5.22
  ISO 27002:2022: 5.15, 5.16, 5.18, 5.24, 6.3, 6.5, 6.8, 8.2, 8.3, 8.5, 8.7, 8.9, 8.13, 8.15, 5.19, 5.22

Security risk measures (Article 21), H. Policies on and use of cryptography and encryption
  ISO 27001:2022: Annex A 8.24
  ISO 27002:2022: 8.24

Security risk measures (Article 21), I. Human resources security
  ISO 27001:2022: Annex A 5.9, 5.10, 5.11, 5.15, 5.16, 5.17, 5.18, 6.1, 6.2, 6.4, 6.5, 6.6
  ISO 27002:2022: 5.9, 5.10, 5.11, 5.15, 5.16, 5.17, 5.18, 6.1, 6.2, 6.4, 6.5, 6.6

Security risk measures (Article 21), J. Use of multi-factor authentication
  ISO 27001:2022: Annex A 5.14, 5.16, 5.17
  ISO 27002:2022: 5.14, 5.16, 5.17

Reporting (Article 23)
  ISO 27001:2022: Annex A 5.14, 6.8
  ISO 27002:2022: 5.14, 6.8

Use of European cybersecurity certification schemes (Article 24)
  ISO 27001:2022: Annex A 5.20
  ISO 27002:2022: 5.20
Source: Hunt and Hackett
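A practical use of this mapping is a gap check of your own Statement of Applicability (SoA) against the ISO 27002:2022 column, so that controls excluded on risk-appetite grounds or still "planned" surface per NIS2 area. The following is an added example, not code from Ceeyu or Hunt and Hackett; the SoA contents are constructed, and the row for Article 21 A, which the table shows as "A 5.2", is read here as control 5.2.

```python
"""Gap check of an ISO 27001 Statement of Applicability (SoA) against the
NIS2 -> ISO 27002:2022 mapping in the table above.

Added example, not Ceeyu's or Hunt and Hackett's code. The SoA below is
constructed sample data, not a real organisation's.
"""

# ISO 27002:2022 column of the mapping table, keyed by NIS2 area.
NIS2_TO_ISO27002 = {
    "Governance (Article 20)": ["5.1", "5.31", "5.34", "5.35", "5.36", "6.3"],
    # The page's table shows "A 5.2" for this row; read here as control 5.2.
    "Art. 21 A - Policies on risk analysis and information system security": ["5.2"],
    "Art. 21 C - Business continuity": ["5.29", "5.30", "8.13", "8.14", "8.15", "8.16"],
    "Art. 21 D - Supply chain security": ["5.19", "5.20", "5.21", "5.22", "5.23"],
    "Art. 21 E - Security in acquisition, development and maintenance":
        ["5.20", "5.24", "5.37", "6.8", "8.8", "8.9", "8.20", "8.21"],
    "Art. 21 F - Policies and procedures to assess effectiveness": ["5.35", "5.36"],
    "Art. 21 G - Basic cyber hygiene practices and training":
        ["5.15", "5.16", "5.18", "5.24", "6.3", "6.5", "6.8", "8.2", "8.3",
         "8.5", "8.7", "8.9", "8.13", "8.15", "5.19", "5.22"],
    "Art. 21 H - Cryptography and encryption": ["8.24"],
    "Art. 21 I - Human resources security":
        ["5.9", "5.10", "5.11", "5.15", "5.16", "5.17", "5.18",
         "6.1", "6.2", "6.4", "6.5", "6.6"],
    "Art. 21 J - Multi-factor authentication": ["5.14", "5.16", "5.17"],
    "Reporting (Article 23)": ["5.14", "6.8"],
    "European cybersecurity certification schemes (Article 24)": ["5.20"],
}

IMPLEMENTED = "implemented"


def controls_needed(mapping=NIS2_TO_ISO27002):
    """Distinct ISO 27002:2022 controls the mapping expects, sorted numerically."""
    return sorted({c for cs in mapping.values() for c in cs},
                  key=lambda c: tuple(int(p) for p in c.split(".")))


def nis2_gaps(soa, mapping=NIS2_TO_ISO27002):
    """Return {area: {control: status}} for every mapped control that is not
    implemented. A control absent from the SoA is reported as "missing"; one
    excluded on risk-appetite grounds shows its SoA status ("not applicable").
    An empty dict means every mapped control is implemented."""
    gaps = {}
    for area, controls in mapping.items():
        unmet = {c: soa.get(c, "missing")
                 for c in controls if soa.get(c) != IMPLEMENTED}
        if unmet:
            gaps[area] = unmet
    return gaps


# Constructed SoA: every mapped control implemented except three.
SAMPLE_SOA = {c: IMPLEMENTED for c in controls_needed()}
SAMPLE_SOA["8.24"] = "not applicable"   # cryptography excluded on risk-appetite grounds
SAMPLE_SOA["5.30"] = "planned"          # ICT readiness for business continuity
del SAMPLE_SOA["5.14"]                  # information transfer not in the SoA at all

if __name__ == "__main__":
    # Each affected NIS2 area is listed with the controls that hold it back.
    for area, unmet in nis2_gaps(SAMPLE_SOA).items():
        print(f"{area}: {unmet}")
```

Because one ISO control can back several NIS2 areas (5.14 appears under both multi-factor authentication and reporting), a single exclusion shows up in every area it affects, which is exactly the view a regulator reading the SoA will take.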

Risk appetite

ISO 27001 is a risk-based rather than a rules-based management system, so identifying and appropriately managing risks is fundamental. Because some risks are acceptable to a company, not all controls are necessarily required and not all risks need to be fully mitigated. Which risks are acceptable and which are not depends entirely on the company's risk appetite.

Although NIS2 also calls for a risk-based approach, it is certain that an ISO 27001 certification of companies with a very high risk appetite will not be accepted for NIS2 compliance, as this defeats the purpose of NIS2, which is to ensure business continuity for essential and important enterprises.

The importance of ISO 27002

The ISO 27002 standard is a detailed supplementary guide to the security controls in the ISO 27001 framework. It provides best-practice guidance on selecting and implementing the controls listed in ISO 27001; however, the ISO 27002 controls (94 controls in the 2022 standard) are not compulsory to become ISO 27001 certified. They are, at best, a reference set of information security controls that organizations can use. Also, companies can only certify for ISO 27001, not for ISO 27002.

As shown in the table above, many ISO 27002 controls map to NIS2 requirements. As such, while not required for obtaining the ISO 27001 certificate, (most of) ISO 27002 is mandatory for NIS2 compliance.

Business continuity management is where ISO 22301 may help, but it’s not a must.

Under NIS2, critical and important entities must ensure continuity of operations in the event of a major incident, which may be an incident other than a cyberattack, and which may not be an internal incident, but also an incident at a critical supplier. Organizations must therefore implement a comprehensive resilience framework - which includes business continuity, disaster recovery and crisis management - to minimize disruptions.

If organizations have carefully implemented the ISO 27001 and ISO 27002 controls listed above for business continuity and disaster recovery (5.29 and 5.30 as the core), they should comply with NIS2 in this area. However, organizations covered by NIS2 could consider adding ISO 22301 for business continuity management (BCM). ISO 22301 is designed to help implement, maintain and continuously improve a company's business continuity approach. While some aspects of ISO 27001 touch on business continuity management, it does not define a process for implementing BCM. That is where the complementary standard ISO 22301 comes in. Certification to this standard further demonstrates compliance with NIS2, but it is not an absolute must.

Supply chain risk management is not just about information security

In the context of NIS2, attention should not only be paid to information security throughout the supply chain. Any business continuity threat that could potentially spread through the entire supply chain should be identified and mitigated. Therefore, the content of risk assessments can be revised to place more emphasis on the business continuity measures implemented at the supplier. The list of suppliers covered by third-party risk management may also need revising: while the focus of ISO 27001 is more on the ICT supply chain, the focus of NIS2 on general business continuity may require you to expand the list of assessed suppliers. Obviously, the security of potential IT integrations (e.g. APIs) with these non-ICT suppliers must also be considered.

ISO 27036 is to supply chain risk management what ISO 22301 is to business continuity. ISO 27001 does not define a process for implementing third-party risk management. That is where ISO 27036 can help companies that have no experience or expertise in this area, or that want to use the standard to structure the activity. But here too, ISO 27036 is in itself not mandatory for NIS2 compliance.

In the area of incident notification, there is certainly work to be done

Article 23 of the NIS2 Directive states that "Each Member State shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority of any incident that has a significant impact on the provision of their services."

Cybercriminals operate across national borders. Therefore, NIS2 aims to improve cooperation and information sharing regarding cyber incidents across the European Union. Consequently, there is an obligation to report significant incidents to the competent authorities within specified deadlines, as determined by the individual member states. The directive prescribes the following lead times for such reports:

  • First notification within 24 hours
  • First report within 72 hours
  • Full report within a month after notification

This requirement has far-reaching implications and is only marginally covered by the ISO 27001/27002 standards. For organizations subject to the GDPR, the implementation of Annex A 5.24 (Information Security Incident Management Planning and Preparation) requires notification procedures to be in place to report data breaches to authorities within 72 hours. NIS2, however, requires any security incident that threatens business continuity to be reported within 24 hours. To report properly, companies must first have adequate detection, including initial analysis and forensics, and incident response. Also, "military-style" internal reporting and decision-making processes must be in place to meet the 24-hour deadline. These processes must not only be defined, they must also be tested to ensure they work as they should.
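Testing the reporting process means checking, for a real or exercised incident, whether each of the three submissions above went out before its deadline. The code below is an added example for that check, not code from the page's authors or from Ceeyu. The incident timestamps are constructed, and it assumes that the 24-hour and 72-hour clocks start when the entity becomes aware of the incident, that "a month" means 30 days, and that the one-month clock starts at the submission of the 72-hour report; confirm these against your national transposition.

```python
"""Check an incident's NIS2 Article 23 reporting stages against their deadlines.

Added example, not from the page's authors. Timestamps below are constructed.
Assumptions: 24 h and 72 h run from the moment of awareness; the final report is
due 30 days after the 72 h report was actually submitted (or, if it has not been
submitted yet, after its own deadline).
"""

from datetime import datetime, timedelta

# (stage, delay, stage whose submission starts the clock; None = awareness time)
STAGES = [
    ("early_warning", timedelta(hours=24), None),
    ("incident_notification", timedelta(hours=72), None),
    ("final_report", timedelta(days=30), "incident_notification"),
]


def check(aware_at, submitted, now):
    """Return {stage: (deadline, status)} with status one of
    "on time", "late" (sent after the deadline), "overdue" (not sent, deadline
    passed) or "pending" (not sent, deadline still ahead).
    `submitted` maps stage -> datetime or None."""
    result, due = {}, {}
    for name, delay, ref in STAGES:
        # The clock starts at awareness, or at the actual submission of the
        # referenced stage; fall back to that stage's deadline if unsent.
        start = aware_at if ref is None else (submitted.get(ref) or due[ref])
        due[name] = start + delay
        sent = submitted.get(name)
        if sent is None:
            status = "overdue" if now > due[name] else "pending"
        else:
            status = "on time" if sent <= due[name] else "late"
        result[name] = (due[name], status)
    return result


def check_iso(aware_iso, submitted_iso, now_iso):
    """Same as check(), but every timestamp is an ISO-8601 string with offset."""
    parse = datetime.fromisoformat
    submitted = {k: parse(v) for k, v in submitted_iso.items() if v}
    return check(parse(aware_iso), submitted, parse(now_iso))


# Constructed incident: warning on time, 72 h report sent 75 minutes late,
# final report still outstanding.
AWARE_AT = "2024-11-04T09:00:00+00:00"
SUBMITTED = {
    "early_warning": "2024-11-04T20:30:00+00:00",
    "incident_notification": "2024-11-07T10:15:00+00:00",
    "final_report": None,
}

if __name__ == "__main__":
    for stage, (deadline, status) in check_iso(AWARE_AT, SUBMITTED,
                                               "2024-11-20T12:00:00+00:00").items():
        print(f"{stage:22s} due {deadline.isoformat()}  {status}")
```

Run against a tabletop exercise log, a "late" or "overdue" in the output is the finding the paragraph above is after: the process exists on paper but did not meet the deadline in practice.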

This blogpost has been written in collaboration with Danny Zeegers, NIS2/ISO 9001/ISO27001 Expert at QFIRST

How Ceeyu can assist with NIS2 compliance

Ceeyu’s SaaS platform scans your network and the networks of companies in your supply chain using automated active and passive scanning techniques like those attackers use, in search of software vulnerabilities and network weaknesses.

Because not all security risks can be identified in an automated manner, Ceeyu also offers the possibility to carry out digital questionnaire-based audits. This can be done by creating questionnaires tailored to the supplier, from a blank sheet or starting from templates that Ceeyu makes available. The completion of the questionnaire by the supplier and the follow-up of the process by the customer take place in a secure environment on the same SaaS platform. This enables simple, central follow-up, entirely online and without the intervention of third parties. The closed platform guarantees the confidentiality of the survey, since only authorized persons have access to the application.

As such, Ceeyu contributes to fulfilling a considerable part of the requirements in Article 21 of NIS2, more specifically:

[…] essential and important entities must take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems […]. The measures […] shall include at least the following:
(a)  policies on risk analysis and information system security;
(d)  supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e)  security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f)  policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
Dries Plasman

Author

Dries leads the marketing and product management activities at Ceeyu. Before joining Ceeyu, he worked in similar roles at Voxbone (now Bandwidth.com) and Orange. Dries also worked in management consulting (at Greenwich, now EY Parthenon). He is a B2B marketer at heart, with a very strong affinity for technology.
