Cyberattacks are among the fastest-growing forms of crime worldwide. One clear indicator of the current threat landscape is the fact that, according to media reports, obtaining cyber insurance has become significantly more difficult for many organizations. Insurers are continuously raising their expectations regarding the maturity of an organization's cybersecurity capabilities. As a result, the widely used self-assessment approaches are increasingly being replaced by qualified audits supported by mandatory evidence demonstrating the implementation of required security measures.
Management Is Accountable
Directive (EU) 2022/2555 significantly expands both the number of organizations affected and their obligations. From 2024 onwards, it is expected that approximately 3,000 organizations in Austria — across 16 sectors, with at least 50 employees and annual revenues exceeding EUR 10 million — will be required to demonstrably implement cybersecurity measures. National legislation will be responsible for verifying compliance with these minimum requirements and, consequently, holding the executive management of operators of critical infrastructure accountable.
Leverage Synergies
The use of internationally recognized security standards is expected to be encouraged, with the European Commission planning to issue additional implementing regulations. Regardless of these future developments, ISO 27001 already presents itself as a highly relevant framework. Due to the extensive overlap between the requirements of NIS2 and ISO 27001 (see appendix), organizations affected by NIS2 have a strong incentive to invest in achieving certification readiness—or in obtaining ISO 27001 certification directly.
Both the NIS2 Directive and ISO 27001 pursue the common objective of improving the security of networks and information systems. However, they differ in one fundamental aspect. NIS2 is a legally binding European Union directive requiring operators of critical infrastructure to strengthen their security and resilience in order to respond effectively to cyberattacks. ISO 27001, on the other hand, is a voluntary international standard that can be implemented by organizations of any size and across all industries.
Start Planning Early
Today, information security has become a decisive competitive advantage. What was once often regarded primarily as a marketing instrument has now become essential for an organization's survival. In summary, NIS2 is the perfect fuel for ISO 27001. Operators of critical infrastructure are therefore well advised to start evaluating an ISO 27001 certification at an early stage. The overlap between the requirements of both frameworks (see mapping below) makes this an especially attractive opportunity.
Christoph Zajic
CERTAINITY, Head of Process Consulting
Mapping the NIS Regulation to ISO 27001:2022
| NIS Regulation | ISO 27001:2022 |
Governance and Risk Management | A risk assessment of network and information systems must be carried out. Specific risks shall be identified based on an analysis of the operational impact of security incidents and assessed with regard to the critical importance of the operator of essential services for the functioning of society. | Clause 8.2 Information security risk assessment |
An information security policy shall be established and reviewed periodically. | A.5.1 Policies for information security | |
The periodic review of network and information system security shall be planned and defined. | A.8.34 Protection of information systems during audit testing | |
All resources required to ensure the functionality of network and information systems shall be planned and provided with regard to short-, medium-, and long-term capacity requirements. | A.8.6 Capacity management | |
The periodic review of the information security management system shall be defined and carried out. | Clause 9.2 Internal audit | |
Information security aspects shall be considered and implemented within human resources processes. | 6 People controls |
| NIS Regulation | ISO 27001 |
Supplier and Vendor Management | Requirements for service providers, suppliers, and third parties regarding the operation of, secure access to, and access rights for network and information systems shall be defined and reviewed periodically. | A.5.19 Information security in supplier relationships |
Service level agreements with service providers and suppliers shall be reviewed and monitored periodically. | A.5.20 Addressing information security within supplier agreements | |
Security Architecture | Network and information systems shall be securely configured. These configurations shall be documented in a structured manner and kept up to date. | A.5.37 Documented operating procedures
|
Assets related to network and information systems shall be systematically identified, analysed, and documented. | A.5.9 Inventory of information and other associated assets | |
Network segmentation shall be implemented within network and information systems according to the required level of protection. | A.8.20 Network security
| |
Security within network segments and at the interfaces between network segments shall be ensured. | A.8.8 Management of technical vulnerabilities
| |
The confidentiality, authenticity, and integrity of information shall be ensured through the appropriate and effective use of cryptographic methods and technologies. | A.8.24 Use of cryptography |
| NIS Regulation | ISO 27001 |
System Administration | Administrative access rights shall be assigned according to the principle of least privilege. These assignments shall be reviewed periodically and adjusted where necessary. | A.8.2 Privileged access rights |
Systems and applications used for system administration shall be used exclusively for administrative purposes. The security of these systems and applications shall be ensured. | A.8.3 Information access restriction | |
Identity and Access Management | Processes and technologies shall be implemented to ensure the identification and authentication of users and services. | A.5.15 Access control |
Processes and technologies shall be implemented to prevent unauthorized access to network and information systems. | A.5.3 Segregation of duties | |
System Maintenance and Operations | Processes and procedures to ensure the secure operation of network and information systems shall be established and reviewed periodically. | A.5.8 Information security in project management |
Remote access shall be granted according to the principle of least privilege and limited in time. Remote access rights shall be reviewed periodically and adjusted where necessary. The security of remote access shall be ensured. | A.8.1 User endpoint devices | |
Physical Security | The physical protection of network and information systems, in particular against unauthorized access and entry, shall be ensured. | 7 Physical controls |
| NIS Regulation | ISO 27001 |
Incident Detection | Mechanisms for detecting and assessing incidents shall be implemented. | A.8.15 Logging |
Mechanisms for logging and monitoring, particularly of activities and processes essential for the delivery of essential services, shall be implemented. | A.8.15 Logging | |
Mechanisms for detecting and appropriately assessing incidents through the correlation and analysis of collected log data shall be implemented. | A.8.15 Logging | |
Incident Response | Processes for responding to incidents shall be established, maintained, and regularly tested. | A.8.7 Protection against malware |
Processes for the internal and external reporting of incidents shall be established, maintained, and regularly tested. | A.5.26 Response to information security incidents | |
Processes for the analysis and assessment of incidents and for the collection of relevant information shall be established, maintained, and regularly tested to support continuous improvement. | A.5.25 Assessment and decision on information security events | |
Business Continuity | The restoration of essential services to a predefined quality level following a security incident shall be ensured. | A.5.29 Information security during disruption |
Emergency response plans shall be established, implemented, regularly reviewed, and tested. | A.8.14 Redundancy of information processing facilities | |
Crisis Management | Framework conditions and crisis management processes for maintaining essential services before and during a security incident shall be defined, implemented, and regularly tested. | A.8.29 Security testing in development and acceptance |
(Draft – no guarantee of completeness)
References:
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555&from=DE
- National Competence Centre for the Network and Information Systems Security Act (NISG) – nis.gv.at
- RIS – Network and Information Systems Security Act (NISG) – Consolidated Federal Law, version dated 13 February 2023 (bka.gv.at)
- Security Measures for Operators of Essential Services (nis.gv.at)
- https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf
- https://greco.services/home-deutsch/losungen/cyber-crime/
- ISO/IEC 27001 and ISO/IEC 27002:2022
