Cyberattacks are among the fastest-growing forms of crime worldwide. One clear indicator of the current threat landscape is the fact that, according to media reports, obtaining cyber insurance has become significantly more difficult for many organizations. Insurers are continuously raising their expectations regarding the maturity of an organization's cybersecurity capabilities. As a result, the widely used self-assessment approaches are increasingly being replaced by qualified audits supported by mandatory evidence demonstrating the implementation of required security measures.

Management Is Accountable

Directive (EU) 2022/2555 significantly expands both the number of organizations affected and their obligations. From 2024 onwards, it is expected that approximately 3,000 organizations in Austria — across 16 sectors, with at least 50 employees and annual revenues exceeding EUR 10 million — will be required to demonstrably implement cybersecurity measures. National legislation will be responsible for verifying compliance with these minimum requirements and, consequently, holding the executive management of operators of critical infrastructure accountable.

Leverage Synergies

The use of internationally recognized security standards is expected to be encouraged, with the European Commission planning to issue additional implementing regulations. Regardless of these future developments, ISO 27001 already presents itself as a highly relevant framework. Due to the extensive overlap between the requirements of NIS2 and ISO 27001 (see appendix), organizations affected by NIS2 have a strong incentive to invest in achieving certification readiness—or in obtaining ISO 27001 certification directly.

Both the NIS2 Directive and ISO 27001 pursue the common objective of improving the security of networks and information systems. However, they differ in one fundamental aspect. NIS2 is a legally binding European Union directive requiring operators of critical infrastructure to strengthen their security and resilience in order to respond effectively to cyberattacks. ISO 27001, on the other hand, is a voluntary international standard that can be implemented by organizations of any size and across all industries.

Start Planning Early

Today, information security has become a decisive competitive advantage. What was once often regarded primarily as a marketing instrument has now become essential for an organization's survival. In summary, NIS2 is the perfect fuel for ISO 27001. Operators of critical infrastructure are therefore well advised to start evaluating an ISO 27001 certification at an early stage. The overlap between the requirements of both frameworks (see mapping below) makes this an especially attractive opportunity.

Christoph Zajic
CERTAINITY, Head of Process Consulting


Mapping the NIS Regulation to ISO 27001:2022

 

NIS Regulation

ISO 27001:2022

Governance and Risk Management

A risk assessment of network and information systems must be carried out. Specific risks shall be identified based on an analysis of the operational impact of security incidents and assessed with regard to the critical importance of the operator of essential services for the functioning of society.

Clause 8.2 Information security risk assessment
Clause 8.3 Information security risk treatment

An information security policy shall be established and reviewed periodically.

A.5.1 Policies for information security
A.5.8 Information security in project management
A.5.31 Legal, statutory, regulatory and contractual requirements

The periodic review of network and information system security shall be planned and defined.

A.8.34 Protection of information systems during audit testing

All resources required to ensure the functionality of network and information systems shall be planned and provided with regard to short-, medium-, and long-term capacity requirements.

A.8.6 Capacity management

The periodic review of the information security management system shall be defined and carried out.

Clause 9.2 Internal audit

Information security aspects shall be considered and implemented within human resources processes.

6 People controls
A.5.1 Policies for information security

 


 

 

NIS Regulation

ISO 27001

Supplier and Vendor Management

Requirements for service providers, suppliers, and third parties regarding the operation of, secure access to, and access rights for network and information systems shall be defined and reviewed periodically.

A.5.19 Information security in supplier relationships

Service level agreements with service providers and suppliers shall be reviewed and monitored periodically.

A.5.20 Addressing information security within supplier agreements

Security Architecture

Network and information systems shall be securely configured. These configurations shall be documented in a structured manner and kept up to date.

A.5.37 Documented operating procedures
A.8.19 Installation of software on operational systems

 

Assets related to network and information systems shall be systematically identified, analysed, and documented.

A.5.9 Inventory of information and other associated assets
A.5.12 Classification of information

Network segmentation shall be implemented within network and information systems according to the required level of protection.

A.8.20 Network security
A.8.21 Security of network services

 

Security within network segments and at the interfaces between network segments shall be ensured.

A.8.8 Management of technical vulnerabilities
A.8.19 Installation of software on operational systems
A.8.22 Segregation of networks

 

The confidentiality, authenticity, and integrity of information shall be ensured through the appropriate and effective use of cryptographic methods and technologies.

A.8.24 Use of cryptography
A.5.3 Segregation of duties
A.7.10 Storage media
A.7.14 Secure disposal or re-use of equipment
A.7.7 Clear desk and clear screen
A.8.7 Protection against malware
A.8.13 Information backup
A.5.11 Return of assets

 


 

 

NIS Regulation

ISO 27001

System Administration

Administrative access rights shall be assigned according to the principle of least privilege. These assignments shall be reviewed periodically and adjusted where necessary.

A.8.2 Privileged access rights

Systems and applications used for system administration shall be used exclusively for administrative purposes. The security of these systems and applications shall be ensured.

A.8.3 Information access restriction

Identity and Access Management

Processes and technologies shall be implemented to ensure the identification and authentication of users and services.

A.5.15 Access control

Processes and technologies shall be implemented to prevent unauthorized access to network and information systems.

A.5.3 Segregation of duties
A.5.16 Identity management
A.5.17 Authentication information

System Maintenance and Operations

Processes and procedures to ensure the secure operation of network and information systems shall be established and reviewed periodically.

A.5.8 Information security in project management
A.8.25 Secure development life cycle
A.7.13 Equipment maintenance

Remote access shall be granted according to the principle of least privilege and limited in time. Remote access rights shall be reviewed periodically and adjusted where necessary. The security of remote access shall be ensured.

A.8.1 User endpoint devices

Physical Security

The physical protection of network and information systems, in particular against unauthorized access and entry, shall be ensured.

7 Physical controls

 


 

 

NIS Regulation

ISO 27001

Incident Detection

Mechanisms for detecting and assessing incidents shall be implemented.

A.8.15 Logging
A.8.7 Protection against malware
A.8.8 Management of technical vulnerabilities
A.8.29 Security testing in development and acceptance

Mechanisms for logging and monitoring, particularly of activities and processes essential for the delivery of essential services, shall be implemented.

A.8.15 Logging

Mechanisms for detecting and appropriately assessing incidents through the correlation and analysis of collected log data shall be implemented.

A.8.15 Logging

Incident Response

Processes for responding to incidents shall be established, maintained, and regularly tested.

A.8.7 Protection against malware
A.5.24 Information security incident management planning and preparation
A.6.8 Information security event reporting
A.5.26 Response to information security incidents

Processes for the internal and external reporting of incidents shall be established, maintained, and regularly tested.

A.5.26 Response to information security incidents
A.5.5 Contact with authorities

Processes for the analysis and assessment of incidents and for the collection of relevant information shall be established, maintained, and regularly tested to support continuous improvement.

A.5.25 Assessment and decision on information security events
A.5.27 Learning from information security incidents
A.5.28 Collection of evidence

Business Continuity

The restoration of essential services to a predefined quality level following a security incident shall be ensured.

A.5.29 Information security during disruption

Emergency response plans shall be established, implemented, regularly reviewed, and tested.

A.8.14 Redundancy of information processing facilities

Crisis Management

Framework conditions and crisis management processes for maintaining essential services before and during a security incident shall be defined, implemented, and regularly tested.

A.8.29 Security testing in development and acceptance

(Draft – no guarantee of completeness)

 

References: