The good news: You have a head start
If your organisation is already ISO 27001 certified, you’ve made significant progress towards NIS2 compliance. Approximately 70-80% of the technical and organisational requirements overlap.
But here’s the reality: It’s not enough.
NIS2 imposes requirements that go beyond what ISO 27001 covers. And whilst the overlap is substantial, there are specific gaps that must be filled to achieve full compliance.
Practical insight: View NIS2 as an addition to your ISMS, not a replacement. Your existing structure is the foundation — now it’s about supplementing with specific NIS2 requirements.
Where ISO 27001 and NIS2 meet
Here are the areas where your ISO 27001 implementation already provides coverage:
Strong overlap exists within:
- Risk management — Both require systematic identification and treatment of risks
- Security policies — Documented policies and procedures
- Access control — Management of privileges and identities
- Cryptography — Protection of data in transit and at rest
- Operational security — Backup, logging, monitoring
- Incident management — Processes for detecting and handling incidents
- Business continuity — Plans for maintaining operations
- Physical security — Protection of premises and equipment
The three biggest gaps
1. Incident reporting — time requirements are missing
ISO 27001: Incidents shall be handled systematically and documented (A.5.24-A.5.28), and lessons shall be learned. But there is no specific deadline for reporting to authorities.
NIS2: Significant incidents must be reported to the CSIRT or competent authority designated in your member state within 24 hours of becoming aware of the incident (early warning), within 72 hours (incident notification, including an initial assessment of severity and impact), and with a final report no later than one month after the incident notification. The clock starts when you become aware, not when the investigation is finished, and the authority may request intermediate status reports in between.
What you need to do:
- Define what constitutes a “significant incident” under NIS2
- Establish contact channels to national competent authorities and supervisory bodies
- Create templates for the three report types
- Practice producing reports under time pressure
2. Management responsibility — it becomes personal
ISO 27001: Management shall demonstrate commitment and ensure resources (clause 5.1). But responsibility remains at organisational level.
NIS2: Management bodies (board, CEO) must approve the cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training themselves, and can be held personally liable for infringements (Article 20).
What you need to do:
- Document that management actively approves security policies
- Conduct cybersecurity training for board and executive management
- Create clear reporting from CISO/security officer to management
- Formalise management’s oversight of security work
3. Supply chain security — more concrete
ISO 27001: Supplier relationships shall be managed securely (A.5.19-A.5.22). Security requirements shall be included in agreements and suppliers shall be monitored.
NIS2: Explicit requirements for supply chain risk assessment (Article 21(2)(d) and 21(3)), including the vulnerabilities specific to each direct supplier and service provider, the overall quality of their products and cybersecurity practices, and their secure development and vulnerability handling procedures.
What you need to do:
- Map critical suppliers and their importance to your operations
- Conduct security assessments of key suppliers
- Update agreements with specific NIS2-related security requirements
- Establish ongoing monitoring and incident management in the chain
Mapping: ISO 27001 controls to NIS2
Here’s an overview of how ISO 27001:2022 controls map to NIS2 requirements:
| NIS2 requirement | ISO 27001:2022 controls | Gap to fill |
|---|---|---|
| Risk management | Clauses 6.1.2-6.1.3, 8.2-8.3; A.5.1-A.5.4 for policy and roles | Minimal |
| Incident handling | A.5.24-A.5.28 | 24h/72h/1-month reporting deadlines |
| Business continuity | A.5.29-A.5.30 | Minimal |
| Supplier security | A.5.19-A.5.23 | Deeper assessment |
| Access control | A.5.15-A.5.18, A.8.2-A.8.5 | Minimal (NIS2 Art. 21(2)(j) names multi-factor authentication explicitly) |
| Cryptography | A.8.24 | Minimal |
| Personnel training | A.6.3 | Management training (Art. 20(2)) |
| Vulnerability mgmt | A.8.8 | Minimal (NIS2 Art. 21(2)(e) also expects vulnerability handling and disclosure) |
Step-by-step: From ISO 27001 to NIS2
- GAP analysis: Map exactly where your current controls fall short for NIS2. Focus on incident reporting, management responsibility and supplier requirements.
- Update documentation: Supplement your existing policies and procedures with NIS2-specific requirements. Create new documents where needed (e.g. incident report templates).
- Train management: Conduct specific training for board and management on NIS2 requirements and their personal responsibility. Document completion.
- Establish reporting channels: Set up contact channels to the national CSIRT, competent authority and your sectoral authority. Test that reporting works before you need it.
- Deepen supplier work: Conduct security assessments of critical suppliers. Update agreements and establish ongoing monitoring.
- Practice incident handling: Conduct exercises focusing on NIS2’s time requirements. Can you produce an early warning within 24 hours of becoming aware of an incident, including at weekends and at night?
The time saving is real
Organisations with existing ISO 27001 certification typically have these advantages:
Already in place:
- Established ISMS structure and processes
- Documented policies and procedures
- Risk management framework
- Incident management processes (need time requirements)
- Security culture and awareness
- Internal audit process
Typical time saving: 6-12 months compared to starting from scratch
How Securapilot can help
With Securapilot you get tools that support both ISO 27001 and NIS2 in the same platform:
- GAP analysis — Identify exactly what’s missing for NIS2
- Risk management — ISO 27005-based, covers both frameworks
- Incident management — Built-in time requirements and report templates for NIS2
- Supplier management — Assessment and monitoring
- Control mapping — See how your ISO 27001 controls map to NIS2
Book a demo and see how we can help you go from ISO 27001 to full NIS2 compliance.
Frequently asked questions
Is ISO 27001 sufficient for NIS2 compliance?
No. ISO 27001 covers approximately 70-80% of NIS2 requirements. You get an excellent head start, but need to supplement with specific NIS2 requirements such as the 24-hour, 72-hour and one-month incident reporting deadlines, explicit management responsibilities and sector-specific requirements.
Is it worth having both ISO 27001 and NIS2?
Absolutely. ISO 27001 provides a structured ISMS that facilitates NIS2 compliance. The certification also demonstrates to customers and partners that you take security seriously. Many organisations view ISO 27001 as the foundation and NIS2 as an addition.
What are the biggest gaps between ISO 27001 and NIS2?
The three biggest gaps are: 1) Incident reporting within 24 hours, 72 hours and one month (ISO 27001 has no specific time requirement), 2) Management’s personal responsibility and training requirements, 3) Supply chain security requirements that are more explicit in NIS2.
How long does it take to go from ISO 27001 to NIS2 compliance?
With existing ISO 27001 certification, you can typically achieve NIS2 compliance in 3-6 months, compared to 12-18 months without an existing ISMS. The time saving comes from processes, documentation and culture already being in place.