NIS2 & ISO 27001 Mapping
Detailed analysis of how ISO 27001 can be used as a foundation for NIS2 compliance, including identified gaps that require supplementary measures.
ISO 27001 Covers the Majority of NIS2 Requirements
Of 27 identified NIS2 requirements, 24 can be addressed directly through ISO 27001:2022. Only 2 areas require supplementary measures beyond the standard.
Organizations with existing ISO 27001-certified management systems have a strong foundation for NIS2 compliance, but should focus on identified gaps – especially authority reporting requirements.
Detailed Mapping
The table shows how NIS2 requirements map to ISO 27001:2022 clauses and controls.
| NIS2 | Requirement | ISO 27001 | Document | Status |
|---|---|---|---|---|
| Article 20.1 | Management body must approve cybersecurity measures | 6.1.3 Information security risk treatment | Risk treatment plan | Full |
| Article 20.1 | Management body must oversee implementation of measures | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review | Measurement report, Internal audit report, Management review minutes | Full |
| Article 20.2 | Training requirements for management and employees | 7.2 Competence; A.6.3 Information security awareness, education and training | Training and awareness plan | Full |
| Article 21.1 | Appropriate technical, operational and organizational measures | 6.1.3 Risk treatment; 6.2 Information security objectives; 8.1 Operational planning and control | Risk treatment table, Risk treatment plan | Full |
| Article 21.1 | Proportionality assessment based on risk exposure | 6.1.2 Information security risk assessment | Risk assessment methodology, Risk assessment template | Full |
| Article 21.2(a) | Risk analysis policy | 6.1.2 Information security risk assessment | Risk assessment methodology | Full |
| Article 21.2(a) | Information system security policy | 5.2 Policy | Information security policy | Full |
| Article 21.2(b) | Incident handling | A.5.24 Planning and preparation; A.5.25 Assessment and decision; A.5.26 Response to incidents | Incident handling procedure, Incident log | Full |
| Article 21.2(c) | Business continuity | A.5.29 Information security during disruption | Business continuity plan | Full |
| Article 21.2(c) | Backup | A.8.13 Information backup | Backup policy | Full |
| Article 21.2(c) | Disaster recovery | A.5.30 ICT readiness for business continuity; A.8.14 Redundancy | Disaster recovery plan | Full |
| Article 21.2(c) | Crisis management | — | Crisis management plan (beyond ISO 27001) | Gap |
| Article 21.2(d) | Supply chain security | A.5.19–A.5.23 Supplier relationships and cloud services | Supplier security policy, Security clauses for suppliers | Full |
| Article 21.2(e) | Security in acquisition, development and maintenance | A.8.6–A.8.9, A.8.25–A.8.33 (Capacity, malware, vulnerabilities, secure development) | Secure development policy, Requirements specification | Full |
| Article 21.2(f) | Policies and procedures to evaluate effectiveness of measures | 9.1 Monitoring and measurement; 9.2 Internal audit; 9.3 Management review | Measurement methodology, Internal audit procedure | Full |
| Article 21.2(g) | Basic cyber hygiene | A.6.8, A.7.7, A.7.9, A.7.10, A.8.1, A.8.5, A.8.7, A.8.13, A.8.19, A.8.24 | IT security policy | Full |
| Article 21.2(g) | Cybersecurity training | 7.2 Competence; A.6.3 Awareness and training | Training and awareness plan | Full |
| Article 21.2(h) | Encryption policies | A.8.24 Use of cryptography | Encryption policy | Full |
| Article 21.2(i) | Human resource security | A.6.1–A.6.5 (Screening, employment terms, training, disciplinary) | Human resource security policy | Full |
| Article 21.2(i) | Access control policies | A.5.15 Access control | Access control policy | Full |
| Article 21.2(i) | Asset management | A.5.9–A.5.11 (Inventory, acceptable use, return) | Asset management procedure, Asset register | Full |
| Article 21.2(j) | Multi-factor authentication (MFA) | A.5.16 Identity management; A.5.17 Authentication information; A.8.5 Secure authentication | Authentication policy | Full |
| Article 21.2(j) | Secure voice, video and text communication | A.5.14 Information transfer; A.8.21 Security of network services | Information transfer policy, Secure communication policy | Full |
| Article 21.2(j) | Secure emergency communication within the organization | A.8.20 Network security | Secure communication policy (requires extension) | Partial |
| Article 21.3 | Assess vulnerabilities of suppliers and quality of their security practices | A.5.19, A.5.21–A.5.23 Supplier management | Supplier security policy, Risk assessment report | Full |
| Article 21.4 | Take appropriate corrective actions | 10.2 Nonconformity and corrective action | Corrective action procedure | Full |
| Article 23 | Reporting obligations (24h early warning, 72h incident report) | — | NIS2 incident reporting procedure (beyond ISO 27001) | Gap |
Gaps Requiring Additional Measures
These areas are not covered by ISO 27001 and must be handled separately for full NIS2 compliance.
Crisis Management
Article 21.2(c): NIS2 requires explicit crisis management beyond business continuity. ISO 27001 has no direct equivalent for strategic crisis management at the organizational level.
Implement a separate crisis management plan including communication strategies, escalation procedures, and decision-making during crises.
Incident Reporting to Authorities
Article 23: NIS2 has specific time limits for reporting: 24 hours for early warning, 72 hours for incident report, and 1 month for final report. ISO 27001 lacks these regulatory requirements.
Establish dedicated processes and contact points for reporting to CSIRT and the supervisory authority. Integrate with existing incident handling.
Management Personal Liability
Article 20: NIS2 sets explicit requirements for management personal liability for cybersecurity, including training requirements. ISO 27001 requires management commitment but not personal liability.
Document management roles and responsibilities specifically for NIS2. Ensure management undergoes cybersecurity training and can demonstrate competence.
Secure Emergency Communication
Article 21.2(j): NIS2 specifically requires secure emergency communication systems within the organization. ISO 27001 covers network security generally but not specifically emergency communication.
Implement and test secure communication channels for emergencies that work independently of regular infrastructure.
Sector-specific Requirements
National implementation: NIS2 will be supplemented with sector-specific requirements through national legislation and delegated acts. These do not exist in ISO 27001.
Monitor guidance from regulatory authorities for your sector. Adapt the management system to sector-specific requirements.
Registration with Supervisory Authority
Article 3: Organizations covered by NIS2 must register with the supervisory authority. This is an administrative requirement with no equivalent in ISO 27001.
Identify the correct supervisory authority for your business. Prepare registration documentation including contact information and business description.
Securapilot Supports Complete NIS2 Compliance
Our platform is designed to handle both ISO 27001-based requirements and NIS2-specific gaps.
Gap Analysis
Automated assessment of your current maturity level against NIS2 requirements with prioritized action recommendations.
Incident Reporting
Built-in support for NIS2 time requirements with automatic reminders for 24h and 72h reporting.
Risk Management
ISO 27005-based risk management that meets both ISO 27001 and NIS2 requirements.
Sources and References
NIS2 Directive
Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.
EUR-Lex: Directive (EU) 2022/2555
ISO/IEC 27001:2022
International standard for information security management systems (ISMS).
ISO.org: ISO/IEC 27001
Swedish Implementation
NIS2 is implemented in Sweden through the Cybersecurity Act which comes into force on January 15, 2026.
MSB: NIS Directive
Disclaimer: The mapping on this page is based on our analysis of the NIS2 directive requirements and the ISO 27001:2022 standard. It does not constitute legal advice. Contact us for specific guidance on your organization's compliance.
Need Help with NIS2 Compliance?
Book an hour of free consultation and we'll help you identify gaps and plan the path to full compliance.