- If your company has pursued an ISO 27001:2022 certification, you won’t have to start from scratch with NIS2 compliance.
- Both frameworks emphasize risk management, incident response, vendor security, and governance.
- However, an ISO certification alone does not equal NIS2 compliance. Learn about the similarities and differences.
Understanding the NIS2 and ISO 27001 relationship
Becoming NIS2 compliant doesn’t have to be a “start-from-scratch” exercise. In fact, if you have already pursued cybersecurity certifications like ISO 27001, you can build on top of previous investments and make the new directive more manageable.
However, we can’t stress this enough: the two frameworks are not the same. NIS2 has much higher expectations in several areas compared to ISO 27001, because its core purpose is to keep critical infrastructure and entire communities safe.
Keep reading this guide to understand how your existing InfoSec program could give you a head start and where the two frameworks diverge.
Where NIS2 and ISO 27001:2022 overlap
Both ISO 27001:2022 and NIS2 promote a structured, risk-based approach to information security. They require organizations to identify risks, implement appropriate controls, and continuously improve security posture. This includes:
- Risk management, including identification, assessment, and treatment: Evaluating threats, vulnerabilities, their likelihood, and the potential impact on assets and operations
- Incident management: Setting up processes for detecting, responding to, and learning from security incidents
- Access control and identity management: Ensuring only authorized personnel can access critical systems or information
- Supplier security: Assessing risks in your supply chain and implementing safeguards for third-party relationships
- Business continuity planning: Preparing to maintain operations during disruptions
Both frameworks also emphasize governance and accountability, requiring leadership involvement, clear roles, and documented policies. In many cases, the measures taken to meet ISO 27001 requirements can form a strong foundation for NIS2 compliance.
This overlap is why organizations often view ISO 27001 certification as a natural stepping stone toward meeting NIS2 obligations. However, the two frameworks are far from interchangeable.
NIS2 requirements mapped to ISO 27001:2022 controls
To guide companies in their compliance journey, the European Union Agency for Cybersecurity (ENISA) has mapped out some NIS2 requirements to other cybersecurity frameworks. We have extracted the ISO 27001 columns and matched their labels to the corresponding clauses and Annex A controls.
This mapping exercise shouldn’t be interpreted as legal advice, nor is it confirmation that having these ISO 27001 controls in place automatically means you are NIS2 compliant.
Rather, it’s a great starting point to understand how your cybersecurity investments could support upcoming compliance tasks.
NIS2 requirements mapped to ISO 27001 controls

| Point no. | NIS2 requirement | Corresponding ISO 27001:2022 clause and/or Annex A control |
|---|---|---|
| 1.1 | Policy on the security of network and information systems | Clause 5.2 > Information Security Policy; Annex A 5.1 > Policies for Information Security; Annex A 5.36 > Compliance with Policies, Rules, and Standards for Information Security; Annex A 5.4 > Management Responsibilities; Clause 9.3 > Management Review |
| 1.2 | Roles, responsibilities, and authorities | Clause 5.3 > Roles and Responsibilities; Annex A 5.2 > Information Security Roles & Responsibilities; Annex A 5.4 > Management Responsibilities |
| 2.1 | Risk management framework | Clause 6.1 > Actions to Address Risks & Opportunities; Clause 6.1.2 > Information Security Risk Assessment; Clause 6.1.3 > Information Security Risk Treatment; Clause 6.2 > Information Security Objectives and Planning to Achieve Them; Clause 8.2 > Information Security Risk Assessment (executing); Clause 8.3 > Information Security Risk Treatment; Annex A 5.7 > Threat Intelligence |
| 2.2 | Compliance monitoring | Clause 9.2 > Internal Audit; Annex A 5.31 > Legal, Statutory, Regulatory, and Contractual Requirements; Annex A 5.35 > Independent Review of Information Security; Annex A 5.36 > Compliance with Policies, Rules, and Standards for Information Security |
| 2.3 | Independent review of information and network security | Clause 9.2 > Internal Audit; Clause 10.1 > Nonconformities & Corrective Actions; Annex A 5.35 > Independent Review of Information Security; Annex A 8.34 > Protection of Information Systems During Audit Testing |
| 3.1 | Incident handling policy | Annex A 5.24 > Information Security Incident Management Planning and Preparation |
| 3.2 | Monitoring and logging | Annex A 5.28 > Collection of Evidence; Annex A 8.15 > Logging; Annex A 8.16 > Monitoring Activities; Annex A 8.17 > Clock Synchronization |
| 3.3 | Event reporting | Annex A 6.8 > Information Security Event Reporting |
| 3.4 | Event assessment and classification | Annex A 5.25 > Assessment and Decision on Information Security Events |
| 3.5 | Incident response | Annex A 5.26 > Response to Information Security Incidents |
| 3.6 | Post-incident reviews | Annex A 5.27 > Learning from Information Security Incidents |
| 4.1 | Business continuity and disaster recovery plan | Annex A 5.29 > Information Security During Disruption; Annex A 5.30 > ICT Readiness for Business Continuity |
| 4.2 | Backup management | Annex A 8.13 > Information Backup; Annex A 8.14 > Redundancy of Information Processing Facilities |
| 4.3 | Crisis management | Annex A 5.26 > Response to Information Security Incidents; Annex A 5.29 > Information Security During Disruption; Annex A 5.30 > ICT Readiness for Business Continuity |
| 5.1 | Supply chain security policy | Annex A 5.19 > Information Security in Supplier Relationships; Annex A 5.20 > Addressing Information Security within Supplier Agreements; Annex A 5.21 > Managing Information Security in the ICT Supply Chain; Annex A 8.30 > Outsourced Development |
| 5.2 | Directory of suppliers and service providers | Annex A 5.22 > Monitoring, Review, and Change Management of Supplier Services |
| 6.1 | Security in acquisition of ICT services, ICT systems or ICT products | Annex A 5.21 > Managing Information Security in the ICT Supply Chain; Annex A 5.23 > Information Security for Use of Cloud Services |
| 6.2 | Secure development life cycle | Annex A 8.25 > Secure Development Life Cycle; Annex A 8.31 > Separation of Development, Test, and Production Environments |
| 6.3 | Configuration management | Annex A 8.9 > Configuration Management |
| 6.4 | Change management, repairs, and maintenance | Clause 6.3 > Planning of Changes; Clause 8.1 > Operational Planning and Control; Annex A 7.13 > Equipment Maintenance; Annex A 8.32 > Change Management |
| 6.5 | Security testing | Annex A 8.29 > Security Testing in Development and Acceptance; Annex A 8.33 > Test Information; Annex A 8.34 > Protection of Information Systems During Audit Testing |
| 6.6 | Security patch management | Annex A 8.31 > Separation of Development, Test, and Production Environments; Annex A 8.32 > Change Management |
| 6.7 | Network security | Annex A 8.16 > Monitoring Activities; Annex A 8.20 > Networks Security |
| 6.8 | Network segmentation | Annex A 8.22 > Segregation of Networks |
| 6.9 | Protection against malicious and unauthorized software | Annex A 5.32 > Intellectual Property Rights; Annex A 8.7 > Protection Against Malware |
| 6.10 | Vulnerability handling and disclosure | Annex A 8.8 > Management of Technical Vulnerabilities |
| 7.1 | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Clause 6.2 > Information Security Objectives and Planning to Achieve Them; Clause 9.1 > Performance Evaluation; Clause 9.3 > Management Review |
| 8.1 | Awareness raising and basic cyber hygiene practices | Clause 7.3 > Awareness; Annex A 6.3 > Information Security Awareness, Education and Training; Annex A 8.7 > Protection Against Malware |
| 8.2 | Security training | Clause 7.2 > Competence; Annex A 6.3 > Information Security Awareness, Education and Training |
| 9.1 | Cryptography | Annex A 5.31 > Legal, Statutory, Regulatory, and Contractual Requirements; Annex A 8.24 > Use of Cryptography |
| 10.1 | Human resources security | Clause 7.1 > Resources; Clause 7.2 > Competence; Annex A 6.2 > Terms and Conditions of Employment; Annex A 6.3 > Information Security Awareness, Education and Training |
| 10.2 | Verification of background | Annex A 6.1 > Screening |
| 10.3 | Termination or change of employment procedures | Annex A 6.5 > Responsibilities After Termination or Change of Employment |
| 10.4 | Disciplinary process | Annex A 5.28 > Collection of Evidence; Annex A 6.4 > Disciplinary Process |
| 11.1 | Access control policy | Annex A 5.15 > Access Control; Annex A 7.2 > Physical Entry; Annex A 8.3 > Information Access Restriction; Annex A 8.21 > Security of Network Services |
| 11.2 | Management of access rights | Annex A 5.3 > Segregation of Duties; Annex A 5.18 > Access Rights |
| 11.3 | Privileged accounts and system administration accounts | Annex A 8.2 > Privileged Access Rights; Annex A 8.18 > Use of Privileged Utility Programs |
| 11.4 | Administration systems | Annex A 8.2 > Privileged Access Rights; Annex A 8.18 > Use of Privileged Utility Programs |
| 11.5 | Identification | Annex A 5.16 > Identity Management |
| 11.6 | Authentication | Annex A 5.17 > Authentication Information |
| 11.7 | Multi-factor authentication | Annex A 8.5 > Secure Authentication |
| 12.1 | Asset classification | Annex A 5.9 > Inventory of Information and Other Associated Assets; Annex A 5.12 > Classification of Information; Annex A 5.13 > Labelling of Information |
| 12.2 | Handling of assets | Annex A 5.9 > Inventory of Information and Other Associated Assets; Annex A 5.10 > Acceptable Use of Information and Other Associated Assets; Annex A 5.14 > Information Transfer; Annex A 7.10 > Storage Media |
| 12.3 | Removable media policy | Annex A 7.7 > Clear Desk and Clear Screen; Annex A 7.10 > Storage Media |
| 12.4 | Asset inventory | Annex A 5.9 > Inventory of Information and Other Associated Assets |
| 12.5 | Deposit, return or deletion of assets upon termination of employment | Annex A 5.11 > Return of Assets; Annex A 5.18 > Access Rights; Annex A 8.24 > Use of Cryptography |
| 13.1 | Supporting utilities | Annex A 7.11 > Supporting Utilities |
| 13.2 | Protection against physical and environmental threats | Annex A 7.3 > Securing Offices, Rooms, and Facilities; Annex A 7.5 > Protecting Against Physical and Environmental Threats |
| 13.3 | Perimeter and physical access control | Annex A 7.1 > Physical Security Perimeters; Annex A 7.2 > Physical Entry; Annex A 7.4 > Physical Security Monitoring |
Where NIS2 and ISO 27001 diverge
- Voluntary vs. mandatory
Perhaps the most fundamental difference is that ISO 27001 is voluntary, while NIS2 is a legal obligation for European entities in specific sectors considered essential or important to the functioning of society.
An ISO 27001 certification proves your commitment to information security and can offer a competitive advantage in the marketplace. By contrast, NIS2 compliance is non-negotiable for in-scope entities, and failure to comply can result in significant fines and regulatory enforcement.
- Scope and focus
ISO 27001 focuses on establishing an Information Security Management System (ISMS), which is a flexible framework that organizations adapt to their unique risks and circumstances. Its primary aim is protecting the confidentiality, integrity, and availability of information.
NIS2’s scope is broader. While it addresses information security, it is equally concerned with the operational resilience of critical infrastructure. This includes ensuring that essential services can continue running during incidents, whether caused by cyberattacks, natural disasters, or supply chain failures. The NIS2 perspective is societal as much as organizational.
- Business continuity requirements
ISO 27001 requires you to plan for disruptions that could affect your operations and data security. NIS2 raises the bar, demanding preparations for wider crises with potential national or societal impact, for example cascading failures across utilities, transport systems, or healthcare networks.
- Supplier and supply-chain obligations
While both frameworks address supplier security, NIS2 applies more stringent requirements. It extends due diligence beyond direct vendors to multiple tiers of the supply chain. To be compliant, you must find and address vulnerabilities even among suppliers you don't contract with directly.
- Control maturity and flexibility
ISO 27001 allows flexibility: if a control is not applicable due to special circumstances, you can exclude it with proper justification. NIS2 offers less room for discretion; certain measures are explicitly required.
Furthermore, NIS2 expects a higher maturity level for controls. While ISO 27001 can be flexibly adjusted to an organization’s risk appetite, NIS2 mandates state-of-the-art information security appropriate not just to the impact on the organization but also on society and the economy as a whole.
- Auditing and oversight
For ISO 27001, you would typically prepare for a scheduled audit, often focusing your efforts in the months leading up to it. Under NIS2, essential and important entities can face unannounced inspections at any time, which calls for a state of continuous compliance readiness.
Common misconceptions about NIS2 and ISO 27001
A common misconception is that ISO 27001 certification automatically ensures NIS2 compliance. While the overlap in controls can make NIS2 compliance easier to achieve, the differences in scope, legal obligation, and enforcement mean that an ISO certification alone is insufficient.
An ISO-certified organization could still fall short on:
- Risk management taking societal impact into account
- Informing authorities and customers during incident response
- Administrative obligations around registration and communication with authorities
- Extended supply-chain due diligence
- Meeting explicit control requirements without risk-based exemptions
- Demonstrating continuous compliance under potential unannounced audits
A complementary approach
For organizations in NIS2-regulated sectors, ISO 27001 can be a powerful foundation. It embeds a culture of security, provides a tested management framework, and aligns closely with many NIS2 requirements.
However, achieving full NIS2 compliance will require:
- Gap analysis to identify where NIS2 imposes stricter or additional measures
- Operational resilience planning beyond IT-focused continuity
- Broader supply-chain risk management practices
- Processes for ongoing regulatory readiness
By understanding both the similarities and differences, you can leverage the strengths of ISO 27001 while striving to fully meet the demands of NIS2. The result is not only legal compliance, but also stronger resilience in the face of evolving threats.
Frequently asked questions
Is a company NIS2 compliant if it has an ISO 27001:2022 certification?
No. An ISO 27001 certification doesn’t automatically translate to NIS2 compliance. Being certified means you’ve done some of the work required for NIS2 and you won’t be starting from scratch, but it’s not enough.
What’s the difference between the ISO 27001 clauses and Annex A controls?
In the ISO 27001 framework, clauses describe the mandatory requirements that you have to meet and Annex A controls are the more specific actions you can take to fulfil that obligation.
Does this table cover all NIS2 obligations?
No. This is just an overview of where some of your cybersecurity investments with ISO 27001 can help you achieve important milestones for NIS2. For a full picture of how NIS2 relates to your company, we recommend doing a gap analysis and risk assessment to understand where you need to focus. You can lean on our platform and experts to make your compliance journey more efficient.