If you are interested in cybersecurity and compliance, you might have heard of two important standards: NIS2 and ISO 27001:2022. But what are they, and how do they relate to each other? This blog post compares the two, describes their similarities and differences, and explains why they are relevant to your business.
NIS2: Directive for Cybersecurity in the EU
NIS2 is the acronym for the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, which the European Parliament and the Council adopted on 14 December 2022. It is an update and expansion of the previous NIS Directive (EU) 2016/1148, which aimed to build cybersecurity capabilities across the EU, mitigate threats to network and information systems used to provide essential services in key sectors and ensure the continuity of such services when facing incidents.
NIS2 has a broader scope than its predecessor, as it covers not only essential services but also important entities in various sectors, such as energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, public administration, postal and courier services, waste management, chemicals, food production and distribution, manufacturing of medical devices and pharmaceuticals. It also covers providers of certain digital services, such as online marketplaces, online search engines, cloud computing services, social networks, video-sharing platforms, messaging services, web browsers, and application stores.
NIS2 sets out a number of obligations for these entities and service providers, such as:
- Implementing appropriate technical and organizational measures to manage the risks posed to the security of network and information systems.
- Reporting significant incidents affecting the security of network and information systems to the competent authorities or computer security incident response teams (CSIRTs).
- Cooperating with the competent authorities or CSIRTs in case of incidents or inspections.
- Providing information to the public about incidents or preventive measures.
- Complying with codes of conduct or standards of practice established at the Union or national level.
NIS2 also strengthens the cooperation mechanisms among Member States and at the Union level. It establishes a European Cybersecurity Board composed of representatives of national cybersecurity authorities and the European Union Agency for Cybersecurity (ENISA), which will advise on strategic issues related to cybersecurity policy. It also reinforces the role of ENISA in supporting Member States and Union institutions in implementing NIS2.
NIS2 will enter into force on 16 January 2023. Member States will have until 16 July 2023 to transpose it into their national laws. The identification of essential services and important entities will have to be completed by 16 January 2024.
ISO 27001:2022: A New Version of the International Standard for Information Security Management Systems
ISO 27001:2022 is the latest version of the international standard for information security management systems (ISMS), published by the International Organization for Standardization (ISO) on 15 December 2022. It is an update and revision of the previous version, ISO 27001:2013, which aimed to provide a framework of best practice policies, procedures, and controls for information security to reduce the risk of information security breaches.
ISO 27001:2022 has a structure similar to ISO 27001:2013, as it follows the Plan-Do-Check-Act (PDCA) cycle for establishing, implementing, maintaining, and improving an ISMS. It also maintains the same high-level clauses as other ISO management system standards, such as ISO 9001 (quality management) or ISO 14001 (environmental management), which facilitates their integration.
However, ISO 27001:2022 also introduces some changes and improvements compared to ISO 27001:2013, such as:
- Emphasizing the role of top management in providing leadership and direction for the ISMS.
- Clarifying the requirements for risk assessment and risk treatment.
- Updating the Annex A controls to reflect new technologies and threats.
- Aligning with other relevant standards, such as ISO/IEC 27701 (privacy information management) or ISO/IEC 27018 (cloud computing).
- Simplifying some terms and definitions.
ISO 27001:2022 is intended to be applicable to any organization regardless of its size, type, or nature. It can be used to demonstrate compliance with legal or contractual obligations related to information security, such as NIS2. It can also be used as a basis for certification by accredited certification bodies.
ISO 27001:2022 will replace ISO 27001:2013 as the valid version of the standard from 15 June 2023. Organizations that are already certified or implementing an ISMS based on ISO 27001:2013 will have until then to transition to ISO 27001:2022.
How NIS2 and ISO 27001:2022 Compare and Contrast
NIS2 and ISO 27001:2022 are both standards related to information security, but they have different origins, scopes and purposes. NIS2 is a legal act of the EU that sets out minimum requirements for cybersecurity for certain entities and service providers operating in the EU. ISO 27001:2022 is a voluntary standard of the ISO that provides guidelines for establishing and maintaining an ISMS for any organization.
The table below summarizes the main similarities and differences between NIS2 and ISO 27001:2022:
| Aspect | NIS2 | ISO 27001:2022 |
| --- | --- | --- |
| Origin | EU legal act | ISO voluntary standard |
| Scope | Essential services, important entities, and certain digital service providers in the EU | Any organization |
| Purpose | Ensure a high common level of cybersecurity across the EU | Provide a framework for information security management |
| Requirements | Technical and organizational measures, incident reporting, cooperation, information provision, compliance with codes of conduct or standards of practice | Establish, implement, maintain, and continually improve an ISMS: scope and context, risk assessment and treatment, Annex A or other controls, policies and procedures, monitoring and measurement, internal audits and management reviews |
| Annex A Controls | Not specified, but can be aligned with ISO/IEC 27002:2022 | Specified and updated to reflect new technologies and threats |
| Certification | Not mandatory, but possible at the national level | Not mandatory, but possible at the international level |
Scope
The NIS2 Directive applies to operators of essential services (OES) and important entities (IE) in sectors such as energy, transport, banking, health, water, digital infrastructure, and cloud computing. The directive defines OES as entities that provide a service that is essential for maintaining critical societal and economic activities and that depend on network and information systems. The directive defines IE as entities that provide a service that is important for maintaining a high level of security of network and information systems across the EU.
The ISO 27001:2022 standard applies to any organization that wishes to establish, implement, maintain, and continually improve an ISMS. The standard does not prescribe specific sectors or types of organizations that need to adopt it. Rather, it is based on the principle of risk assessment and risk treatment, which allows each organization to identify its own information security risks and implement appropriate controls to mitigate them.
Objectives
The main objective of the NIS2 Directive is to enhance the level of cybersecurity across the EU by ensuring a common level of preparedness, response, and resilience among OES and IE. The directive also aims to foster cooperation and information sharing among member states and relevant stakeholders on cybersecurity issues.
The main objective of the ISO 27001:2022 standard is to help organizations protect their information assets from internal and external threats by establishing an ISMS that follows a Plan-Do-Check-Act (PDCA) cycle. The standard also aims to provide assurance to stakeholders that the organization is managing its information security effectively.
Requirements
The NIS2 Directive sets out a number of general and specific requirements for OES and IE. Some of the general requirements include:
- Adopting appropriate technical and organizational measures to manage the risks posed to their network and information systems.
- Reporting any incident that has a significant impact on the continuity or provision of their services to the competent authorities.
- Cooperating with the competent authorities and other OES and IE on cybersecurity matters.
- Participating in regular audits, inspections and exercises to assess their level of compliance with the directive.
Some of the specific requirements vary depending on the sector and type of entity. For example, OES in the energy sector must comply with additional requirements related to the security of supply chains, interconnections, and smart grids.
The ISO 27001:2022 standard sets out a number of requirements for establishing, implementing, maintaining, and continually improving an ISMS. Some of the requirements include:
- Defining the scope, context and objectives of the ISMS.
- Conducting a risk assessment to identify the information security risks that affect the organization.
- Selecting and implementing controls from Annex A or other sources to treat the identified risks.
- Establishing policies, procedures, and processes to support the operation of the ISMS.
- Monitoring, measuring, analyzing, and evaluating the performance and effectiveness of the ISMS.
- Conducting internal audits and management reviews to ensure continual improvement of the ISMS.
Controls
Both the NIS2 Directive and the ISO 27001:2022 standard provide guidance on selecting and implementing controls to achieve their respective objectives. However, there are some differences in how they approach this topic.
The NIS2 Directive does not prescribe a specific set of controls for OES and IE. Rather, it states that they should adopt measures that are appropriate to their specific risk profile, considering factors such as:
- The state of the art in cybersecurity
- The potential impact of incidents on their services
- The costs of implementing the measures
- The proportionality between the measures and the risks
The directive also refers to existing standards, guidelines, and best practices that can help OES and IE choose suitable controls. For example, it mentions:
- The NIST Cybersecurity Framework
- The ENISA Good Practices for Security of Internet of Things
- The ETSI Technical Specification on Critical Security Controls for Effective Cyber Defense
The ISO 27001:2022 standard provides a generic set of controls in Annex A that can be applied by any organization regardless of its size, type, or sector. The standard specifies 93 controls in 4 domains covering various aspects of information security, such as:
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
The updates in ISO 27001:2022 can be mapped back to its predecessor, which had 114 controls under 14 domains:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
The standard also allows organizations to select and implement controls from other sources, such as industry-specific standards, regulations, or contractual obligations, as long as they are consistent with the objectives of the ISMS.
Similarities
Despite the differences in scope, objectives, requirements and controls, there are some similarities between the NIS2 Directive and the ISO 27001:2022 standard. Some of the similarities include:
- Both frameworks are based on the concept of risk management, which involves identifying, analyzing, evaluating, and treating the information security risks that affect the organization or the service.
- Both frameworks require the involvement and commitment of top management, who are responsible for ensuring that the appropriate resources, roles and responsibilities are allocated to support the implementation and maintenance of the measures.
- Both frameworks emphasize the importance of continuous improvement, which involves monitoring, measuring, reviewing, and updating the measures to ensure they remain effective and relevant in a changing environment.
- Both frameworks encourage cooperation and information sharing among relevant stakeholders, such as authorities, regulators, customers, suppliers, and peers, to enhance the overall level of cybersecurity.
Why NIS2 and ISO 27001:2022 Are Relevant for Your Business
If you are an essential service provider, an important entity, or a digital service provider in the EU, you must comply with NIS2 by 16 July 2023. This means that you will have to implement appropriate technical and organizational measures to manage the risks posed to the security of your network and information systems, report significant incidents to the authorities or CSIRTs, cooperate with them in case of incidents or inspections, provide information to the public about incidents or preventive measures, and comply with codes of conduct or standards of practice established at Union or national level.
If NIS2 does not cover you, you might still benefit from implementing an ISMS based on ISO 27001:2022. This will help you to protect your information assets from internal and external threats, enhance your reputation and trustworthiness, comply with legal or contractual obligations related to information security, such as the General Data Protection Regulation (GDPR) or NIS2 itself, and gain a competitive advantage in the market.
Whether you are subject to NIS2 or not, you can use ISO 27001:2022 as a reference for your information security management. ISO 27001:2022 provides a comprehensive and updated set of controls that can help you meet the requirements of NIS2. It also provides a systematic approach to establishing, implementing, maintaining, and improving your ISMS. Moreover, it allows you to obtain an internationally recognized certification demonstrating your commitment to information security.
Conclusion
NIS2 and ISO 27001:2022 are two important standards for information security, both recently updated and revised. They have different origins, scopes, and purposes, but they also have some similarities and complementarities. If you are an essential service provider, an important entity, or a digital service provider in the EU, you must comply with NIS2 by 18 October 2024. If NIS2 does not cover you, you might still benefit from implementing an ISMS based on ISO 27001:2022. In any case, you can use ISO 27001:2022 as a reference for your information security management and obtain a certification that can prove your compliance with NIS2.
References:
- Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
- ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements: https://www.iso.org/standard/78793.html
- NIS2 to ISO27001 & ISO27002 Mapping Tool: https://www.huntandhackett.com/blog/iso-mapping-tool
- NIS 2: What The Proposed Changes Mean For Your Business: https://www.isms.online/cyber-security/nis-2-what-the-proposed-changes-mean-for-your-business/