NIS 2 Cybersecurity risk-management measures mapping to ISO 27001:2022
1.0, 29.12.2022
NIS 2 ISO 27001:2022
General measures Article 21.2 a) 5.2 Policy Policies on risk analysis and 6.1.2 Information security risk assessment information system security 6.1.3 Information security risk treatment 8.2 Information security risk assessment 8.3 Information security risk treatment
Annex A. Information security controls reference:
• 5.1 Policies for information security Article 21.2 b) Annex A. Information security controls reference: Incident handling • 5.24 Information security incident management planning and preparation • 5.25 Assessment and decision on information security events • 5.26 Response to information security incidents • 5.27 Learning from information security incidents • 5.28 Collection of evidence • 6.8 Information security event reporting Article 21.2 c) Annex A. Information security controls reference: Business continuity, such as backup • 5.29 Information security during disruption management and disaster recovery, • 5.30 ICT readiness for business continuity and crisis management • 8.13 Information backup • 8.14 Redundancy of information processing facilities Article 21.2 d) Annex A. Information security controls reference: Supply chain security, including • 5.19 Information security in supplier relationships security-related aspects concerning the • 5.20 Addressing information security within supplier relationships between each entity and agreements its direct suppliers or service providers • 5.21 Managing information security in the ICT supply chain • 5.22 Monitoring, review and change management of supplier services • 5.23 Information security for use of cloud services Article 21.2 e) Annex A. Information security controls reference: Security in network and information • 5.37 Documented operating procedures systems acquisition, development and • 8.8 Management of technical vulnerabilities maintenance, including vulnerability • 8.9 Configuration management handling and disclosure • 8.20 Network security • 8.21 Security of network services Article 21.2 f) 9.1 Monitoring, measurement, analysis and evaluation Policies and procedures to assess the 9.2 Internal audit effectiveness of cybersecurity risk- 9.3 Management review management measures Annex A. Information security controls reference: • 5.35 Independent review of information security
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov NIS 2 Cybersecurity risk-management measures mapping to ISO 27001:2022 1.0, 29.12.2022
Article 21.2 g) 7.3 Awareness
Basic computer hygiene practices and 7.4 Communication cybersecurity training Annex A. Information security controls reference: • 6.3 Information security awareness, education and training Article 21.2 h) Annex A. Information security controls reference: Policies and procedures regarding the • 8.24 Use of cryptography use of cryptography and, where appropriate, encryption Article 21.2 i) Annex A. Information security controls reference: Human resources security, access • 6.1 Screening control policies and asset management • 6.2 Terms and conditions of employment • 6.4 Disciplinary process • 6.5 Responsibilities after termination or change of employment • 6.6 Confidentiality or non-disclosure agreements
• 5.15 Access control
• 5.16 Identity management • 5.17 Authentication information • 5.18 Access rights
• 5.9 Inventory of information and other associated assets
• 5.10 Acceptable use of information and other associated assets Article 21.2 j) Annex A. Information security controls reference: The use of multi-factor authentication • 5.16 Identity management or continuous authentication solutions, • 5.17 Authentication information secured voice, video and text • 5.14 Information transfer communications and secured emergency communications systems within the entity, where appropriate Other Article 21.3 Annex A. Information security controls reference: Secure development procedures • 8.25 Secure development life cycle • 8.26 Application security requirements • 8.27 Secure system architecture and engineering principles • 8.28 Secure coding • 8.29 Security testing in development and acceptance • 8.30 Outsourced development • 8.31 Separation of development, test and production environments • 8.32 Change management • 8.33 Test information Article 21.4 10.2 Nonconformity and corrective action Appropriate and proportionate corrective measures (if not comply)