Overview of Information Security Management System requirements under NIS2.
What is ISMS?
ISMS (Information Security Management System) is a systematic approach to managing an organisation’s information security. NIS2 requires the implementation of an ISMS for all Essential and Important entities.
ISMS Structure
NIS2 Specific Requirements (Article 21)
Mandatory Security Measures
| # | Measure | Description | Priority |
|---|---|---|---|
| 1 | Risk analysis & policies | Policies for risk analysis and information security | Critical |
| 2 | Incident handling | Prevention, detection and response to incidents | Critical |
| 3 | Business continuity | BCM, backup, disaster recovery, crisis management | Critical |
| 4 | Supply chain security | Supply chain security | High |
| 5 | Network security | Security in acquisition and development | High |
| 6 | Vulnerability handling | Vulnerabilities and their disclosure | High |
| 7 | Cybersecurity assessment | Evaluation of the effectiveness of measures | High |
| 8 | Cybersecurity hygiene | Basic practices and training | High |
| 9 | Cryptography | Use of cryptography and encryption | High |
| 10 | HR security | Human resources security | Medium |
| 11 | Access control | Access management | Critical |
| 12 | Asset management | Asset management | Medium |
| 13 | MFA/Continuous auth | Multi-factor authentication | Critical |
Technical Controls
Mandatory Technical Controls
| Control | Requirement | Standard | Status |
|---|---|---|---|
| Encryption at rest | AES-256 for data | FIPS 140-2/3 | Required |
| Encryption in transit | TLS 1.3 for all APIs | RFC 8446 | Required |
| Access Control | RBAC + MFA | NIST 800-63 | Required |
| Logging & Monitoring | SIEM, 1-year retention | | Required |
| Backup | Regular, encrypted, tested | 3-2-1 rule | Required |
| Patch Management | Critical <7d, High <30d | | Required |
| Firewall | Network perimeter + internal | | Required |
| Endpoint Protection | Antimalware, EDR | | Required |
| IDS/IPS | Network intrusion detection | | Recommended |
| DLP | Data Loss Prevention | | Recommended |
Encryption Standards
Organisational Controls
HR Security
| Phase | Control | Description |
|---|---|---|
| Pre-employment | Background check | According to position and access level |
| Onboarding | NDA | Non-disclosure agreement |
| Onboarding | Security training | Basic security training |
| Onboarding | Policy acknowledgement | Confirmation of reading policies |
| Onboarding | Access provisioning | Least privilege |
| During employment | Regular training | At least annually |
| During employment | Phishing simulation | At least quarterly |
| During employment | Access reviews | At least quarterly |
| Offboarding | Access revocation | Within 24h of termination |
| Offboarding | Asset return | Devices, keys, badges |
| Offboarding | Exit interview | Security debrief |
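The "Access revocation within 24h of termination" control above is one of the few rows that can be verified mechanically, by joining HR termination events against identity-system disable events. The following is an added example, not code from the original page: the 24-hour deadline comes from the table, while the log format, the event names (`TERMINATED`, `ACCOUNT_DISABLED`), the sample lines and the `offboarding_status` helper are all constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# From the Offboarding row above: access must be revoked within 24h of termination.
REVOCATION_DEADLINE = timedelta(hours=24)

# Constructed sample log lines (not real data), one event per line:
#   <ISO-8601 timestamp, UTC> <EVENT> user=<id> [key=value ...]
HR_LOG = """\
2024-06-03T09:00:00Z TERMINATED user=u1001
2024-06-03T17:30:00Z TERMINATED user=u1002
2024-06-04T12:00:00Z TERMINATED user=u1003
2024-06-06T02:00:00Z TERMINATED user=u1004
"""
IAM_LOG = """\
2024-06-03T10:15:00Z ACCOUNT_DISABLED user=u1001 by=iam-automation
2024-06-04T13:00:00Z PASSWORD_RESET user=u1003 by=helpdesk
2024-06-05T08:00:00Z ACCOUNT_DISABLED user=u1002 by=helpdesk
"""
NOW = datetime(2024, 6, 6, 9, 0)  # evaluation time (UTC), constructed

LINE = re.compile(r"^(\S+) (\S+) user=(\S+)", re.M)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def events(log, event_type):
    """{user: timestamp of the first event_type entry} parsed from the log text."""
    out = {}
    for ts, kind, user in LINE.findall(log):
        if kind == event_type and user not in out:
            out[user] = datetime.strptime(ts, TS_FORMAT)
    return out


def offboarding_status(hr_log, iam_log, now):
    """Classify every terminated user:
      compliant - account disabled within 24h of termination
      late      - disabled, but after the 24h deadline
      overdue   - still enabled and the deadline has passed (escalate)
      pending   - terminated less than 24h ago, not yet disabled
    A PASSWORD_RESET or any event other than ACCOUNT_DISABLED does not count as revocation."""
    terminated = events(hr_log, "TERMINATED")
    disabled = events(iam_log, "ACCOUNT_DISABLED")
    status = {}
    for user, term_at in terminated.items():
        off_at = disabled.get(user)
        if off_at is None:
            status[user] = "overdue" if now - term_at > REVOCATION_DEADLINE else "pending"
        elif off_at - term_at <= REVOCATION_DEADLINE:
            status[user] = "compliant"
        else:
            status[user] = "late"
    return status


def escalations(status):
    """Accounts still live past the deadline: the ones to disable first."""
    return sorted(u for u, s in status.items() if s == "overdue")


if __name__ == "__main__":
    result = offboarding_status(HR_LOG, IAM_LOG, NOW)
    for user, s in sorted(result.items()):
        print(f"{user}: {s}")
    print("escalate:", escalations(result))
```

Run daily, the "overdue" bucket is the actionable one (a live account for someone who has left), while the "late" bucket feeds the quarterly access review as evidence that the joiner-mover-leaver process is not meeting its own deadline.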
Training Requirements
| Role | Training | Frequency |
|---|---|---|
| All employees | Security awareness | Annually |
| All employees | Phishing awareness | Quarterly |
| IT staff | Technical security | Bi-annually |
| Developers | Secure coding | Bi-annually |
| Management | Security governance | Annually |
| CISO/Security team | Advanced certifications | Ongoing |
Risk Management
Risk Assessment Process
Risk Matrix
| Likelihood / Impact | Low | Medium | High | Critical |
|---|---|---|---|---|
| High | Medium | High | Critical | Critical |
| Medium | Low | Medium | High | Critical |
| Low | Low | Low | Medium | High |
| Very Low | Low | Low | Low | Medium |
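The matrix above applied to a risk register, as an added example that is not part of the original page. The cell values are copied from the matrix exactly; the register entries, the "residual risk" step (a control lowers likelihood by a number of rows, impact unchanged) and the risk-appetite threshold used to flag risks for treatment are assumptions made for this illustration.

```python
# Scales of the matrix above (rows, columns, and the ordered set of cell values).
LIKELIHOOD = ["Very Low", "Low", "Medium", "High"]
IMPACT = ["Low", "Medium", "High", "Critical"]
RATING = ["Low", "Medium", "High", "Critical"]

# MATRIX[likelihood][impact] -> rating, cell for cell as in the table.
MATRIX = {
    "High":     {"Low": "Medium", "Medium": "High",   "High": "Critical", "Critical": "Critical"},
    "Medium":   {"Low": "Low",    "Medium": "Medium", "High": "High",     "Critical": "Critical"},
    "Low":      {"Low": "Low",    "Medium": "Low",    "High": "Medium",   "Critical": "High"},
    "Very Low": {"Low": "Low",    "Medium": "Low",    "High": "Low",      "Critical": "Medium"},
}

# Constructed risk register (not real data). control_steps is an assumption: how many
# likelihood rows the planned control is expected to remove.
RISK_REGISTER = [
    {"id": "R1", "name": "Ransomware on file servers",    "likelihood": "High",   "impact": "Critical", "control_steps": 1},
    {"id": "R2", "name": "Phishing-led credential theft", "likelihood": "High",   "impact": "High",     "control_steps": 2},
    {"id": "R3", "name": "Development environment outage","likelihood": "Low",    "impact": "Low",      "control_steps": 0},
    {"id": "R4", "name": "Breach at a SaaS vendor",       "likelihood": "Medium", "impact": "High",     "control_steps": 1},
]


def rate(likelihood, impact):
    """Inherent risk rating from the matrix; values outside the scales are rejected
    rather than silently mapped to something."""
    if likelihood not in MATRIX or impact not in IMPACT:
        raise ValueError(f"unknown likelihood/impact: {likelihood!r}/{impact!r}")
    return MATRIX[likelihood][impact]


def residual_rating(likelihood, impact, likelihood_steps_reduced):
    """Rating after a control lowers likelihood by N rows (assumption: impact is
    unchanged and likelihood cannot drop below 'Very Low')."""
    idx = max(0, LIKELIHOOD.index(likelihood) - likelihood_steps_reduced)
    return rate(LIKELIHOOD[idx], impact)


def prioritise(register, appetite="Medium"):
    """Rank risks by residual rating, then inherent rating (highest first), and flag
    those whose residual rating still sits above the risk appetite."""
    rows = []
    for r in register:
        inherent = rate(r["likelihood"], r["impact"])
        residual = residual_rating(r["likelihood"], r["impact"], r["control_steps"])
        rows.append({
            "id": r["id"],
            "inherent": inherent,
            "residual": residual,
            "needs_treatment": RATING.index(residual) > RATING.index(appetite),
        })
    rows.sort(key=lambda x: (RATING.index(x["residual"]), RATING.index(x["inherent"])), reverse=True)
    return rows


if __name__ == "__main__":
    for row in prioritise(RISK_REGISTER):
        flag = "TREAT" if row["needs_treatment"] else "accept"
        print(f"{row['id']}: inherent={row['inherent']:<8} residual={row['residual']:<8} {flag}")
```

The point of carrying the residual column is that the matrix alone only ranks exposure; the treatment decision depends on where the risk lands after the planned control, compared with what the organisation has decided to accept.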
Business Continuity
BCM Components
| Component | Description | Requirement |
|---|---|---|
| BIA | Business Impact Analysis | Identify critical processes |
| BCP | Business Continuity Plan | Continuity plan |
| DRP | Disaster Recovery Plan | Technical recovery |
| IRP | Incident Response Plan | Incident response |
| CMP | Crisis Management Plan | Crisis management |
Recovery Objectives
| System | RTO | RPO |
|---|---|---|
| Critical production | <4h | <1h |
| Web services | <2h | <1h |
| Email | <8h | <4h |
| Internal apps | <24h | <8h |
| Development | <48h | <24h |
Testing Schedule
| Test | Frequency | Scope |
|---|---|---|
| Backup restoration | Monthly | Sample restore |
| Failover test | Quarterly | DR site activation |
| Tabletop exercise | Bi-annually | Scenario walkthrough |
| Full DR drill | Annually | Complete failover |
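The Recovery Objectives and Testing Schedule tables above describe targets and the tests that prove them; the following added example (not code from the original page) shows how both are measured. The RTO/RPO values per tier are copied from the Recovery Objectives table, read as strict limits ("<4h" means under four hours). The backup log format, the drill records, the system names and the `rpo_exposure`/`rto_results` helpers are assumptions constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Recovery objectives per system tier, from the Recovery Objectives table above.
OBJECTIVES = {
    "Critical production": {"rto": timedelta(hours=4),  "rpo": timedelta(hours=1)},
    "Web services":        {"rto": timedelta(hours=2),  "rpo": timedelta(hours=1)},
    "Email":               {"rto": timedelta(hours=8),  "rpo": timedelta(hours=4)},
    "Internal apps":       {"rto": timedelta(hours=24), "rpo": timedelta(hours=8)},
    "Development":         {"rto": timedelta(hours=48), "rpo": timedelta(hours=24)},
}

# Constructed backup log (not real data): one line per backup run, in UTC.
BACKUP_LOG = """\
2024-06-10T02:00:00Z backup system=mail tier="Email" result=success
2024-06-10T03:00:00Z backup system=wiki tier="Internal apps" result=success
2024-06-10T07:30:00Z backup system=erp-db tier="Critical production" result=success
2024-06-10T08:20:00Z backup system=www tier="Web services" result=success
2024-06-10T08:30:00Z backup system=erp-db tier="Critical production" result=failed
"""
# Constructed results of a quarterly failover test:
# (system, tier, moment the primary was taken down, moment service was confirmed restored)
DRILLS = [
    ("erp-db", "Critical production", datetime(2024, 5, 12, 10, 0), datetime(2024, 5, 12, 13, 10)),
    ("www",    "Web services",        datetime(2024, 5, 12, 10, 0), datetime(2024, 5, 12, 12, 45)),
]
NOW = datetime(2024, 6, 10, 9, 0)  # evaluation time, constructed

LINE = re.compile(r'^(\S+) backup system=(\S+) tier="([^"]+)" result=(\S+)', re.M)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def rpo_exposure(log, now):
    """Worst-case data loss if each system failed right now: the time since its last
    *successful* backup (failed runs are ignored, which is what makes a failed
    nightly job show up as an RPO breach). Returns
    {system: (tier, exposure, breached)} with breached = exposure >= tier RPO."""
    last_ok = {}
    for ts, system, tier, result in LINE.findall(log):
        if result != "success":
            continue
        t = datetime.strptime(ts, TS_FORMAT)
        if system not in last_ok or t > last_ok[system][1]:
            last_ok[system] = (tier, t)
    return {
        system: (tier, now - t, now - t >= OBJECTIVES[tier]["rpo"])
        for system, (tier, t) in last_ok.items()
    }


def rto_results(drills):
    """Recovery time achieved per drilled system and whether it met the tier's RTO."""
    return {
        system: (restored - started, restored - started < OBJECTIVES[tier]["rto"])
        for system, tier, started, restored in drills
    }


if __name__ == "__main__":
    for system, (tier, exposure, breached) in rpo_exposure(BACKUP_LOG, NOW).items():
        print(f"RPO {system:7} ({tier}): {exposure} since last good backup -> {'BREACH' if breached else 'ok'}")
    for system, (achieved, met) in rto_results(DRILLS).items():
        print(f"RTO {system:7}: recovered in {achieved} -> {'met' if met else 'MISSED'}")
```

The RPO check is the one worth scheduling alongside the backups themselves: a tier with a one-hour RPO is breached the moment a single hourly run fails, long before the monthly sample restore would notice. The RTO figures can only come from an actual failover or drill, which is why the testing schedule matters as evidence.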
Vendor Security
Due Diligence Checklist
- Security questionnaire
- Certifications (ISO 27001, SOC 2)
- Penetration test results
- DPA (Data Processing Agreement)
- NDA
- Insurance certificate
- Sub-processor list
Ongoing Monitoring
| Activity | Frequency |
|---|---|
| Security review | Annually |
| Access audit | Quarterly |
| Incident review | On incident |
| Contract review | On renewal |
ISO 27001 Alignment
NIS2 requirements are closely aligned with ISO 27001:
| NIS2 Requirement | ISO 27001 Control |
|---|---|
| Risk analysis | A.6.1 Risk assessment |
| Incident handling | A.5.24-27 |
| Business continuity | A.5.29-30 |
| Supply chain | A.5.21-22 |
| Vulnerability handling | A.8.8 |
| Access control | A.5.15-18, A.8.2-5 |
| Cryptography | A.8.24 |
| HR security | A.6.1-6 |
Recommendation: ISO 27001 certification significantly facilitates NIS2 compliance.