NIS2 Compliance

a roadmap aligned with the ISO/IEC 27001 standard

Methodology – PECB IMS2

(Integrated Implementation Methodology for Management Systems and Standards)

Objective

Objective: to achieve a demonstrable level of NIS2 compliance (measures, governance, evidence, preparation for assessments), leveraging an ISO/IEC 27001 ISMS (management, risks, controls, continuous improvement) to establish a sustainable compliance framework and facilitate client and regulatory audits.

1) Expected results (deliverable commitment)
At the end of the assignment, you will have:
  • A substantiated NIS2 classification: essential/important entity, scope, responsibilities, and governance.
  • A scope mapping (critical information systems, essential services, dependencies, suppliers, key assets) aligned with NIS2.
  • A NIS2 gap analysis and a prioritized remediation plan (quick wins + structural projects).
  • A set of operational NIS2 measures (policies, procedures, controls) tailored to the risk.
  • An incident management & reporting framework: detection, response, escalation, notification criteria, evidence.
  • Enhanced supply chain security: third-party requirements, assessment, clauses, monitoring.
  • An evidence pack: indicators, records, traceability, preparation for assessment.
  • An ISO/IEC 27001 roadmap: ISMS governance, risk analysis, SoA, internal audits, and continuous improvement.
  • A readiness assessment and a corrective action plan to pass a NIS2 assessment and/or move toward ISO/IEC 27001 certification.
2) Scope (what the offer covers)
2.1 Scope of “NIS2 Compliance”
  • Scope and definition: entity, activities, critical services, responsibilities.
  • Governance & responsibilities: organization, roles, oversight, decision-making, management awareness.
  • Risk management: approach, prioritization, response plans.
  • Technical and organizational measures: policies, procedures, controls.
  • Incident management: detection, response, escalation, communication, reporting preparation.
  • Supply chain security: requirements, assessment, contractualization, monitoring.
  • Continuity/resilience (as needed): critical dependencies, robustness measures.
  • Evidence & assessment preparation: indicators, records, traceability.
2.2 Scope of the “ISO/IEC 27001 Roadmap” (Management Framework)
  • ISMS governance: scope, objectives, KPIs, oversight.
  • ISO 27001 risk analysis: methodology, register, treatment plan.
  • Statement of Applicability (SoA): selected controls and justification.
  • Document management: policies/procedures/records.
  • Internal audit and management review: verification, decisions, continuous improvement.

The approach: NIS2 sets the requirements, and ISO 27001 provides the management framework and evidence to make compliance sustainable, measurable, and audit-ready.

3) Implementation Process (PECB IMS2 aligned with NIS2 + ISO/IEC 27001)
Phase 1 — Define & Establish

Objective: implement NIS2, define the scope, establish governance, and build the risk and evidence framework using ISO 27001.

Activities:
  1. Leadership & approval: sponsor, project governance, objectives, milestones.
  2. NIS2 classification: status (essential/important), obligations, initial scope.
  3. Roles & responsibilities: RACI (CISO, IT Ops, Risk, Legal/Compliance, DPO if applicable, business units).
  4. Context & stakeholders: regulators, customers, suppliers, major risks.
  5. Scope mapping: critical assets, essential services, dependencies, third parties.
  6. Risk methodology: NIS2 approach + ISO 27001 methodology (alignment).
  7. Core policies: security governance framework, principles, third-party requirements.
  8. ISO 27001 SoA (v1): initial structural controls related to NIS2 gaps.

Phase 1 Deliverables
  • Project charter + governance + RACI
  • NIS2 qualification + initial scope
  • “Services/assets/third parties” mapping (v1)
  • Risk methodology + risk register (v1)
  • Security policy (v1) + third-party requirements (v1)
  • ISO 27001 SoA (v1)
  • Project plan + evidence plan (structure)
Phase 2 — Implement & Operate

Objective: implement priority NIS2 measures, formalize procedures, and begin collecting evidence.

Activities:
  1. NIS2 gap analysis: requirements → current status → remediation plan.
  2. “Quick win” measures: hardening, access control, backups, logs, vulnerabilities (as appropriate).
  3. Key procedures: risk management, access control, vulnerability management, change management, backups.
  4. Supply chain: third-party inventory, assessment, clauses, requirements, monitoring.
  5. Incident management: playbooks, escalation, notification criteria, testing.
  6. Establishment of records: tickets, reviews, logs, certifications, reports.

Phase 2 Deliverables
  • NIS2 gap analysis + prioritized remediation plan
  • Procedures: incidents & escalation, vulnerability management, access, changes, backups/logs (depending on scope)
  • Third-party register + requirements/clauses + follow-up plan
  • Risk register (v2) + treatment plan + evidence of execution
  • Evidence catalog + record templates
  • ISO 27001 roadmap (aligned with NIS2 remediation)
Phase 3 — Monitor & Review

Objective: demonstrate measurable NIS2 governance and prepare for an assessment, leveraging ISO 27001 mechanisms.

Activities:
  1. Monitoring & KPIs: security, compliance, incident, third-party, and vulnerability indicators.
  2. NIS2-focused internal audit (ISO 27001): plan, checklists, findings.
  3. Management review: decisions, trade-offs, resources, residual risks, improvement plan.

Phase 3 Deliverables
  • KPI dashboard + periodic reviews (minutes)
  • Internal audit report + remediation plan
  • Management review minutes + decisions + action plan
  • Update of SoA, risks, evidence
Phase 4 — Maintain & Improve

Objective: finalize demonstrable compliance, close gaps, and prepare for the NIS2 assessment and the ISO 27001 certification process.

Activities:
  1. Non-conformity resolution: corrective actions, verification of effectiveness.
  2. Readiness: assessment simulation, verification of the evidence pack, final preparations.
  3. Sustainability: scheduling of internal audits, reviews, and improvement cycles.

Phase 4 Deliverables
  • Non-conformity register + corrective actions + closure evidence
  • “NIS2 Readiness” package: final evidence file + assessment checklist
  • “ISO 27001 Readiness” package (if desired): final Statement of Applicability (SoA) + audit plan + schedule
4) “Assessment & Evaluation” section (integrated throughout the assignment)
4.1 Evidence-based workshops
  • Definition of the evidence required by NIS2 requirements.
  • Establishment of records : reviews, tickets, reports, logs, and validations.
  • Organization of the document repository and traceability.
4.2 Deliverables and evidence
  • Evidence catalog + location + owner + frequency
  • Consolidated evidence package (procedures + records + reports)
5) Project Organization
Workshops (typical)
  • Kick-off + NIS2 qualification + scope definition
  • Workshops on assets, services, and third parties
  • NIS2 gap analysis workshop + remediation prioritization
  • Incident & notification workshop (playbooks + testing)
  • Supply chain workshop (third parties, clauses, monitoring)
  • Risk & ISO 27001 SoA workshop
  • Internal audit + management review + readiness
Client-side roles (minimum)
  • Sponsor (management)
  • Security Lead / CISO (owner)
  • IT Operations / Production lead
  • Risk/Compliance / Legal lead
  • Procurement / Vendor management lead (third parties)
  • Business unit lead (critical services)
6) Duration (to be adjusted based on the scope)
  • Standard: 8 to 14 weeks, depending on maturity, scope, and the number of critical suppliers.
  • Extended: 14+ weeks for multi-site environments, heterogeneous IT systems, or large-scale remediation programs.
7) What determines value (compliance + ISO trajectory)
  • Demonstrable compliance: NIS2 requirements translated into implemented measures and evidence.
  • Sustainable management: ISO 27001 provides a stable framework (risks, controls, audits, improvement).
  • Risk and impact reduction: better incident preparedness, controlled supply chain.
  • Simplified assessments: ready-to-use evidence pack, traceability, clear governance.
8) Options
  • “Architecture & Hardening” package: architecture review, hardening, segmentation, logs/monitoring.
  • “Penetration Testing & Remediation” package: application/infrastructure penetration testing + remediation plan + evidence.
  • “Crisis Exercise” package: cyber tabletop exercise + notification test + lessons learned.
  • “Scale” package: expansion to other entities / subsidiaries / scopes.