NIS2 Resilience

Integrated ISMS & business continuity — preparation for ISO/IEC 27001 & ISO 22301

Methodology – PECB IMS2

(Integrated Implementation Methodology for Management Systems and Standards)

Objective

Build a robust and resilient organization capable of withstanding crises (cyberattacks, outages, supplier unavailability), with demonstrable NIS2 compliance, by implementing an operational, tested, and audit-ready ISMS (ISO/IEC 27001) and BCMS (ISO 22301).

1) Expected results (deliverable commitment)
At the end of the assignment, you will have:
  • An operational ISMS (ISO/IEC 27001): governance, risks, controls, evidence, internal audits.
  • An operational BCMS (ISO 22301): BIA, continuity strategy, disaster recovery/business continuity plans, crisis management organization, drills.
  • Integrated security and continuity governance: responsibilities, committees, decisions, KPIs.
  • Mapping of critical services and dependencies (IT systems, business units, suppliers, infrastructure) and availability requirements.
  • Unified risk management: IT risks (27001) + continuity risks (22301), with response plans.
  • An incident and crisis management system: detection, response, escalation, communication, business/IT coordination.
  • Enhanced supply chain control: requirements, contractual agreements, monitoring of critical suppliers.
  • A NIS2 evidence plan and an evidence pack (procedures + records + exercise reports) to demonstrate compliance.
  • Tests and exercises conducted: cyber tabletop exercises, DRP tests, crisis management exercises, lessons learned (REX).
  • A readiness assessment: NIS2 compliance + ISO/IEC 27001 & ISO 22301 readiness, with a corrective action plan.
2) Scope (what the offer covers)
2.1 Scope of “ISO/IEC 27001”
  • Governance: leadership, roles, policies, objectives, KPIs.
  • IT risk management: methodology, registers, processes, acceptance.
  • Statement of Applicability (SoA): selected controls/justification.
  • Key measures: IAM, logging, vulnerabilities, backups, hardening, operational security.
  • Third-party/supply chain management: requirements, assessment, clauses, monitoring.
  • Incident management: response, escalation, post-mortem.
  • Internal audit, management review, continuous improvement.
2.2 Scope of “BCMS ISO 22301”
  • Definition of the continuity scope (services, sites, teams, vendors).
  • BIA (Business Impact Analysis): impacts, priorities, RTO/RPO, dependencies.
  • Continuity strategy: options, redundancies, target organization.
  • Plans: DRP/BCP, recovery procedures, crisis management, communication.
  • Exercises: DRP tests, simulations, lessons learned, improvement plans.
  • Oversight and continuous improvement (reviews, KPIs, plan updates).
2.3 “NIS2 Compliance” Scope (Integrated)
  • Governance and responsibilities (management, oversight).
  • Risk management and technical/organizational measures.
  • Incident management and reporting readiness.
  • Supply chain security and dependencies.
  • Evidence & assessment readiness: records, reports, metrics.

The approach: NIS2 sets the requirements; 27001 structures cybersecurity; 22301 structures business continuity. Together, they produce demonstrable evidence and tested systems.

3) Implementation process (PECB IMS2 aligned with NIS2 + ISO/IEC 27001 + ISO 22301)
Phase 1 — Define & establish

Objective: Define the scope, establish integrated governance, and lay the foundation for risk, business continuity, and evidence.

Activities:

  1. Leadership & approval: sponsor, project governance, objectives, milestones.
  2. NIS2 qualification: scope, requirements, compliance priorities.
  3. Roles & responsibilities: RACI (security, business continuity, IT operations, business units, vendors).
  4. Mapping of critical services & dependencies: IT systems, business units, third parties, infrastructure.
  5. Evidence strategy: NIS2 + ISO evidence pack structure (procedures + records + tests).
  6. Risk methodologies: IT risks (27001) + business continuity risks (22301) + integration.
  7. BIA (scope definition): method, scope, interview schedule, required data.
  8. ISO/IEC 27001 SoA (v1) and initial documentation framework (base policies, plans).

Phase 1 Deliverables

  • Project charter + governance + RACI
  • NIS2 qualification + initial scope
  • “Services/dependencies/third parties” mapping (v1)
  • IT risk methodology + risk register (v1)
  • Business continuity methodology + BIA work plan
  • ISO/IEC 27001 SoA (v1)
  • Project plan + evidence plan (structure)
Phase 2 — Implement & operate

Objective: Implement NIS2 measures, formalize business continuity plans, and launch operations.

Activities:

  1. Comprehensive BIA: impacts, priorities, RTO/RPO, critical dependencies.
  2. Business continuity strategy: scenarios, options, target organization.
  3. DRP/BCP plans: recovery procedures, testing, success criteria.
  4. Cybersecurity measures (27001): priority controls + procedures (access, logs, vulnerabilities, backups, changes, third parties).
  5. Supply chain: third-party requirements, assessment, clauses, monitoring of critical suppliers.
  6. Incidents & crises: playbooks, escalation, communication, IT/business coordination.

Phase 2 Deliverables

  • BIA (report) + RTO/RPO + dependencies
  • Continuity strategy + DRP/BCP plans (v1)
  • Crisis & communication procedures (v1)
  • Risk register (v2) + treatments + evidence
  • Key security procedures + records
  • Third-party register + requirements/clauses + monitoring plan
  • Evidence catalog + record templates
Phase 3 — Monitor & review

Objective: Demonstrate effectiveness through KPIs, internal audits, and exercises that test the system.

Activities:

  1. Monitoring & KPIs: security + business continuity (incidents, vulnerabilities, tests, availability).
  2. Internal audit (ISO/IEC 27001 and business continuity elements) aligned with NIS2.
  3. Exercises: cyber tabletop exercises, DRP/BCP testing, crisis management exercises.
  4. Executive review: decisions, trade-offs, budgets, improvement plan.

Phase 3 Deliverables

  • KPI dashboard + review reports
  • Internal audit reports + action plan
  • Exercise reports (table-top/DRP test/crisis) + lessons learned
  • Update of SoA, risks, plans, evidence
Phase 4 — Maintain & improve

Objective: Close gaps, stabilize, and finalize preparations for audits and assessments.

Activities:

  1. Corrective actions: non-conformities, effectiveness verification.
  2. Readiness: review of the NIS2 evidence pack + preparation for ISO 27001/22301.
  3. Sustainability: audit schedule, periodic tests, reviews, continuous improvement.

Phase 4 Deliverables

  • Non-conformity log + corrective actions + closure evidence
  • “NIS2 Readiness” package: final evidence file + assessment checklist
  • “ISO Readiness” package: audit transition plan + checklist (27001 + 22301)
4) “Tests & evidence” section (integrated on an ongoing basis)
4.1 Pilot workshops
  • Definition of scenarios (cyber incidents, system failures, third-party outages).
  • Success criteria (RTO/RPO), responsibilities, and communications.
  • Test planning and evidence collection.
4.2 Test deliverables
  • Test Plan (DRP/BCP + Stress Tests)
  • Test Reports + lessons learned + Improvement Plan
5) Project organization
Workshops (typical)
  • Kick-off + NIS2 qualification + scope definition
  • Workshops on mapping services/assets/dependencies/third parties
  • Workshops on risks + ISO/IEC 27001 SoA
  • Workshops on BIA + continuity strategy
  • Workshops on DRP/BCP + crisis management + communication
  • Supply chain workshop (third parties, clauses, monitoring)
  • Internal audit + exercises + management review + readiness
Client-side roles (minimum)
  • Sponsor (management)
  • Security officer/CISO (owner)
  • Business continuity officer (BCM owner)
  • IT operations/Production officer
  • Risk/Compliance/Legal Officer
  • Procurement/Vendor Management Officer (third parties)
  • Business unit officer (critical services)
6) Duration (to be adjusted based on the scope)
  • Standard: 12 to 20 weeks, depending on maturity, the number of critical services, and the complexity of the DRP/BCP.
  • Extended: 20+ weeks for multi-site environments, heterogeneous IT systems, or significant vendor dependencies.
7) What drives value (compliance + certifications)
  • Demonstrable NIS2 compliance: implemented measures + evidence + tested systems.
  • Proven resilience: BIA, DRP/BCP, and drills minimize the impact of crises.
  • Sustainable management: ISO 27001 and ISO 22301 establish a framework for auditing, measurement, and continuous improvement.
  • Customer trust: availability, continuity, and security become key business advantages.
8) Options
  • “Architecture & Hardening” package: segmentation, hardening, observability, operational requirements.
  • “Penetration Testing & Remediation” package: penetration testing + remediation plan + evidence.
  • “Regulatory Exercise” package: audit/assessment simulation + crisis communication.
  • “Scale” package : expansion to additional subsidiaries/business units.