Great summary here from Marcel on the distinctions between ISO 27001 and NIS2 compliance. As we dive deeper into these frameworks, it’s clear that while ISO 27001 sets a foundation, NIS2 brings added rigor, especially around areas like MFA and incident response. In a landscape where cyber threats constantly evolve, starting with ISO 27001 is a great first step but we can’t stop there. Committing to continuous improvement and assessing our maturity in these critical areas is essential. For anyone working toward NIS2 compliance, this journey requires strategic prioritization together with a long-term view.
Is an #ISO27001 certification sufficient to cover your #NIS2 obligations? Most certainly, the answer is no! Does this mean that ISO 27001 was a waste of time? Absolutely not!

Marcel Rieger summarized the essential facts for you:

While ISO 27001 controls can cover approximately 75% of the NIS2 requirements, if fully implemented, some areas require a higher level of maturity. For example, ISO 27001 does not address Multi-Factor Authentication (#MFA) at all. Additionally, for other requirements like incident management, continuity management, disaster recovery, and crisis management, NIS2 requires more than what is covered by ISO 27001.

Note: Increasing cyber resilience is also one of the main reasons for the regulation.

What is the best way to address both ISO 27001 and NIS2? This can be broken down into four simple steps to get started:

➡️ Verify that your #ISMS scope covers your entire organization (as required by NIS2).
➡️ Check the control status for controls directly impacting major NIS2 requirements.
➡️ Evaluate already running projects to improve the maturity state of NIS2 areas.
➡️ Prioritize and plan for major gaps.

After these steps, are you NIS2 compliant? Not entirely, but you've started your journey!

Bonus tip: If someone tries to sell you a comprehensive, fast-track NIS2 (magic) certification, think twice. Security cannot be achieved without ongoing commitment.

The good news: Once you've covered the basics, it gets easier.

Summary: ISO 27001 certification isn't sufficient to meet all NIS2 requirements. However, it provides a solid baseline to build upon.

Dare to be secure!

#CyberResilience #InformationSecurity #CyberSecurity #Regulations #JAMORIE