Where ISO 27001 Alone May Not Be Enough
ISO/IEC 27001:2022 is an international standard, not a law. ISO 27001 certification does not guarantee NIS2 compliance. Three areas – supply chain security, management accountability and the statutory obligation to report security incidents – generally require measures and evidence that go beyond what an ISO 27001 certificate alone can demonstrate.
ISO 27001 is a voluntary international standard, whereas NIS2 is binding European law. Certification therefore does not automatically replace compliance with all NIS2 obligations, particularly regarding supply chain security, reporting obligations and management accountability.
Article 21(2) of NIS2 defines ten categories of cybersecurity risk management measures that affected organisations are legally required to implement. The content of the ISO/IEC 27001:2022 standard and the controls listed in Annex A can be mapped to most of these categories – though without corresponding to them on a one-to-one basis as legal requirements:
Supply Chain Security
The NIS2 Directive requires organisations to assess and manage cybersecurity risks across their entire supply chain – not just within their own corporate boundaries.
Recent cyber security incidents have repeatedly shown that attackers exploit the supply chain to gain unauthorised access to larger customer networks. After all, the principle of efficiency – ‘achieving maximum reach with minimum effort!’ – applies here too.
Consequently, Article 21(2)(d) of NIS2 requires supply chain security, which is consistent with requirements 5.19–5.23 of Annex A to ISO 27001:
- Information security in supplier relationships
- Addressing information security in supplier agreements
- Management of information security in the ICT supply chain
- Monitoring, auditing and change management of supplier services
- Information security for the use of cloud services
Executive Accountability
Under NIS2, cybersecurity is no longer regarded as a purely technical matter that can be delegated to the IT department.
The Directive stipulates that the organisation’s management body must assume responsibility for approving, monitoring and regularly reviewing the implementation of cybersecurity risk management measures. In practice, senior management is expected to:
- Understand cyber risks and actively engage with them,
- Participate in governance activities and decision-making processes relating to cybersecurity,
- Provide adequate resources for resilience measures, and
- Monitor incident response preparedness and reporting obligations.
Depending on the national implementation of NIS2 and the relevant corporate and liability regulations, members of the management body may also face personal consequences if they fail to fulfil their cybersecurity duties adequately. Cybersecurity governance is thus becoming a key management responsibility – with potential regulatory and financial implications should sufficient oversight not be convincingly demonstrated.
Incident Reporting
NIS2 introduces legally binding timelines: organisations must submit an initial early‑warning notification to the competent authority within 24 hours of becoming aware of a significant incident, followed by a more detailed report within 72 hours and a final report at a later stage as defined in the legislation.
Many organisations currently lack the documented processes, clearly assigned responsibilities and tested procedures needed to meet these timeframes reliably. Existing incident management frameworks within an ISMS often require targeted adjustments to reflect the regulatory deadlines and external reporting obligations introduced by NIS2.
In practice, this usually means closing three specific gaps. First, defining and documenting a clear trigger for when “becoming aware” of a significant incident starts the 24‑hour clock – most ISMS procedures focus on internal severity classification rather than regulatory timing. Second, designating a specific role responsible for the early‑warning notification and direct liaison with the national CSIRT or competent authority, separate from the role that leads the internal response. Third, establishing an auditable evidence trail – including timestamped logs, copies of notifications and the rationale behind the initial severity assessment – that can be produced if a supervisory authority later reviews how the 24‑ and 72‑hour deadlines under NIS2 were met.
Operational Resilience
Regulators and customers increasingly expect evidence that resilience measures have been tested — not just documented on paper.
Organisations are therefore expected to demonstrate that they can maintain or quickly restore critical operations during disruptive events, rather than merely presenting written plans. This typically includes:
- Business continuity planning and regular testing
- Disaster recovery exercises for critical systems and data
- Realistic incident response simulations
- Defined and practised crisis management procedures
Together, these elements show whether resilience is truly embedded in day‑to‑day operations.