How ISO/IEC 27001:2022 Accelerates NIS2 Compliance for SMEs
The NIS2 Directive is here, and for many small and medium-sized enterprises, it feels like a regulatory tidal wave. If you’re an SME in a critical sector or part of a larger supply chain, you’re now on the hook for a higher standard of cybersecurity. This guide shows you how to use the globally recognised ISO/IEC 27001:2022 framework to meet NIS2 requirements efficiently and strategically.
What’s at stake
The Network and Information Security (NIS2) Directive is the EU’s ambitious move to bolster cybersecurity resilience across critical sectors. Unlike its predecessor, NIS2 casts a much wider net, pulling in more industries and placing direct accountability on senior management. For an SME, being unprepared is not an option. The directive mandates a baseline of security measures, strict incident reporting timelines, and robust supply chain risk management. Failure to comply can result in significant fines, operational disruption, and severe reputational damage that could jeopardise key business relationships.
At its core, NIS2 demands that organisations adopt a proactive, risk-based approach to cybersecurity. Article 21 of the directive outlines a minimum set of measures, including policies on risk analysis, incident handling, business continuity, and supply chain security. This is not a simple box-ticking exercise. Regulators will expect to see evidence of a living, breathing security programme that understands its unique threats and has implemented appropriate controls to mitigate them. For an SME with limited resources, trying to build this from scratch can feel overwhelming, leading to fragmented efforts that fail to meet the directive’s holistic expectations.
Consider a mid-sized logistics company that provides transport services for the food sector. Under NIS2, they are now considered an “important entity”. A ransomware attack that encrypts their scheduling and routing systems could halt operations for days, causing spoilage and breaking supply chain commitments. Under NIS2, this incident would require reporting to authorities within 24 hours. The company would also face scrutiny over its risk management practices. Did they have proper backups? Was access to critical systems controlled? Were their software vendors vetted for security? Without a structured framework, proving due diligence becomes a chaotic and often unsuccessful scramble.
What good looks like
Achieving compliance with NIS2 doesn’t have to mean reinventing the wheel. An Information Security Management System (ISMS) built on ISO/IEC 27001:2022 provides the perfect foundation. The standard is designed to help organisations manage their information security risks systematically. This inherent alignment means that by implementing ISO 27001, you are simultaneously building the exact capabilities and documentation that NIS2 demands. It transforms a daunting regulatory burden into a structured, manageable project that delivers tangible business value beyond mere compliance.
The synergy is clear across multiple domains. NIS2’s requirement for risk assessment and security policies is the very essence of ISO 27001 clauses 4 through 8. The directive’s heavy emphasis on supply chain security is directly addressed by Annex A controls like 5.19, 5.20, and 5.21, which cover security in supplier relationships. Similarly, NIS2 mandates for incident handling and business continuity are met by implementing controls 5.24 through 5.30. By using ISO 27001, you create a single, coherent system that satisfies multiple requirements, saving time, reducing duplication of effort, and providing a clear narrative for auditors and regulators. Our comprehensive controls library, Zenith Controls [1], helps you map these requirements precisely.
Imagine a small managed service provider (MSP) that hosts infrastructure for a local hospital. The hospital is an “essential entity” under NIS2 and must ensure its suppliers are secure. The MSP, by achieving ISO 27001 certification, can provide immediate, internationally recognised assurance that it has a robust ISMS. It can point to its risk assessment, its Statement of Applicability, and its internal audit reports as concrete evidence of compliance. This not only satisfies the hospital’s due diligence requirements under NIS2 but also becomes a powerful competitive differentiator, opening doors to more business in regulated sectors.
Practical path
Building an ISMS that aligns with both ISO 27001 and NIS2 is a strategic project, not just an IT task. It requires a methodical approach that starts with understanding your organisation and its risks, and then systematically implementing controls to manage them. By breaking the journey down into logical phases, even a small team can make steady, demonstrable progress. This path ensures you build a system that is not only compliant but also genuinely effective at protecting your business. The goal is to create a sustainable security programme, not just to pass an audit.
Phase 1: Establish Your Foundation (Weeks 1-4)
The first phase is about setting the stage. Before you can manage risk, you must understand your context. This involves defining what you are trying to protect (the scope), securing commitment from leadership, and identifying all your legal and regulatory obligations, with NIS2 being a primary driver. This foundational work, guided by ISO 27001 clauses 4 and 5, is critical for ensuring your ISMS is aligned with your business objectives and has the authority it needs to succeed. Without clear scope and leadership backing, even the best technical efforts will falter.
- Define the ISMS Scope: Clearly document which parts of your business, systems, and locations will be covered.
- Secure Management Commitment: Get formal approval and resources from top management. This is a non-negotiable requirement for both ISO 27001 and NIS2.
- Identify Interested Parties and Requirements: List all stakeholders (customers, regulators, partners) and their security expectations, including the specific articles of NIS2.
- Form the Implementation Team: Assign roles and responsibilities for building and maintaining the ISMS.
Phase 2: Assess and Plan Your Risk Treatment (Weeks 5-8)
This is the heart of your ISMS. Here, you will systematically identify, analyse, and evaluate information security risks. This process must be formal and repeatable. You will identify your critical assets, the threats that could harm them, and the vulnerabilities that expose them. The outcome is a prioritised list of risks that allows you to make informed decisions about where to focus your resources. This risk assessment directly satisfies the core requirement of NIS2 Article 21, providing a defensible basis for your security strategy. Our implementation blueprint, Zenith Blueprint [2], provides the necessary tools, including a pre-built risk register, to streamline this process.
- Create an Asset Inventory: Document all important information assets, including data, software, hardware, and services.
- Conduct a Risk Assessment: Use a defined methodology to identify threats and vulnerabilities for each asset, then calculate risk levels.
- Select Risk Treatment Options: For each significant risk, decide whether to mitigate, accept, avoid, or transfer it.
- Develop a Risk Treatment Plan: For risks you choose to mitigate, select appropriate controls from ISO 27001 Annex A and document your plan for implementing them.
- Create the Statement of Applicability (SoA): Document which of the 93 Annex A controls are applicable to your organisation and why, and justify any exclusions.
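The five steps above (asset inventory, risk assessment, treatment decision, treatment plan, SoA) form one procedure, and a small risk register makes the decision logic concrete. The following is an added example written for this guide; it is not code from the article or from the Zenith toolkit. It assumes a 5x5 likelihood/impact scale, a risk appetite threshold of 8, and a treatment rule (above appetite: mitigate if Annex A controls are proposed, otherwise transfer; at or below appetite: accept); all of these are illustrative choices. The control catalogue is limited to the Annex A identifiers the article names (5.19 to 5.21 and 5.24 to 5.30) plus 8.13 (information backup) for the ransomware scenario; a real SoA must cover all 93 controls. The sample risks are constructed for the logistics company described earlier.

```python
"""Risk register with treatment decisions and a Statement of Applicability.

Added example for this guide (not the article's or Zenith's own code).
Assumptions: 5x5 likelihood/impact scale, appetite threshold of 8,
and an illustrative treatment rule, all chosen for this example.
"""
from dataclasses import dataclass, field

# ISO/IEC 27001:2022 Annex A identifiers named in the article, plus 8.13.
# Titles are abbreviated; the full SoA must list all 93 controls.
ANNEX_A = {
    "5.19": "Information security in supplier relationships",
    "5.20": "Addressing information security within supplier agreements",
    "5.21": "Managing information security in the ICT supply chain",
    "5.24": "Incident management planning and preparation",
    "5.25": "Assessment and decision on information security events",
    "5.26": "Response to information security incidents",
    "5.27": "Learning from information security incidents",
    "5.28": "Collection of evidence",
    "5.29": "Information security during disruption",
    "5.30": "ICT readiness for business continuity",
    "8.13": "Information backup",
}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # Annex A ids proposed for mitigation
    treatment: str = ""                  # filled in by decide_treatment()

    @property
    def score(self) -> int:
        """Risk level on the constructed 5x5 scale (1..25)."""
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject scores outside the scale and control ids not in the catalogue."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.asset}: likelihood/impact must be 1..5")
    for cid in risk.controls:
        if cid not in ANNEX_A:
            raise KeyError(f"{risk.asset}: unknown Annex A control {cid}")


def decide_treatment(risk: Risk, appetite: int = 8) -> str:
    """Illustrative rule: at or below appetite -> accept; above appetite ->
    mitigate when controls are proposed, otherwise transfer (e.g. insurance)
    pending a documented decision."""
    validate(risk)
    if risk.score <= appetite:
        risk.treatment = "accept"
    elif risk.controls:
        risk.treatment = "mitigate"
    else:
        risk.treatment = "transfer"
    return risk.treatment


def prioritised_register(risks: list, appetite: int = 8) -> list:
    """Decide every treatment and return the register, highest score first."""
    for risk in risks:
        decide_treatment(risk, appetite)
    return sorted(risks, key=lambda r: r.score, reverse=True)


def statement_of_applicability(risks: list) -> dict:
    """A control is applicable when at least one mitigated risk selects it;
    every other control is recorded as excluded and flagged for justification."""
    soa = {}
    for cid, title in ANNEX_A.items():
        reasons = [f"{r.asset}: {r.threat}" for r in risks
                   if r.treatment == "mitigate" and cid in r.controls]
        soa[cid] = {
            "title": title,
            "applicable": bool(reasons),
            "justification": "; ".join(reasons) or "EXCLUDED - justification required",
        }
    return soa


# Constructed sample register for the logistics company scenario.
SAMPLE_RISKS = [
    Risk("Scheduling and routing system", "Ransomware encrypts production data",
         "No tested offline backups", 4, 5, ["8.13", "5.29", "5.30"]),
    Risk("Hosted infrastructure (MSP)", "Supplier compromise",
         "No security clauses in contract", 3, 4, ["5.19", "5.20", "5.21"]),
    Risk("Incident reporting process", "24-hour early warning missed",
         "No defined on-call contact", 3, 3, ["5.24", "5.26"]),
    Risk("Office printer", "Local outage", "Single device", 2, 1),
]

if __name__ == "__main__":
    for r in prioritised_register(SAMPLE_RISKS):
        print(f"{r.score:>2}  {r.treatment:<8}  {r.asset}  ({', '.join(r.controls) or '-'})")
    for cid, row in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"A.{cid}  {'YES' if row['applicable'] else 'NO '}  {row['justification']}")
```

Running the script prints the register ordered by score with the treatment chosen for each risk, followed by the SoA rows; the controls no mitigated risk selects (here 5.25, 5.27 and 5.28) are flagged rather than silently dropped, because an auditor will ask for the justification behind every exclusion.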
Phase 3: Implement Controls and Build Evidence (Weeks 9-16)
With your plan in place, it’s time to execute. This phase involves implementing the policies, procedures, and technical controls identified in your risk treatment plan. This is where the theory becomes practice. You might be deploying multi-factor authentication, writing a new backup policy, or training your staff on phishing awareness. It is crucial to document everything you do. For every control you implement, you must generate evidence that it is operating effectively. This evidence will be essential for your internal and external audits and for demonstrating NIS2 compliance to regulators.
- Deploy Technical Controls: Implement security measures like firewalls, encryption, access controls, and logging.
- Write and Communicate Policies: Develop and publish key policies covering areas like acceptable use, access control, and incident response.
- Conduct Security Awareness Training: Train all employees on their information security responsibilities.
- Establish Monitoring and Measurement: Set up processes to monitor control effectiveness and measure the performance of your ISMS.
Phase 4: Monitor, Audit, and Continuously Improve (Ongoing)
An ISMS is not a one-time project; it is a continuous cycle of improvement. This final phase, governed by ISO 27001 clauses 9 and 10, is about ensuring your ISMS remains effective over time. You will conduct regular internal audits to check for compliance and identify weaknesses. Management will review the performance of the ISMS to ensure it still meets business objectives. Any issues or nonconformities found are formally tracked and corrected. This ongoing process of monitoring and refinement is exactly what NIS2 regulators want to see, as it proves your commitment to maintaining a strong security posture.
- Conduct Internal Audits: Periodically review your ISMS against the requirements of ISO 27001 and your own policies.
- Hold Management Reviews: Present the performance of the ISMS to top management and make strategic decisions.
- Manage Nonconformities: Implement a formal process for identifying, documenting, and resolving any issues or compliance gaps.
- Prepare for Certification Audit: Engage with an external certification body to have your ISMS formally audited and certified.
Policies that make it stick
Policies are the backbone of your ISMS. They translate your security strategy into clear, enforceable rules for your entire organisation. For NIS2 compliance, having well-defined and consistently applied policies is not just good practice; it is a requirement. These documents provide clear guidance to employees, set expectations for suppliers, and serve as critical evidence for auditors and regulators. They demonstrate that your approach to security is deliberate and systematic, not reactive and ad hoc. Two of the most foundational policies that support both ISO 27001 and NIS2 are the Asset Management Policy and the Backup and Restore Policy.
The Asset Management Policy [3] is the starting point for all security efforts. You cannot protect what you do not know you have. This policy establishes a formal process for identifying, classifying, and managing all information assets throughout their lifecycle. For NIS2, a comprehensive asset inventory is essential for scoping your risk assessment. It ensures you have visibility over all the systems, applications, and data that support your critical services. Without it, you are flying blind, likely leaving significant gaps in your security coverage. This policy ensures that accountability is clear and that all critical components are included in your security programme.
Equally critical is the Backup and Restore Policy [4]. NIS2 Article 21 explicitly requires measures for business continuity, such as backup management and disaster recovery. This policy defines the rules for what data gets backed up, how often, where backups are stored, and how they are tested. In the event of a disruptive incident like a ransomware attack, a well-executed backup strategy is often the only thing that stands between a quick recovery and a catastrophic business failure. This policy provides assurance to management, customers, and regulators that you have a credible plan to maintain operational resilience and recover critical services in a timely manner, directly fulfilling a core mandate of the directive.
A small engineering firm that designs components for the energy sector implemented a formal Asset Management Policy. By cataloguing their design servers, CAD software licences, and sensitive client data, they identified their most critical assets. This allowed them to focus their limited security budget on protecting these high-value targets with stronger access controls and encryption, demonstrating a mature, risk-based approach during a supplier audit from a major energy client.
Checklists
To help you navigate your journey, here are three practical checklists. They are designed to guide you through the key stages of building, operating, and verifying your ISMS, ensuring you cover the essential requirements for both ISO/IEC 27001:2022 and the NIS2 Directive.
Build: Establishing Your ISO 27001 Framework for NIS2 Compliance
Before you can operate a compliant ISMS, you must build it on a solid foundation. This initial phase is about planning, scoping, and getting the necessary buy-in and resources. A mistake here can undermine the entire project. This checklist covers the essential strategic steps required to define your ISMS and align it with the risk management principles at the heart of NIS2.
- Secure formal management approval and budget for the ISMS project.
- Define and document the scope of the ISMS, explicitly referencing services that fall under NIS2.
- Identify all applicable legal, regulatory (NIS2), and contractual requirements.
- Establish an asset inventory of all information, hardware, software, and services in scope.
- Conduct a formal risk assessment to identify threats and vulnerabilities to your key assets.
- Create a Risk Treatment Plan detailing the controls selected to mitigate identified risks.
- Develop a Statement of Applicability (SoA) justifying the inclusion and exclusion of all 93 Annex A controls.
- Draft and approve foundational policies, including Information Security, Asset Management, and Acceptable Use.
Operate: Maintaining Daily Security Hygiene
Compliance is not a one-time event. It is the result of consistent, day-to-day operational discipline. This checklist focuses on the ongoing activities that keep your ISMS effective and your organisation secure. These are the practical measures that demonstrate to auditors and regulators that your security programme is alive and well, not just a collection of documents on a shelf.
- Conduct regular security awareness training for all employees, including phishing simulations.
- Enforce access control procedures, including regular reviews of user permissions and privileged access.
- Manage technical vulnerabilities by implementing a systematic patch management process.
- Monitor systems and networks for security events and unusual activity.
- Execute and test your data backup and restore procedures according to policy.
- Manage changes to systems and applications through a formal change control process.
- Oversee supplier security by conducting regular reviews and assessments of key vendors.
- Maintain security of physical sites, including access control to sensitive areas.
Verify: Auditing and Improving Your ISMS
The final piece of the puzzle is verification. You must regularly check that your controls are working as intended and that your ISMS is achieving its objectives. This continuous improvement loop is a core principle of ISO 27001 and a key expectation of NIS2. This checklist covers the assurance activities that provide management and stakeholders with confidence in your security posture.
- Schedule and conduct a full internal audit of the ISMS against ISO 27001 requirements.
- Perform regular penetration tests or vulnerability scans on critical systems.
- Test your incident response plan with tabletop exercises or full simulations.
- Test your disaster recovery and business continuity plans.
- Hold formal management review meetings to assess ISMS performance and allocate resources.
- Track all audit findings and nonconformities in a corrective action register until they are resolved.
- Collect and analyse metrics on the effectiveness of your security controls.
- Update your risk assessment at least annually or when significant changes occur.
Common pitfalls
Navigating the path to dual ISO 27001 and NIS2 compliance is challenging, and several common mistakes can derail even well-intentioned efforts. Being aware of these pitfalls can help you steer clear of them.
- Underestimating the Supply Chain Mandate: NIS2 places unprecedented focus on supply chain security. Many SMEs focus only on their internal controls and forget to perform due diligence on their critical suppliers. If your cloud provider or software vendor has a security failure that impacts you, you are still accountable under NIS2. You must have a process to assess and manage vendor risk.
- Treating It as a Purely IT Project: While IT is heavily involved, information security is a business issue. Without genuine buy-in and leadership from the top, the ISMS will lack the authority and resources it needs. NIS2 specifically places responsibility on management, so they must be actively involved in governance and risk decisions.
- Creating Shelfware: The biggest pitfall is creating a beautiful set of documents that nobody follows. An ISMS is a living system. If your policies are not communicated, your procedures are not followed, and your controls are not monitored, you have achieved nothing but a false sense of security. Auditors and regulators will look for evidence of operation, not just documentation.
- Poor or Ambiguous Scoping: Defining a scope that is too broad can make the project unmanageable for an SME. Defining it too narrowly can leave critical systems that fall under NIS2 out of scope, creating a major compliance gap. The scope must be carefully considered and clearly aligned with your critical services and business objectives.
- Neglecting Incident Response Testing: Having an incident response plan is a basic requirement. However, if it has never been tested, it will likely fail during a real crisis. NIS2 has very strict reporting deadlines (an initial report within 24 hours). A tabletop exercise can quickly reveal gaps in your plan, such as not knowing who to call or how to collect the right information quickly.
A small financial services firm achieved ISO 27001 certification but only ever discussed their incident response plan in meetings. When they suffered a minor data breach, the team was unprepared. They wasted hours debating who had the authority to contact their cyber insurance provider and struggled to gather the necessary forensic data, nearly missing their regulatory reporting window.
Next steps
Ready to build a resilient security posture that satisfies both ISO 27001 and NIS2? Our toolkits provide the policies, templates, and guidance you need to accelerate your compliance journey.
References
1. The Zenith Controls library provides a comprehensive mapping of all 93 Annex A controls to various regulations, including NIS2, helping you understand and document control alignment.
2. The Zenith Blueprint includes a ready-to-use Risk Register and Statement of Applicability template, designed to meet the specific requirements of ISO/IEC 27001:2022.
3. Our Asset Management Policy provides a structured template for identifying, classifying, and managing your information assets in line with ISO 27001 and NIS2 requirements.
4. The Backup and Restore Policy template establishes clear rules and procedures for data backup and recovery, directly supporting the business continuity requirements of NIS2.