NIS2 Cyber Hygiene Evidence Mapped to ISO 27001

It is 08:40 on a Monday. Sarah, the CISO of a fast-growing B2B SaaS provider, joins the leadership call expecting a routine review of open risk actions. Instead, the general counsel opens with a sharper question:
“If the national competent authority asks us tomorrow to prove NIS2 Article 21 cyber hygiene and cybersecurity training, what exactly do we send?”
The HR director says every employee completed annual awareness training. The SOC manager says phishing simulations are improving. The IT operations lead says MFA is enforced, backups are tested, and patching is tracked. The compliance manager says the ISO/IEC 27001:2022 audit file contains training records, but the DORA project team has its own resilience training evidence, while the GDPR folder has separate privacy awareness logs.
Everyone has done work. Nobody is sure the evidence tells one coherent story.
That is the real NIS2 Article 21 problem for essential and important entities. The requirement is not simply “train users.” Article 21 requires appropriate and proportionate technical, operational and organisational measures to manage cyber risk. Its minimum control set includes cyber hygiene and cybersecurity training, but also incident handling, business continuity, supply chain security, vulnerability handling, cryptography, HR security, access control, asset management, MFA or continuous authentication, secured communications, and procedures to assess effectiveness.
Cyber hygiene is not an awareness campaign. It is the daily operating discipline that connects people, controls, evidence, and management accountability.
For CISOs, compliance managers, MSPs, SaaS providers, cloud operators, and digital service providers, the practical answer is not to create a separate “NIS2 training project.” The stronger approach is to build one audit-ready evidence chain inside an ISO/IEC 27001:2022 ISMS, supported by ISO/IEC 27002:2022 control practices, risk-managed through ISO/IEC 27005:2022, and cross-referenced to NIS2, DORA, GDPR, NIST-style assurance, and COBIT 2019 governance expectations.
Why NIS2 Article 21 makes training board evidence
NIS2 applies to many medium and large entities in Annex I and Annex II sectors that provide services or carry out activities in the Union. For technology companies, the scope can be wider than many leadership teams expect. Annex I covers digital infrastructure, including cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, DNS service providers, and TLD registries. Annex I also covers ICT service management B2B, including managed service providers and managed security service providers. Annex II includes digital providers such as online marketplaces, online search engines, and social networking services platforms.
Some entities can be in scope regardless of size, including certain DNS service providers and TLD registries. National criticality decisions can also bring smaller providers into scope where disruption could affect public safety, systemic risk, or essential services.
Article 21(1) requires essential and important entities to implement appropriate and proportionate technical, operational, and organisational measures to manage risks to network and information systems used for operations or service provision, and to prevent or minimise incident impact. Article 21(2) lists the minimum measures, including policies on risk analysis and information system security, incident handling, business continuity, supply chain security, secure acquisition and maintenance, effectiveness assessment, basic cyber hygiene practices and cybersecurity training, cryptography, HR security, access control, asset management, and MFA or continuous authentication where appropriate.
Article 20 raises the stakes. Management bodies must approve cybersecurity risk-management measures, oversee implementation, and can be held liable for infringements. Members of management bodies must follow training, and entities are encouraged to provide similar regular training to employees so they can identify risks and assess cybersecurity risk-management practices and their impact on services.
Article 34 adds financial pressure. Infringements of Article 21 or Article 23 can trigger administrative fines reaching at least EUR 10,000,000 or 2% of worldwide annual turnover for essential entities, and at least EUR 7,000,000 or 1.4% for important entities, whichever is higher.
That is why “we ran annual awareness training” is not enough. A regulator, ISO auditor, customer security assessor, or cyber insurer will expect evidence that training is role-based, risk-based, current, measured, connected to incidents, and understood by management.
Clarysec’s enterprise Information Security Awareness and Training Policy, clause 5.1.1.3, requires training to:
Cover topics such as phishing, password hygiene, incident reporting and management, physical security, and data protection and minimization
The same policy, clause 8.3.1.1, identifies the evidence line auditors usually ask for first:
Records of training assignment, acknowledgment, and completion
For SMEs, Clarysec’s Information Security Awareness and Training Policy - SME, clause 8.4.1, is even more direct about auditability:
Training records are subject to internal audit and external review. Records must be accurate, complete, and demonstrable on request (e.g., for ISO certification, GDPR audit, or insurance validation).
That sentence captures the difference between awareness as an HR activity and awareness as a compliance control. If records are incomplete, unverifiable, or not linked to role risk, the control may exist operationally but fail under audit.
Use ISO/IEC 27001:2022 as the evidence spine
ISO/IEC 27001:2022 is the natural backbone for NIS2 Article 21 because it forces the organisation to define scope, interested parties, risks, controls, objectives, evidence, internal audit, management review, and continual improvement.
Clauses 4.1 to 4.4 require the organisation to understand internal and external issues, determine interested parties and their requirements, define the ISMS scope, consider interfaces and dependencies with activities performed by other organisations, and maintain the ISMS as an interacting set of processes. For a SaaS provider or MSP, the ISMS scope should explicitly include NIS2 obligations, customer contractual obligations, cloud provider dependencies, outsourced SOC coverage, data processing roles, and service availability commitments.
Clauses 5.1 to 5.3 bring governance accountability. Top management must align information security policy and objectives with strategic direction, integrate ISMS requirements into business processes, provide resources, assign responsibilities, and ensure performance reporting. That aligns directly with NIS2 Article 20, where management bodies approve and oversee cybersecurity risk-management measures.
Clauses 6.1.1 to 6.1.3 and 6.2 convert legal expectations into risk treatment. The organisation must plan actions for risks and opportunities, operate a repeatable information security risk assessment process, determine risk owners, select treatment options, compare controls with Annex A, create a Statement of Applicability, formulate a treatment plan, obtain risk-owner approval, and set measurable security objectives.
This is where NIS2 Article 21 becomes manageable. You do not need a disconnected NIS2 awareness program. You need a mapped risk and control story.
| NIS2 requirement area | ISO/IEC 27001:2022 evidence mechanism | Practical evidence |
|---|---|---|
| Management approval and oversight | Clauses 5.1, 5.3, 9.3 | Board minutes, management review pack, role assignments, budget approvals |
| Cyber hygiene and training | Clause 7.2, Clause 7.3, Annex A people and technology controls | Training plan, LMS exports, role matrix, phishing results, policy acknowledgements |
| Risk analysis and security policy | Clauses 6.1.2, 6.1.3, 6.2 | Risk assessment, risk treatment plan, Statement of Applicability, security objectives |
| Effectiveness assessment | Clauses 9.1, 9.2, 10.2 | KPIs, internal audit results, corrective actions, control testing results |
| Incident handling and reporting readiness | Annex A incident management controls | Incident runbooks, escalation logs, tabletop reports, evidence preservation records |
| Supply chain and cloud dependency | Annex A supplier and cloud service controls | Supplier register, due diligence, contracts, exit plans, service reviews |
| Access, asset management, and MFA | Annex A access, asset, and identity controls | Asset inventory, access reviews, MFA reports, privileged access evidence |
Clauses 8.1 to 8.3, 9.1 to 9.3, and 10.1 to 10.2 complete the operating loop. They require planned operational control, risk reassessment, implementation of treatment plans, monitoring and measurement, internal audit, management review, continual improvement, and corrective action. ISO/IEC 27001:2022 becomes the evidence engine for NIS2 Article 21, not just a certification badge.
Translate cyber hygiene into ISO control anchors
“Cyber hygiene” is broad by design. For auditors, it must be translated into specific, testable controls. Clarysec usually starts NIS2 Article 21 cyber hygiene evidence with three practical control anchors from ISO/IEC 27002:2022, interpreted through Zenith Controls: The Cross-Compliance Guide.
The first anchor is ISO/IEC 27002:2022 control 6.3, Information security awareness, education and training. In Zenith Controls, 6.3 is treated as a preventive control supporting confidentiality, integrity, and availability. Its operational capability is human resource security, and its cybersecurity concept is protect. That frames awareness as a protective control, not a communications exercise.
Zenith Controls also shows how 6.3 depends on, and reinforces, other controls. It ties to 5.2 information security roles and responsibilities because training must reflect assigned responsibilities. It ties to 6.8 information security event reporting because staff cannot report what they do not recognise. It ties to 8.16 monitoring activities because SOC analysts and operations staff need training to recognise anomalies and follow response protocols. It ties to 5.36 compliance with policies, rules and standards for information security because policies only work when people understand them.
As Zenith Controls states for ISO/IEC 27002:2022 control 6.3:
Compliance is contingent upon awareness. 6.3 ensures that employees are aware of security policies and understand their personal responsibility in adhering to them. Regular education and training mitigate the risk of unintentional policy breaches due to ignorance.
The second anchor is ISO/IEC 27002:2022 control 5.10, acceptable use of information and other associated assets. Cyber hygiene depends on people understanding what they may do with endpoints, cloud drives, SaaS tools, collaboration platforms, removable media, production data, test data, and AI-enabled tools. Zenith Controls maps 5.10 as a preventive control across asset management and information protection. In practice, acceptable use evidence is not only a signed policy. It includes proof that the policy covers the real asset estate, onboarding includes acknowledgement, monitoring supports enforcement, and exceptions are handled.
The third anchor is ISO/IEC 27002:2022 control 5.36, compliance with policies, rules and standards for information security. This is the audit bridge. Zenith Controls maps 5.36 as a preventive governance and assurance control. It ties to 5.1 policies for information security, 6.4 disciplinary process, 5.35 independent review of information security, 5.2 roles and responsibilities, 5.25 assessment and decision on information security events, 8.15 logging, 8.16 monitoring activities, and 5.33 protection of records.
For NIS2 Article 21, this is crucial. Regulators and auditors do not only ask whether a policy exists. They ask whether adherence is monitored, breaches are detected, evidence is protected, corrective action occurs, and management sees the results.
Build a NIS2 cyber hygiene and training evidence pack
Consider a mid-sized SaaS provider preparing for both NIS2 readiness and an ISO/IEC 27001:2022 surveillance audit. The organisation has 310 employees, including developers, SREs, support agents, sales staff, contractors, and executives. It provides cloud-based workflow services to EU customers and relies on a hyperscale cloud provider, two identity platforms, an outsourced MDR provider, and several subcontracted support tools.
The compliance manager has training exports from the LMS, but they are not mapped to NIS2 Article 21, ISO controls, business roles, or risk scenarios. A practical remediation sprint produces a Cyber Hygiene and Training Evidence Pack with six components.
| Evidence component | What it proves | Owner | Audit test |
|---|---|---|---|
| Role-based training matrix | Training is matched to responsibilities and risk exposure | ISMS Manager and HR | Sample roles and verify required modules were assigned |
| Annual training plan | Competence and awareness are planned, not ad hoc | ISMS Manager | Check dates, topics, audience, approval, and completion targets |
| LMS completion export | Staff completed assigned training | HR or People Ops | Reconcile employee list to completion report, joiners, and leavers |
| Phishing simulation report | Awareness effectiveness is measured | Security Operations | Review campaign results, repeat clickers, and remedial training |
| Policy acknowledgement log | Staff accepted rules and responsibilities | HR and Compliance | Confirm acknowledgement of security, acceptable use, and incident reporting policies |
| Management review summary | Leadership oversees trends and corrective actions | CISO and executive sponsor | Verify minutes include metrics, exceptions, risks, and decisions |
The key is traceability.
Start with NIS2 Article 21(2)(g), basic cyber hygiene practices and cybersecurity training. Link it to ISO/IEC 27001:2022 clauses 7.2 and 7.3 for competence and awareness, clauses 9.1 and 9.2 for monitoring and audit, and Annex A controls including awareness, acceptable use, vulnerability management, configuration management, backups, logging, monitoring, cryptography, access control, and incident management. Then link the evidence to the risk register.
| Role group | NIS2 cyber hygiene risk | Required training | Evidence |
|---|---|---|---|
| All employees | Phishing, weak passwords, poor incident reporting, mishandling data | Baseline security awareness, password hygiene, MFA, data protection, incident reporting | LMS completion, quiz score, policy acknowledgement |
| Executives | Risk acceptance, legal liability, crisis decisions, reporting oversight | Governance duties, NIS2 management responsibilities, incident escalation, risk appetite | Executive workshop attendance, board pack, decisions log |
| Developers | Vulnerabilities, insecure code, secrets exposure, unsafe test data | Secure coding, dependency management, vulnerability disclosure, data minimisation | Training record, secure SDLC checklist, code review samples |
| SRE and IT operations | Misconfiguration, patch delay, backup failure, logging gaps | Patch management, secure configuration, backup restore, monitoring, incident response | Patch report, backup test, SIEM alert evidence, tabletop report |
| Customer support | Social engineering, unauthorised disclosure, privacy breach | Identity verification, data handling, escalation, breach reporting | CRM access review, training record, support QA sample |
| Contractors with access | Unclear obligations, unmanaged access, data leakage | Condensed security onboarding, acceptable use, reporting route | Contractor acknowledgement, access approval, offboarding evidence |
The enterprise Information Security Awareness and Training Policy supports this structure. Clause 5.1.2.4 explicitly includes executive training topics:
Executives (e.g., governance, risk acceptance, legal obligations)
That line matters under NIS2 Article 20 because management training is not optional. If the board approves risk-management measures but cannot explain risk acceptance, incident thresholds, or oversight routines, the evidence chain breaks.
Clarysec’s Information Security Policy - SME, clause 6.4.1, shows how cyber hygiene becomes day-to-day control behaviour:
Mandatory security controls must be applied consistently, including regular backups, antivirus updates, strong passwords, and secure disposal of sensitive documents.
That is a concise SME expression of practical cyber hygiene. The auditor will still want evidence, such as backup job reports, EDR coverage, password or MFA configuration, and secure disposal logs, but the policy establishes the expected behaviour.
Map NIS2 Article 21 to audit evidence
Auditors test control operation, not slogans. They will follow the golden thread from legal requirement to ISMS scope, risk assessment, Statement of Applicability, policy, procedure, evidence, and management review.
| NIS2 Article 21 area | ISO/IEC 27001:2022 or ISO/IEC 27002:2022 mapping | Clarysec reference | Primary audit evidence |
|---|---|---|---|
| Cybersecurity training | Clause 7.2, Clause 7.3, A.6.3 Information security awareness, education and training | Information Security Awareness and Training Policy | Training policy, annual plan, LMS records, phishing results, onboarding checklist, board training minutes |
| Acceptable cyber hygiene behaviour | A.5.10 Acceptable use of information and other associated assets | Information Security Policy - SME | Acceptable use acknowledgement, onboarding records, exception records, monitoring evidence |
| Vulnerability and patch hygiene | A.8.8 Management of technical vulnerabilities | Zenith Blueprint Step 19 | Vulnerability scans, patch reports, remediation tickets, risk acceptance records |
| Secure configuration | A.8.9 Configuration management | Zenith Blueprint Step 19 | Secure baselines, configuration reviews, change approvals, drift reports |
| Resilience and recovery | A.8.13 Information backup | Information Security Policy - SME | Backup logs, restore tests, backup failure reviews, recovery evidence |
| Detection and response | A.8.15 Logging, A.8.16 Monitoring activities, A.6.8 Information security event reporting | Zenith Controls | SIEM alerts, monitoring procedures, incident reporting training, tabletop outputs |
| Cryptographic protection | A.8.24 Use of cryptography | ISO/IEC 27001:2022 Annex A | Encryption standards, key management evidence, TLS configuration, storage encryption reports |
| Evidence integrity | A.5.33 Protection of records | Zenith Controls | Controlled audit folders, export timestamps, retention rules, access logs |
A regulator may not use ISO terminology, but the evidence path remains the same. Show that the requirement is identified, risk-assessed, treated, implemented, monitored, reported to management, and improved.
Use the Zenith Blueprint to move from plan to evidence
The Zenith Blueprint: An Auditor’s 30-Step Roadmap gives teams a practical route from intent to evidence. In the ISMS Foundation & Leadership phase, Step 5, Communication, Awareness, and Competence, the Blueprint instructs organisations to identify required competencies, assess current competencies, provide training to fill gaps, maintain competence records, and treat competence as ongoing.
The Blueprint’s action item is intentionally operational:
Perform a quick training needs analysis. List your key ISMS roles (from Step 4) and for each, write down any known training or certification they have, and what additional training might be beneficial. Also list general security awareness topics needed for all employees. Using this, draft a simple Training Plan for the next year – e.g., “Q1: Security awareness for all staff; Q2: Advanced incident response training for IT; Q3: ISO 27001 internal auditor training for two team members; …”.
In the Controls in Action phase, Step 15, People Controls I, the Zenith Blueprint recommends mandatory annual training for all employees, role-specific modules, new hire security onboarding within the first week, simulated phishing campaigns, newsletters, team briefings, evidence of participation, targeted security bulletins after emerging threats, and training for contractors or third parties with access.
Step 16, People Controls II, warns that auditors will test implementation, not just documentation. For remote working, auditors may ask for the Remote Working Policy, VPN or endpoint encryption evidence, MDM implementation, BYOD restrictions, and training records showing remote work precautions. If hybrid work is part of the operating model, NIS2 training evidence should include secure Wi-Fi use, device locking, approved storage, MFA, and reporting suspicious activity from home environments.
Step 19, Technological Controls I, links cyber hygiene to the technical control layer. The Zenith Blueprint recommends reviewing patch reports, vulnerability scans, secure baselines, EDR coverage, malware logs, DLP alerts, backup restores, redundancy evidence, logging improvements, and time synchronisation. Article 21(2)(g) cannot be assessed in isolation. A trained workforce still needs patched endpoints, monitored logs, tested backups, and secure configurations.
Make the training plan risk-based with ISO/IEC 27005:2022
A common audit weakness is a generic training plan that looks the same for developers, finance, support, executives, and contractors. ISO/IEC 27005:2022 helps avoid that weakness by making training part of risk treatment.
Clause 6.2 recommends identifying the basic requirements of relevant interested parties and compliance status, including ISO/IEC 27001:2022 Annex A, other ISMS standards, sector-specific requirements, national and international regulations, internal security rules, contractual security controls, and controls already implemented through prior risk treatment. This supports one requirements register instead of separate NIS2, ISO, DORA, GDPR, customer, and insurance spreadsheets.
Clauses 6.4.1 to 6.4.3 explain that risk acceptance and assessment criteria should consider legal and regulatory aspects, operational activities, supplier relationships, technological and financial constraints, privacy, reputation harm, contractual breaches, service-level breaches, and impacts on third parties. A phishing incident affecting an internal newsletter system is different from credential compromise affecting a managed security service, customer support platform, payment integration, or DNS operation.
Clauses 7.1 to 7.2.2 require consistent, reproducible risk assessment, including confidentiality, integrity, and availability risks, and named risk owners. Clauses 8.2 to 8.6 then guide treatment selection, control determination, Annex A comparison, Statement of Applicability documentation, and treatment plan detail.
Training is one treatment, but not the only one. If repeated phishing simulations show finance users are vulnerable to invoice fraud, the treatment plan may include refresher training, stronger payment approval workflow, conditional access, mailbox rules monitoring, and executive fraud scenario drills.
Clauses 9.1, 9.2, 10.4.2, 10.5.1, and 10.5.2 emphasise planned reassessment, documented methods, effectiveness monitoring, and updates when new vulnerabilities, assets, technology use, laws, incidents, or risk appetite changes. That proves the organisation does not freeze its training plan once per year.
Reuse the same evidence for NIS2, DORA, GDPR, NIST, and COBIT
The strongest NIS2 evidence pack should support multiple assurance conversations.
NIS2 Article 4 recognises that sector-specific Union legal acts can replace corresponding NIS2 risk-management and reporting obligations where they are at least equivalent in effect. Recital 28 identifies DORA as the sector-specific regime for in-scope financial entities. For covered financial entities, DORA’s ICT risk management, incident management, resilience testing, information-sharing, and ICT third-party risk rules apply instead of corresponding NIS2 provisions. NIS2 remains highly relevant for entities outside DORA and for ICT third-party providers such as cloud providers, MSPs, and MSSPs.
DORA reinforces the same management-system logic. Articles 4 to 6 require proportionate ICT risk management, management body responsibility, clear ICT roles, digital operational resilience strategy, ICT audit plans, budgets, and awareness or training resources. Articles 8 to 13 require asset and dependency identification, protection and prevention, access controls, strong authentication, backups, continuity, response and recovery, post-incident learning, senior ICT reporting, and compulsory ICT security awareness and digital operational resilience training. Articles 17 to 23 require structured incident management, classification, escalation, and client communications. Articles 24 to 30 connect testing with supplier governance, due diligence, contracts, audit rights, and exit strategies.
GDPR adds the privacy accountability layer. Article 5 requires integrity and confidentiality through appropriate technical and organisational measures, and Article 5(2) requires controllers to demonstrate compliance. Article 6 requires lawful basis for processing, while Articles 9 and 10 impose stricter safeguards for special categories and criminal-offence-related data. For a SaaS provider, training evidence should include privacy, data minimisation, secure disclosure, breach escalation, and role-specific handling of customer data.
NIST-style and COBIT 2019 audit lenses often appear in customer assurance, internal audit, and board reporting. A NIST-style assessor will usually ask whether awareness and training are risk-based, role-based, measured, and connected to incident response, identity, asset management, and continuous monitoring. A COBIT 2019 or ISACA-style auditor will focus on governance, accountability, performance metrics, management oversight, process ownership, and alignment with enterprise objectives.
| Framework lens | What the auditor cares about | Evidence to prepare |
|---|---|---|
| NIS2 Article 21 | Proportionate cyber risk measures, cyber hygiene, training, management oversight | Article 21 mapping, board approval, training plan, cyber hygiene KPIs, incident readiness evidence |
| ISO/IEC 27001:2022 | ISMS scope, risk treatment, competence, awareness, monitoring, internal audit, improvement | Scope, risk register, SoA, competence matrix, training records, audit report, corrective actions |
| DORA | ICT risk lifecycle, resilience training, testing, incident classification, third-party ICT risk | ICT risk framework, resilience training, testing results, incident procedure, supplier register |
| GDPR | Accountability, data protection, privacy breach awareness, confidentiality, minimisation | Privacy training, processing role map, breach escalation evidence, data handling procedures |
| NIST-style review | Role-based awareness, measurable control operation, monitoring, response | Role matrix, simulation metrics, access evidence, logging evidence, tabletop outputs |
| COBIT 2019 or ISACA review | Governance, process ownership, performance, control assurance, management reporting | RACI, KPI dashboard, management review minutes, internal audit programme, remediation tracking |
The practical benefit is simple: one evidence pack, multiple audit narratives.
How auditors will test the same control
An ISO/IEC 27001:2022 auditor will start with the ISMS. They will ask whether competence and awareness requirements are determined, whether personnel understand their responsibilities, whether records are retained, whether internal audits test the process, and whether management review considers performance and improvement. They may sample employees and ask them how to report an incident, how MFA is used, what the acceptable use rules are, or what to do after receiving a suspicious email.
A NIS2 supervisory review will be more outcome- and service-risk-focused. The reviewer may ask how cyber hygiene reduces risk to service provision, how management approved the measures, how training is tailored to essential services, how third-party personnel are covered, how effectiveness is assessed, and how the organisation would communicate significant cyber threats or incidents under Article 23. Since Article 23 requires an early warning within 24 hours and an incident notification within 72 hours for significant incidents, training must cover both recognition and escalation speed.
A DORA auditor for a financial entity will connect awareness to digital operational resilience. They may ask whether ICT security awareness and resilience training are compulsory, whether senior ICT reporting reaches the management body, whether incident classification criteria are understood, whether crisis communications have been exercised, and whether third-party providers participate in training where contractually relevant.
A GDPR auditor or privacy assessor will focus on whether staff understand personal data, processing roles, confidentiality, breach identification, breach escalation, data minimisation, and secure disclosure. They will expect training to vary for support, HR, developers, and administrators because those roles create different privacy risks.
A COBIT 2019 or ISACA internal auditor will ask who owns the process, which objectives it supports, how performance is measured, what exceptions exist, whether corrective actions are tracked, and whether management receives meaningful reporting rather than vanity metrics.
Common NIS2 training readiness findings
The most common finding is incomplete population coverage. The LMS report shows 94% completion, but the missing 6% includes privileged administrators, contractors, or new hires. Auditors will not accept a percentage without understanding who is missing and why.
The second finding is lack of role sensitivity. Everyone receives the same annual module, but developers are not trained on secure coding, support agents are not trained on identity verification, and executives are not trained on governance duties or crisis decisions. NIS2 Article 20 and Article 21 make that difficult to defend.
The third finding is weak effectiveness evidence. Completion is not the same as comprehension or behaviour change. Auditors increasingly expect quiz scores, phishing trends, incident reporting trends, tabletop lessons, reduction in repeat failures, and corrective actions.
The fourth finding is disconnected technical hygiene. Training says “report suspicious activity,” but there is no tested reporting channel. Training says “use MFA,” but service accounts bypass MFA. Training says “protect data,” but production data appears in test environments. Article 21 expects a control system, not slogans.
The fifth finding is poor record integrity. Evidence is stored in an editable spreadsheet with no owner, export timestamp, access control, or reconciliation to HR records. ISO/IEC 27002:2022 control relationships in Zenith Controls point back to protection of records for a reason. Evidence must be trustworthy.
A 10-day remediation sprint for audit-ready evidence
If your organisation is under pressure, start with a focused sprint.
| Day | Action | Output |
|---|---|---|
| Day 1 | Confirm NIS2 applicability and service scope | Essential or important entity decision, in-scope services, supporting functions |
| Day 2 | Build the requirements register | NIS2 Articles 20, 21, 23, ISO clauses, Annex A controls, GDPR, DORA, contracts, insurance requirements |
| Day 3 | Create the role-based training matrix | Training mapped to job families, privileged access, developers, support, contractors, executives |
| Day 4 | Map training to risk scenarios | Phishing, credential compromise, data leakage, ransomware, misconfiguration, supplier compromise, privacy breach |
| Day 5 | Collect evidence | LMS exports, acknowledgements, phishing reports, onboarding records, contractor records, executive attendance |
| Day 6 | Reconcile evidence | Training population checked against HR records, identity groups, privileged accounts, contractor lists |
| Day 7 | Test employee understanding | Interview notes showing staff know incident reporting, MFA expectations, suspicious email handling, data rules |
| Day 8 | Review technical hygiene controls | MFA, backups, EDR, patching, vulnerability scanning, logging, monitoring, secure configuration evidence |
| Day 9 | Produce the management review pack | Completion, exceptions, phishing trends, open actions, high-risk roles, incidents, budget needs |
| Day 10 | Update the risk treatment plan and SoA | Residual risk, owners, deadlines, effectiveness measures, Statement of Applicability updates |
That sprint gives you a defensible evidence baseline. It does not replace ongoing ISMS operation, but it creates the structure regulators and auditors expect.
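The Day 6 reconciliation, and the "who is missing" point behind the 94% finding above, can be made concrete in a few lines. This is an added illustration, not code from the article or from Clarysec; the roster, LMS export, privileged-account list, review date and 90-day new-hire window are all constructed sample values.

```python
"""Reconcile an LMS completion export against the HR roster and the
privileged-account list, so the report names who is untrained, not just a %."""
from collections import namedtuple
from datetime import date

Person = namedtuple("Person", "employee_id role employment_type start_date")

# Constructed sample data, not from any real organisation.
HR_ROSTER = [
    Person("E001", "administrator", "employee", date(2023, 1, 9)),
    Person("E002", "developer", "employee", date(2022, 6, 1)),
    Person("E003", "support", "employee", date(2021, 3, 15)),
    Person("E004", "developer", "contractor", date(2023, 9, 4)),
    Person("E005", "executive", "employee", date(2019, 2, 1)),
    Person("E006", "support", "employee", date(2024, 5, 20)),
]
LMS_ENROLLED = {"E002", "E003", "E005", "E006", "E999"}   # the population the LMS knows
LMS_COMPLETED = {"E002", "E003", "E005", "E999"}          # the completion export
PRIVILEGED_OWNERS = {"adm-e001": "E001", "adm-e002": "E002"}  # privileged account -> owner
REVIEW_DATE = date(2024, 6, 30)
NEW_HIRE_DAYS = 90  # assumed onboarding deadline for awareness training

def lms_headline_rate(enrolled, completed):
    """The percentage an LMS dashboard shows: completions over enrolments only."""
    return round(100 * len(completed & enrolled) / len(enrolled), 1)

def reconcile(roster, enrolled, completed, privileged_owners, review_date):
    """Coverage against the HR population, with the reason each gap matters."""
    roster_ids = {p.employee_id for p in roster}
    privileged_ids = set(privileged_owners.values())
    gaps = {}
    for p in roster:
        if p.employee_id in completed:
            continue
        reasons = []
        if p.employee_id in privileged_ids:
            reasons.append("privileged access")
        if p.employment_type == "contractor":
            reasons.append("contractor")
        if (review_date - p.start_date).days <= NEW_HIRE_DAYS:
            reasons.append("new hire")
        if p.employee_id not in enrolled:
            reasons.append("not enrolled in LMS")
        gaps[p.employee_id] = reasons
    return {
        "hr_coverage_pct": round(100 * len(completed & roster_ids) / len(roster_ids), 1),
        "gaps": gaps,
        "orphan_completions": sorted(completed - roster_ids),  # IDs absent from HR: leavers or bad data
        "privileged_untrained": sorted(privileged_ids - completed),
    }
```

Here the LMS dashboard reports 80% while coverage of the actual HR population is 50%, the only administrator is untrained and unenrolled, and one completion belongs to an ID HR no longer knows, which is exactly the record-integrity gap an auditor will probe.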
What good looks like
A mature NIS2 Article 21 cyber hygiene and training program has five characteristics.
First, it is board-visible. Management approves the approach, sees meaningful metrics, understands residual risk, and funds improvement.
Second, it is risk-based. Training differs by role, service criticality, access level, data exposure, and incident responsibility.
Third, it is evidence-led. Completion records, acknowledgements, simulations, tabletop exercises, technical hygiene reports, and corrective actions are complete, reconciled, and protected.
Fourth, it is cross-compliance aware. The same evidence supports NIS2, ISO/IEC 27001:2022, DORA, GDPR, NIST-style assurance, and COBIT 2019 governance reporting.
Fifth, it improves. Incidents, audit findings, legal changes, supplier changes, new technologies, and emerging threats update the training plan.
That final point is the difference between compliance theatre and operational resilience.
Next steps with Clarysec
If your leadership team is asking, “Can we prove NIS2 Article 21 cyber hygiene and cybersecurity training tomorrow?”, Clarysec can help you move from scattered evidence to an audit-ready ISMS evidence pack.
Start with the Zenith Blueprint to structure competence, awareness, people controls, remote work practices, vulnerability management, backups, logging, monitoring, and technical hygiene actions across the 30-step roadmap.
Use Zenith Controls to cross-reference ISO/IEC 27002:2022 awareness, acceptable use, compliance, monitoring, records, and assurance expectations across NIS2, ISO/IEC 27001:2022, DORA, GDPR, NIST, and COBIT 2019 audit conversations.
Then operationalise the requirements through Clarysec’s Information Security Awareness and Training Policy, Information Security Awareness and Training Policy - SME, and Information Security Policy - SME.
Your immediate action is simple: build a one-page NIS2 Article 21 training evidence map this week. List in-scope roles, assigned training, completion evidence, policy acknowledgements, phishing metrics, technical cyber hygiene evidence, management review date, and corrective actions. If any cell is blank, you have found your next audit remediation task.
For a faster path, download the Clarysec policy templates, use the Zenith Blueprint roadmap, and schedule a NIS2 evidence readiness assessment to turn your current training records, cyber hygiene controls, and ISO/IEC 27001:2022 ISMS into one defensible audit file.
About the Author

Igor Petreski
Compliance Systems Architect, Clarysec LLC
Igor Petreski is a cybersecurity leader with over 30 years of experience in information technology and a dedicated decade specializing in global Governance, Risk, and Compliance (GRC).
Core Credentials & Qualifications:
• MSc in Cyber Security from Royal Holloway, University of London
• PECB-Certified ISO/IEC 27001 Lead Auditor & Trainer
• Certified Information Systems Auditor (CISA) from ISACA
• Certified Information Security Manager (CISM) from ISACA
• Certified Ethical Hacker from EC-Council


