ISO 27001 is intended to provide a framework of best-practice policies, procedures and controls for information security, reducing the risk of information security breaches. ISO 27002 covers the implementation of those controls and gives guidance on them. When mapping NIS2 measures to the ISO 27001:2022 standard, most of the relevant controls come from Annex A, since it offers the most useful reference points from a control perspective.
Annex A of ISO/IEC 27001:2022 is the part of the standard that lists the security controls organisations use to demonstrate compliance with clause 6.1.3 (Information security risk treatment) and its associated Statement of Applicability. A Statement of Applicability (SoA) in ISO/IEC 27001:2022 is a document listing the Annex A controls an organisation will implement to meet the requirements of the standard, together with the justification for including or excluding each control. It is a mandatory document for any organisation pursuing ISO 27001 certification.
ISO/IEC 27002:2022 is a code of practice for an information security management system (ISMS) and goes into far more detail than Annex A of ISO 27001:2022. Broadly speaking, it gives guidance on implementing the controls of an ISMS. While ISO/IEC 27002:2022 is not a certifiable standard in itself, following its information security, physical security, cyber security and privacy management guidelines brings organisations closer to meeting the ISO 27001 certification requirements.
The table below provides an overview of how to map NIS2 to the ISO 27001:2022 and ISO/IEC 27002:2022 standards.