nis2-control-mapping-reuse-iso-27001-and-cis-work
  • ISO 27001
  • NIS 2
  • 9th Jul 2026
  • 1 min read

NIS2 Control Mapping: Reuse ISO 27001 and CIS Work

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short...
  • NIS2 maps largely onto controls you already run. Article 21 is outcome-based, and ISO 27001 or CIS Controls v8.1 already produce most of the evidence it expects.
  • Three gaps repeat across ISO 27001-certified organisations. Supply chain security depth, incident reporting timelines, and board-level governance accountability.
  • CIS published a formal NIS2 mapping for Controls v8.1 in April 2025. It correlates each Article 21 area with specific CIS Safeguards.
  • A crosswalk is a living artefact. Coverage drifts as controls, evidence, and suppliers change, so it needs revisiting on a schedule.

If your organisation already holds ISO 27001 certification, or runs CIS Controls v8.1 at Implementation Group 2 or higher, you have already produced most of the evidence Article 21 of NIS2, the EU's Network and Information Security Directive 2 (Directive (EU) 2022/2555), requires. The work still needed is a structured crosswalk: confirm what your existing controls already cover, identify where coverage is genuinely thin, and close only those gaps. Building a parallel NIS2 programme from a blank page duplicates work your team has already done, and it wastes months better spent closing real exposure.

Expert View

 

Matt Davies

Chief Product Officer, SureCloud

LinkedIn

What our experts say about avoiding duplicate NIS2 work

 

"Most teams over-invest in the mapping exercise and under-invest in keeping it current. The crosswalk only earns its keep when it’s alive, updated the moment a control changes rather than filed away after the first audit. That’s the shift that moves teams from spreadsheet fatigue to real coverage confidence."

 

What NIS2 Article 21 Actually Requires

NIS2 came into force in January 2023, with Member States required to transpose it into national law by 17 October 2024. It applies to medium and large organisations operating in 18 critical sectors, including energy, transport, financial services, healthcare, and manufacturing.

 

The compliance obligation lives in Article 21 of the directive. It requires in-scope organisations to implement appropriate and proportionate cybersecurity risk management measures, and to demonstrate those measures are operating in practice. Regulators judge programmes on the evidence that required measures are running today.

 

The 10 Mandatory Measure Areas Under Article 21(2)

Article 21 is deliberately outcome-driven. It sets ten minimum areas every in-scope entity must address, without naming a specific technology or framework to get there.

 

#

NIS2 Article 21(2) requirement 

What regulators expect to see

a

Risk analysis and information system security policies

Live risk register, board-approved policy, review cadence

b

Incident handling

Incident response plan, escalation matrix, post-incident review process

c

Business continuity, backup management, disaster recovery, crisis management

Tested restore procedures, documented RTO/RPO

d

Supply chain security

Vendor inventory, contractual security clauses, monitoring

e

Secure acquisition, development, and maintenance

Patch SLAs, SDLC gates, vulnerability disclosure process

f

Effectiveness testing of cybersecurity measures

Penetration test summaries, KPI dashboards, action tracking

g

Cyber hygiene and cybersecurity training

Training records, onboarding and offboarding checklists

h

Cryptography and encryption policies

Encryption policy, TLS configuration, key management approach

i

Human resources security, access control, asset management

Joiner-mover-leaver process, access reviews, asset inventory

j

MFA and secure communications

MFA configuration proof, admin hardening, emergency communications

 

The October 2024 Implementing Regulation (EU) 2024/2690 added technical and methodological detail on top of these ten areas, targeted at cloud, managed service, and digital infrastructure providers specifically. Organisations in scope for that regulation need to map one level deeper than the ten areas alone. ENISA, the EU Agency for Cybersecurity, published Technical Implementation Guidance for the regulation in June 2025, correlating its requirements directly with ISO 27001, NIST CSF, and other frameworks, with the explicit aim of cutting duplicate audit work across overlapping regimes.

 

Article 20 adds a governance layer on top of Article 21: management bodies must approve cybersecurity measures, oversee their implementation, and complete security training themselves. Directors can be held personally liable for non-compliance, a real shift from the original NIS Directive.

Why Reusing Existing Controls Beats Building From Scratch

Treating NIS2 as a new compliance programme feels like the safe choice. New directive, new acronym, new deadline. But it's the more expensive path, and it costs teams months of duplicated work.

 

NIS2 is outcome-based: it sets the bar as evidence that cybersecurity risk is managed as a repeatable, documented process, without mandating a specific framework to get there. That's exactly what ISO 27001 and CIS Controls already produce.

 

If your organisation already holds ISO 27001 certification, or has implemented CIS Controls v8.1 at Implementation Group 2 or above, you've covered most of Article 21's ten measure areas already. The mapping leaves genuine gaps, particularly around supply chain security depth and incident reporting timelines, but the foundation is already in place.

Duplication carries a real cost. Teams that treat NIS2 as a standalone programme end up maintaining two separate control sets, two evidence repositories, and two audit cycles for controls that are substantively identical. That pattern builds compliance debt with every audit cycle.

 

The smarter approach is a crosswalk: map each NIS2 Article 21 requirement to the controls you already own, rate what's covered, what's partially covered, and where genuine gaps remain, then close only those gaps.

 

This is what ENISA itself recommends. Its Technical Implementation Guidance, published in June 2025, maps Implementing Regulation 2024/2690 requirements directly onto ISO 27001, NIST CSF, and other frameworks, precisely so organisations can avoid running duplicate audits across overlapping regimes.

 

The principle: treat NIS2 as an overlay on your existing controls. Map once. Reuse everywhere.

How to Map NIS2 Requirements to Controls You Already Have

The mapping exercise runs in three steps: establish your coverage baseline, identify gaps, and prioritise remediation. Here's how each Article 21(2) area maps to ISO 27001:2022 Annex A controls and CIS Controls v8.1.

 

The NIS2 to ISO 27001 and CIS Controls crosswalk

 

NIS2 Art. 21(2)

ISO 27001:2022 Annex A

CIS Controls v8.1

Coverage level

(a) Risk analysis and security policies

A.5.1, A.5.2

No dedicated Safeguard

Strong via ISO; CIS has no policy-layer equivalent

(b) Incident handling

A.5.24-A.5.28

CIS 17

Strong

(c) Business continuity and DR

A.5.29, A.5.30

CIS 11

Partial: restore testing often missing

(d) Supply chain security

A.5.19-A.5.23

CIS 15

Partial: NIS2 requires deeper contractual obligations

(e) Secure development and maintenance

A.8.25-A.8.34

CIS 16

Strong for IT; gaps in OT/ICS environments

(f) Effectiveness testing

A.5.35, A.5.36

CIS 18

Partial: continuous testing vs point-in-time

(g) Cyber hygiene and training

A.6.3

CIS 5, CIS 14

Strong

(h) Cryptography and encryption

A.8.24

CIS 3

Strong

(i) Access control, asset management, HR security

A.5.9-A.5.18, A.6.1-A.6.5

CIS 1, CIS 5, CIS 6

Strong

(j) MFA and secure communications

A.8.5, A.8.20

CIS 6, CIS 12

Strong for IT; gaps in legacy OT systems

 

This crosswalk is illustrative, built from each framework's published control structure rather than reproduced from a single official source. CIS Controls v8.1 has no dedicated Safeguard for governance-level risk policy, which is a structural gap in CIS itself rather than an oversight in the mapping. For certification or audit-grade work, cross-check against CIS's own NIS2 mapping and your ISO 27001 Statement of Applicability directly.

 

Where ISO 27001 Leaves Genuine NIS2 Gaps

Three areas consistently surface as real NIS2 gaps for ISO 27001-certified organisations.

  1. Supply chain security (Article 21(2)(d)): ISO 27001 Annex A covers supplier relationships in A.5.19 through A.5.23, but NIS2 goes further. It requires organisations to assess the security practices of direct suppliers and to take into account the results of coordinated supply chain risk assessments carried out under Article 22. A supplier programme built around questionnaires and contractual clauses alone will need strengthening to meet that bar.
  2. Incident reporting timelines (Article 23): ISO 27001 sets no fixed notification clock. NIS2 does: a 24-hour early warning, a 72-hour incident notification, and a final report within one month for significant incidents. Map explicit NIS2 triggers into your incident response plan, tied to the relevant CSIRT (Computer Security Incident Response Team) or competent authority.
  3. Board-level governance (Article 20): Directors carry personal accountability for cybersecurity measures under Article 20, and must complete security training themselves. ISO 27001 requires management commitment, but stops short of personal liability or mandatory board-level training. This gap needs a dedicated governance artefact, tracked and evidenced on its own terms.

CIS Controls v8.1 confirms a similar picture. CIS published a formal mapping between CIS Controls v8.1 and Directive (EU) 2022/2555 in April 2025, correlating each Article 21 area with specific CIS Safeguards. The underlying point holds regardless of which framework you run: NIS2 adds regulatory weight and reporting obligations to security practices CIS and ISO already recommend on technical grounds. You’re formalising and evidencing controls you should already have.

Using the Crosswalk in Practice

Turning the mapping above into a working exercise takes four steps.

 

Step 1: Populate your existing control inventory

Start with what you already have: for each of the ten Article 21 areas, list the controls you currently operate against that domain. If you're ISO 27001 certified, your Statement of Applicability is the natural starting point. If you're CIS-aligned, your Implementation Group 2 records serve the same purpose. The goal at this stage is an honest picture of current coverage you can build on.

 

Step 2: Apply the coverage rating

Rate each NIS2 requirement as covered, partial, or a gap. Covered means an existing control directly satisfies the requirement and you hold evidence it's operating. Partial means you have a control, but the evidence is missing, or the control addresses a narrower obligation than NIS2 specifies, a supplier questionnaire without contractual security clauses, for example. Gap means no existing control addresses the requirement, and new work is required.

 

Step 3: Prioritise the gaps

Not every gap carries equal risk. Weigh each one against two factors: regulatory exposure if the area fails, and operational impact if an incident hits that domain. Supply chain security, incident reporting timelines, and board governance are consistently the highest-priority gaps for ISO 27001-certified organisations. Start there.

 

Step 4: Document the mapping

The crosswalk becomes a compliance artefact in its own right. When a regulator or auditor asks how your cybersecurity programme maps to NIS2, you hand them the crosswalk. It shows which controls satisfy which requirements, what the evidence is, and what remediation is already under way for any gaps.

 

This turns “we're working on NIS2” into “here's our NIS2 control coverage, evidenced,” and regulators respond very differently to those two answers.

Keeping the Crosswalk Current as Controls Change

A crosswalk built once has a shelf life. A control rated 'covered' in January can drift to 'partial' by June if the evidence hasn't been refreshed, a supplier list has changed, or a framework has released a new version. Keeping that picture current by hand across ISO 27001, CIS Controls, NIS2, and any other framework your organisation answers to is a genuine ongoing burden.

 

SureCloud's Compliance Management platform is built for governance, risk, and compliance (GRC) teams juggling more than one framework, with a named Persona doing the mapping work instead of a person maintaining it by hand. A Compliance Persona inside Gracie AI Agents with Personas and Skills holds the ISO 27001, CIS Controls, and NIS2 mappings as live data: when evidence is collected against one control, every framework that references it sees the update, and a flagged gap creates a remediation task, owned and tracked automatically.

 

This matters in practice: teams running NIS2 alongside DORA, ISO 27001, and other frameworks share evidence across all three instead of collecting it three separate times, and evidence retrieval for a regulator's request happens in minutes rather than days. Control coverage stays visible in real time.

 

The 10-in-1 SureCloud Controls Framework is the operational version of the crosswalk in this guide: one control, tested once, satisfies multiple standards. Teams managing NIS2 alongside an existing ISO 27001 or CIS programme see a 50-65% reduction in manual evidence collection as a direct result.

 

Most of that operational detail, connecting evidence sources, running incident workflows, and generating board packs, is what separates a spreadsheet crosswalk from a NIS2 compliance software platform built to operate day to day.

Start With What You Already Have

The NIS2 deadline has passed, and enforcement is active. The path to compliance for most organisations is a structured gap analysis against controls already in place.

 

Run the crosswalk. Rate coverage honestly. Close the three gaps that matter most: supply chain security, incident reporting timelines, and board-level governance accountability. Then build the evidence trail that shows regulators the programme is live and operating.

Map Your NIS2 Controls Without Starting Over

If you're ready to turn this crosswalk into a live, evidenced record instead of a static spreadsheet, Gracie AI Agents with Personas and Skills keeps NIS2, ISO 27001, and CIS Controls mapped to one set of evidence. Teams doing this report a 75% reduction in audit prep time.
Related articles:
  • NIS 2
  • Cyber Security

NIS2 Compliance Software: From Directive to Execution 2026

  • Compliance Management
  • Cyber Security

The UK Cyber Security and Resilience Bill: What It Means in Practice

  • NIS 2

NIS2 Compliance Software: 3 Gaps Spreadsheets Miss

Share this article

FAQ’s

What does NIS2 control mapping mean?

NIS2 control mapping is the process of matching Article 21 requirements to the controls an organisation already operates, such as ISO 27001 or CIS Controls v8.1. The goal is to identify what's fully covered, what's partial, and where genuine gaps remain.

Can ISO 27001 cover NIS2 requirements?

ISO 27001 certification covers a large share of Article 21 in most organisations. Three areas consistently need extra work beyond ISO 27001 alone: incident reporting timelines, supply chain security depth, and board-level accountability.

How do CIS Controls relate to NIS2?

CIS Controls v8.1 maps closely to most Article 21 measures, particularly technical and operational security areas. CIS published a formal mapping to Directive (EU) 2022/2555 in April 2025, and a crosswalk against your own control set confirms exactly where coverage sits.

Why build a crosswalk instead of a new NIS2 programme?

A crosswalk gives you a repeatable way to rate every Article 21 requirement as covered, partial, or a gap, and to attach evidence and a remediation owner to each rating. That structure costs far less than running a parallel programme, and it hands a regulator a ready-made record the moment one is requested.

What are the biggest NIS2 gaps for ISO 27001-certified organisations?

The most common gaps are supply chain security depth, incident reporting timelines, and board-level governance. They carry the highest regulatory and operational risk, so they're the areas to prioritise first.