
ISO/IEC 27001

Information security management systems - Requirements

Organization: ISO/IEC Category: Information Security Management
Mapping summary: 9 related articles, 25 articles with obligations, 11 key sections, 8 coverage areas

Overview

Specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Provides a systematic approach to managing sensitive company information.

Applicability

Organizational security management and governance

Relevance to Network and Information Security Directive (NIS2)

Key Coverage Areas

1. Information security management system (ISMS)
2. Risk assessment and treatment
3. Security policies and procedures
4. Access control
5. Asset management
6. Incident management
7. Business continuity
8. Supplier relationships

Standard Sections & Chapters

A.5: Organizational controls
A.6: People controls
A.7: Physical controls
A.8: Technological controls
A.5.1: Policies for information security
A.5.7: Threat intelligence
A.5.23: Information security for use of cloud services
A.8.1: User endpoint devices
A.8.2: Privileged access rights
A.8.3: Information access restriction
A.8.8: Management of technical vulnerabilities

Related Network and Information Security Directive (NIS2) Articles

Article I: SECTORS OF HIGH CRITICALITY

Sections: A.5, A.6, A.8

Comprehensive security controls for critical sectors

Implementation Guidance:

Essential entities must implement full ISO 27001 ISMS with all applicable controls

Mapped Obligations:

  • Stricter incident reporting timelines and penalties for non-compliance

Article II: OTHER CRITICAL SECTORS

Sections: 4, 5, 6, 7, 8, A.5, A.8

Core security management for important entities

Implementation Guidance:

Important entities should implement ISO 27001 ISMS focusing on key controls

Mapped Obligations:

  • Cybersecurity risk management measures must be implemented
  • Incident reporting obligations apply with specified timelines

Article 6: Definitions

Sections: A.5, A.5.1

Strategic security governance and policy framework

Implementation Guidance:

Establish national-level ISMS aligned with ISO 27001 governance requirements

Mapped Obligations:

  • Using these definitions to properly classify incidents, risks, and cyber threats

Article 20: Governance

Sections: 5, A.5

Leadership and organizational cybersecurity governance

Implementation Guidance:

Establish top management commitment and governance structure per ISO 27001

Mapped Obligations:

  • Management bodies must formally approve all cybersecurity risk-management measures
  • Management must oversee implementation of cybersecurity measures
  • Management can be held personally liable for non-compliance
  • Management members must undergo mandatory cybersecurity training
  • Organizations should provide regular cybersecurity training to all employees

Article 21: Cybersecurity risk-management measures

Sections: 6, A.5, A.8

Risk assessment and treatment, organizational and technological controls

Implementation Guidance:

Implement comprehensive ISMS with risk management, access control, vulnerability management, incident response

Mapped Obligations:

  • Set up incident handling procedures
  • Ensure business continuity through backup management and disaster recovery plans
  • Secure supply chains by assessing suppliers and service providers
  • Manage security in system development and maintenance including vulnerability handling
  • Provide basic cyber hygiene practices and cybersecurity training
  • Implement cryptography and encryption policies where appropriate
  • Enforce human resources security, access control and asset management
  • Use multi-factor or continuous authentication where appropriate

Article 22: Union level coordinated security risk assessments of critical supply chains

Sections: A.5.29, A.5.30

ICT readiness for business continuity

Implementation Guidance:

Integrate ICT continuity into overall business continuity

Mapped Obligations:

  • Member states must participate in EU-level coordinated supply chain risk assessments when requested
  • Organizations may need to provide information about their critical ICT supply chains for assessment
  • Stakeholders must cooperate with Commission and ENISA during supply chain evaluations

Article 23: Reporting obligations

Sections: A.5.24, A.5.26, A.5.28

Information security event management and reporting

Implementation Guidance:

Implement event logging, monitoring, and reporting to authorities

Mapped Obligations:

  • Report significant incidents to CSIRT or competent authority without undue delay
  • Submit early warning within 24 hours of becoming aware of incident
  • Submit incident notification within 72 hours with initial assessment
  • Submit final report within one month after incident notification
  • Notify recipients/customers of services about significant incidents that may affect them
  • Cooperate with authorities on cross-border incident information sharing

Article 28: Database of domain name registration data

Sections: A.5.19, A.5.20, A.5.21, A.5.22

Supplier relationships and supply chain policy

Implementation Guidance:

Define and monitor supplier security requirements and agreements

Article 32: Supervisory and enforcement measures in relation to essential entities

Sections: 9

Performance evaluation and auditing

Implementation Guidance:

Conduct regular audits and assessments of cybersecurity measures

Mapped Obligations:

  • Comply with binding instructions to prevent or remedy incidents
  • Ensure management has power and liability for compliance

Quick Information

Organization: ISO/IEC
Category: Information Security Management
Certification: Available
