Building an ISMS under NIS2: 10-Week Plan for SMEs
Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information, please consult a licensed attorney.
TL;DR
- NIS2 requires ISMS-equivalent structures — Section 30 (1) BSIG
- ISO 27001:2022 as the gold standard, not mandatory
- 10-week build realistic for SMEs
- 12 mandatory policies + 22 mandatory templates
- Annual internal audit mandatory
1. Legal Basis: NIS2 vs. ISO 27001
| Aspect | NIS2 (Section 30 BSIG) | ISO 27001:2022 |
|---|---|---|
| Mandatory status | statutory (for in-scope entities) | voluntary |
| Measures | 10 areas (subsection 2) | 93 controls (Annex A) |
| Risk assessment | required (subsection 1) | clause 6.1.2 |
| Certification | not required | possible |
| Fine | up to EUR 10 million or 2% of annual turnover | none |
Practice recommendation: build an ISO 27001-compliant ISMS; certification optional.
2. Defining the ISMS Scope
Scope definition:
- Which processes: all / only critical / specific
- Which locations
- Which IT systems
- Which subsidiaries
Recommendation for SMEs subject to NIS2: the entire company in scope.
3. Risk Analysis + Treatment Plan
- Asset inventory: all IT assets, data classes, business processes
- Threat analysis: typical threats per asset (ransomware, data breach, outage)
- Vulnerability assessment: current protection level
- Risk score: likelihood of occurrence × impact
- Treatment options: reduce / accept / transfer / avoid
- Statement of Applicability (SoA): which controls are applicable
4. 12 Mandatory Policies
- Information Security Policy (top-level)
- Acceptable Use Policy
- Access Control Policy
- Cryptographic Controls Policy
- Backup + Recovery Policy
- Patch Management Policy
- Incident Management Policy
- Supplier Management Policy
- Mobile Device + BYOD Policy
- Clear Desk + Clear Screen Policy
- Password Policy
- Physical Security Policy
5. Internal Audit + Management Review
- Annual internal audit: covers the full ISMS scope, performed by an independent auditor (internal or external)
- Annual management review: management reviews the audit report, incidents and risk changes
- Continuous improvement: CAPA process (corrective + preventive actions)
6. 10-Week Roadmap
| Week | Activity |
|---|---|
| 1 | Appoint ISMS officer, define scope |
| 2-3 | Asset inventory + risk analysis |
| 4 | Risk treatment plan + SoA |
| 5-7 | Draft and approve 12 policies |
| 8 | Awareness training + onboarding |
| 9 | Internal audit preparation + execution |
| 10 | Management review + communication |
The NIS2 Kit contains the 22 mandatory templates (policies, work instructions and audit templates).
Sources
- BSIG 2025 (consolidated version) — Section 30, Section 38, Section 60 BSIG (as of: 02 May 2026)
- NIS2 Implementation Act — BGBl. 2025 I No. 301 (as of: 02 May 2026; in force 06 December 2025)
- Directive (EU) 2022/2555 (NIS2) — Art. 21 (EUR-Lex DE) (as of: 02 May 2026)
- BSI — NIS-2 FAQ for regulated entities