NIS2 + ISO 27001 Certification: 12-Month Path
TL;DR
- ISO 27001 certification covers about 9 of 10 NIS2 measures and is the most efficient compliance path
- Timeline: 12 months from kickoff to Stage 2 audit
- Total cost (SME): EUR 50,000-150,000 including external consulting and certification body
- Surveillance audits are annual; recertification every three years
- Caveat: ISO 27001 alone does not cover the NIS2 supply-chain security requirements or Section 38 BSIG management-liability awareness
1. Months 1-2: Scope and preparation
Appoint an ISMS officer, define the certification scope (sites, processes, systems), run a gap analysis against ISO 27001:2022 Annex A, and build a 12-month roadmap with budget and milestones.
2. Months 3-6: Buildout
Author the 12 mandatory policies, complete the risk assessment, produce the Statement of Applicability (SoA), build the asset inventory, and run mandatory awareness training. This is the most documentation-heavy phase.
3. Months 7-8: Trial run
Run an internal audit, close gaps, formalize a corrective and preventive action (CAPA) process for non-conformities, and hold the first management review. The CAPA log will be reviewed at Stage 2.
4. Months 9-10: Stage 1 audit
The certification body conducts a documentation review. Findings are typically minor non-conformities. Close gaps before Stage 2.
5. Months 11-12: Stage 2 audit
On-site audit including evidence sampling, interviews, and walkthroughs. On success, the certificate is valid for three years with annual surveillance audits.
6. Costs and effort
| Item | Range (SME) |
|---|---|
| Certification body | EUR 8,000-25,000 |
| External consulting | EUR 20,000-80,000 |
| Internal effort | 50-150 person-days |
| Total | EUR 50,000-150,000 |
7. Coverage gap vs. NIS2
ISO 27001 maps to roughly 9 of 10 NIS2 measures. The remaining gap is supply-chain security (the supplier-relationship controls in ISO 27001:2022 Annex A.5.19-A.5.23 are a starting point but need additional structure to meet the NIS2 requirement) and explicit Section 38 BSIG management-liability awareness. Add a focused supply-chain audit program and management training to close the gap.
Summary
For NIS2-regulated SMEs, ISO 27001 is the highest-leverage path: it handles most controls, signals seriousness to customers, and creates a recurring audit cadence. Plan for 12 months and a budget under EUR 150,000 in the SME segment.
Frequently Asked Questions
Does the certificate bring NIS2 compliance?
Re-certification?
Sources
- Directive (EU) 2022/2555 — NIS2 (as of: 2026-05-02)
- BSIG 2025 (Section 30 measures) (as of: 2026-05-02)
- BSI — NIS-2 FAQ (as of: ongoing)