How ISO 27001, NEN 7510 and NIS2 work together to improve information security

Cyber threats are increasing and organisations in vital sectors must better protect themselves against these digital risks. This article explains how ISO 27001, NEN 7510 and the new European NIS2 directive work together to strengthen information security. It describes the similarities between the standards and the directive, includes a practical step-by-step guide to meeting NIS2 requirements, and shows how Kiwa can support organisations in this process.

The revised NEN 7510:2024 aligns seamlessly with the requirements of ISO 27001:2022 and supports organisations in complying with the European NIS2 regulation. From the second quarter of 2026, NIS2 will become a mandatory framework for cyber resilience in many vital and important sectors, such as healthcare, energy, transport, digital infrastructure, government, financial services and ICT. The smart structure of ISO 27001:2022 and NEN 7510:2024 provides practical guidelines that help organisations meet NIS2 requirements step by step.

Similarities Between ISO 27001/NEN 7510 and NIS24

The NIS2 directive sets clear requirements for organisations in the field of cybersecurity. Many of these requirements align closely with the existing ISO 27001:2022 and NEN 7510:2024 standards. The table below gives an overview of the most important NIS2 topics and shows which chapters and controls from ISO 27001 and NEN 7510 directly correspond to them.

NIS2 topics

ISO 27001:2022/NEN 7510:2024

Policy on risk analysis and information system security

Chapters 6, 7 and 8

Policies and procedures for incident handling

Controls A5.24 to A5.27 and A6.8

Business continuity measures, such as backup management and emergency planning

Controls A5.29 and A6.8

Supply chain security

Controls A5.19 to A5.23

Security in acquiring, developing and maintaining network and information systems, including vulnerability response and disclosure

Controls A8.1, A8.8, A8.19 and A8.25 to A8.32

Policies and procedures to assess the effectiveness of cybersecurity risk controls

Chapters 6, 9 and 10

Basic cyber hygiene and cybersecurity training

Controls in A5, A6, A7 and A8

Policies and procedures for the use of cryptography and encryption

Control A8.24

Security aspects of personnel, access control and asset management

Controls in A5, A6 and A8

Use of multi-factor authentication, secure voice/video/text communication and secure emergency communication systems

Chapter 8 and controls A5.14, A5. 42 and A8.3

 

Step-by-Step Plan: From ISO 27001 / NEN 7510 to NIS2 compliance

Organisations with an ISO 27001 or NEN 7510-certified management system already have a solid foundation for NIS2 compliance. The step-by-step plan below shows which additional actions are needed to fully meet the directive.

    Update your risk analysis

    Check whether the following risks are properly included: ransomware attacks, power outages, internet outages, telephony outages and other disruptions.

    Create a business continuity plan

    Ensure you have a business continuity plan that takes into account the need to maintain services to critical sectors, even during major incidents.

    Identify critical suppliers

    Determine which suppliers are truly essential to your services for critical sectors, and ensure sufficient backups, redundancy or stock.

    Optimize logging and monitoring

    Ensure proper logging and monitoring of your technical infrastructure so vulnerabilities and attacks can be detected quickly.

    Strengthen security testing policies

    Establish a strong security testing policy (formerly PEN testing). A simple penetration test is no longer enough, you must conduct detailed testing of internal and external vulnerabilities.

    Prepare a crisis plan and crisis team

    Develop a crisis plan and assemble a crisis team including IT specialists, executives and communication specialists. Verify whether this plan works in real crisis situations.

    Training for executives and senior management

    NIS2 requires a proactive, strategic approach from boards, directors and top management. By following NIS2 compliance training, executives learn their responsibilities and the steps needed to manage cyber threats and safeguard business continuity.

    Include NIS2 as relevant legislation

    NIS2 must be identified as relevant legislation and included in the context analysis.

How Kiwa supports NIS2 compliance

Meeting the NIS2 directive often requires more than just technical measures. Kiwa helps organizations assess, improve and demonstrate their cyber resilience. The services below form the core of our approach.

  • Baseline assessment: Can be conducted at any moment. Provides a clear picture of your organization’s current level of compliance with NIS2 requirements.
  • Certification: If you choose certification, this can be combined with your existing ISO 27001 and/or NEN 7510 certification. Note: a separate report will be prepared regarding NIS2 findings.
  • NIS2 Quality Mark QM20/QM30: Kiwa provides an independent assessment in line with the NIS2 Quality Mark. With the NIS2 Quality Mark certificate, you demonstrate to customers, partners and regulators that your organisation meets the requirements of the Dutch Cybersecurity Act (Cyberbeveiligingswet, Cbw).
  • Training: Kiwa offers various NIS2 training courses for operational managers, executives and senior management.
Contact

Learn more?

Would you like to know more about this topic? Call us at +31 (0)88 998 33 70 or fill out the contact form. Our experts will be happy to help you!

Go to contact form