NIS2 Article 21 to ISO 27001 Annex A: Complete Control Mapping

Why this mapping matters

If your organization needs both NIS2 compliance and ISO 27001 certification, you are not starting from scratch on either one. Roughly 70-80% of NIS2 Article 21 requirements map directly to ISO 27001:2022 Annex A controls. Work done for one framework reduces effort on the other.

The problem is that neither framework uses the other’s numbering system. Compliance officers end up maintaining two separate spreadsheets, two separate evidence sets, and two separate audit timelines - often for controls that are functionally identical.

This mapping table eliminates that duplication. It is based on the official NIS2 text (Directive 2022/2555, Article 21) and ISO 27001:2022 Annex A, cross-referenced against real audit experience across 300+ engagements.

Complete NIS2 Article 21 to ISO 27001:2022 mapping

Article 21(2)(a) - Risk analysis and information system security policies

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Risk analysis methodology	A.5.1 (Policies for information security)	Direct
Information security policies	A.5.1 (Policies for information security)	Direct
Risk assessment process	A.5.7 (Threat intelligence)	Partial
Asset-based risk identification	A.5.9 (Inventory of information and other associated assets)	Direct
Risk treatment plans	A.5.10 (Acceptable use of information and other associated assets)	Partial

What auditors look for: A documented risk assessment methodology that covers all information systems in scope for NIS2. ISO 27001 auditors check the same thing. If you have a risk register that satisfies ISO 27001 clause 6.1.2, it will satisfy NIS2 Article 21(2)(a) with minimal adaptation.

Article 21(2)(b) - Incident handling

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Incident detection	A.5.24 (Information security incident management planning and preparation)	Direct
Incident classification	A.5.25 (Assessment and decision on information security events)	Direct
Incident response procedures	A.5.26 (Response to information security incidents)	Direct
Incident reporting to authorities	A.5.26 (Response to information security incidents)	Partial - NIS2 adds regulatory reporting
Post-incident analysis	A.5.27 (Learning from information security incidents)	Direct

Gap to watch: ISO 27001 does not mandate regulatory incident reporting. NIS2 requires 24-hour early warning, 72-hour incident notification, and one-month final reports. Your ISO 27001 incident process needs an additional reporting step for NIS2.

Article 21(2)(c) - Business continuity and crisis management

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Business continuity planning	A.5.29 (Information security during disruption)	Direct
Backup management	A.5.30 (ICT readiness for business continuity)	Direct
Disaster recovery	A.5.30 (ICT readiness for business continuity)	Direct
Crisis management procedures	A.5.29 (Information security during disruption)	Direct

Article 21(2)(d) - Supply chain security

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Supplier risk assessment	A.5.19 (Information security in supplier relationships)	Direct
Supplier security requirements	A.5.20 (Addressing information security within supplier agreements)	Direct
Supply chain monitoring	A.5.21 (Managing information security in the ICT supply chain)	Direct
Supplier incident notification	A.5.22 (Monitoring, review and change management of supplier services)	Partial

Article 21(2)(e) - Security in network and information system acquisition, development, and maintenance

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Secure development lifecycle	A.8.25 (Secure development life cycle)	Direct
Security requirements in procurement	A.8.26 (Application security requirements)	Direct
Vulnerability handling	A.8.8 (Management of technical vulnerabilities)	Direct
Security testing	A.8.29 (Security testing in development and acceptance)	Direct
Vulnerability disclosure	A.8.8 (Management of technical vulnerabilities)	Partial

Article 21(2)(f) - Assessing effectiveness of cybersecurity risk management measures

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Security audits	A.5.35 (Independent review of information security)	Direct
Penetration testing	A.5.36 (Compliance with policies, rules and standards for information security)	Partial
Metrics and KPIs	No direct Annex A equivalent	Gap - NIS2 expects measurable effectiveness

Gap to watch: ISO 27001 requires internal audits (clause 9.2) and management review (clause 9.3), but NIS2 is more explicit about demonstrable effectiveness metrics. If your ISO 27001 program only does annual checkbox audits, that may not satisfy NIS2’s expectation for ongoing effectiveness assessment.

Article 21(2)(g) - Basic cyber hygiene practices and cybersecurity training

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Security awareness training	A.6.3 (Information security awareness, education and training)	Direct
Cyber hygiene practices	A.5.10 (Acceptable use of information and other associated assets)	Partial
Role-based training	A.6.3 (Information security awareness, education and training)	Direct

Article 21(2)(h) - Policies and procedures for use of cryptography and encryption

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Cryptography policy	A.8.24 (Use of cryptography)	Direct
Encryption of data in transit	A.8.24 (Use of cryptography)	Direct
Encryption of data at rest	A.8.24 (Use of cryptography)	Direct
Key management	A.8.24 (Use of cryptography)	Partial

Article 21(2)(i) - Human resources security, access control, and asset management

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
Background checks	A.6.1 (Screening)	Direct
Access control policy	A.5.15 (Access control)	Direct
Privileged access management	A.8.2 (Privileged access rights)	Direct
Asset inventory	A.5.9 (Inventory of information and other associated assets)	Direct
Identity management	A.5.16 (Identity management)	Direct
Multi-factor authentication	A.8.5 (Secure authentication)	Direct

Article 21(2)(j) - Multi-factor authentication and secure communications

NIS2 Requirement	ISO 27001:2022 Annex A Controls	Relationship
MFA for critical systems	A.8.5 (Secure authentication)	Direct
Secure voice/video/text	A.5.14 (Information transfer)	Partial
Emergency communication systems	A.5.14 (Information transfer)	Partial

Key gaps between the frameworks

Even with strong overlap, three areas require additional work for NIS2 beyond what ISO 27001 covers:

1. Regulatory incident reporting: NIS2 mandates specific reporting timelines (24h/72h/1 month) to national CSIRTs. ISO 27001 has no equivalent requirement.

2. Measurable effectiveness: NIS2 Article 21(2)(f) expects demonstrable, measurable effectiveness of security measures. ISO 27001 audits check for process existence, not always for quantified outcomes.

3. Supply chain breadth: NIS2 Article 21(2)(d) requires consideration of supply chain security beyond direct suppliers - extending to the full ICT supply chain. ISO 27001 A.5.21 addresses this but many organizations interpret it narrowly.

How to use this mapping

If you already have ISO 27001 certification, start your NIS2 compliance effort by:

1. Mapping your existing ISO 27001 Statement of Applicability to NIS2 Article 21 requirements using the tables above.
2. Identifying the three gap areas (incident reporting, effectiveness metrics, supply chain depth).
3. Extending existing controls rather than building new ones.
4. Documenting the cross-references so auditors can see the relationship.

AuditFront shows these cross-framework mappings on every control page. When you assess an ISO 27001 control, you immediately see which NIS2 (and GDPR, SOC 2) requirements it also satisfies. Start a free assessment to see the mappings for your organization.