AuditFront

NIS2 Art.21.2a: Policies on Risk Analysis and Information System Security

What This Control Requires

The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security.

In Plain Language

Policies are where your cybersecurity programme moves from intention to commitment. Without formal, documented policies governing how you conduct risk analysis and maintain information system security, everything else is improvisation. NIS2 requires these policies to be endorsed at the highest management level.

Your risk analysis policies need to spell out which systems and processes are in scope, the methodology for identifying and evaluating risks, acceptable risk thresholds, how often assessments run, and what triggers an unscheduled reassessment - a major incident, a new threat, or a significant infrastructure change.

Information system security policies cover the technical and organisational controls that protect confidentiality, integrity, and availability. Think access control, data classification, change management, secure configuration baselines, and security monitoring. These policies must reach the people who need to follow them and be reviewed regularly to stay relevant.

How to Implement

Draft an overarching information security policy that states your organisation's commitment to cybersecurity, defines the scope, and establishes roles and responsibilities. Get it approved by the board or equivalent management body.

Build out supporting policies for specific domains: access control, data classification and handling, acceptable use, change management, network security, cryptography, physical security, and third-party management. Each policy should clearly state its purpose, scope, requirements, and what happens when someone does not comply.

Write a risk analysis policy defining the methodology you will use, the frequency of assessments, risk evaluation and acceptance criteria, and reporting requirements. Align this with your chosen risk management framework (ISO 27005, NIST SP 800-30, or similar).

Set up a policy review schedule with clear ownership. Review policies at least annually and whenever significant changes occur. Use version control and keep an audit trail of all changes.

Get policies in front of staff through training, intranet publication, and onboarding processes. Have employees formally acknowledge their understanding and acceptance of key policies.

Monitor compliance through internal audits, automated checks, and management reviews. Track non-compliance, report it, and address it through defined escalation procedures.

Evidence Your Auditor Will Request

  • Approved information security policy document with management sign-off
  • Risk analysis policy defining methodology, scope, and frequency
  • Supporting security policies (access control, data classification, etc.)
  • Policy review and version control records
  • Staff acknowledgement records for key security policies

Common Mistakes

  • Policies exist but are outdated and have not been reviewed in over a year
  • Policies are overly generic and do not reflect the organisation's actual risk profile
  • No evidence of policy communication or staff awareness training
  • Risk analysis policy does not specify triggers for ad-hoc reassessments
  • Policies lack clear ownership and accountability for maintenance

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.1         Related
ISO 27001    A.5.2         Related
SOC 2        CC1.1         Related

Frequently Asked Questions

How detailed should our risk analysis policy be?

Detailed enough that someone new could follow it consistently. Define the methodology, scope, risk criteria, frequency, roles, and reporting requirements in the policy itself. Operational procedures and templates can live in separate supporting documents - you do not need everything in one place.

Must policies be in a single document or can they be spread across multiple documents?

A hierarchical structure is perfectly fine and usually preferable. A top-level information security policy supported by domain-specific policies and operational procedures is the standard approach. What matters is that the structure is clear and people can find what they need.
