NIS 2 Audit

Our NIS 2 Audit provides an independent and structured assessment of your organization’s cybersecurity governance, risk management, operational resilience, and compliance readiness against the requirements of Directive (EU) 2022/2555. Designed for essential and important entities, the audit helps organizations understand their current level of alignment with the NIS 2 Directive, identify compliance gaps, and define practical actions to strengthen cyber resilience, management accountability, incident preparedness, and supply chain security.

The engagement is delivered in three clearly defined stages and combines document review, stakeholder interviews, control evaluation, and expert analysis. This approach gives management teams a clear view of cybersecurity maturity, regulatory exposure, and the actions required to support both compliance and long-term operational resilience.

Stage 1: NIS 2 Audit Scoping

The first stage establishes the audit framework and defines the organizational, operational, and technical boundaries of the review. This phase ensures that the NIS 2 compliance assessment is focused on the processes, systems, services, and stakeholders most relevant to the organization’s risk profile and regulatory obligations.

  • Organizational Structure Review: Analysis of governance structure, reporting lines, management responsibilities, and decision-making mechanisms related to cybersecurity and regulatory accountability.
  • Management and Leadership Interviews: Interviews with key decision-makers to understand strategic oversight, risk ownership, security priorities, and executive involvement in cyber resilience.
  • Critical Business Process Identification: Identification of business services, operational processes, and supporting activities essential to service continuity and regulatory scope.
  • Stakeholder and Responsibility Mapping: Review of internal functions, service owners, operational teams, and external dependencies involved in the delivery and protection of critical services.
  • Key Asset and Service Review: Identification of critical information assets, systems, infrastructure components, third-party services, and supporting resources relevant to the audit scope.
  • Scope Definition: Determination of the organizational entities, locations, technologies, and processes included within the audit boundaries.

Deliverable: An approved NIS 2 Audit Plan defining the audit scope, assessment criteria, relevant stakeholders, key focus areas, and planned audit activities.

Stage 2: NIS 2 Gap Assessment

The second stage evaluates the design, implementation, and effectiveness of existing cybersecurity and assurance measures against the expectations of the NIS 2 Directive. The assessment is based on documented evidence, process review, interviews, and verification of control implementation across the organization. The objective is to identify compliance gaps, assess maturity, and provide management with a clear understanding of current-state readiness.

  • Policy and Documentation Review: Analysis of internal policies, standards, procedures, registers, records, and governance documents relevant to cybersecurity and NIS 2 obligations.
  • Process Owner Interviews: Discussions with business and technical process owners to verify how cybersecurity controls and operational safeguards are implemented in practice.
  • Specialist Interviews: Engagement with security, IT, risk, compliance, procurement, and operational specialists to assess practical execution across key domains.
  • Control Effectiveness Assessment: Evaluation of management, technical, and organizational measures designed to protect networks, information systems, and critical services.
  • Maturity Evaluation: Assessment of the maturity of cybersecurity governance, resilience processes, and assurance mechanisms based on evidence and operational practice.
  • Gap Identification and Reporting: Documentation of findings, strengths, deficiencies, observations, and prioritized recommendations in a clear and actionable format.

The assessment typically covers the following cybersecurity and compliance domains, which correspond to the risk-management measures listed in Article 21(2) of the Directive and the governance and reporting duties in Articles 20 and 23:

  • Cybersecurity governance and management accountability (including the Article 20 duty of the management body to approve and oversee risk-management measures and to undergo cybersecurity training)
  • Risk management framework and risk treatment practices
  • Business continuity, crisis management, and operational resilience
  • Incident detection, response, escalation, and reporting processes (including readiness to meet the Article 23 timeline for significant incidents: early warning within 24 hours, incident notification within 72 hours, and a final report within one month)
  • Security of network and information systems
  • Operational monitoring, logging, and threat visibility
  • Access control, identity management, and privileged access governance
  • Asset management, system inventory, and data protection measures
  • Secure system acquisition, development, and maintenance
  • Vulnerability management, resilience testing, and continuous improvement
  • Supply chain security and third-party risk management
  • Supplier due diligence, contractual security requirements, and dependency oversight

Deliverable: The NIS 2 Audit Report, including:

  • Assessment of current-state alignment with NIS 2 requirements
  • Identification of compliance gaps, weaknesses, and areas of good practice
  • Evaluation of cybersecurity governance and operational maturity
  • Risk-based recommendations for remediation and improvement
  • Executive-level summary of key findings and priorities

Stage 3: Remediation Roadmap

The third stage converts audit findings into a structured and practical roadmap for improvement. Based on the identified gaps, the organization receives a prioritized action plan designed to support NIS 2 compliance, improve cybersecurity resilience, and strengthen internal governance and accountability. This stage helps management move from assessment to implementation with clarity and confidence.

  • Prioritized Remediation Actions: Development of a risk-based list of corrective and improvement actions ranked by urgency, business impact, and implementation complexity.
  • Responsibility and Ownership Allocation: Definition of responsible roles, accountable functions, and recommended timelines for each remediation activity.
  • Implementation Guidance: Practical guidance on addressing findings through governance improvements, procedural changes, technical safeguards, and operational controls.
  • Supporting Templates and Examples: Provision of example documents, registers, control structures, and policy elements to accelerate remediation activities where appropriate.
  • Compliance Mapping: Clear linkage between recommended actions and the relevant NIS 2 requirements to support traceability and compliance planning.

Deliverable: A detailed NIS 2 Corrective Action Plan containing prioritized remediation measures, implementation recommendations, ownership guidance, and a practical path toward improved cybersecurity maturity.

Basis of Work

The audit is performed using recognized cybersecurity, risk management, and audit references to ensure a consistent and defensible assessment methodology.

  • Directive (EU) 2022/2555: NIS 2 Directive on measures for a high common level of cybersecurity across the Union.
  • ISO/IEC 27001:2022: Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
  • ISO/IEC 27002:2022: Information security, cybersecurity and privacy protection — Information security controls.
  • ISO/IEC 27005:2022: Information security, cybersecurity and privacy protection — Guidance on managing information security risks.
  • ISO/IEC 27007:2020: Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing.
  • Applicable Internal Policies and Regulations: Internal governance documents, procedures, and control frameworks relevant to the scope of the audit.

This methodology aligns regulatory expectations with established information security best practices, making the results practical for organizations building, improving, or extending an existing cybersecurity governance framework, including environments already aligned with ISO 27001.

Frequently Asked Questions

Need help? Here are the top questions asked by our subscribers.

  • What is the objective of the NIS 2 Audit?

    The objective is to assess your organization’s cybersecurity governance, resilience, and risk-based security measures against the requirements of the NIS 2 Directive and identify areas requiring remediation.

  • How is the audit structured?

    The audit is delivered in three stages: NIS 2 Audit Scoping, NIS 2 Gap Assessment, and a Remediation Roadmap that converts the findings into a detailed Corrective Action Plan.

  • What is delivered at the end of the engagement?

    Deliverables typically include an approved Audit Plan, an Audit Report, and a detailed Corrective Action Plan with prioritized remediation steps, responsibilities, and practical implementation guidance.

  • Can the audit support organizations already working with ISO 27001?

    Yes. The audit aligns well with ISO/IEC 27001-based management systems and helps organizations map existing ISMS practices to the specific governance, incident reporting, resilience, and supply chain expectations introduced by NIS 2.
