NIS2 ISO 27001 Mapping: Excel Checklist Download

ISO 27001 covers approximately 70% of NIS2 requirements. The mapping Excel shows at a glance what is already covered — and where the regulatory gap remains.
ISO 27001 covers approximately 70 percent of NIS2 requirements under §30 BSIG. The NIS2 ISO 27001 mapping shows you at a glance which controls are already in place — and where the regulatory gap remains. The Excel mapping template from the NIS2Compass Template Library structures this comparison for your team.
How Does ISO 27001 Cover NIS2 Requirements Under §30 BSIG?
ISO 27001:2022 and NIS2 share similar goals but speak different languages. ISO 27001 is an international management system standard with 93 Annex A controls. NIS2 is enforceable German law (NIS2UmsuCG, in force since December 2025) with ten mandatory obligation areas under §30 BSIG. Approximately 70 percent of these obligation areas map directly to ISO 27001 controls.
For certified organizations, this means: much is already done — but not everything. The BSI registration obligation (§33 BSIG), personal management liability (§38 BSIG), and the three-stage reporting deadlines (§32 BSIG) are obligations without ISO equivalents that must be implemented separately.
According to the BSI Annual Report 2025, more than 60 percent of affected companies have not yet fully completed NIS2 implementation — despite existing ISO 27001 certifications.
Which §30 BSIG Obligations Are Covered by ISO 27001?
§30 Abs. 2 BSIG defines ten mandatory areas — seven of them are directly covered by ISO 27001 controls. The NIS2 ISO 27001 mapping assigns the relevant Annex A controls to each obligation area:
- Risk analysis and security concepts (No. 1): A.5.15–A.5.19 (Access Control), A.8.8 (Vulnerability Management), A.5.36 (Compliance). These controls form the foundation — standardly present in ISO 27001 projects.
- Incident handling (No. 2): A.5.24–A.5.28 (Information Security Incident Management). ISO 27001 requires a process; NIS2 specifies it with statutory deadlines (24h/72h/1 month under §32 BSIG).
- Business continuity (No. 3): A.5.29–A.5.30 (BCM). Largely covered, but §30 No. 3 explicitly requires crisis management that can go beyond ISO 27001 BCM scope.
- Supply chain security (No. 4): A.5.19–A.5.22 (Supplier Relationships). ISO 27001 covers the basic principle; NIS2 requires full Tier 1/Tier 2 risk classification.
- Security in acquisition and development (No. 5): A.8.25–A.8.34 (Secure Development). Good coverage for software-developing organizations.
- Cryptography (No. 8): A.8.24 (Cryptography). ISO 27001 sets the framework; NIS2 does not require specific algorithms beyond this.
- Personnel security, access control, asset management (No. 9): A.5.9–A.5.14, A.6.1–A.6.6, A.8.1–A.8.7. One of the most thoroughly covered areas under ISO 27001.
The NIS2 Guide from NIS2Compass walks through all ten §30 obligation areas with concrete implementation steps — including alignment with existing ISO 27001 work.
What Does the NIS2 ISO 27001 Mapping Excel Contain?
The mapping Excel from the NIS2Compass Template Library structures the complete comparison across four worksheets. It is designed for ISO 27001-certified organizations that want to systematically plan the path to NIS2 compliance. An overview of all NIS2 compliance templates is available on the dedicated templates page.
- Sheet 1 — §30 to ISO mapping: All ten obligation areas under §30 BSIG with assignment of relevant ISO 27001:2022 Annex A controls, a coverage assessment (fully/partially/not covered), and input fields for implementation status.
- Sheet 2 — ISO to §30 mapping: The reverse view: all 93 ISO 27001 controls with a reference to the corresponding §30 obligation area. Useful for ISMS teams mapping the NIS2 scope from the ISO context.
- Sheet 3 — Gap register: Automatically populated list of NIS2 requirements not covered by existing ISO controls. Includes columns for responsible person, target date, and implementation status.
- Sheet 4 — NIS2-only obligations: Areas with no ISO 27001 equivalent: BSI registration (§33), reporting obligations (§32), and management liability (§38), each with direct references to the legal texts.
The template is available to Pro subscribers of the NIS2Compass platform. Pro subscribers also receive access to more than 45 additional Word and Excel templates and the full Knowledge Hub with 40+ expert articles.
"The most common question from ISO 27001-certified companies is: what do we still need to do? The mapping Excel makes the delta effort transparent in one hour instead of several workshop days." — NIS2Compass Compliance Team
What NIS2 Gaps Remain Despite ISO 27001 Certification?
Three §30 obligation areas are only partially covered, or not covered at all, by ISO 27001. Leaving these gaps unaddressed risks fines of up to EUR 10 million under §65 BSIG.
- Reporting obligations (No. 2, §32 BSIG): ISO 27001 requires incident management processes, but no statutory deadlines. NIS2 mandates an early warning within 24 hours, an initial report after 72 hours, and a final report after one month. Missing deadlines alone can trigger fines of up to EUR 5 million.
- Registration obligation (§33/34 BSIG): No ISO 27001 equivalent. The BSI registration deadline of March 6, 2026 has already passed. Unregistered companies are already in violation.
- Management liability (§38 BSIG): ISO 27001 requires management support, but not personal liability with private assets. §38 BSIG holds managing directors and board members personally responsible — a liability waiver through shareholder resolution is prohibited by law.
The detailed comparison is covered in the article "NIS2 vs. ISO 27001: What Is the Difference?". The legal framework on fines and liability is explained in "NIS2 Fines: What Penalties Do Companies Face?".
How Do I Use the ISO 27001 Mapping in Practice?
The mapping is not an end in itself — it saves your team three to five analysis workshops. A structured four-step approach:
- Inventory (Day 1): Export the evidence from your last ISO 27001 certification. Open the mapping Excel and enter the current status for each of the 93 controls (implemented/partial/not implemented).
- Gap identification (Day 2): The gap register sheet automatically shows all NIS2 obligations for which no fully implemented ISO control exists. Priority: the three NIS2-only obligations (reporting, registration, liability).
- Action planning (Weeks 1–2): For each gap, the responsible team enters the owner, target date, and implementation steps. The NIS2 Guide provides ready-made substeps and templates for the most common gaps.
- Management approval: §38 BSIG requires management to actively approve and supervise security measures. The completed mapping Excel serves as the basis for approval documentation.
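The gap-register logic behind steps 1 and 2 can be reproduced outside the spreadsheet. The following Python script is an added example, not the NIS2Compass workbook's own formulas: it encodes the §30-to-Annex-A assignments listed on this page, applies the coverage rule the page describes (fully / partially / not covered, with a gap wherever no fully implemented control set exists), and derives a Sheet 3-style gap register that always lists the three NIS2-only obligations first. The control assignments are transcribed from this page; the sample implementation statuses and the names `assess_coverage`, `gap_register` and `GapEntry` are constructed assumptions.

```python
"""Derive a NIS2 gap register from ISO 27001:2022 control implementation status."""
from dataclasses import dataclass


def control_range(section: int, first: int, last: int) -> list[str]:
    """Expand an Annex A range such as A.5.15-A.5.19 into individual control IDs."""
    return [f"A.{section}.{n}" for n in range(first, last + 1)]


# §30 Abs. 2 BSIG obligation areas -> ISO 27001:2022 Annex A controls.
# Transcribed from the page's mapping list; the real workbook's tables may differ.
SECTION_30_MAP: dict[str, list[str]] = {
    "No. 1 Risk analysis and security concepts": control_range(5, 15, 19) + ["A.8.8", "A.5.36"],
    "No. 2 Incident handling": control_range(5, 24, 28),
    "No. 3 Business continuity": control_range(5, 29, 30),
    "No. 4 Supply chain security": control_range(5, 19, 22),
    "No. 5 Security in acquisition and development": control_range(8, 25, 34),
    "No. 8 Cryptography": ["A.8.24"],
    "No. 9 Personnel security, access control, asset management":
        control_range(5, 9, 14) + control_range(6, 1, 6) + control_range(8, 1, 7),
}

# Obligations the page lists as having no ISO 27001 equivalent (Sheet 4 content).
NIS2_ONLY: tuple[str, ...] = (
    "§32 BSIG reporting deadlines (24h / 72h / 1 month)",
    "§33/34 BSIG registration with the BSI",
    "§38 BSIG personal management liability",
)

STATUSES = ("implemented", "partial", "not implemented")


@dataclass(frozen=True)
class GapEntry:
    """One row of the gap register (owner and target date are filled in by the team)."""
    obligation: str
    coverage: str                   # "fully", "partially" or "not covered"
    open_controls: tuple[str, ...]  # mapped controls that are not yet fully implemented
    nis2_only: bool
    owner: str = ""
    target_date: str = ""


def assess_coverage(controls: list[str], status: dict[str, str]) -> str:
    """Coverage rule: 'fully' only if every mapped control is implemented, 'partially' if
    at least one is implemented or partial, otherwise 'not covered'. Controls missing
    from the status table count as not implemented (no evidence means no coverage)."""
    states = [status.get(c, "not implemented") for c in controls]
    for s in states:
        if s not in STATUSES:
            raise ValueError(f"unknown status {s!r}; expected one of {STATUSES}")
    if states and all(s == "implemented" for s in states):
        return "fully"
    if any(s in ("implemented", "partial") for s in states):
        return "partially"
    return "not covered"


def gap_register(status: dict[str, str]) -> list[GapEntry]:
    """Sheet 3 logic: every §30 obligation for which no fully implemented control set
    exists, plus the NIS2-only obligations, which are always open because no ISO
    evidence can close them. NIS2-only entries come first, matching the page's priority."""
    entries = [GapEntry(o, "not covered", (), True) for o in NIS2_ONLY]
    for obligation, controls in SECTION_30_MAP.items():
        coverage = assess_coverage(controls, status)
        if coverage == "fully":
            continue
        open_controls = tuple(
            c for c in controls if status.get(c, "not implemented") != "implemented"
        )
        entries.append(GapEntry(obligation, coverage, open_controls, False))
    return entries


def fully_covered_count(status: dict[str, str]) -> int:
    """Number of the seven mapped §30 areas that are fully covered by implemented controls."""
    return sum(assess_coverage(c, status) == "fully" for c in SECTION_30_MAP.values())


# Constructed sample: a certified ISMS with everything implemented except three controls.
SAMPLE_STATUS: dict[str, str] = {
    c: "implemented" for controls in SECTION_30_MAP.values() for c in controls
}
SAMPLE_STATUS["A.5.30"] = "partial"          # ICT readiness for business continuity
SAMPLE_STATUS["A.5.20"] = "partial"          # supplier agreements
SAMPLE_STATUS["A.8.24"] = "not implemented"  # use of cryptography

if __name__ == "__main__":
    for entry in gap_register(SAMPLE_STATUS):
        tag = "NIS2-only" if entry.nis2_only else entry.coverage
        print(f"{tag:>11} | {entry.obligation} | open: {', '.join(entry.open_controls) or '-'}")
```

The rule that a missing status entry counts as "not implemented" is deliberate: an obligation should only leave the register on the strength of actual certification evidence, never because a control was simply never entered.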
The Pre-Check from NIS2Compass complements the mapping with an automatic assessment: it evaluates your answers to 20 security questions and shows which NIS2 Guide steps you can mark as pre-checked based on existing ISO 27001 implementations.
Frequently Asked Questions About the NIS2 ISO 27001 Mapping
Does ISO 27001 automatically make a company NIS2-compliant?
No. ISO 27001 covers approximately 70 percent of NIS2 requirements under §30 BSIG. The remaining 30 percent — particularly BSI registration (§33), statutory reporting obligations with fixed deadlines (§32), and personal management liability (§38) — are obligations without ISO equivalents that must be implemented separately.
Which ISO 27001 version is relevant for the NIS2 mapping?
The NIS2 ISO 27001 mapping refers to ISO 27001:2022 (the current version with 93 Annex A controls). Organizations still certified under ISO 27001:2013 (114 controls) should note that the transition deadline to the 2022 version expired on October 31, 2025.
Can I use the mapping Excel without a NIS2Compass subscription?
The Excel template is available to Pro subscribers of the NIS2Compass platform. The subscription costs EUR 29 per month and includes access to more than 45 templates, the full Knowledge Hub, and the NIS2 Guide with approximately 124 implementation steps.
How long does the ISO 27001 NIS2 comparison take with the mapping Excel?
With the mapping Excel and exported certification evidence, experienced information security officers (ISOs) complete the inventory in four to eight hours. Without a structured template, the same process typically takes two to three workshop days.