FULL CONTENTS · 77 DOCUMENTS
Every document in the NIS-2 Total Kit, each mapped 1:1 to NIS-2 articles and ISO 27001 controls and grouped by bundle and type. Documents marked conditional are required only for certain entity types (per the Commission Implementing Regulation) or are optional but commonly needed; the rest are mandatory.
| Type | Document | NIS-2 article | ISO 27001 | Description | Bundle |
|---|---|---|---|---|---|
| Statement | Project Launch Decision | Whole NIS-2 Directive | — | Formal management body decision to launch the NIS-2 compliance project. Establishes mandate, accountability, and resource envelope. | Governance & Setup |
| Plan | Project Plan | Whole NIS-2 Directive | — | Phases, milestones, owners, and timeline, delivered as an editable Word table. | Governance & Setup |
| Plan | Initial Training Plan | Art. 20(2) | Cl. 7.2; A.6.3 | Training plan for launching the project; distinct from the ongoing Training and Awareness Plan. | Governance & Setup |
| Policy | Policy on Information System Security | Art. 21(2)(a) | Cl. 5.2 | Top-level information security policy defining the organization's security objectives, scope, and management commitment. | Governance & Setup |
| Procedure | Risk Assessment Methodology | Art. 21(1) and (2)(a) | Cl. 6.1 | Methodology for identifying, analyzing, and evaluating information security risks. Defines criteria, scales, and process steps. | Risk Management |
| Register | Risk Assessment Table | Art. 21(1) | Cl. 6.1 | Excel-based register to record all identified risks with their assessment scores (likelihood, impact, residual risk). | Risk Management |
| Register | Risk Treatment Table | Art. 21(1) | Cl. 6.1 | Excel register documenting selected treatment options for each risk — mitigate, accept, transfer, or avoid. | Risk Management |
| Statement | Acceptance of Residual Risks (conditional) | Art. 21(1) | Cl. 6.1 | Management sign-off form accepting the residual risks that remain after treatment. Conditional: required for certain entity types. | Risk Management |
| Report | Risk Assessment and Treatment Report | Art. 21(1) and (3) | Cl. 6.1 | Annual report summarizing the risk assessment results, treatment decisions, and residual risk status for management review. | Risk Management |
| Plan | Risk Treatment Plan | Art. 20(1), 21(1) | Cl. 6.1, 6.2 | Action-oriented plan listing risk treatments with assigned owners, deadlines, and completion criteria. | Risk Management |
| Policy | IT Security Policy | Art. 21(2)(b),(c),(g),(h),(i),(j) | A.5.9, A.5.10, A.5.11, A.5.14, A.5.17, A.5.32, A.6.7, A.7.7, A.7.9, A.7.10, A.8.1, A.8.7, A.8.10, A.8.12, A.8.13, A.8.19, A.8.23 | Master technical IT security policy; the operational companion to F04-01. | Cybersecurity Operations |
| Policy | Clear Desk and Clear Screen Policy | Art. 21(2)(g) | A.7.7, A.8.1 | User-facing policy requiring employees to secure documents, lock screens, and remove sensitive material when leaving the workstation. | Cybersecurity Operations |
| Policy | Mobile Device and Remote Work Policy | Art. 21(2)(g),(h),(i),(j) | A.6.7, A.7.9, A.8.1 | Policy covering security requirements for laptops, mobile devices, BYOD, and remote work — including endpoint protection and connectivity rules. | Cybersecurity Operations |
| Policy | BYOD Policy | Art. 21(2)(g),(i),(j) | A.5.14, A.6.7, A.8.1 | Bring Your Own Device policy: rules for using personally owned devices for work. Conditional: optional, but commonly needed. | Cybersecurity Operations |
| Policy | Physical Security Policy (conditional) | Art. 21(2) | A.7.1-7.6, A.7.8, A.7.11, A.7.12 | Policy on physical and environmental protection of premises, secure areas, and equipment. Conditional: required for some entity types per the Commission Implementing Regulation (CIR). | Cybersecurity Operations |
| Policy | Information Classification Policy (conditional) | Art. 21(2)(i) | A.5.9, A.5.10, A.5.12, A.5.13, A.5.14, A.7.10, A.8.3, A.8.5, A.8.11, A.8.12 | Defines the information classification scheme (e.g. public, internal, confidential, restricted) and handling rules for each level. | Cybersecurity Operations |
| Procedure | Asset Management Procedure | Art. 21(2)(i) | A.5.9 | Step-by-step procedure to identify, classify, track, and dispose of IT assets across their full lifecycle. | Cybersecurity Operations |
| Register | IT Asset Register | Art. 21(2)(i) | A.5.9 | Excel register to inventory all IT assets — hardware, software, data, services — with ownership, location, and classification. | Cybersecurity Operations |
| Procedure | Security Procedures for IT Department | Art. 21(2)(e),(i) | A.5.7, A.5.14, A.5.37, A.7.10, A.7.14, A.8.4-8.10, A.8.12-8.13, A.8.15-8.18, A.8.20-8.23, A.8.31-8.32 | Comprehensive operational rules for the IT department covering secure configuration, hardening, administration, and routine security tasks. | Cybersecurity Operations |
| Policy | Network Security Policy (conditional) | Art. 21(2)(e) | A.5.37, A.6.7, A.8.20-8.24, A.8.32, A.8.34 | Policy covering network segmentation, firewall rules, secure configuration, and protection of network infrastructure. | Cybersecurity Operations |
| Procedure | Vulnerability and Patch Management Procedure (conditional) | Art. 21(2)(e) | A.5.6, A.8.8, A.8.19, A.8.32 | Step-by-step procedure for identifying, prioritizing, and remediating vulnerabilities and applying security patches. | Cybersecurity Operations |
| Procedure | Logging and Monitoring Procedure | — | A.8.15, A.8.16 | Procedure defining which logs to collect, retention periods, monitoring rules, alert thresholds, and review responsibilities. | Cybersecurity Operations |
| Procedure | ICT Change Management Procedure (conditional) | Art. 21(2)(e) | A.8.32 | Procedure for managing changes to ICT systems — change request, risk assessment, approval, testing, deployment, and rollback. | Cybersecurity Operations |
| Policy | Backup Policy | Art. 21(2)(c) | A.8.13 | Policy defining backup frequency, retention periods, encryption, off-site storage, and mandatory restoration tests. | Cybersecurity Operations |
| Policy | Information Transfer Policy | Art. 21(2)(j) | A.5.14 | Policy governing how information moves in and out of the organization — channels allowed, controls required, recipients authorized. | Cybersecurity Operations |
| Policy | Secure Communication Policy | Art. 21(2)(j) | A.5.14, A.8.20, A.8.21 | Policy on secure usage of email, instant messaging, video conferencing, and other communication channels. | Cybersecurity Operations |
| Policy | Disposal and Destruction Policy | Art. 21(2)(i) | A.7.10, A.7.14, A.8.10 | Policy and rules for secure disposal of media, decommissioning of assets, and destruction of sensitive information. | Cybersecurity Operations |
| Policy | Policy on Encryption and Cryptographic Controls | Art. 21(2)(h) | A.5.31, A.8.24 | Policy defining when encryption must be applied, which algorithms to use, and how cryptographic keys are managed across their lifecycle. | Cybersecurity Operations |
| Policy | Access Control Policy | Art. 21(2)(i) | A.5.15-5.18, A.8.2-8.5, A.8.11 | Policy defining who can access what, under which conditions — covering user accounts, privileges, and authorization workflows. | Cybersecurity Operations |
| Policy | Authentication Policy | Art. 21(2)(j) | A.5.16, A.5.17, A.5.18 | Policy defining authentication requirements — MFA, passwordless options, federation, and rules for system access. | Cybersecurity Operations |
| Policy | Password Policy | Art. 21(2)(j) | A.5.17 | Policy on password requirements: length, complexity, rotation, storage, and prohibition of sharing or reuse. | Cybersecurity Operations |
| Policy | Policy for Acquisition, Development, Maintenance of ICT Systems | Art. 21(2)(e) | A.5.33, A.8.11, A.8.25-8.33 | Policy covering security requirements throughout the software development lifecycle and ICT procurement process. | Cybersecurity Operations |
| Appendix | Appendix 1 — Specification of Acquisition / Development / Maintenance Requirements | Art. 21(2)(e) | A.8.26 | Companion checklist to the Acquisition/Development/Maintenance Policy — specifies security requirements per system type. | Cybersecurity Operations |
| Policy | Security Policy for Human Resources | Art. 21(2)(i) | Cl. 7.2, 7.3; A.6.1-6.6 | Policy covering security responsibilities for personnel before, during, and after employment — including screening and offboarding. | Cybersecurity Operations |
| Statement | Statement of Acceptance of Cybersecurity Documents (conditional) | Art. 21(2)(i) | A.6.2 | Form signed by personnel to formally acknowledge they have read and understood the organization's cybersecurity policies. | Cybersecurity Operations |
| Procedure | Business Impact Analysis Methodology (conditional) | Art. 21(2)(c) | A.5.29, A.5.30; ISO 22301 8.2 | Methodology for conducting Business Impact Analysis — identifying critical activities, dependencies, and impact of disruption over time. | Business Continuity & Crisis |
| Register | Business Impact Analysis Questionnaire (conditional) | Art. 21(2)(c) | A.5.29, A.5.30; ISO 22301 8.2 | Excel/Word questionnaire template to collect BIA data from process owners — activities, dependencies, RTOs, RPOs. | Business Continuity & Crisis |
| Plan | Business Continuity Strategy (conditional) | Art. 21(2)(c) | A.5.5, A.5.29-5.30, A.8.14; ISO 22301 8.3, 8.4.2 | Strategic plan defining how the organization will respond to disruptions — recovery options, prioritization, and resource allocation. | Business Continuity & Crisis |
| Appendix | Appendix 1 — RTOs for Activities (conditional) | Art. 21(2)(c) | A.5.29-5.30, A.8.14; ISO 22301 8.3 | Table listing Recovery Time Objectives (RTOs) for each critical business activity. | Business Continuity & Crisis |
| Appendix | Appendix 2 — Examples of Disruptive Incident Scenarios | Art. 21(2)(c) | A.5.29-5.30; ISO 22301 8.3 | Reference catalog of disruptive incident scenarios (cyberattack, fire, supplier failure, etc.) for use in BC planning and testing. | Business Continuity & Crisis |
| Appendix | Appendix 3 — Preparation Plan for Business Continuity | Art. 21(2)(c) | A.5.29-5.30, A.8.14; ISO 22301 8.3 | Checklist of preparation activities required to make the business continuity strategy operational — training, resources, agreements. | Business Continuity & Crisis |
| Appendix | Appendix 4 — Activity Recovery Strategy (template) (conditional) | Art. 21(2)(c) | A.5.29-5.30, A.8.14; ISO 22301 8.3 | Reusable template for documenting the recovery strategy of a single critical business activity. | Business Continuity & Crisis |
| Plan | Crisis Management Plan | Art. 21(2)(c) | ISO 22301 8.4 | Plan for managing crisis-level disruptions: roles, decision authorities, communication protocols, and recovery coordination. | Business Continuity & Crisis |
| Plan | Business Continuity Plan | Art. 21(2)(c) | A.5.29; ISO 22301 8.4 | Master Business Continuity Plan — operational playbook activated when a disruptive incident occurs. | Business Continuity & Crisis |
| Appendix | Appendix 1 — Disruptive Incident Response Plan (conditional) | Art. 21(2)(c) | A.5.26; ISO 22301 8.4 | Operational response plan for disruptive incidents affecting critical business operations. | Business Continuity & Crisis |
| Appendix | Appendix 2 — List of Business Continuity Sites (conditional) | Art. 21(2)(c) | A.5.29-5.30; ISO 22301 8.4 | Template table listing all sites and alternate locations relevant for business continuity, with capacity and switch-over conditions. | Business Continuity & Crisis |
| Appendix | Appendix 3 — Transportation Plan | Art. 21(2)(c) | A.5.29-5.30; ISO 22301 8.4 | Continuity plan for transportation-dependent operations during disruptive events. | Business Continuity & Crisis |
| Appendix | Appendix 4 — Key Contacts (conditional) | Art. 21(2)(c) | A.5.29-5.30; ISO 22301 8.4 | Directory template for key internal and external contacts to be reached during a continuity event — escalation, suppliers, authorities. | Business Continuity & Crisis |
| Appendix | Appendix 5 — Disaster Recovery Plan | Art. 21(2)(c) | Cl. 7.4; A.5.29-5.30, A.8.14; ISO 22301 8.4 | Disaster Recovery Plan focused on IT systems — technical recovery procedures, RTO/RPO targets, and responsibilities. | Business Continuity & Crisis |
| Appendix | Appendix 6 — Activity Recovery Plan (template) | Art. 21(2)(c) | Cl. 7.4; A.5.29-5.30; ISO 22301 8.4 | Reusable template for the detailed recovery plan of a single business activity — steps, owners, dependencies, timing. | Business Continuity & Crisis |
| Plan | Exercising and Testing Plan (conditional) | Art. 21(2)(c) | A.5.30; ISO 22301 8.5 | Plan defining how business continuity and disaster recovery capabilities are tested — frequency, scope, scenarios, and acceptance criteria. | Business Continuity & Crisis |
| Appendix | Appendix 1 — Exercising and Testing Report (conditional) | Art. 21(2)(c) | A.5.30; ISO 22301 8.5 | Report template to document the results of each BC/DR exercise — scenarios tested, findings, gaps, and corrective actions. | Business Continuity & Crisis |
| Policy | Supplier Security Policy | Art. 21(2)(d), (3) | A.5.7, A.5.11, A.5.19-5.23, A.6.1-6.3, A.8.30 | Policy defining security requirements for suppliers and third-party service providers. | Supply Chain Security |
| Appendix | Security Clauses for Suppliers and Partners | Art. 21(2)(d), (3) | A.5.11, A.5.20, A.5.22, A.5.23, A.6.2, A.6.3, A.8.30 | Reusable contractual clauses to be included in supplier agreements — confidentiality, security obligations, audit rights, incident notification. | Supply Chain Security |
| Statement | Confidentiality Statement | Art. 21(2)(d) | A.5.20, A.6.2 | Personal NDA template for supplier personnel before they access customer data. Companion to supplier security clauses. | Supply Chain Security |
| Register | Directory of Suppliers and Service Providers (conditional) | — | — | Excel register of all suppliers and service providers with their criticality, contract details, and security review status. | Supply Chain Security |
| Procedure | Measurement Methodology | Art. 21(2)(f) | Cl. 9.1 | Methodology to define, collect, and analyze security effectiveness metrics — KPIs, KRIs, and measurement criteria. | Effectiveness & Audit |
| Report | Measurement Report | Art. 20(1), 21(2)(f) | Cl. 9.1 | Periodic report consolidating security measurements and trends — input for management review and continuous improvement. | Effectiveness & Audit |
| Policy | Incident Handling Policy | Art. 21(2)(b), 23, 30(1) | Cl. 7.4; A.5.7, A.5.24-5.28, A.6.4, A.6.8 | Policy defining incident classification, severity levels, escalation criteria, and overall incident handling principles. | Incident Management |
| Procedure | Minor Incident Response Procedure (conditional) | Art. 21(2)(b), 23, 30(1) | Cl. 7.4; A.5.7, A.5.24-5.28, A.6.4, A.6.8 | Procedure for responding to minor security incidents: detection, containment, eradication, recovery, and closure steps. | Incident Management |
| Register | Incident Log (conditional) | Art. 21(2)(b) | A.5.27 | Excel log to record all security incidents — date, type, severity, status, owner, and lessons learned. | Incident Management |
| Register | Post Incident Review Form (conditional) | Art. 21(2)(b) | A.5.27 | Template for documenting post-incident reviews: root cause analysis, corrective actions, and lessons learned. | Incident Management |
| Appendix | Significant Incident Notification for Recipients of Services | Art. 23(2) | A.5.26 | Notification template to inform service recipients about a significant incident affecting them, per NIS-2 obligations. | Incident Management |
| Appendix | Significant Incident Early Warning (24h) | Art. 23(4)(a) | A.5.26 | Early warning template: the first formal notification to the competent authority (or CSIRT, where applicable), due within 24 hours of becoming aware of a significant incident. | Incident Management |
| Appendix | Significant Incident Notification (72h) | Art. 23(4)(b) | A.5.26 | Incident notification template: detailed report to the competent authority, due within 72 hours of becoming aware of the incident, updating the early warning with an initial assessment of severity and impact. | Incident Management |
| Appendix | Significant Incident Intermediate Report | Art. 23(4)(c) | A.5.26 | Intermediate report template, submitted on request of the competent authority or CSIRT, giving status updates between the 72-hour notification and the final report. | Incident Management |
| Appendix | Significant Incident Final Report (1 month) | Art. 23(4)(d) | A.5.26 | Final report template: comprehensive analysis submitted to the competent authority within one month of the 72-hour incident notification. | Incident Management |
| Appendix | Significant Incident Progress Report | Art. 23(4)(e) | A.5.26 | Progress report template, used when the incident is still ongoing when the final report falls due; the final report then follows within one month of the incident being handled. | Incident Management |
| Plan | Training and Awareness Plan | Art. 20(2), 21(2)(g) | Cl. 7.2; A.6.3 | Ongoing training and awareness programme, distinct from the Initial Training Plan (F03-01). | Corrective Actions & Training |
| Procedure | Internal Audit Procedure | Art. 20(1), 21(2)(f) | Cl. 9.2; A.5.35, A.8.34 | Step-by-step procedure to plan, conduct, and report internal audits per ISO 19011. | Effectiveness & Audit |
| Plan | Internal Audit Program | Art. 20(1), 21(2)(f) | Cl. 9.2 | Annual internal audit programme template — audits planned for the year, scope, schedule, auditor assignment. | Effectiveness & Audit |
| Report | Internal Audit Report | Art. 20(1), 21(2)(f) | Cl. 9.2 | Report template documenting each internal audit — scope, findings, non-conformities, observations, and recommendations. | Effectiveness & Audit |
| Register | Internal Audit Checklist | Art. 20(1), 21(2)(f) | Cl. 9.2 | Excel checklist mapping all NIS-2 and ISO 27001 controls — used by auditors to verify implementation systematically. | Effectiveness & Audit |
| Procedure | Procedure for Management Review | Art. 20(1), 21(2)(f) | Cl. 9.3 | Procedure defining how management review meetings are planned, conducted, and documented — inputs, agenda, outputs. | Effectiveness & Audit |
| Report | Management Review Minutes | Art. 20(1), 21(2)(f) | Cl. 9.3 | Minutes template for management review meetings, covering all required ISO 27001 Clause 9.3 inputs and outputs. | Effectiveness & Audit |
| Procedure | Procedure for Corrective Actions | Art. 21(4) | Cl. 10.1; A.5.27 | Procedure for managing corrective actions from gap identification to verification of effectiveness. | Corrective Actions & Training |
| Appendix | Appendix 1 — Corrective Action Form | Art. 21(4) | Cl. 10.1; A.5.27 | Form to record one corrective action lifecycle — gap, root cause, action, verification. | Corrective Actions & Training |