NIS2 audit: the checklist we actually use in-house

52 items grouped into 10 macro-areas. One day of work for the first pass, half a day for subsequent ones.


TL;DR

A 52-point NIS2 checklist split into 10 macro-areas, based on Article 21 and ACN guidelines. One day for the first pass, half a day for subsequent ones. Printable.

Macro-area 1 — Governance (5 points)

  1. Security policy approved by management and dated within the last 12 months.
  2. NIS2 lead appointed and registered with ACN.
  3. Formal risk assessment in the last 12 months.
  4. Cyber committee with meeting minutes.
  5. Inventory of critical systems up to date.

Macro-area 2 — Business continuity (8 points)

  1. DR plan written and signed.
  2. RTO and RPO defined per critical process.
  3. Backups verified for integrity in the last 30 days.
  4. Off-site backups encrypted.
  5. DR runbooks for each critical service.
  6. DR drill documented in the last 12 months.
  7. Failover procedure tested.
  8. BIA updated within the last 24 months.

Macro-area 3 — Incident handling (6 points)

  1. Incident detection procedure.
  2. Early warning template ready.
  3. Defined chain of responsibility.
  4. Notification exercise in the last 12 months.
  5. SIEM or equivalent active.
  6. Log retention compliant with D.Lgs. 138.

Macro-area 4 — Supply chain (5 points)

  1. Inventory of critical IT suppliers.
  2. Contracts with NIS2 clauses.
  3. Supplier risk assessment.
  4. Supplier certifications verified.
  5. Vendor change-management procedure.

Macro-area 5 — Cryptography (4 points)

  1. Cryptographic key inventory.
  2. Documented key management procedure.
  3. Data-at-rest encryption for critical systems.
  4. Data-in-transit encryption (TLS 1.2+).

Macro-area 6 — Access control (6 points)

  1. MFA mandatory for privileged accounts.
  2. MFA for remote access.
  3. User provisioning/deprovisioning procedure.
  4. Semi-annual access review.
  5. Privileged Access Management (PAM) active.
  6. Centralised login (SSO or equivalent).

Macro-area 7 — Secure development (4 points)

  1. SDLC with security review.
  2. Static analysis on produced code.
  3. Periodic vulnerability scanning.
  4. Documented patch management.

Macro-area 8 — Human resources (5 points)

  1. Annual cyber training for all staff.
  2. Targeted training for IT roles.
  3. Disciplinary procedure for violations.
  4. Background checks on critical staff.
  5. NDAs with employees.

Macro-area 9 — Monitoring (5 points)

  1. 24/7 monitoring of critical systems.
  2. Tuned alarm thresholds.
  3. Escalation procedure.
  4. Effectiveness testing of security measures.
  5. Annual penetration test.

Macro-area 10 — Documentation (4 points)

  1. All policies dated and versioned.
  2. Centralised evidence repository.
  3. Internal audit procedures.
  4. Policy review calendar.

How to use it

  • first pass: one day, marking OK / KO / partial;
  • for every KO or partial: open a corrective action with owner and deadline;
  • repeat every 6 months.

FAQ

Do I need to cover all 52 points?

Yes, but proportional to risk. An SMB can do less on points 35-37 (development) if it does not build software in-house.

Should it be shared with employees?

Not the checklist; the general policy, yes.

For technical measures, see NIS2 minimum technical measures. For incident notification, see NIS2 incident notification.
