JDA Advisory

NIS-2 Audit cybersecurity

NIS-2 Audit cybersecurity – Ensure security and full compliance with NIS-2.

Our NIS-2 audits provide a reliable assessment and support in meeting cybersecurity requirements – NIS-2 Audit cybersecurity.

NIS-2 Audit cybersecurity- Comprehensive cybersecurity risk analysis.

We thoroughly identify threats and system vulnerabilities to ensure effective protection of data and infrastructure.

NIS-2 Audit cybersecurity -Alignment with legal and regulatory requirements.

We assist in implementing NIS-2 compliant procedures, minimizing the risk of penalties and sanctions.

Expert support at every stage of the process.

We provide professional advisory services that facilitate the implementation of security best practices within your organization.

We provide effective support in meeting NIS-2 requirements for your organization.

We present the key challenges related to NIS-2 and how our audits help address them effectively.

NIS-2 Compliance Audit

We thoroughly assess the level of NIS-2 compliance, identifying areas for improvement and minimizing risk.

Cybersecurity Risk Assessment

We analyze threats and help implement appropriate protective measures in line with NIS-2 standards.

Support in Documentation Preparation

We assist in preparing the required documentation, facilitating compliance, and external audits.

Compliance Monitoring and Reporting

We provide continuous monitoring and reporting of compliance, supporting long-term protection.

Our NIS-2 Audit Offering

Discover our comprehensive compliance audit services, ensuring security and full support in meeting NIS-2 requirements.

Risk Assessment

We conduct a detailed NIS-2 compliance risk analysis tailored to your organization’s specific needs.

Infrastructure Audit

We offer a thorough review of your IT infrastructure to ensure full compliance with cybersecurity requirements.

Training and Advisory

We provide professional training and support in implementing NIS-2 compliant best practices.

How the NIS-2 Audit Works

We present a detailed guide to help you understand each phase of the audit and effectively prepare to meet NIS-2 regulatory requirements.

Step One: Initial Analysis

We conduct a comprehensive assessment of your current security posture, identifying gaps and areas requiring alignment with NIS-2 standards.

Step Two: Compliance Audit

We thoroughly verify implemented security measures and processes to ensure full compliance with the NIS-2 directive.

Step Three: Report and Recommendations

We prepare a detailed audit report along with practical recommendations to support the effective implementation of necessary changes.

JDA Advisory contacts

NIS-2 Audit Methodology

1. Purpose of the Audit

A NIS‑2 audit aims to:

  • Assess the organisation’s compliance with NIS‑2 cybersecurity and risk‑management obligations.
  • Evaluate the maturity and effectiveness of security controls.
  • Identify gaps, risks, and required remediation actions.
  • Support regulatory readiness for supervisory inspections.
  • Provide evidence for governance, risk management, and reporting obligations.

2. Scope of the Audit

The scope must reflect:

  • Entity classification (Essential vs Important)
  • Sector and service criticality
  • ICT and OT environment
  • Supply chain exposure
Mandatory NIS‑2 Areas

NIS‑2 requires controls across 10 core domains:

  1. Risk management and governance
  2. Policies and procedures for cybersecurity
  3. Incident handling
  4. Business continuity and disaster recovery
  5. Supply chain security
  6. Security in network and information systems
  7. Access control and asset management
  8. Cryptography and data protection
  9. Vulnerability and patch management
  10. Monitoring, logging, and detection

3. Audit Process

The audit follows six structured phases.

Phase 1 — Planning & Preparation
Objectives
  • Define audit scope, depth, and timeline.
  • Identify systems, processes, and teams involved.
  • Collect documentation.
Documents to Request
  • Cybersecurity policies and procedures
  • Risk assessments and risk register
  • Incident response plan
  • Business continuity & disaster recovery plans
  • Asset inventory (IT/OT)
  • Access control procedures
  • Vulnerability management process
  • Logs and monitoring procedures
  • Supplier list and supply chain risk assessments
  • Training and awareness records
  • Previous audit reports
Phase 2 — Documentation Review
Objectives
  • Assess formal compliance with NIS‑2 requirements.
  • Identify gaps requiring deeper verification.
Activities
  • Map documentation to NIS‑2 Articles 21–23.
  • Evaluate completeness, accuracy, and maturity.
  • Identify missing or outdated procedures.
  • Prepare interview questions.
Phase 3 — Interviews & Workshops
Objectives
  • Validate how processes operate in practice.
  • Assess organisational awareness and governance.
Typical Interviewees
  • CISO / Security Manager
  • CIO / IT Director
  • Risk Manager
  • Incident Response Lead
  • Business Continuity Manager
  • Procurement / Vendor Management
  • OT Security Lead (if applicable)
Focus Areas
  • Governance and accountability
  • Incident detection and escalation
  • Backup and recovery practices
  • Access control and identity management
  • Vulnerability management
  • Supply chain oversight
  • Monitoring and logging
Phase 4 — Technical & Operational Testing
Objectives
  • Verify the effectiveness of implemented controls.
  • Validate operational readiness.
Examples of Tests
  • Review of access rights (sample‑based)
  • MFA enforcement check
  • Backup restore test evidence
  • Patch management sampling
  • Log retention and monitoring review
  • Vulnerability scan results review
  • Incident response drill or tabletop exercise
  • OT/ICS segmentation verification (if applicable)
Phase 5 — Gap Analysis & Risk Assessment
Objectives
  • Identify non‑compliance areas.
  • Assess risk severity and impact.
  • Prioritise remediation actions.
Outputs
  • Gap analysis mapped to NIS‑2 Articles
  • Risk scoring (low/medium/high/critical)
  • Maturity assessment
  • Remediation roadmap
Phase 6 — Reporting
Deliverables
  • Suggested improvements for governance and documentation
  • Executive summary
  • Compliance assessment
  • Detailed findings (major/minor/observations)
  • Risk rating
  • Recommendations and remediation plan
  • Evidence summary

NIS‑2 Audit Checklist

1. Governance & Risk Management

  • Cybersecurity governance structure defined
  • Roles and responsibilities documented
  • Risk management methodology in place
  • Risk register maintained and updated
  • Management oversight documented
  • Policies reviewed annually

2. Cybersecurity Policies & Procedures

  • Information security policy exists
  • Acceptable use policy implemented
  • Change management procedure defined
  • Secure development practices documented
  • OT/ICS security policies (if applicable)

3. Incident Handling

  • Incident response plan documented
  • Incident classification defined
  • Incident register maintained
  • Escalation procedures in place
  • 24‑hour early warning capability
  • 72‑hour incident reporting readiness
  • Post‑incident reviews performed

4. Business Continuity & Disaster Recovery

  • BCP and DRP documented
  • RTO/RPO defined
  • Backup policy implemented
  • Backup encryption verified
  • Restore tests performed
  • Crisis communication plan exists

5. Supply Chain Security

  • Supplier inventory maintained
  • Supplier risk assessments performed
  • Security requirements included in contracts
  • Sub‑outsourcing controls defined
  • Monitoring of critical suppliers performed
  • Third‑party incident reporting defined

6. Network & Information System Security

  • Network segmentation implemented
  • Firewalls and filtering in place
  • Secure configuration baselines defined
  • OT/ICS network separation (if applicable)
  • Remote access secured

7. Access Control & Identity Management

  • MFA enforced
  • Least privilege principle applied
  • Joiner/mover/leaver process implemented
  • Privileged access management in place
  • Periodic access reviews performed

8. Cryptography & Data Protection

  • Encryption in transit
  • Encryption at rest
  • Key management procedures defined
  • Data classification implemented
  • GDPR alignment verified

9. Vulnerability & Patch Management

  • Vulnerability scanning performed
  • Patch management process defined
  • Critical patches applied within defined SLA
  • Asset inventory maintained
  • Secure configuration monitoring in place

10. Monitoring, Logging & Detection

  • Logging policy defined
  • SIEM or log aggregation in place
  • Log retention meets regulatory requirements
  • Alerting and monitoring procedures defined
  • Detection capabilities tested

11. Human Resources Security

  • Security awareness training conducted
  • Phishing simulations (optional but recommended)
  • Background checks (where appropriate)
  • Role‑based training for privileged users

12. Physical Security

  • Access to critical areas controlled
  • CCTV or monitoring in place
  • Visitor logs maintained
  • Environmental controls implemented

13. Documentation & Evidence

  • Compliance reporting prepared
  • Policies and procedures documented
  • Evidence of control operation retained
  • Audit trails maintained
NIS-2 Act