As an ISO 27001:2022-certified organisation, Damovo has established a comprehensive information security management system (ISMS) that aligns with the stringent requirements of ISO 27001 and the NIS2 Directive. Our certification ensures we follow best practices for managing information security, risk treatment, and incident management across our organisation.
Damovo’s Information Security Office, Chief Information Security Officer (CISO), and Data Protection Officer (DPO) have thoroughly reviewed the NIS2 requirements to ensure that our existing ISO 27001-based information security program meets or exceeds these new obligations. This review process ensures that we are not only compliant with NIS2 but are also well-prepared for any future cybersecurity challenges.
This exercise was a critical step in aligning with NIS2 but was equally important in demonstrating to our customers that we are proactively maturing our security program. By continuously enhancing our security posture, Damovo maintains and strengthens the trust placed in us by our clients and partners, ensuring that we remain a leader in secure communications and ICT services.
Below is an outline of how Damovo complies with key NIS2 requirements, leveraging our ISO 27001 framework.
Damovo takes governance seriously, ensuring that all aspects of information security are managed according to clear, well-defined policies. The following table illustrates the specific ISO 27001 controls that align with the governance requirements of NIS2:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Policies for governance | Annex A: A.5.1 Policies for information security |
| Compliance with legal and regulatory requirements | Annex A: A.5.31 Compliance with legal, statutory, regulatory, and contractual requirements |
| Independent review of security | Annex A: A.5.35 Independent review of information security |
| Employee awareness and training | Annex A: A.6.3 Information security awareness, education, and training |
These measures give Damovo a strong governance framework, with accountability and oversight over all information security processes.
Damovo implements a robust risk management framework to ensure the early identification, assessment, and treatment of information security risks. Below are the ISO 27001 controls that correspond to the NIS2 risk management requirements:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Risk assessment | 6.1.2 Information security risk assessment procedures |
| Risk treatment | 6.1.3 Information security risk treatment processes |
| Information security policies | A.5.1 Policies for information security |
Damovo’s risk management procedures enable the organisation to proactively address vulnerabilities and mitigate risks, ensuring our operations remain resilient against cybersecurity threats.
Damovo’s approach to incident handling ensures a swift and effective response to cybersecurity incidents. The table below highlights the ISO 27001 controls relevant to this requirement:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Incident management | A.5.24 Information security incident management planning |
| Response to incidents | A.5.26 Response to information security incidents |
| Learning from incidents | A.5.27 Learning from information security incidents |
By continually learning from incidents, Damovo strengthens its security posture and ensures that future incidents are managed more efficiently.
Maintaining business continuity is critical to Damovo’s operations. We employ the following ISO 27001 controls to align with NIS2 business continuity requirements:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Continuity management | A.5.29 Information security during disruption |
| Backup procedures | A.8.13, A.8.14 Information backup procedures |
| Logging and monitoring | A.8.14, A.8.15 Logging and monitoring activities |
These measures ensure that Damovo’s operations remain stable and resilient even during disruptions, safeguarding the continuity of our services.
Damovo recognises the importance of securing its supply chain so that supplier vulnerabilities do not affect our services. The following ISO 27001 controls support our approach:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Supplier relationships | A.5.19 Information security in supplier relationships |
| Supply chain security | A.5.21 Managing security in the ICT supply chain |
| Cloud services security | A.5.23 Information security for the use of cloud services |
By maintaining rigorous security standards throughout our supply chain, Damovo ensures we can deliver secure, uninterrupted services to our customers.
In summary, Damovo’s risk management practices, backed by ISO 27001, align with the NIS2 Directive, ensuring proactive management of cybersecurity risks and business continuity protection.
Damovo’s network and information system security measures are designed to safeguard our digital infrastructure. We achieve this through the following ISO 27001 controls:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Network security | A.8.20 Network security controls |
| Technical vulnerabilities | A.8.8 Management of technical vulnerabilities |
| Security of network services | A.8.21 Security of network services |
These measures ensure that Damovo’s network remains protected from external threats, securing the integrity and availability of our information systems.
At Damovo, we recognise that human resources security is a key component of cybersecurity. We employ the following ISO 27001 controls to meet the requirements of NIS2:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Identity management | A.5.16 Identity management |
| Authentication | A.5.17 Authentication information |
| Privileged access | A.8.2 Privileged access rights |
| Employee training and awareness | A.6.3 Information security awareness, education, and training |
Through these measures, Damovo ensures that employees and contractors are granted appropriate information access and regularly trained to mitigate security risks.
Cryptography and encryption are fundamental components of our data protection strategy at Damovo. The following ISO 27001 control ensures alignment with NIS2:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Use of cryptography | A.8.24 Use of cryptography |
By adhering to this control, Damovo ensures the protection of sensitive data, both at rest and in transit, safeguarding against unauthorised access.
Damovo complies with NIS2 reporting obligations by implementing the following ISO 27001 controls:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Incident reporting | A.6.8 Information security event reporting |
| Information transfer | A.5.14 Information transfer protocols |
By following these procedures, Damovo ensures rapid and accurate reporting of cybersecurity incidents, enabling swift responses and minimising potential impact.
Damovo actively manages third-party risk and certification through the following ISO 27001 control:
| NIS2 Requirement | ISO 27001 Control |
| --- | --- |
| Supplier agreements | A.5.20 Security within supplier agreements |
This ensures that our third-party partners adhere to the same high security standards as Damovo, safeguarding our information and systems.
Damovo’s ISO 27001:2022 certification provides a strong foundation for compliance with the NIS2 Directive. By mapping our existing ISO 27001 controls to NIS2 requirements and engaging in a thorough review process, we ensure that we are well-prepared to meet the evolving regulatory landscape, protect our assets, and maintain the highest standards of information security across our operations.
Please get in touch with your account manager for more detailed guidance or consultation on our approach to NIS2 compliance and how a similar exercise could benefit your organisation.
You may also enjoy our webinar series for additional information on preparing your organisation for NIS2 Compliance in 90 days.