Art. 21 NIS 2 + §30 BSIG + BSI 200-1

What is an ISMS and do I need one for NIS 2?

An ISMS is not a piece of software. It is the way your organisation decides on, runs, and improves its security controls. NIS 2 never uses the word, but Art. 21(2) requires exactly what an ISMS does.

Simon Orzel

Why people get this wrong

ISMS is one of the most misused words in NIS 2 conversations. The most common confusion is treating it as a tool to buy. It is not. An ISMS is the way an organisation manages information security: how policies are decided, how risks are assessed, how controls are picked, how incidents are handled, how all of it is reviewed.

NIS 2 itself never uses 'ISMS' as a term. The directive talks about 'policies', 'measures', 'risk-management', and 'governance'. Art. 21(2) lists ten requirements that together describe exactly what an ISMS does. ISO 27001 calls this same thing 'an information security management system'. IT-Grundschutz calls it an 'Informationssicherheitsmanagementsystem'. The substance is identical.

The practical question is not whether you have an ISMS but how much weight it has. A 60-person Mittelstand running on a one-page policy plus a small risk register plus an annual review meeting can satisfy NIS 2. A 6000-person bank cannot. Both are running an ISMS; one is just heavier than the other.

Where NIS 2 requires it without naming it
Three textual hooks. Two in the directive, one in IT-Grundschutz that operationalises both.

Art. 21(1) and 21(2) NIS 2

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks. The measures shall include at least the following: policies on risk analysis and information system security; incident handling; business continuity; supply chain security; security in network and information systems acquisition; policies and procedures to assess the effectiveness of cybersecurity risk-management measures; basic cyber hygiene practices and training; cryptography; human resources security, access control policies and asset management; use of multi-factor authentication.

Read together, the ten points describe a management system. 'Policies', 'procedures', 'assess effectiveness': that is the vocabulary of an ISMS. NIS 2 does not require ISO 27001 certification, but it requires the substance ISO 27001 covers.

§30 BSIG (German transposition of Art. 21)

Essential and important entities shall take appropriate, proportionate and effective technical and organisational measures to prevent disruptions of the availability, integrity and confidentiality of the information technology systems, components and processes they use to provide their services.

The German transposition uses 'geeignete, verhältnismäßige und wirksame' — appropriate, proportionate and effective. Effective is the word that makes the management system necessary: you can only show effectiveness if you measure and review.

BSI IT-Grundschutz BSI 200-1, §3

An information security management system (ISMS) is the totality of the rules that serve to steer and monitor the tasks of information security management in an organisation.

The shortest legal definition of an ISMS in German. It is the set of rules that govern how information security is steered and overseen. Not a tool, not a project, not a one-off audit. A way of working.

Four elements that make an ISMS an ISMS
Whether you call it ISMS, ISO 27001, IT-Grundschutz or 'our security programme', four elements have to be in place.

Defined scope

Which parts of the organisation does the ISMS cover, what are the boundaries, what is explicitly out. Without scope, every conversation drifts.

Documented policy

A written information security policy signed by the management body. One page is enough for a small entity. It commits the organisation to specific principles and assigns responsibility.

Risk-based decisions

Controls are chosen because they address identified risks, not because they appear on a checklist. The risk register is the link from inventory to control.

Periodic review

At least annually. The management body looks at what worked, what did not, and what changed in the threat landscape. A static ISMS is not an ISMS; it is a snapshot.

Three things an ISMS is not
Most procurement-led misunderstandings come from one of these.

Not a software tool

Tools support an ISMS, they do not replace it. You can run an adequate ISMS in a binder; you cannot replace governance decisions with a SaaS subscription.

Not a one-time project

Setting up the ISMS is a project. Running it is ongoing work. The annual review is the moment that turns a project deliverable into a system.

Not the same as an audit

Audits test whether the ISMS works. They do not constitute the ISMS. An audit without an underlying management system has nothing to test.

Do you need an ISMS for NIS 2?

If your entity is in scope of NIS 2, the substance of an ISMS is required regardless of what you call it. Without a documented policy, risk-based decisions, and a review cycle, you cannot demonstrate that the measures under Art. 21(2) are 'appropriate, proportionate and effective' as §30 BSIG requires.

What is not required is ISO 27001 certification. Many auditors expect it because it is the most-recognised proof, but a self-built ISMS aligned to IT-Grundschutz or a sector standard is equally valid. Choose the standard you can sustain, not the one that looks heaviest on a slide.

Build a minimal ISMS in four artefacts
Four documents are the absolute floor for a 60-person Mittelstand. Each fits on one page.

1. Scope statement

Which legal entities, which sites, which services are covered. One paragraph signed by the management body.

2. Information security policy

Five to seven principles. Examples: classify data by sensitivity, restrict admin access to named individuals, train all staff annually, report incidents within agreed timelines, review risks annually.

3. Risk register

One row per identified risk. Description, likelihood, impact, treatment decision, owner, review date. Ten to twenty rows for a small entity.

4. Review schedule

A document that says the management body reviews the ISMS once a year, who attends, what evidence is presented. Without this, the ISMS is decoration.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Art. 21(1) and 21(2), www.eur-lex.europa.eu
  • Act on the Federal Office for Information Security (BSIG), §30, www.gesetze-im-internet.de
  • BSI IT-Grundschutz Standard BSI 200-1, §3 (ISMS definition), www.bsi.bund.de
  • ISO/IEC 27001:2022 (international ISMS standard, voluntary under NIS 2)

This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, BSI IT-Grundschutz, ISO/IEC 27001). It does not constitute legal advice within the meaning of §2 RDG. For specific cases consult an admitted lawyer. As at 2026-06-04.

Start with the four minimal artefacts
The platform produces editable scope, policy, risk register, and review-schedule templates tuned to NIS 2 requirements.