77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
IT risk analysis according to NIS-2: method, steps and evidence
IT Security & NIS-2

IT risk analysis according to NIS-2: method, steps and evidence

11 June 202613 min readBy Lena Vogt
CIVAC

Section 30 NIS2UmsuCG obliges affected companies to carry out a documented risk analysis. The article describes step by step how to capture, assess and treat assets, threats, protection objectives and risks, including the interface to ISO/IEC 27005.

The NIS 2 Implementation Act requires in Section 30 NIS2UmsuCG that essential and important institutions take suitable and proportionate technical and organisational measures for risk management. The legislator names ten minimum areas, from risk analysis concepts to supply chain security and multi-factor authentication. The basis for each of these measures is a documented risk analysis that clearly shows which assets are worth protecting, what threats they are exposed to and what residual risk management accepts.

This article describes an audit-proof method for IT risk analysis according to NIS-2, aligned with ISO/IEC 27005:2022 and compatible with ISO/IEC 27001:2022. You will learn the five main steps, the typical stumbling blocks in the assessment and the minimum documentation that the BSI will first see during an audit. The deadline is running, the scope of application is broad, the method decides whether to pass or require a supplement.

Key Takeaways

  • Section 30 NIS2UmsuCG requires a documented risk analysis as the basis for all further protective measures; without it, no other obligation applies.
  • ISO/IEC 27005:2022 provides the internationally recognised method that is accepted as a standard in the German supervisory process.
  • The Asset Inventory, Threat Catalog, Risk Matrix, and Treatment Plan are the four documents an auditor asks for first.

What Section 30 NIS2UmsuCG specifically requires

§ 30 NIS2UmsuCG obliges essential and important facilities to implement risk-based security management. Paragraph 2 lists ten minimum areas: concepts for risk analysis and security for information systems, management of security incidents, business continuity including backup management and recovery, security of the supply chain including security-related aspects of relationships with direct suppliers, security in acquisition, development and maintenance, assessment of the effectiveness of risk management measures, cyber hygiene and training, cryptography and encryption, personnel and access security and multi-factor authentication.

The measures must be appropriate, proportionate and state of the art be appropriate. Suitable means: the measure addresses the identified risk. Proportionate means: the effort is in relation to the size of the facility and the potential for damage. State of the art means: recognised industry procedures such as ISO/IEC 27001:2022, BSI-Grundschutz or industry-specific standards. Without a risk analysis, there is no basis for the suitability and proportionality test. Regulators and auditors therefore require the risk analysis as an initial document. An Information Security Officer is the natural responsible for this process, even if management has formal responsibility.

Choice of method: ISO/IEC 27005 as anchor

The method determines the resilience. ISO/IEC 27005:2022 is the leading international standard for information security risk management and is recognised as a standard by the BSI and certifying auditors. Alternatively, BSI-Grundschutz with Standard 200-3 can be considered, which describes a protection needs-oriented approach and is particularly suitable for German authorities and critical sectors.

ISO/IEC 27005:2022 distinguishes between six steps: context definition, risk identification, risk analysis, risk assessment, risk treatment and risk acceptance. Each step produces a defined artifact. The method can be used asset-based or scenario-based. Asset-based starts with the asset (database, server, application) and asks what threats affect it. Scenario-based starts with an event (ransomware, data leak, supplier failure) and asks which assets are affected. A combination has proven successful for those subject to NIS 2: an asset-based basic analysis with scenario-based stress tests for the most critical business processes. The method is defined once, documented and applied consistently throughout the entire analysis cycle. A change of method in the middle of the analysis renders results comparably worthless and is viewed as a fundamental deficiency in the audit.

Step 1: Context setting and protection goals

The context definition defines the scope of the analysis. Which business processes fall within the NIS 2 scope? What additional legal requirements apply (GDPR, KRITIS regulation, industry-specific regulation)? Which internal and external stakeholders are affected (management, works council, customers, supervisory authorities)? Which acceptance criteria apply to residual risks? The management determines the risk appetite in a written resolution. Without this requirement, any subsequent assessment remains subjective.

Protection goals are based on the classic three dimensions of confidentiality, integrity, availability, supplemented by authenticity, liability and verifiability. A protection needs scale is created for each dimension, typically with four levels: normal, high, very high, critical. The protection needs of an asset arise from the maximum protection needs of the data and functions it carries. An example: a mail server of an energy supplier subject to NIS 2 carries operational control emails (availability high, integrity very high) and personnel data (confidentiality high). The mail server therefore inherits the protection requirement of high availability and confidentiality, and very high integrity. The maximum principle avoids undervaluation. The context definition concludes with a signed scope document.

Step 2: Asset inventory with operational depth

There is no reliable analysis without a complete asset inventory. Inventory includes primary assets (business processes, information) and supporting assets (hardware, software, networks, people, locations, suppliers). At least five fields are maintained for each asset: unique identifier, designation, person responsible or responsible, need for protection in the defined dimensions, dependencies on other assets. The depth decides: an entry like the SAP system is not enough because different modules have different protection requirements.

Consolidating existing sources helps in practice: CMDB for hardware and software, Active Directory extract for access rights, HR system for personal data, contract database for suppliers and processors. Anyone who uses an external data protection officer connects the directory in accordance with Art. 30 GDPR with the asset inventory because both are based on the same data flows. The supplier illustration deserves special attention. Section 30 paragraph 2 number 4 NIS2UmsuCG explicitly requires the supply chain to be taken into account. Every processor, every cloud provider, every subcontractor with access to relevant systems belongs in the inventory. Maintenance is continuous: every procurement, every personnel change, every architectural adjustment leads to an update. The inventory is the only data source from which all subsequent steps are derived.

Step 3: Threat Catalog and Vulnerabilities

Threats are recorded systematically, not collected ad hoc. Established sources are the BSI-IT-Grundschutz component catalogue with the associated threats, the ENISA Threat Landscape, the MITER ATT&CK Framework and the STRIDE approach (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). A consolidated list of 30 to 60 threats has proven useful for the NIS 2 analysis, depending on the industry complexity.

Vulnerabilities are the entry points for threats. They arise from technical deficiencies (lack of patches, weak encryption), organisational deficiencies (lack of training, unclear responsibilities) and physical deficiencies (access control, fire protection). Sources include internal audits, vulnerability scans, pentests, awareness measurements and lessons learned from previous incidents. The cross matrix Asset × Threat × Vulnerability is built for each asset. Not every combination is plausible, so filtering is based on experience. The result is a list of concrete risk scenarios such as: Ransomware attack via unpatched VPN software on the production data server. Such sentences are the analytical atoms of the next level of evaluation. Blanket formulas such as cyber risk in general do not provide any control information and are not accepted in the audit.

Step 4: Assessment and risk matrix

Each risk scenario is assessed in two dimensions: probability of occurrence and impact of damage. The probability of occurrence can be depicted qualitatively (rare, possible, likely, very likely) or quantitatively (frequency per year). Damage impact is broken down into financial, regulatory, operational and reputational damage and put on a comparable scale. A four-stage scale (minor, noticeable, severe, existence-threatening) is standard practice.

The combination of the two dimensions results in the risk matrix, usually as a 4×4 or 5×5 grid. Risks in the top right corner (high probability × high damage) are prioritised. The risk acceptance limit is determined in advance: for example, management only accepts risks if the probability of occurrence is assessed as low and the damage is assessed as minor or noticeable. Anything above that needs to be addressed. Important: the assessment is first gross, without existing controls, then net, with the measures already implemented. The difference shows the impact of the existing security and makes the assessment in the audit comprehensible. Each review is provided with the reason, date and person who did the review. Subjective individual opinions without evidence are replaced by structured workshops with IT, departments, data protection and compliance. Others run compliance like a filing cabinet. We run it like software.

Step 5: Treatment, acceptance and residual risk

For each unacceptable risk, a treatment option is chosen: avoid, reduce, transfer or accept. Avoidance means discontinuing the risky process or function. Reducing means implementing technical or organisational measures that reduce the likelihood or damage. Transferred by insurance or by outsourcing to third parties with contractual liability. Acceptance is a conscious decision by management to bear the remaining risk.

The treatment plan lists the selected option, the specific measure, the person responsible, the target date, the budget and the success criteria for each risk. Measures are linked to the Annex A controls from ISO/IEC 27001:2022 so that the Statement of Applicability remains consistent. The management signs the treatment plan and the risk acceptance for the remaining residual risk. This signature is the central document in the audit for the personal liability question according to Section 38 NIS2UmsuCG, which holds the management directly liable. Failure to comply with NIS 2 can result in fines of up to 10 million euros or 2 percent of group sales, whichever is higher. The risk analysis is updated at least annually and as necessary (in the event of significant changes or incidents). The appointment certificate, signed, filed, verifiable.

Documentation: What regulators want to see first

For an NIS 2 exam, the BSI typically requires four documents in this order. First: the risk analysis method with scope and evaluation logic. Second: the asset inventory with protection needs assessment. Third: the risk matrix with all scenarios, assessments and the risk acceptance limit. Fourth: the treatment plan with measures, those responsible, appointments and success checks.

In addition, the interface for incident reporting is checked in accordance with Section 32 NIS2UmsuCG: is it ensured that the risk analysis results in the detection capability required for the 24-hour early warning and the 72-hour follow-up report? Is the connection to the supply chain documented in accordance with Section 30 Paragraph 2 Number 4 NIS2UmsuCG? Are management's training obligations in accordance with Section 38 NIS2UmsuCG proven? Are the measures linked to Annex A of ISO/IEC 27001:2022 so that later certification remains compatible? Each document has a version, date, author and approver. Every change produces a new version with justification. Audit-proof, documented, Section 30-proof. The auditor calls, the evidence is ready.

Turn reading into an assignment

IT risk analysis is the foundation of every NIS 2 compliance program. The method, asset inventory, threat catalogue, risk matrix and treatment plan must be consistent with each other and continuously maintained. CIVAC provides a compliance platform and officer-as-a-service for exactly this task. The platform provides the methodological structure according to ISO/IEC 27005:2022, the asset inventory schema, ready-made threat catalogues based on BSI and ENISA, and a configurable risk matrix. Licence the workspace for your internal representatives, or have our representatives order it.

Turn reading into a mandate. Write to info@civac.de with the NIS 2 status of your company (essential, important, unclear), the industry, the approximate number of employees and the status of an existing risk analysis. Within 48 hours you will receive a mock plan, an estimate of the effort and the draft appointment certificate for an external information security officer if you wish to outsource the responsibility. The workspace is available for access two working days after the conclusion of the contract. The deadline begins as soon as we become aware of it.

FAQ

Who has to carry out an IT risk analysis according to NIS-2?

All essential and important facilities within the meaning of Annexes 1 and 2 NIS2UmsuCG are obliged. This includes around 29,500 companies in Germany from sectors such as energy, transport, banking, health, digital infrastructure, public administration, food, chemicals and others. The management bears personal responsibility.

Which method is prescribed for risk analysis?

Section 30 NIS2UmsuCG does not prescribe a specific method, but requires a procedure that corresponds to the state of the art. ISO/IEC 27005:2022 is the internationally recognised standard. Alternatively, BSI-Grundschutz with Standard 200-3 is possible, especially for German authorities and KRITIS sectors.

How often does the risk analysis need to be updated?

At least annually and when necessary in the event of significant changes such as new business areas, new critical systems, changes of suppliers or after a security incident. The update frequency is specified in the risk management policy and checked in the audit.

What documents does the BSI require in the audit?

Usually four documents: the method description with scope, the asset inventory with identification of protection needs, the risk matrix with all scenarios and assessments and the treatment plan with measures, those responsible, dates and success checks. All documents versioned with date and release.

How long does an initial complete risk analysis take?

For a medium-sized company with 200 to 500 employees, the effort is four to eight weeks, depending on the maturity of the asset inventory. An ISMS that has already been maintained significantly reduces the effort. Without preparatory work, an additional four weeks can be expected for the asset inventory.

What fines are threatened without a risk analysis?

Important facilities risk up to 10 million euros or 2 percent of global group sales, important facilities up to 7 million euros or 1.4 percent. The management is personally liable according to Section 38 NIS2UmsuCG, which affects insurability and financial liability.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles