This website uses cookies. View our cookie policy
Select regional store:

NIS Directive Consultancy

The EU Directive on Security of Network and Information Systems (NIS Directive) requires operators of essential services and digital service providers to implement “appropriate and proportionate technical and organisational measures” to manage the risk posed to the security of the network and information systems they use in their operations.

The Directive calls for “effective, proportionate and dissuasive” penalties for infringements, as does the General Data Protection Regulation, which stipulates fines of up to €20 million or 4% of annual global turnover (whichever is greater) for non-compliance. Some member states have already stated that they intend to implement a similar penalty regime.

IT Governance can help you implement and maintain the measures you need to ensure the security and continuity of your systems, in compliance with the new law.

Speak to an expert


How we can help you comply with the NIS Directive

Operators of essential services and digital service providers can demonstrate that they have applied the measures required by the Directive by implementing an organisational cyber resilience programme that combines information security and business continuity best practice.

Article 19 of the Directive states that member states should “encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems”.

There are two relevant international standards that we recommend: ISO/IEC 27001:2013, the international standard for an information security management system (ISMS), and ISO 22301:2012, the international standard for a business continuity management system (BCMS).

An integrated management system (IMS) based on these two best-practice standards will protect your networks and information systems from the majority of threats, and help you recover quickly and efficiently if and when an incident occurs.

Drawing on our unique blend of practical information security know-how and proven management system consultancy expertise, our team will help you implement an IMS that combines the best of ISO 27001 and ISO 22301.

Click here for more information about our consultancy services >>


ISO 27001

The NIS Directive’s incident reporting requirements are not limited to cyber security incidents, but include any incident that affects the security of network and information systems, including physical events.

An ISO 27001-compliant ISMS addresses information security risks in all forms, and encompasses people, processes and technology, in line with the Directive’s requirement for a “culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced”.

Better still, ISO 27001 is the only relevant international standard against which organisations can achieve independently audited certification, which will demonstrate that you have taken the “appropriate and proportionate technical and organisational measures to manage the risks posed to the information systems” you use in your operations.


ISO 22301

A BCMS that conforms to ISO 22301 provides a well-defined incident response structure that ensures that when an incident occurs, responses are escalated in a timely manner and the right people take the right actions to respond effectively.

An important aspect of ISO 22301 is the need to plan to return to business as usual after an incident.

Although it is, of course, good business practice to implement a BCMS that covers the entire organisation, for the purposes of NIS Directive compliance the network is the only thing that will be in scope, so achieving certification to ISO 22301 might not be necessary.

Click here for more information about our ISO 22301 consultancy services >>


Penetration testing

Many cyber attacks could easily be prevented by keeping software and systems up to date. Vulnerabilities are discovered and exploited all the time by opportunistic criminal hackers who use automated scans to identify targets. Making sure you close these security gaps and fix vulnerabilities as soon as they become known is essential to keeping your networks and information systems safe and secure.

Regular penetration testing is the most effective way of identifying exploitable vulnerabilities in your infrastructure, allowing appropriate mitigation to be applied.

Click here for more information about our CREST-accredited penetration testing services >>


Why use IT Governance for your NIS Directive compliance needs?

We offer a hassle-free service and transparent pricing.


You can keep control over your ISMS because we teach you how to maintain it following certification*.


Our methodology and tools have been honed over 15 years.


We support independently accredited certification – you can use the certification body you want.


Our team led the world’s first successful certification to BS 7799, the forerunner of ISO 27001.


Our implementation approach and methodology is pragmatic, proven and straightforward.


You receive crucial input to help you develop a business case, allowing you to secure the necessary information security investment.


You receive a 100% guarantee of successful certification.

* Alternatively receive ongoing support for your ISMS with our managed support contracts.


How we’ve helped companies just like yours implement best-practice management systems

Click on a case study below to find out how we have helped companies just like yours comply with ISO 27001:

Click here to read all of our ISO 27001 case studies >>


Some of our clients

We’ve helped more than 400 organisations across many different industries and sectors achieve ISO 27001 certification.


What our clients say

“Having IT Governance on hand to guide our swift adoption of the ISO 27001 standard and provide ongoing expert support has been invaluable. They really understood the needs of a technology enterprise like ours.”

- Paul Green, Wirefast


“I would have no hesitation in recommending IT Governance to others. The main advantage was their flexibility. IT Governance tailored their services, (whether it be training or consultancy) to our specific needs.”

- Paul Berry, Senior Project Manager, Martin Dawes Solutions


“On behalf of myself and colleagues, a sincere thank you for all your input helping us achieve certification to the ISO 27001 standard. Here we are, just 6 months after we started the project and the outcome has been described by the auditor as ‘a delight to audit’. Much of this has been down to the mentoring and coaching style IT Governance has used to steer us to our goal.”

- David Gilbert, Global Business Development Manager at Goal Group of Companies


For more client testimonials and details of projects we’ve undertaken, please see our consultancy case studies page >>


Our credentials

IT Governance is widely recognised as a leading consultancy by certification bodies such as BSI, LRQA, NQA and DNV.


Deep technical expertise. Business-focused results.

We combine deep technical expertise and ISO 27001 best practice with a practical understanding of the realities of running a business. We’ll help you transform your information security by working closely with you to achieve your goals. Download our ISO 27001 consultancy brochure here >>


Let’s work together to get things moving

Whatever the nature or size of your problem, we are here to help. Click the button below to request a call and one of our experts will get in touch as soon as possible.


Speak to an expert

Please contact us for further information or to speak to an expert.

Contact us