Category: Blog


  • NIS2 roadmap: the 4 phases of a successful compliance project

    Reading time: ~6 min

    The NIS2 directive significantly expands the scope of organisations subject to cybersecurity requirements across Europe. For SMEs and mid-sized companies that haven’t yet structured their approach, the question is no longer “should we act?” but “where do we start without wasting 6 months in scoping meetings?”

    Here is the roadmap I use to manage a NIS2 project end to end — pragmatic, sequenced, and adapted to the realities of organisations without a dedicated security team.


    Before you start: clarify your scope

    NIS2 doesn’t apply to all organisations in the same way. The distinction between essential entity and important entity determines obligations, incident notification timelines, and potential sanctions. This point must be established before anything else — it sets the ambition and pace of the entire project.

    Covered sectors are broad: energy, transport, healthcare, water, digital infrastructure, managed IT services, public administrations, and many more. If you’re unsure whether you fall within scope, that’s the first thing to resolve.


    The 4 project phases

    Phase 1 · Weeks 1–2 · Scoping and gap analysis

    Objective: know exactly where you stand before deciding what to do.

    We start by confirming the regulatory scope, then conduct a gap analysis against the technical and organisational measures required by NIS2. I work with a control framework aligned to the directive’s 10 domains: governance, risk management, supply chain security, incident management, business continuity, network security, cryptography, access control, incident response, and HR security policies.

    Deliverable: gap analysis report with domain-level scoring and regulatory risk mapping.

    Phase 2 · Weeks 3–4 · Risk treatment plan

    Objective: turn the diagnosis into a realistic action plan.

    Based on the gap analysis, we prioritise actions along two dimensions: regulatory risk level (what could trigger a sanction) and internal feasibility (what the existing teams can absorb). We separate quick wins — measures deployable within 30 days using current resources — from medium-term workstreams that require budget or external support.

    Deliverable: prioritised remediation plan with owners, deadlines, and tracking indicators.

    Phase 3 · Months 2–4 · Implementing priority measures

    Objective: concretely reduce regulatory exposure.

    This is the execution phase. Priority goes to governance measures (designating a NIS2 owner, formalising the security policy, setting up an incident notification procedure) and high-impact technical measures (access management, MFA, tested backup and recovery, monitoring of critical systems). I lead or co-lead implementation depending on available internal resources.

    Deliverable: documentation of implemented measures, compliance tracking dashboard.

    Phase 4 · Month 4+ · Embedding and continuous improvement

    Objective: protect the gains and keep improving.

    NIS2 compliance is not a fixed-date project — it’s an ongoing process. This phase focuses on integrating practices into day-to-day operations: periodic reviews, business continuity tests, documentation updates, and monitoring of regulatory developments. We also plan the next internal audit cycles.

    Deliverable: NIS2 internal audit programme, maturity indicators, review calendar.


    Mistakes to avoid

    After several NIS2 engagements, here are the most common pitfalls I see:

    • Treating NIS2 as an IT project only — it’s a governance issue. Senior leadership must be involved from day one.
    • Starting with documentation before assessing actual risks. You end up producing policies that don’t reflect operational reality.
    • Overlooking the supply chain — NIS2 explicitly requires you to demonstrate control over risks coming from your vendors.
    • Never testing the incident notification procedure — in the event of a real incident, timelines are extremely tight (24 hours for initial notification to the national authority).

    Want to launch your NIS2 project without losing time on endless scoping?

    I help SMEs and mid-sized companies structure and drive their NIS2 compliance in a practical, operational way. Get in touch for a 30-minute call on your situation — no commitment.

  • Building a TPRM programme from scratch: where to actually start

    Reading time: ~6 min

    You’ve decided to structure the way you manage risks from your vendors and suppliers. Good. But in front of you: a list of 150 providers, contracts that haven’t been reviewed in years, and no formal process in place. Where do you start without drowning?

    Here’s the method I use to build an operational TPRM programme — even when starting from zero.


    Why TPRM has become non-negotiable

    Most significant security incidents in recent years involve a third party: a compromised IT provider, a subcontractor with overly broad access, a SaaS vendor with no serious encryption policy.

    NIS2, DORA, ISO 27001 — all of these frameworks now require you to demonstrate that you control your exposure through your partners. This is no longer an optional best practice. It’s a regulatory requirement.


    The 5 building blocks of a solid TPRM programme

    Block 1 — Map your existing vendors

    Before any assessment, you need to know who is in scope. The goal: build an exhaustive list of your third parties, noting for each one the type of access they hold (data, IT systems, physical premises) and their business criticality. This mapping is the foundation of everything else. Without it, you’re assessing in a vacuum.

    Block 2 — Define a risk classification framework

    Not all vendors deserve the same level of scrutiny. I work with 3 tiers: critical (access to production systems or sensitive data), sensitive (partial or occasional access), standard (no direct access to critical assets). This classification determines the depth of assessment and the review frequency for each vendor.

    Block 3 — Build a proportionate assessment process

    The classic mistake: an 80-question questionnaire sent to every supplier, which ends up being ignored. The right approach: a short, targeted questionnaire (10 to 15 questions) for standard vendors, and a structured interview plus document review for critical ones. The assessment process must be sustainable over time — otherwise it simply won’t happen.

    Block 4 — Embed TPRM into your contractual processes

    A TPRM programme without contractual grounding remains cosmetic. Security requirements must be integrated from the vendor onboarding stage, with clear clauses covering: audit rights, incident notification, and subcontracting commitments. That’s when you have leverage — not after the contract is signed.

    Block 5 — Set up continuous monitoring

    An initial assessment is just a snapshot. A vendor can change its policies, be acquired, or suffer an incident. Continuous monitoring means, at minimum: an annual reassessment of critical vendors, alerts on major public incidents, and tracking of certifications (ISO 27001, SOC 2) approaching expiry.


    Where to start concretely

    If you’re starting from scratch, here’s the sequence I recommend:

    1. Weeks 1–2 — Map your vendors and classify them by criticality level.
    2. Weeks 3–4 — Prioritise assessment of your 5 to 10 critical vendors. That’s where risk is concentrated.
    3. Month 2 — Document the process, build questionnaire templates and risk summary sheets.
    4. Month 3 — Integrate security clauses for new vendors. Schedule reassessments for existing ones.

    Want to build your TPRM programme without spending 6 months on it?

    I help SMEs and mid-sized companies structure their third-party risk management quickly and operationally. Get in touch and we’ll assess your situation together — no commitment required.

  • My Go-To Resources for NIS2, ISO 27001 & TPRM

    A practical reference library for executives and risk professionals navigating cybersecurity and compliance.

    [Last updated: March 2026]

    In my day-to-day practice, and to navigate the complexity of the frameworks I assess, I need a strong basis I can rely on when I need guidance. I thought it would be useful to share these resources so that other professionals can benefit from them. Most of them are available for free, and the others are worth their price.

    1. Network & Information Security 2 (NIS2)

    When: Your business operates in the EU and cybersecurity is becoming a board-level obligation

    NIS2 Technical Implementation Guidance [Free] — ENISA — The authoritative technical companion to the NIS2 Directive. Use it to translate legal obligations into concrete security measures. Essential reading before any NIS2 gap assessment. Examples of supporting documents are listed for each requirement.

    The NIS2 Navigator’s Handbook — Michiel Benda — This book digests and simplifies the different requirements that organizations must comply with under NIS2. A very useful tool is the gap assessment included in the annexes of the book: it can be used at a high level or in depth, and gives you an understanding of your level of compliance and the steps you need to take to become compliant.

    Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements [Free] — ISACA — Concise but useful, this white paper compares DORA and NIS2 across several topic areas. It summarizes the main areas of concern for both, including the consequences of non-compliance, incident reporting timelines, and the role of third-party service requirements.

    2. ISO 27001 & Basic Cyber Hygiene

    When: You need to build (or demonstrate) a structured information security management system

    ISO/IEC 27001:2022 — Overview — ISO — The official standard page. Use it to confirm the current version and access the standard. Worth noting: the 2022 revision restructured the Annex A controls significantly.

    ISO/IEC 27001:2022 Lead Implementer Course — Udemy, by Aron Lange — This course is the most useful resource I have found on the web to better understand how ISO 27001 is implemented. It is well explained and structured, with practical templates available.

    ANSSI — Guide d’hygiène informatique [Free] (For French professionals) — ANSSI — 42 concrete security measures structured around the same logic as ISO 27001 controls. A practical complement to the standard, especially for SMEs and mid-market companies. Use it as a readiness checklist before a formal ISO 27001 gap assessment.

    CIS Controls v8 [Free] — CIS — 18 prioritized security controls that map directly to ISO 27001 requirements. Use it to prioritize your implementation roadmap — start with Implementation Group 1 for the highest-impact, lowest-effort controls.

    3. TPRM (Third-Party Risk Management)

    When: Your business relies on vendors, partners, or subcontractors who touch your data or systems

    Good Practices for Supply Chain Cybersecurity [Free] — ENISA — A practical framework for assessing and managing vendor cyber risk. Use it to build your vendor classification criteria and due diligence questionnaire baseline.

    Threat Landscape for Supply Chain Attacks [Free] — ENISA — Real attack cases analyzed to understand how supply chain compromises actually happen. Use it to brief leadership on why TPRM matters — concrete examples land better than abstract risk frameworks.

    ANSSI — Cybersecurity Guide for SMEs (TPE/PME) [Free] — ANSSI — 13 key questions covering foundational security practices, including subcontractor and cloud risk. Particularly useful when assessing smaller vendors who may not have a formal security program — use it as a baseline expectation.

    A Few Tips for Using This Library

    • Use ENISA and ANSSI documents as free, high-quality alternatives to expensive consulting deliverables — they are written by practitioners for practitioners. They provide clear guidance.
    • Cross-reference frameworks. NIS2 obligations map partially to ISO 27001 controls. A solid ISO 27001 implementation gives you a significant head start on NIS2 compliance.
    • Keep this page bookmarked. Regulatory texts and standards update. I’ll keep this list current as new versions are published.

  • The NIS2 “Panic” – Breathe, Structure, Relax

    I’m not gonna lie, I was scared when I first started to read the ENISA guidelines and tips to meet the NIS 2 Directive requirements. The flood of webinars, consultants, and alarming headlines didn’t help. The complexity of the directive and the feeling that “everyone else has it figured out” (they don’t) didn’t help either. Nevertheless, panic is counterproductive: it leads to rushed decisions, wasted budgets, and overlooking what actually matters.

    Start here – Part 1: Let’s BREATHE – Reality Check

    The first thing to do, obviously, is to determine whether you’re actually in scope:

    • Essential vs. important entities
    • Sector classification (don’t self-inflict compliance)
    • Size thresholds and exemptions

    Ok, you just found out you are in scope. Read further:

    You Probably Have More Time Than You Think

    • Clarify actual deadlines vs. perceived urgency
    • Most organizations aren’t starting from zero – you likely have foundational security measures already

    It’s Not As Mysterious As It Seems

    • NIS2 is fundamentally about good cybersecurity hygiene, something that you probably know about (I hope).
    • Strip away the basic jargon: risk management, incident response, supply chain awareness, basic security measures
    • Many requirements overlap with what responsible businesses should already be doing

    Part 2: STRUCTURE

    Step 1: Assess Where You Stand Today

    • Gap analysis against the 10 minimum security measures
    • What do you already have in place?
    • Honest inventory of current practices (no judgment, just facts)

    Step 2: Prioritize Based on Risk, Not Fear

    • Not everything needs to be done at once
    • Focus on high-impact, high-risk areas first
    • Quick wins vs. long-term projects

    Step 3: Build Your Roadmap

    • Quarterly milestones, not a giant launch date
    • Assign clear ownership (governance matters)
    • Budget realistically – avoid panic-buying expensive solutions

    Step 4: Document and Communicate

    • Governance is half the battle
    • Board-level awareness and responsibility
    • Incident reporting procedures
    • Document everything

    FOCUS: What is a Gap Analysis and why it’s important

    A NIS2 gap analysis is a health check for your organization’s cybersecurity measures. It helps you identify the differences between what you’re currently doing and what the NIS2 Directive requires.

    The Core of NIS2 Gap Analysis:

    • Mapping Current Security Controls Against NIS2 Requirements

    Time to roll up your sleeves and take stock of your current security measures:

    1. Start by documenting what you already have in place and create a complete inventory of all network and information systems within scope. Be structured.
    2. Go through all your existing documentation – security policies, incident response plans, risk assessments, the works. Look at certifications you already have, like ISO 27001 as they might already satisfy some NIS2 requirements, saving you time and effort.
    3. Don’t overlook previous security assessments and audit findings either. There’s often valuable information buried in those reports that can inform your current analysis.

    • Evaluating Management Body Responsibilities

    NIS2 puts specific responsibilities on the shoulders of management. First, have your executives formally approve your cybersecurity risk management measures, as required by Article 20. Ask yourself: do we have mechanisms in place for management to oversee implementation? Check whether your management team has received cybersecurity training. NIS2 requires this, along with similar training for employees.

    In addition, do you have documentation showing management’s involvement in cybersecurity decisions and governance? Are there regular reporting processes keeping them informed?

    Make sure your leadership team understands they could be personally liable for compliance failures. The auditor will.

    • Assessing Risk Management Frameworks

    Risk management is central to any management system, and it is here too. Take a critical look at your risk analysis policies and procedures. Do they match what NIS2 requires?

    Areas specifically addressed by NIS2:

    • Information system security policies should be comprehensive and actually working in practice, not just existing on paper.
    • Effectiveness of your cybersecurity measures. Is there a formal process, or is it more ad hoc?
    • Basic cyber hygiene practices are consistently applied throughout your organization – these fundamentals are often the backbone of good security. Refer to ENISA and local authorities’ guides for basic cyber hygiene practices.
    • Multi-factor authentication or continuous authentication solutions are used where appropriate.
    • Access control policies are reviewed.
    • Security in HR processes.
    • Asset management practices.

    • Reviewing Incident Response Capabilities

    When it comes to incident response, NIS2 has clear expectations:

    • Evaluate your incident handling procedures against these requirements. Do you have a clearly documented process for responding to and reporting cybersecurity incidents?
    • Check your notification procedures for alerting Computer Security Incident Response Teams (CSIRTs) or authorities when something goes wrong. Do you have a process for notifying service recipients if an incident might affect them?
    • Look at your documentation for early warnings, incident notifications, status updates, and final reports.
    • NIS2 requires final incident reports within one month – does your timeline align with this?
    • Don’t forget to assess your emergency communication systems. If an incident occurs, can people within your organization communicate securely?

    • Analyzing Supply Chain Security Measures

    Supply chain vulnerabilities have become a major attack vector, and NIS2 recognizes this reality:

    • How do you manage security in your relationships with suppliers and service providers? Do you assess their cybersecurity practices before signing contracts?
    • Look at your security measures for acquiring, developing, and maintaining systems.
    • Do you consider each supplier’s specific vulnerabilities?
    • Review how you evaluate their secure development procedures and overall cybersecurity practices.
    • Check whether your contracts include security requirements and how you monitor suppliers’ compliance with these requirements.

    A chain is only as strong as its weakest link, and in cybersecurity, that weak link is often in the supply chain.

    Part 3: RELAX – This Is Manageable

    You’re Not Alone

    • Entire industries are figuring this out together
    • Frameworks and guidance are there

    Focus on Resilience, Not Just Compliance

    • The real goal: being able to prevent, detect, and respond to incidents
    • Compliance follows naturally from good security
    • This makes your business stronger, not just compliant

    Avoid Common Traps

    • Don’t start by throwing money at expensive tools and fancy dashboards with traffic lights without a strategy
    • Don’t copy-paste someone else’s compliance program
    • Don’t neglect the human element (training, culture)

    Closing: The Path Forward

    To end on an empowering note:

    • NIS2 is an opportunity to mature your security posture
    • Start small, build momentum
    • The organizations that approach this calmly and systematically will emerge stronger
    • One step at a time beats paralysis

  • ISO 27001 Gap Analysis Guide: For Small & Medium Enterprises.

    When I first got into audit, I always wondered why companies would hire consultants to perform gap analyses. I mean, they know their company, their processes, and the applicable standards and frameworks better. For me, it was a waste of money, something you could easily do yourself.

    Turns out I was wrong. That’s the lesson I learned over the years.

    Let’s start with “What is a gap analysis?” Simply put, a rehearsal for your upcoming real ISO 27001 audit. This is where you will find all the issues before they become pricey, uncomfortable issues in front of the auditor assigned by the certification body.

    By definition, an ISO 27001 gap analysis is a systematic approach to figure out the distance between where your organization’s information security is right now and where it needs to be to get certified. That’s it. Nothing more complex than that. It’s a structured comparison exercise.

    But here’s what makes this exercise extremely valuable: it’s the difference between showing up to a certification audit hoping to pass versus showing up with a clear understanding of the security situation in the organization and knowing you will pass.

    Why do a gap analysis? A gap analysis gives you a clear roadmap: what’s missing, how to fix it, and how long it will take. It is the best exercise to avoid failing your certification audit, with the wasted time, lost money, and executive crisis that would come with it.
     
    Gap Analysis: An Almost Binary Approach
    A gap analysis asks a simple question for each requirement: do you meet it?

    You’re either compliant, partially compliant, or non-compliant. It’s comparable to a pass/fail test. The goal is to identify what needs to be fixed to achieve certification.

    When to use a gap analysis:
    – Preparing for initial certification
    – Needing to know exactly what workload is required before planning for certification
    – Needing clarity when your ISMS has got out of hand following significant changes in personnel and organization

    What you get at the end:
    – A clear list of gaps
    – Prioritized remediation actions
    – Resource and timeline estimates
    – A roadmap to certification

    A 5-Phase Process:

    Phase 1: Get Together and Prepare (Preparation)
    Get a Sponsor: Make sure someone from top management is clearly involved. It’s not an IT or security team only project. If top management sees this as an IT initiative, it’s lost. This is a business initiative that happens to involve information security.

    Build a Team: The worst gap analyses are conducted by a single person (usually from IT) working in isolation. They produce technically accurate reports that no one understands or acts on. The best gap analyses involve cross-functional teams (IT, Security, HR and other business people) that bring different perspectives and build organizational buy-in.
    Consider Hiring an External Consultant: If internal ISO 27001 expertise is lacking, an experienced consultant can accelerate the process and help avoid common mistakes. Just make sure they’re there to transfer knowledge, not to do everything for you.

    Define Your Scope: Decide what part of the business you’re certifying. Be specific. The scope is a strategic decision, not a technical one. It’s common to see companies struggle with technical details while missing the big picture.
    The scope can always be expanded in future recertification cycles. Start with something manageable.

    Make a Plan & Develop the Assessment Questionnaire
    Figure out who you’ll talk to, what you’ll ask, and how long it will take (hint: from 8 to 14 weeks). Build a questionnaire to ease the process. Don’t overdo it, but make sure you cover the whole ISMS. The right balance is a comprehensive but usable questionnaire, typically 150–250 questions covering all requirements.

    Establish the timeline
    Typical timeline for a medium-sized organization:
    – Preparation and planning: 1-2 weeks
    – Document review: 2-3 weeks
    – Interviews and observations: 2-4 weeks
    – Analysis and gap identification: 1-2 weeks
    – Report writing: 1-2 weeks
    – Review and finalization: 1 week
    Total: 8-14 weeks

    Larger organizations or broader scopes will take longer. Smaller organizations or narrower scopes might be faster.
    These estimates allow for scheduling challenges, unexpected findings, and stakeholder availability.
    It’s not unusual to see organizations and consultants try to do a gap analysis in two weeks. It’s possible, but then it’s very high-level and ends up as a superficial assessment that misses important gaps. Most probably a waste of time. Then the certification audit fails, and the whole thing must be done over again. Slow down to speed up.

    Communicate the Plan
    Often overlooked, poor communication brings anxiety and resistance. Clear, honest communication prevents this. Explain what’s being done and why. Make it safe for people to be honest about gaps.
    Emphasize that the goal is organizational improvement, not individual blame. The objective is to identify and fix problems before they become expensive problems.

    Phase 2: The Investigation (Fieldwork and Assessment)
    Read Existing Documentation: Gather all existing policies, procedures, and records.

    What to look for: Does it exist? Is it current? Is it approved? Is it complete? Is it accessible? Is it being followed?
    At this step, common findings include long-forgotten requirements, procedures that describe processes that no longer exist, and evidence of good intentions that were never followed through.
    This is usually where time is wasted and the project is delayed, chasing people for documents, screenshots, logs, and records. People forget. Try to give enough time between document request and the effective start of the review.

    Talk to People/The interviews: Interview everyone relevant to the ISMS from the CEO to the IT help desk. It is usually at the bottom of the chart that you discover what really happens. Interviews are where the truth is discovered. People will say things they’d never write down. You’ll hear about workarounds, shortcuts, and “the way we really do things.”
    Most importantly, walkthroughs with interviewees are where the “shadow ISMS” is discovered: the informal processes and workarounds that people actually use instead of the official procedures. Those are important to understand.

    On-Site visits: Look around and observe. Some things can only be learned by looking. Walk the floors. Are workstations locked? Are passwords on sticky notes? Reality often differs from policy. Observations reveal the gap between policy and practice. The policy says workstations must be locked when unattended. The observation reveals that in the sales department, no one locks their workstation because “it’s inconvenient.”
    That’s valuable information. It indicates that either the policy needs to change, the culture needs to change, or the technology needs to change (hello, automatic screen locking).

    Complete the questionnaire and pull it all together: As document reviews, interviews, and observations are completed, systematically complete the assessment questionnaire. The completed questionnaire is the foundation of the gap analysis report. Take your time. Be thorough. Be honest. This is not the time for wishful thinking.

    Phase 3: Make Sense of What We Found (Analysis & Gap Identification)
    Categorize/Use Traffic Lights: Categorize every requirement as Green (Compliant), Yellow (Partially Compliant), or Red (Non-Compliant). The traffic light system is simple and effective: everyone understands red/yellow/green, and it makes findings immediately accessible to non-technical stakeholders.

    Find the Root causes – The “Why”: For every Red and Yellow, figure out the root cause. Is it a lack of training? No budget? A bad process?

    Assess Risk and Impact, Prioritize: Not all gaps are created equal. Focus on the high-risk stuff first—the things that could actually cause a breach or an audit failure. Risk assessment is where the urgent is separated from the merely important. A missing policy might be a compliance gap, but an unpatched, internet-facing server is an existential threat.
    Some organizations spend months perfecting their documentation while ignoring critical technical vulnerabilities. Don’t do that. Fix the things that could actually cause harm first.
    Phase 4: Write It Down (Reporting)
    Write for Your Audience: The work is done. Now the findings need to be communicated clearly and compellingly. Create a short, punchy Executive Summary with charts and numbers for the C-suite. They won’t read the rest. Don’t be overly technical. Be factual and understandable by all parties.
    The main body of the report is for the implementation team and should be detailed enough that for each gap, technical teams understand what’s wrong, why it matters, and how to fix it. Be specific and actionable.

    Phase 5: Actually Fix Things (Remediation)
    The report isn’t the end. It’s the beginning. Now a plan is needed to close the gaps.

    Make a To-Do List: Create a detailed action plan with tasks, owners, and deadlines.

    Focus on Quick Wins: Knock out a few easy, high-impact items first to build momentum.

    Track Everything: Use a project plan to monitor progress and hold people accountable.

    The Bottom Line: A gap analysis is a strategic investment, not a cost. It’s the difference between hoping you’ll pass your audit and knowing you will.