A practical reference library for executives and risk professionals navigating cybersecurity and compliance.
[Last updated: March 2026]
In my day to day practice and to navigate the complexity of the frameworks I assess, I need to have a strong basis on which I can rely on when I need guidance. I thought it would be useful to share these resources so that other professionals can benefit from it. Most of them are available for free and others are worth their price.
- Network & Information Security 2 (NIS2)
When: Your business operates in the EU and cybersecurity is becoming a board-level obligation
• NIS2 Technical Implementation Guidance [Free] — ENISA The authoritative technical companion to the NIS2 Directive. Use it to translate legal obligations into concrete security measures. Essential reading before any NIS2 gap assessment. Examples of documents supporting are listed for each requirement.
• The NIS2 Navigator’s Handbook – Michiel Benda— This book digests and simplifies the different requirements that organizations must comply with in NIS2. A very useful tools is the GAP assessment included in the Annexes of the book, that can be used at a high level or in depth, provides you with an understanding of your level of compliance and the steps you need to take to become compliant.
Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements [Free] ISACA – Concise but useful, this white paper compares DORA and NIS2 across several topic areas. It summarizes the main areas of concern for both Directives including the consequences of noncompliance, incident reporting timelines, and the role of third-party service requirements.
2. ISO 27001 & Basic Cyber Hygiene
When: You need to build (or demonstrate) a structured information security management system
• ISO/IEC 27001:2022 — Overview — ISO The official standard page. Use it to confirm the current version and access the standard. Worth noting: the 2022 revision restructured the Annex A controls significantly.
• ISO/IEC 27001:2022 Lead Implementer Course Udemy by Aron Lange – This course is given by Aron Lange and is the most useful resource I have found on the web to better understand how ISO 27001 is implemented. The course is well explained and structured with practical templates available.
• ANSSI — Guide d’hygiène informatique [Free] (For French professionals) – ANSSI 42 concrete security measures structured around the same logic as ISO 27001 controls. A practical complement to the standard, especially for SMEs and mid-market companies. Use it as a readiness checklist before a formal ISO 27001 gap assessment.
• CIS Controls v8 [Free] — CIS 18 prioritized security controls that map directly to ISO 27001 requirements. Use it to prioritize your implementation roadmap — start with Implementation Group 1 for the highest-impact, lowest-effort controls.
3. TPRM (Third-Party Risk Management)
When: Your business relies on vendors, partners, or subcontractors who touch your data or systems
• Good Practices for Supply Chain Cybersecurity [Free] — ENISA A practical framework for assessing and managing vendor cyber risk. Use it to build your vendor classification criteria and due diligence questionnaire baseline.
• Threat Landscape for Supply Chain Attacks [Free] — ENISA Real attack cases analyzed to understand how supply chain compromises actually happen. Use it to brief leadership on why TPRM matters — concrete examples land better than abstract risk frameworks.
• ANSSI — Cybersecurity Guide for SMEs (TPE/PME) [Free] — ANSSI 13 key questions covering foundational security practices including subcontractor and cloud risk. Particularly useful when assessing smaller vendors who may not have a formal security program — use it as a baseline expectation.
Few Tips for Using This Library
- Use ENISA and ANSSI documents as free, high-quality alternatives to expensive consulting deliverables — they are written by practitioners for practitioners. They provide clear guidance.
- Cross-reference frameworks. NIS2 obligations map partially to ISO 27001 controls. A solid ISO 27001 implementation gives you a significant head start on NIS2 compliance.
- Keep this page bookmarked. Regulatory texts and standards update. I’ll keep this list current as new versions are published.