NIS2 Audit Checklist — Evidence Pack for Compliance Officers

Purpose: Your Ready-to-Use NIS2 Audit Preparation Guide

This checklist is designed for compliance officers preparing their organisation for a NIS2 compliance audit. It is structured around the ten requirement areas specified in Article 21(2) of the NIS2 Directive and provides, for each area, the control requirements, the evidence you need to assemble, where to find that evidence, and clear pass/fail criteria.

Use this as a working document. Print it, share it with your teams, and use it to track evidence collection progress. An auditor will assess whether your controls are not only documented but implemented, effective, and evidenced.

Article 21(2)(a): Risk Analysis and Information System Security Policies

  • Control requirement: Documented information security policy approved by management body
    • Evidence needed: Signed policy document with version control and approval record
    • Where to find it: Document management system; board/management meeting minutes
    • Pass: Policy exists, is current (reviewed within 12 months), and has documented management approval.
    • Fail: No policy, outdated policy, or no evidence of management approval.
  • Control requirement: Risk assessment methodology defined and applied
    • Evidence needed: Risk assessment methodology document; completed risk assessments; risk register
    • Where to find it: GRC platform or risk management system; information security team records
    • Pass: Methodology is documented, consistently applied, and risk register is current.
    • Fail: No methodology, inconsistent application, or stale risk register.
  • Control requirement: Risk treatment plans with assigned owners
    • Evidence needed: Risk treatment plan documentation; evidence of control implementation; residual risk acceptance records
    • Where to find it: Risk register; project management tools; management sign-off records
    • Pass: Each risk above appetite has a treatment plan with named owner and target date.
    • Fail: Unaddressed risks, plans without owners, or no progress evidence.

Article 21(2)(b): Incident Handling

  • Control requirement: Incident response plan covering detection, analysis, containment, eradication, and recovery
    • Evidence needed: Incident response plan document; defined roles and escalation paths; communication procedures
    • Where to find it: Security operations documentation; incident management platform
    • Pass: Comprehensive plan exists, is current, and covers all phases.
    • Fail: No plan, incomplete coverage, or plan not updated after organisational changes.
  • Control requirement: Incident classification and reporting procedures aligned with NIS2 timelines
    • Evidence needed: Classification criteria document; reporting procedure with 24-hour early warning and 72-hour notification workflows
    • Where to find it: Incident management procedures; CSIRT contact records
    • Pass: Clear classification criteria exist; reporting timelines match NIS2 requirements; CSIRT contact details are current.
    • Fail: No classification scheme, incorrect timelines, or unknown reporting channels.
  • Control requirement: Evidence of incident response testing
    • Evidence needed: Tabletop exercise records; simulation results; lessons learned documentation; improvement actions
    • Where to find it: Security team records; training records; post-exercise reports
    • Pass: At least one exercise conducted within 12 months with documented outcomes and improvement actions.
    • Fail: No testing evidence or testing without documented improvements.

Article 21(2)(c): Business Continuity and Crisis Management

  • Control requirement: Business continuity plan covering backup management and disaster recovery
    • Evidence needed: BCP and DR plan documents; defined RTOs and RPOs; recovery procedures
    • Where to find it: Business continuity team documentation; IT operations records
    • Pass: Plans exist for critical services with defined and tested RTOs/RPOs.
    • Fail: No plans, untested plans, or undefined recovery objectives.
  • Control requirement: Backup management with regular testing
    • Evidence needed: Backup policies; backup schedules and logs; restoration test results
    • Where to find it: Backup management system; IT operations logs
    • Pass: Regular backups with documented, successful restoration tests.
    • Fail: No backup policy, no restoration testing, or failed tests without remediation.
  • Control requirement: Crisis management procedures
    • Evidence needed: Crisis management plan; communication trees; stakeholder notification procedures; crisis exercise records
    • Where to find it: Corporate crisis management documentation; communications team records
    • Pass: Plan exists with clear escalation paths and has been exercised.
    • Fail: No crisis plan or no evidence of exercise.

Article 21(2)(d): Supply Chain Security

  • Control requirement: Security requirements in supplier contracts
    • Evidence needed: Standard contractual clauses for security; signed contracts with security provisions; supplier security assessment records
    • Where to find it: Procurement/legal records; vendor management platform
    • Pass: Critical suppliers have contractual security requirements; assessments are documented.
    • Fail: No security clauses in contracts or no supplier assessment programme.
  • Control requirement: Supplier risk assessment programme
    • Evidence needed: Supplier risk assessment methodology; completed assessments for critical suppliers; supplier risk register
    • Where to find it: Vendor management platform; procurement records; risk management system
    • Pass: Critical and important suppliers assessed with documented results and risk ratings.
    • Fail: No supplier risk assessments or incomplete coverage of critical suppliers.
  • Control requirement: Software supply chain controls (SBOM, dependency management)
    • Evidence needed: SBOM generation records; dependency scanning results; approved component lists; third-party component policies
    • Where to find it: CI/CD pipeline outputs; artifact management systems; security scanning tools
    • Pass: SBOMs generated for delivered software; dependencies are scanned and managed.
    • Fail: No visibility into software composition or unmanaged dependencies.

Article 21(2)(e): Network and Information System Security

  • Control requirement: Network security controls (segmentation, monitoring, access controls)
    • Evidence needed: Network architecture documentation; segmentation policies; firewall rules; network monitoring configuration
    • Where to find it: Network management systems; infrastructure documentation; SIEM platform
    • Pass: Network is segmented appropriately; monitoring is active; controls are documented.
    • Fail: Flat network, no monitoring, or undocumented network architecture.
  • Control requirement: Security monitoring and logging
    • Evidence needed: Logging policy; log retention configuration; monitoring rules and alerts; SIEM dashboards
    • Where to find it: SIEM platform; logging infrastructure; security operations centre records
    • Pass: Critical systems are logged; logs are retained per policy; active monitoring with defined alert rules.
    • Fail: Gaps in logging coverage, insufficient retention, or no active monitoring.

Article 21(2)(f): Vulnerability Handling and Disclosure

  • Control requirement: Vulnerability management programme
    • Evidence needed: Vulnerability management policy; scanning schedules and results; remediation SLAs and tracking; exception process
    • Where to find it: Vulnerability scanning tools; patch management system; GRC platform
    • Pass: Regular scanning with defined remediation SLAs; critical vulnerabilities addressed within SLA.
    • Fail: No scanning programme, no SLAs, or chronic SLA breaches without escalation.
  • Control requirement: Coordinated vulnerability disclosure process
    • Evidence needed: Vulnerability disclosure policy (published); contact channel for researchers; disclosure handling procedure
    • Where to find it: Public website; security team procedures
    • Pass: Published disclosure policy with clear process and response timelines.
    • Fail: No disclosure policy or no mechanism for external vulnerability reports.

Article 21(2)(g): Policies and Procedures to Assess Effectiveness

  • Control requirement: Regular assessment of cybersecurity measure effectiveness
    • Evidence needed: Internal audit reports; penetration test results; security metrics and KPIs; management review records
    • Where to find it: Internal audit team records; security testing reports; management dashboards
    • Pass: Regular assessments conducted (at least annually) with documented findings and improvement actions.
    • Fail: No effectiveness assessments or assessments without follow-up actions.

Article 21(2)(h): Cryptography and Encryption

  • Control requirement: Cryptography policy covering data in transit and at rest
    • Evidence needed: Cryptography policy document; approved algorithm and key length standards; certificate management procedures; key management lifecycle documentation
    • Where to find it: Information security policy library; PKI/certificate management system; key management system
    • Pass: Policy exists with approved algorithms; data in transit and at rest is encrypted per policy; key management lifecycle is documented.
    • Fail: No cryptography policy, use of deprecated algorithms, or unmanaged cryptographic keys.

Article 21(2)(i): Access Control

  • Control requirement: Access control policy based on least privilege and need-to-know
    • Evidence needed: Access control policy; role-based access definitions; access provisioning and deprovisioning procedures
    • Where to find it: IAM platform; HR onboarding/offboarding records; access control documentation
    • Pass: Policy exists; access is role-based; provisioning/deprovisioning is documented and timely.
    • Fail: No access control policy, excessive privileges, or delayed deprovisioning of leavers.
  • Control requirement: Regular access reviews
    • Evidence needed: Access review schedules; completed review records; remediation actions from reviews
    • Where to find it: IAM platform; access review tool; compliance records
    • Pass: Access reviews conducted at least quarterly for privileged access and annually for standard access; remediation is tracked.
    • Fail: No access reviews or reviews without remediation follow-up.

Article 21(2)(i): Asset Management

  • Control requirement: Asset inventory covering all network and information systems
    • Evidence needed: Asset inventory/CMDB; asset classification scheme; asset ownership assignments
    • Where to find it: CMDB/asset management system; IT service management platform
    • Pass: Comprehensive inventory exists with classification and assigned owners; inventory is regularly updated.
    • Fail: Incomplete inventory, no classification, or unassigned ownership.

Article 21(2)(j): Multi-Factor Authentication and Continuous Authentication

  • Control requirement: MFA deployed for privileged access and remote access
    • Evidence needed: MFA policy; MFA enrolment records; MFA enforcement configuration evidence
    • Where to find it: IAM/MFA platform configuration; access policy documentation
    • Pass: MFA is enforced for all privileged and remote access; enrolment is tracked; exceptions are documented and time-limited.
    • Fail: MFA not enforced for privileged access, significant unenrolled users, or permanent exceptions without justification.
  • Control requirement: Secured authentication and communication channels
    • Evidence needed: Authentication system configuration; encrypted communication channel evidence; session management policies
    • Where to find it: IAM platform; network configuration; security architecture documentation
    • Pass: Authentication traffic is encrypted; session management controls are in place; secure protocols are enforced.
    • Fail: Unencrypted authentication flows or weak session management.

Red Flags That Indicate Non-Compliance

During audit preparation, compliance officers should actively look for the following red flags and address them before the auditor arrives:

  • Policies without implementation evidence: Policies exist on paper but there is no evidence they are followed in practice. Auditors will look for operational evidence, not just documents.
  • Stale documentation: Risk assessments, policies, or procedures that have not been reviewed or updated in over 12 months.
  • No management body involvement: No evidence that the management body has approved cybersecurity measures, received risk reports, or completed required training (Article 20).
  • Incident response never tested: An incident response plan that has never been exercised through a tabletop or simulation.
  • Access reviews not conducted: No evidence of periodic access reviews, especially for privileged accounts.
  • Unknown asset inventory: Inability to produce a current inventory of network and information systems.
  • No supplier security assessments: Critical suppliers with no security assessment on record.
  • Manual evidence with no integrity controls: Evidence that could easily be fabricated or modified, with no system-generated timestamps or audit trails.
  • Single points of failure in key controls: Critical security functions dependent on a single individual with no backup or succession plan.
  • No metrics on control effectiveness: Inability to demonstrate that security measures are actually working, not just deployed.

Evidence Integrity Requirements

The quality of your evidence matters as much as its existence. Auditors will assess whether evidence is reliable and trustworthy. To withstand scrutiny, your evidence should meet these standards:

  • System-generated: Where possible, evidence should be generated automatically by systems rather than manually created. System-generated logs, reports, and records are inherently more reliable than manually compiled spreadsheets.
  • Timestamped: All evidence should carry accurate timestamps showing when actions occurred, when reviews were conducted, and when approvals were granted. Ensure system clocks are synchronised (NTP) to maintain timestamp reliability.
  • Tamper-resistant: Evidence should be stored in systems where it cannot be easily modified after the fact. Immutable audit logs, write-once storage, and cryptographic integrity checks all strengthen evidence reliability.
  • Attributable: Evidence should clearly identify who performed each action. Individual accountability requires individual accounts — shared accounts undermine attribution.
  • Retained appropriately: Evidence must be retained for a sufficient period to cover audit cycles and regulatory requirements. Define retention periods and ensure they are enforced.
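As an added example (not part of this checklist), the "timestamped", "tamper-resistant" and "attributable" standards above can be met for a file-based evidence pack with a hash-chained manifest that records each file's digest, the collecting actor and the collection time, sealed with an HMAC so the pack cannot be re-sealed by whoever edits it. The file paths and contents, actor name and key are constructed placeholders; the HMAC stands in for a signature made with a key the evidence owner cannot use, such as one held in an HSM or KMS.

```python
import hashlib
import hmac
import json

# Constructed sample evidence files (path -> content), laid out like the
# evidence pack folders above; a real run would read them from disk.
EVIDENCE = {
    "01-governance/information-security-policy.pdf": b"policy v3.2, approved 2025-01-14",
    "02-incident-handling/tabletop-2025-03.pdf": b"tabletop exercise report",
    "09-access-control/access-review-q1.csv": b"user,role,reviewer,decision\n",
}
GENESIS = "0" * 64  # 'previous link' value for the first manifest entry

def entry_link(prev, path, digest, actor, collected_at):
    # Link hash binding one entry to its predecessor: this is the hash chain.
    return hashlib.sha256(f"{prev}|{path}|{digest}|{actor}|{collected_at}".encode()).hexdigest()

def build_manifest(files, actor, collected_at):
    """Each entry commits to the file digest, who collected it, when, and the previous entry."""
    entries, prev = [], GENESIS
    for path in sorted(files):
        digest = hashlib.sha256(files[path]).hexdigest()
        link = entry_link(prev, path, digest, actor, collected_at)
        entries.append({"path": path, "sha256": digest, "actor": actor,
                        "collected_at": collected_at, "prev": prev, "link": link})
        prev = link
    return entries

def seal(entries, key):
    """HMAC over the canonical manifest; stands in for a signature with a key the evidence owner cannot use."""
    canon = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def verify(entries, files, key, tag):
    """Return a list of findings; an empty list means the pack is intact."""
    findings = []
    if not hmac.compare_digest(seal(entries, key), tag):
        findings.append("manifest seal mismatch (entries edited after sealing)")
    prev = GENESIS
    for e in entries:
        expected = entry_link(prev, e["path"], e["sha256"], e["actor"], e["collected_at"])
        if e["prev"] != prev or e["link"] != expected:
            findings.append(f"chain break at {e['path']}")
        if hashlib.sha256(files.get(e["path"], b"")).hexdigest() != e["sha256"]:
            findings.append(f"missing or changed: {e['path']}")
        prev = e["link"]
    if len(files) != len(entries):
        findings.append("file count differs from manifest (evidence added or removed)")
    return findings
```

Backdating an entry's collection time breaks both the seal and the chain, and editing or removing a file after collection shows up as a digest or count mismatch, which is exactly the "could easily be fabricated or modified" red flag the auditor is looking for.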

Suggested Evidence Pack Structure

Compliance officers should organise their evidence pack in a structure that maps directly to the NIS2 requirements, making it easy for auditors to navigate. The following template structure is recommended:

Folder Structure

  • 01 — Governance and Risk Management (Art. 21(2)(a))
    • Information security policy (current, signed)
    • Risk assessment methodology
    • Current risk register with treatment plans
    • Management body approval records
    • Management body training records (Article 20)
  • 02 — Incident Handling (Art. 21(2)(b))
    • Incident response plan
    • Incident classification criteria
    • Reporting procedures and CSIRT contacts
    • Exercise records and lessons learned
    • Incident log (redacted if necessary)
  • 03 — Business Continuity (Art. 21(2)(c))
    • Business continuity plan
    • Disaster recovery plan
    • Backup policy and restoration test results
    • Crisis management procedures
    • BCP/DR exercise records
  • 04 — Supply Chain Security (Art. 21(2)(d))
    • Supplier security policy
    • Critical supplier register
    • Supplier assessment records
    • Standard security contract clauses
    • SBOM samples (for software delivery)
  • 05 — Network and System Security (Art. 21(2)(e))
    • Network architecture documentation
    • Segmentation policies and evidence
    • Monitoring and logging configuration
    • SIEM alert rules and response procedures
  • 06 — Vulnerability Management (Art. 21(2)(f))
    • Vulnerability management policy
    • Scanning schedules and recent results
    • Remediation SLAs and compliance metrics
    • Vulnerability disclosure policy
  • 07 — Effectiveness Assessment (Art. 21(2)(g))
    • Internal audit reports
    • Penetration test reports
    • Security metrics and KPI dashboards
    • Management review meeting minutes
  • 08 — Cryptography (Art. 21(2)(h))
    • Cryptography policy
    • Approved algorithms and key lengths
    • Key management procedures
    • Certificate inventory
  • 09 — Access Control and Asset Management (Art. 21(2)(i))
    • Access control policy
    • Access review records
    • Asset inventory / CMDB extract
    • Asset classification scheme
  • 10 — Authentication (Art. 21(2)(j))
    • MFA policy and enforcement evidence
    • MFA enrolment metrics
    • Secure communication channel evidence
    • Exception register (if any)
