Building a modern and digitalized Information Security Management System compliant with the European NIS2 regulation
Ahonen, Jasu (2026)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202601191499
Abstract
The European Union’s NIS2 Directive introduces stricter cybersecurity governance requirements for organizations operating in or supporting critical sectors. Many small and medium-sized enterprises lack a centralized and systematic approach to information security, which complicates compliance and governance.
This thesis described the initiation and implementation of a modern, digitalized Information Security Management System (ISMS) for Visy Oy based on the ISO/IEC 27001:2022 standard. The objective was to demonstrate how a risk-based management system approach could be used to support compliance with the control objectives defined in the NIS2 Directive. The focus was on building an ISMS that functions in practice and can be maintained as the organization grows, rather than on achieving immediate certification.
The study combined an overview of regulatory requirements with hands-on implementation. The main information security challenges were identified, NIS2 Article 21 requirements were mapped to ISO/IEC 27001 controls, and policies, procedures, and monitoring activities were implemented using existing Microsoft 365 and SharePoint tools. The results showed that the introduction of a structured ISMS improved security governance, enhanced traceability, and made compliance easier to demonstrate. The findings indicate that a practical ISMS approach supports continuous improvement and provides a sustainable foundation for future compliance and organizational development.
