NIS2 REQUIREMENT

Your complete security policy
in 5 days

The NIS2 directive requires an Information Security Management System (ISMS) policy for entities in scope. SYAGA delivers a complete, compliant and operational document, without tying up your teams for months.

5
Business days
20
Chapters covered
93
ISO 27001 controls
120+
Pages delivered

The problem

NIS2 changes the game for essential and important entities in scope

NIS2 requires a formalised security policy

The EU directive requires essential and important entities to formalise a cyber risk management policy, with an associated sanctions regime.

📋

Many SMEs have no ISMS policy

A large share of SMEs/mid-sized companies today have no formal information security policy document. The topic is perceived as complex and costly.

💰

Large consulting firms charge high fees

Classic security policy drafting engagements often stretch over several months, for a budget that can be hard to justify for an SME.

Your IT teams are already overloaded

Tying up your CISO or IT manager for weeks to formalise a security policy is not viable in an SME where everyone already wears several hats.

The solution: Security Policy Express

5 days, 20 chapters, 1 operational document your teams can apply the following Monday

D1
Day 1 - Scoping

Questionnaire and management interview

Interview with the CISO/IT manager or the business owner. Collection of context, scope, business stakes and current maturity level via our structured questionnaire.

D2
Day 2 - Technical analysis

IT system inventory and mapping

Inventory of assets (servers, workstations, applications), network architecture analysis, identification of critical flows, subject to prior agreement.

D3
Day 3 - Drafting

Generation of your custom security policy

Drafting of the 20 chapters using your actual data: security organisation chart, risk matrix, operational procedures, IT charter. Everything is specific to your context.

D4
Day 4 - Consolidation

Compliance mapping and annexes

Detailed mapping to NIS2, ISO 27001 and GDPR. Generation of annexes: asset inventory, compliance matrix, incident management procedures, access and change management procedures.

D5
Day 5 - Delivery

Handover and knowledge transfer

Presentation of the deliverable to the management committee. Q&A session. Delivery of editable files (HTML, PDF, DOCX) for your teams to own.

What you receive

A complete, ready-to-deploy pack with all the documents you need

📝

Security policy - 20 chapters

Complete security policy covering all ISO 27001 domains.

  • Security governance and organisation
  • Asset and data classification
  • Access and identity management
  • Network, system and application security
  • Business continuity and incident management
📈

Express audit report

Summary of your security posture with visual indicators.

  • Maturity radar (10 domains)
  • Risk matrix (impact/likelihood)
  • Top 10 critical vulnerabilities
  • Prioritised action plan (PDCA)
  • Recommended security budget
📄

Procedures and charter

Operational documents directly applicable by your teams.

  • PROC-01: Incident management
  • PROC-02: Access management
  • PROC-03: Change management
  • PROC-04: Backup and restoration
  • IT charter (ready to sign)
🎯

NIS2 mapping

Mapping between your security policy and NIS2 requirements.

  • Art. 20 Governance
  • Art. 21 Security measures (10 domains)
  • Art. 23 Incident notification
  • Coverage of criticality levels
  • Compliance matrix with status
🔐

ISO 27001 annexes

Statement of Applicability and mapping of the 93 Annex A controls.

  • SoA with justification per control
  • Detailed server inventory
  • Vulnerability register
  • Identified attack chains
  • Budgeted action plan
💻

Editable files

All documents in formats you can modify.

  • Standalone HTML (opens in any browser)
  • High-quality PDF (A4 print)
  • Editable DOCX (Microsoft Word)
  • Bilingual FR/EN (option)
  • High-resolution PNG charts

Compliance coverage

A single document to address your main frameworks

N2

NIS2 (EU Directive 2022/2555)

Coverage of Articles 20, 21 and 23. Risk management measures, governance, incident notification. Article-by-article mapping included.

ISO

ISO 27001:2022

Statement of Applicability for the 93 Annex A controls. Structure aligned with clauses 4 to 10 and the 4 themes (organisational, people, physical, technological).

AN

ANSSI Guide - IT hygiene

The ANSSI IT hygiene measures are covered across the 20 chapters. Explicit correspondence in the compliance mapping.

GD

GDPR (Art. 32)

Appropriate technical and organisational measures to ensure the security of personal data. Data classification and processing register addressed.

Clear pricing, no surprises

Choose the plan that fits your context, or request a custom quote

Essential

SME < 50 employees, single site

3,000
EUR excl. VAT (one-shot)
  • Custom 20-chapter security policy
  • 4 operational procedures
  • IT charter
  • NIS2 and GDPR mapping
  • Presentation to the management committee
  • HTML + PDF + DOCX formats
Request a quote

Premium

Mid-size/large 250+ employees, regulated sector

8,000
EUR excl. VAT (one-shot)
  • Everything in Standard +
  • Sector templates (healthcare, industry, finance)
  • Budgeted 12-month remediation plan
  • ISO 27001 certification support
  • 12-month priority support
Request a quote

Annual maintenance: 500 EUR excl. VAT/year

Annual update of the security policy (regulatory changes, IT system changes). Procedure review, compliance mapping refresh, new PDF.

Frequently asked questions

Is my company in scope for NIS2?
The NIS2 directive applies to essential and important entities based on size and sector criteria defined by the EU text and its national transposition. Contact us for an initial discussion about your situation.
What is the difference with a security policy written by a large consulting firm?
The content targets the same level: 20 chapters, same ISO 27001 coverage, same depth of analysis. The difference: we use an automated generator that produces a custom document from your actual data, whereas a classic engagement stretches over months of manual drafting. Objective: a significantly reduced timeline and budget.
Is the document valid for ISO 27001 certification?
Security Policy Express provides a foundation to start an ISO 27001 certification process. It covers the Statement of Applicability (SoA) for the 93 controls and the structure of clauses 4 to 10. Additional support remains necessary for operational implementation and the certification audit.
How much time will my teams need to commit?
A management interview on the first day and a presentation on the last day. The rest of the work is carried out by our auditors without involving your teams. If a technical scan is planned, temporary network access will be requested on day 2.
Is the annual maintenance mandatory?
No, it is optional but recommended. NIS2 expects periodic review of security measures. Annual maintenance (500 EUR excl. VAT) includes updating the document based on regulatory changes and changes to your IT system.
Why is SYAGA qualified to produce my security policy?
SYAGA CONSULTING has performed IT security audits since its founding in 2009. Our auditors work with clients of various sizes and sectors. We have built an automated generator that draws on this experience to produce structured, complete security policies.

Ready to secure your compliance?

Contact us to receive a custom quote.