Why an Integrated HSMS Is the Cure for Certification Overlap
Companies that must satisfy ISO 27001, ISO 9001, NIS2, DORA and, soon, the Cyber Resilience Act (CRA) quickly drown in parallel audits and duplicated work. The Holistic Security Management System (HSMS) described in MPbv’s recent study offers a way out: fold every baseline into one framework with an explicit cross-walk between laws and standards, so that each control is implemented and evidenced once and credited towards several certificates.
Objective – DRY (Don’t Repeat Yourself): capture every policy, process and control once inside the HSMS and reuse it for ISO 27001, NIS2, DORA and the CRA. This eliminates redundant documentation and duplicate audit effort while boosting consistency and traceability.
1 Evidence: 80 % of CRA Requirements Already Covered
The study’s cross-walk analysis finds that roughly 80 percent of the new CRA obligations can be met directly with existing controls from ISO 27001, NIS2 and, where a product is certified under it, the EUCC scheme. The HSMS matrix shows which structures are already “green” and where only a limited gap remains, for example a missing SBOM procedure in asset management (the CRA places the SBOM among its vulnerability-handling requirements, not its general security properties). The remaining 20 percent is the genuinely CRA-specific work and should be planned as such.
Result: a single consolidated audit programme is enough to prove compliance with NIS2, maintain the ISO certificates and assemble the technical documentation behind the CRA’s EU declaration of conformity. Note that the HSMS supplies the evidence; which conformity-assessment route applies (self-assessment or third-party assessment) still depends on the product’s CRA classification.
2 Key Measures Inside the HSMS
| Measure | Why It Matters | Links to HSMS / CRA |
|---|---|---|
| Establish and automate an SBOM policy | Gives supply-chain transparency and satisfies an explicit CRA vulnerability-handling requirement (a machine-readable SBOM covering at least the top-level dependencies) | CRA Arts. 10, 13 |
| Formalise the 24-hour reporting rule | ISO 27001 A.6.8 only asks for timely event reporting; the CRA (actively exploited vulnerabilities and severe incidents) and NIS2 (significant incidents) both set a 24-hour early-warning deadline | CRA Art. 16; NIS2 Art. 23 |
| Embed patch lifecycles in H7.2 | Replaces ad-hoc “security updates” with a defined support period, at least five years unless the product’s expected use time is shorter | CRA Art. 10(2)(d) |
| Add secure-by-design requirements to the design policy | Bridges the ISO development controls to the CRA’s essential cybersecurity requirements | CRA Art. 10(1)(a) |
These four “quick wins” cut audit overlap and improve the organisation’s risk posture. One caveat when mapping: article numbers moved between the 2022 Commission proposal and the adopted Regulation (EU) 2024/2847, so every citation in the cross-walk should be checked against the adopted text before it is used as audit evidence.
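The SBOM measure is the one item in the table that can be enforced mechanically rather than by policy text alone. The following is an added illustration, not tooling from MPbv or the HSMS study: a small CycloneDX JSON policy check that rejects an SBOM unless the product is identified and every listed component carries a name, a version and at least one stable identifier (a purl or a hash), since a component without those cannot be matched to vulnerability advisories. The two sample SBOMs are constructed for the example; the hash value is a placeholder.

```python
"""Policy check for a CycloneDX JSON SBOM (illustrative example, not HSMS tooling).

Policy enforced:
  * the BOM is CycloneDX and carries the four top-level fields we rely on;
  * metadata.component names and versions the product the BOM describes;
  * at least the top-level dependencies are listed;
  * every component has a name, a version and a purl or a hash.
"""
import json

# Constructed sample: one compliant component, one without a version,
# one without any identifier. The SHA-256 below is a placeholder value.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "gateway-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib",
         "hashes": [{"alg": "SHA-256",
                     "content": "e3b0c44298fc1c149afbf4c8996fb924"
                                "27ae41e4649b934ca495991b7852b855"}]},
        {"type": "library", "name": "mbedtls", "version": "2.28.8"},
    ],
})

# Constructed sample that satisfies the policy.
COMPLIANT_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "gateway-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
    ],
})

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "metadata", "components")


def check_sbom(text):
    """Return a list of policy findings; an empty list means the SBOM passes."""
    findings = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            findings.append(f"missing top-level field '{key}'")
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")

    # The BOM must say which product (name + version) it describes.
    product = (bom.get("metadata") or {}).get("component") or {}
    if not product.get("name") or not product.get("version"):
        findings.append("metadata.component must name and version the product")

    components = bom.get("components") or []
    if not components:
        findings.append("no components listed (top-level dependencies are required)")

    for idx, comp in enumerate(components):
        label = comp.get("name") or f"component[{idx}]"
        if not comp.get("name"):
            findings.append(f"component[{idx}] has no name")
        if not comp.get("version"):
            findings.append(f"{label}: no version")
        # Without a purl or a hash the component cannot be matched to advisories.
        if not comp.get("purl") and not comp.get("hashes"):
            findings.append(f"{label}: no purl and no hash, cannot be matched to advisories")
    return findings


if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM) or ["SBOM passes policy"]:
        print(line)
```

Run against the first sample this reports two findings (zlib has no version, mbedtls has no identifier) and nothing for the second; wired into the build pipeline, a non-empty finding list is what turns the SBOM policy from a document into an enforced control.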
3 Risk Control as the Common Thread
The HSMS applies one risk-scoring method to all frameworks (the study writes it as Likelihood × Impact × Probability; since likelihood and probability denote the same quantity, in practice this is a likelihood-times-impact rating). New CRA risks, such as an absent SBOM process or slow patching, are fed into the existing risk matrix rather than a separate register. A consolidated dashboard reviews these risks each quarter and routes improvement actions straight to executive management.
4 Management & Continuous Improvement
Every item on the action list is assigned an owner, a deadline and the CRA article it satisfies. This prevents “ownerless controls” and makes the plan defensible in an audit. The same loop drives ISO 27001’s PDCA cycle and DORA’s yearly resilience testing.
Conclusion
By orchestrating ISO 27001, ISO 9001, NIS2, DORA and the upcoming CRA in a single HSMS—and applying the DRY philosophy rigorously—you:
- Eliminate duplicate controls and audit paperwork
- Accelerate GAP closure through one clear action list
- Strengthen governance because risks are monitored centrally
For organisations subject to NIS2, an integrated approach is not just efficient; it is the fastest route to demonstrable compliance in 2026 and beyond, when the CRA’s reporting obligations start to apply (from 11 September 2026) ahead of its remaining obligations (from 11 December 2027).