NIS2 Art. 20 / ISO/IEC 27001:2022 Clause 5.1 (NIS2 Directive (EU) 2022/2555)

Has management been formally trained on cyber risks and approved your risk-management measures (Art 20)?

Description

What this control does

This control requires that the management body (board of directors or equivalent executive leadership) of entities subject to NIS2 receives formal, documented training on cybersecurity risks, threat landscape, and the organization's cybersecurity posture. Management must then formally approve the risk management measures proposed or implemented by the organization, typically through board resolutions or documented decisions. This ensures executive accountability and informed governance over cybersecurity investments and strategic decisions. The control directly addresses NIS2 Article 20's mandate for management oversight and accountability.

Control objective

What auditing this proves

Demonstrate that the management body has received documented cybersecurity risk training and has formally approved the organization's cybersecurity risk management measures in compliance with NIS2 Article 20.

Associated risks

Risks this control addresses

  • Management makes uninformed strategic decisions on cybersecurity investments, leading to inadequate resource allocation for critical security controls
  • Board-level ignorance of the cyber threat landscape results in failure to prioritize incident response capabilities during a major breach
  • Unapproved or unauthorized risk management measures are implemented without executive oversight, creating governance gaps and liability exposure
  • Lack of management accountability enables a culture where cybersecurity is treated as purely technical rather than business-critical, leading to systematic underinvestment
  • Regulatory non-compliance with NIS2 Article 20 results in administrative fines up to €10 million or 2% of global annual turnover
  • Inadequate management training prevents effective crisis leadership during cyber incidents, resulting in prolonged downtime and reputational damage
  • Management fails to understand third-party cyber risks, approving vendor relationships or supply chain dependencies without adequate due diligence

Testing procedure

How an auditor verifies this control

  1. Obtain the list of individuals constituting the management body as defined under NIS2 (board members, C-suite executives with governance authority).
  2. Request all cybersecurity training records for management body members for the audit period, including attendance registers, training agendas, materials provided, and completion certificates.
  3. Review training content to verify it covers cyber risk taxonomy, current threat landscape relevant to the organization's sector, incident scenarios, and the organization's specific risk profile and security posture.
  4. Identify the organization's formal risk management framework document, risk register, and documented risk treatment plans or security roadmaps requiring management approval.
  5. Obtain board meeting minutes, management committee resolutions, or formal decision records where cybersecurity risk management measures were presented and approved.
  6. Cross-reference approved measures with implemented controls to verify alignment between management decisions and operational execution.
  7. Interview at least two management body members to assess comprehension of key cyber risks and their rationale for approving specific risk treatments.
  8. Verify the recency and frequency of training and approval activities to confirm ongoing compliance rather than one-time attestation.

Evidence required

Training records including attendance sheets, course completion certificates, training provider credentials, and training materials covering cyber risk and the threat landscape. Board minutes or management committee resolutions explicitly documenting approval of cybersecurity risk management measures, risk registers, and security strategies. Organizational policies defining the management approval process for cybersecurity investments and risk decisions.

Pass criteria

All members of the management body have completed documented cybersecurity risk training within the past 12 months, and formal written approval of the organization's current cybersecurity risk management measures exists through board resolutions or equivalent executive decision records.