Beyond Compliance: from ISO and NIST 2.0 strategic choices to proactive risk management
(Original title: Oltre la Conformità: dalle scelte strategiche ISO e NIST 2.0 alla gestione proattiva del rischio)
DOI: https://doi.org/10.32091/RIID0268
Keywords: Cybersecurity, Compliance, Security Measures, ISO/IEC 27001:2022, NIST CSF 2.0
Abstract
Today’s digital landscape requires a strategic approach to cybersecurity. This study presents an operational and pragmatic model (hereinafter also the “Smartlex Model”) designed to simplify complex regulatory compliance into an easily applicable business management system. The Model is based on a multi-level alignment between operational security measures and the two international regulatory pillars: ISO/IEC 27001:2022 and the NIST Cybersecurity Framework (CSF) 2.0. The methodology generates an innovative mapping that associates each operational measure with ISO controls and NIST categories. The practical usefulness of the Model is demonstrated as a crucial adaptation tool for organisations (known as “NIS entities”) subject to the obligations of the NIS2 Directive, allowing them to implement operationally the essential risk management elements the regulation requires. The Model is designed to be scalable to any regulatory framework, reducing compliance costs and maximising operational effectiveness. Looking ahead, the Smartlex Model aims to evolve into a quantitative IT security measurement system, providing organisations with a tangible means of demonstrating their cybersecurity posture.
Copyright (c) 2026 Rivista italiana di informatica e diritto

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.