Why Do Legacy Systems Pose a Unique Challenge Under NIS 2, and What Does Audit-Proof Compensating Control Look Like?
Legacy technology isn’t a footnote; it’s the backbone of every critical environment, from hospitals running 15-year-old scanners to SCADA boards in energy and unpatched financial servers underpinning old money. Under the NIS 2 Directive, patching is the first line of defence, yet it is often impossible for vendor-locked, safety-bound, or unsupported systems. For auditors and supervisors, “can’t patch” is not a hall pass. Your organisation’s only path is context-tuned, evidence-backed compensating controls: a set of measures so thoroughly documented and visible that your security stance survives the closest regulatory scrutiny (ENISA 2023).
When you can’t patch, every control you claim must leave digital footprints an auditor can trace; defence is no longer theoretical.
For the compliance newcomer and the established CISO alike, the test isn’t just “Have you controlled the risk?” but “Show us proof your controls are live, testable, and tuned to the real-world exposures of this legacy system.” Risk register notes or paper workflows alone fall flat; what matters to an auditor is the full topology: VLAN maps, approval logs, real SIEM events, and a live exception playbook.
The Non-Negotiables: Accepted Compensating Controls (And How to Prove Them)
- Network Segmentation & Isolation:
Place every legacy asset in a tightly scoped VLAN or behind a firewall, restricting communications to only what is mission-critical, and show the control with updated topology diagrams, firewall rules, and change approval logs.
- Strong Access Controls:
Remove unnecessary accounts; require “break glass” just-in-time access for maintenance, with time-limited and dual-approved controls. Demonstrate enforcement with session ticket logs and signed approval traces (ISO 27001:2022 A.5.15).
- SIEM & Monitoring:
Log all interactions, using agentless monitoring for embedded/medical/ICS environments. Provide auditors with SIEM alert events, periodic review minutes, and NDR screenshots as living evidence.
- Application Whitelisting:
Enforce only approved binaries and remove unused legacy software, evidenced by allowlist reports and change logs (NIST SP 800-53 SI-7).
- Virtual Patching / IDS/IPS:
Compensate with network intrusion detection, or virtual patching appliances. Supplement your claims with logs, signatures, and policy update history (ENISA guidance).
- Manual Review, Drills, and Training:
Escalate manual security reviews, incident simulations, and tailored team training; documentation is your best shield.
- Removable Media Lockdown:
Physically block USB ports, enforce dual sign-off for exceptions, show logs for every deviation.
Sector Snapshots: Proving It in Your Real Environment
| Environment | Legacy Asset | Compensating Control | Audit Proof Artefact |
|---|---|---|---|
| Hospital | MRI (Win XP) | VLAN, SIEM, USB lockdown | Topology, SIEM logs |
| Power Plant | SCADA PLC (EOL device) | Air-gap, protocol filter | Routing table, NDR logs |
| Finance | DB Server (Unpatched) | Jump host, session logs | Access logs, approvals |
Every control is only as credible as the artefacts you can provide. Diagram, log, and routinely update not only your intentions but the operational heartbeat of each mitigation. A live ISMS makes sector alignment and review retrieval instant, all the more vital when your environment’s weakest link is hiding in plain sight.
How Should Risk Acceptance and Exception Cases for Unpatched Legacy Assets Be Documented to Satisfy NIS 2 (and Survive Scrutiny)?
Auditors and NIS 2 supervisors aren’t moved by promises; they audit the “paper and digital trail” of your risk journey. Every exception, every unpatchable asset, and every workaround must travel a pathway of living documentation and active ownership.
A defensible exception is not a dead-end note but a live, revisited contract with risk, always one reviewer away from escalation or closure.
Exception Documentation Blueprint: From Policy to Audit-Ready Evidence
- Complete Asset Register
- Catalogue every legacy asset; assign business owner and process context (e.g., “MRI Scanner, Radiology – owner: Head of Radiology”).
- Tag with EOL (End of Life), support status, and unpatchable rationale (“Vendor defunct,” “Safety critical – OS locked”).
- Quantified Risk Assessment
- Use CVSS (Common Vulnerability Scoring System) or similar to rate likelihood and impact.
- Show exploit/attack paths and sector context to move beyond hand-waving.
- Fade-In Control Mapping
- For each missed standard control (e.g., vulnerability management), provide a traceable map to its compensating control (e.g., VLAN, SIEM, approval flow).
- Crosswalk compensating controls to specific ISO 27001/A.8.8 or NIS 2 Article 21 clauses.
- Management Sign-Off & Scheduled Review
- Each exception must be signed by a tier-appropriate manager or board member.
- Set periodic (e.g., quarterly, annual) reviews, plus mandatory review after incidents (ISO 27001:2022 Cl. 9.3, A.5.36).
- Evidence Portfolio
- Attach live firewall configs, change tickets, SIEM logs, meeting minutes and training records, versioned and owned in your ISMS.
- Continuous Review and Dynamic Update
- Automate reminders; review exceptions after every environmental or asset change. Retire obsolete exceptions immediately.
Traceability Table: Linking Triggers, Risk, and Evidence
| Trigger | Risk Event | Control/SoA Link | Evidence Artefact |
|---|---|---|---|
| Vendor EOL | Explicit status | A.8.8, Art. 21 | Asset register, SIEM logs |
| No patch | Exception filed | A.8.22, Art. 6.6 | Exception doc, alert rule |
| Incident log | Review accel. | A.5.36 | Drill logs, board minutes |
A living ISMS platform, such as ISMS.online, anchors everything: every exception, approval, log, and training record verifiably versioned and audit-ready. Your system’s defensibility is won in daily documentation, not in last-minute boardroom apologies.
What Compensating Controls Actually Reduce Risk from Unpatched Legacy Software-And How Do You Show They Work?
Effective risk mitigation for legacy systems creates a visible “defence mesh” that’s layered, criticality-tuned, and operationally testable. These mitigations only shield you when they move from paperwork into daily security flow, and when your evidence chain proves they’re live.
For Windows Server 2008 (or Similar):
- Network Isolation: VLAN crafts a digital fence; evidence by configuration scripts, firewall logs, and a diagram with labelled assets.
- Access Hardening: Just-In-Time access via a jump host; access logs and credential rotation tickets ready for audit.
- Centralised Logging: Feed all server activity to SIEM; maintain incident response playbooks tied to this box.
- App Whitelisting: Only necessary, vendor-approved applications permitted and tracked.
For SCADA/ICS Environments:
- Physical or Virtual Air-Gap: Remove from the corporate network; provide topological maps and records of firewall rules.
- Protocol Filtering: Only necessary protocols and ports open; gateway configs and filter logs routinely updated and attached.
- Passive NDR Monitoring: NDR tools log all comms; anomaly events and review logs ready.
For Medical Devices:
- Vendor-Engaged Controls: Maintain documentation on official advice for unpatched status and any alternative controls.
- USB Policy: Strict port lockdown, dual approval, and logging for any override attempts.
- Scenario-Based Training: Log regular device-focused drills, incident simulations, and outcomes.
Cross-Sector Audit-Ready Comparison Table
| Sector | Legacy Asset | Live Risk | Control | Proof Artefact |
|---|---|---|---|---|
| Hospital | MRI (WinXP) | Malware/ransom | VLAN, SIEM, USB lock | Topology, SIEM log |
| Energy | SCADA PLC | Command injection | Air-gap, NDR | Routing, NDR alerts |
| Finance | DB Server | Data exfiltration | Jump host, SIEM | Jump log, SIEM event |
Demonstrable, actioned, and regularly retested controls, not just policies, are the strongest audit defence when patching is out of reach.
How Should Organisations Prepare for a NIS 2 Compliance Audit When Legacy Assets Can’t Be Patched?
Audit survival isn’t won in last-minute presentations. Auditors demand evidence of real defence, drawn from live records, not promises. Your audit-ready workflow is a daily discipline using a central platform for everything from exception templates to SIEM reports.
Every audit is a defence of practice, not intent. Audit survival is rehearsed, not improvised.
NIS 2 Audit Survival Playbook: A Stepwise, Live Checklist
A. Map Every Legacy Asset
- Intake all EOL/unpatchable systems with strict owner mapping.
- Example: MRI scanner (“Radiology – owner: CISO sponsor.”)
B. Register and Review Detailed Risk Exceptions
- Require formal exception for each asset; record quantifiable risk; rationale for “no patch.”
- Ensure Board/management signoff and policy assignment.
C. Prove Compensating Controls
- For each exception, maintain versioned firewall/VLAN configurations, SIEM/NDR log policies, training/incident drill records, and USB device monitoring artefacts.
D. Centralise Evidence Kits
- Store all documentation in a controlled ISMS with version maps and ownership logs.
E. Automated, Risk-Based Review Cadence
- Schedule reviews and escalate on incident or environment change.
F. Audit-Ready Retrieval
- Ensure two-click access to board signoffs, logs, control configs, and policy documentation.
Workflow Diagram
[Asset Register] ➔ [Exception Docs] ➔ [Control Evidence: logs, configs, signoffs]
↘ ↘
[Owner/Schedule] [Control Table]
↘ ↘
[Audit Review Ready] 🛡️
ISO 27001/NIS 2 Bridge Table
| Expectation | Operationalisation | ISO/NIS2 Ref |
|---|---|---|
| Asset owner assigned | Register, owner sign-off, review | A.5.9, Art. 21 |
| Live controls mapped | Configs, logs, training, drills | A.8.8, Art. 6.6 |
| Exceptions/workflows on | Approvals, versioned records | A.5.36, Art. 20 |
| Retire/migrate plan | Plan update, Board minutes | Art. 21, 33 |
How Do Compensating Controls Vary by Sector-And What Makes Evidence Audit-Resilient?
Sector context dictates both risk perception and acceptable mitigation. Auditors expect controls that mirror the unique threat landscape and operational boundaries of each domain. A finance team’s jump host access trails differ from a hospital’s PACS VLAN logs or from SCADA’s air-gaps and monitoring.
| Sector | Legacy Asset | Audit-Tolerated Controls | Evidence That Wins Audits |
|---|---|---|---|
| Healthcare | MRI/PACS Server | VLAN, SIEM, USB lockdown, signoffs | Network logs, SIEM drills, USB block logs |
| Finance | DB Server | Privilege allowlist, jump host, SIEM | Session reviews, jump logs |
| Energy/ICS | SCADA/PLC | Screened subnet, protocol filter, NDR | Topology, filter/NDR logs |
Tuning evidence (logs, configurations, approval flows) expressly for your sector’s live risks gives credibility when auditors, regulators, or internal seniors ask tough, context-specific questions.
The Unbreakable Thread: True Defensibility Is Audit-Ready, Living Evidence
NIS 2 and modern cyber audit culture expect every control and exception to be proven in real time: not via “policy only” but with updated ownership, logs, and review cycles.
For audits, visibility is the new security. Controls not evidenced, not version-stamped, might as well not exist.
Daily defensibility relies on practice: you must swiftly retrieve signed Board exceptions, SIEM logs, and policy sign-off records, or risk compliance drift and audit deficiency reports. Building this discipline on an ISMS platform closes the gap between intention and evidence, whatever your sector’s exposure.
How ISMS.online Protects Your Organisation and Proves Defensible Controls, Every Audit, Every System
Legacy risk is a certainty; audit drift is not. ISMS.online helps teams operate with discipline, centralising every exception, versioning every control, mapping owners, and tracking review cycles and scheduled evidence. Your audit readiness becomes an always-on, always-reviewed system:
- All exceptions, assets, and controls versioned, tagged, and logged, never lost in ad hoc folders.
- Custom review frequencies, Board signoffs, training records, and incident logs mapped to controls.
- Evidence upload and audit kit retrieval in seconds; fast, furnished answers in the audit room.
- Policy-to-control crosswalk dashboards for ISO 27001/NIS 2/ISO 27701, aiding multi-framework audits.
Resilience Isn’t Just Surviving an Audit
With ISMS.online, you don’t gamble audit outcomes, you orchestrate them, making every piece of risk, exception, and control traceable, reviewable, and demonstrable. Prove your controls work, transform legacy risks into resilience capital, and own the stage the next time auditors call. Standout security isn’t luck; it’s the discipline of daily proof.
Frequently Asked Questions
What compensating controls satisfy NIS 2 for legacy systems that can’t be patched, and what real-world tactics actually work?
Under NIS 2, legacy systems that cannot be patched demand “live” compensating controls: technical and procedural safeguards proven to withstand real audits. These are not just paperwork; they’re operational disciplines supported by direct evidence.
Practical tactics include:
- Tight network segmentation: Place legacy assets on separate VLANs, restricting traffic only to essential paths, with denied-by-default firewall rules. Energy utilities routinely air-gap unpatchable SCADA or ICS devices, combining digital and physical isolation to reduce exposure.
- Plugging all nonessential access: Disable unused ports (USB, Wi-Fi), monitor for abnormal attempts, and deploy strict endpoint locks. Hospitals often quarantine legacy MRI or CT workstations, enforce physical port controls, and block unauthorised software to minimise exploitation risks.
- Jump hosts and privileged barriers: For finance and regulated sectors, remote management and administrative actions pass through jump servers-with session logging, approval gates, and credential rotation. Every access must be auditable.
- Live monitoring and incident drilling: Continuous log shipping to a SIEM, anomaly detection (especially in protocol-specific environments like ICS), and regular “tabletop” or threat simulation drills generate real-world proof of control effectiveness.
You protect legacy risks by showing, not just claiming, that every control is tested, logged, and reviewed.
Operational proof is crucial: up-to-date network diagrams that pinpoint isolated assets, ticket records for approved exceptions, session logs, and Board-signed reviews. A platform like ISMS.online automates the evidence chain, so you can demonstrate, on demand, that your controls aren’t theoretical but truly “alive.”
How do you document risk acceptance and exceptions for legacy assets to pass NIS 2 scrutiny (and real audits)?
NIS 2 and modern auditors expect each exception to be linked to a “living” evidence trail: not simply a static approval but a process that’s owned, reviewed, and tested. This means capturing everything in one place, from rationale to Board sign-off to periodic reviews.
Steps for robust documentation:
- Asset Inventory: Capture make, model, business owner, location, unpatchability reason, and risk score (e.g., CVSS).
- Exception Register: Record each unmitigated system, log mapped controls (e.g., VLAN, SIEM, jump host), and clearly state compensating actions.
- Formal Approval: Require time-stamped, Board or high-level management sign-off with repeat review cycles (at least yearly or after major incidents).
- Evidence Chain: Store updated diagrams, incident logs, control test results, and configuration snapshots, version-controlled in your ISMS.
- Lifecycle reviews: Audit logs must show comprehensive review cycles, triggered not just by calendar, but by any security event or environmental change.
Exception Lifecycle Table
| Phase | Evidence | Standard Reference |
|---|---|---|
| Identify | Inventory, owner, risk scoring | ISO 27001 A.5.9 |
| Exception Request | Signed exception record, risk mapping | NIS 2 Art. 21, Cl 6.1 |
| Control Mapping | VLAN/SIEM/drill documentation | ISO 27001 A.8.8 |
| Approval | Board minutes, digital signatures | ISO 27001 A.5.35 |
| Review/Closure | Test logs, review meeting records | NIS 2 Art. 20 |
A centralised ISMS.online environment replaces scattered files or emails with a complete, accessible chain, giving auditors exactly what they want: instant, “living” compliance.
Which layered controls actually reduce risk from unpatched legacy software, and what audit evidence is required?
Layered controls are the backbone of NIS 2 resilience for legacy systems. Auditors only recognise those controls that can be seen, tested, and proven in your operational environment.
Essential Controls:
- Network Segmentation: Asset sits on a protected VLAN, verified by firewall and routing tables. Diagrams must highlight paths, exceptions, and proof of restricted connectivity.
- Privileged Access Management: Enforce jump host usage, credential rotation, multi-factor authentication, and session logging for administrative access.
- SIEM and Behaviour Monitoring: Aggregate log streams across the estate, flagging suspicious events. Protocol-specific anomaly detection is vital for ICS and SCADA.
- Endpoint Hardening: Disable unused interfaces and enforce application whitelisting. Routine spot checks (with logs) confirm controls remain active.
- Drill-Based Validation: Scenario tests (e.g., ransomware attack simulation) and tabletop exercises, logged with outcomes, actions, and improvement capture.
Audit Evidence Table
| Asset-Type | Control(s) Employed | Required Evidence |
|---|---|---|
| Windows 2008 | VLAN, SIEM, jump host | Net diagrams, session logs |
| ICS/SCADA node | Air-gap, NDR, tickets | Routing tables, alert reports |
| Medical Device | USB block, drills | Config docs, drill logs |
If the evidence isn’t recent, versioned, and accessible, the control doesn’t exist in the mind of the auditor.
What ensures full NIS 2 audit readiness when unpatched legacy assets are in production?
Audit-readiness is a routine, not a one-off project. True resilience demands pre-built, dynamic evidence that covers every asset at every stage, from risk identification through to live control testing and periodic review.
Key steps for operational audit prep:
1. Map every asset. Catalogue all unpatchable systems, complete with owner, rationale, and risk scores.
2. Document exceptions. File detailed exception records, mapping to board approval, live controls, and ongoing review requirements.
3. Test compensating controls. Schedule and document SIEM alert tests, firewall validation, or scenario simulations.
4. Evidence chain: Store all artefacts centrally (change records, audit logs, meeting minutes), indexed by asset, control, and status.
5. Automate reminders and reviews. Deploy calendar-triggered (and event-triggered) review workflows, ensuring exceptions and controls never go stale.
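The exception blueprint earlier on this page and the audit-prep steps just listed describe one lifecycle: register the asset and owner, quantify risk, map each missed control to a compensating one, obtain sign-off, hold evidence, and re-review on a calendar or after an incident. The script below is an added example (not ISMS.online code) that encodes those checks as an automated gap review over two constructed exception records; the field names, review intervals and required-evidence set are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadences the blueprint names (quarterly, annual), in days (assumed values).
REVIEW_INTERVAL_DAYS = {"quarterly": 91, "annual": 365}
# Artefact types an auditor expects attached to every exception (assumed set).
REQUIRED_EVIDENCE = {"topology diagram", "firewall config", "siem log", "approval record"}
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

@dataclass
class LegacyException:
    asset: str
    owner: str                      # business owner with process context
    unpatchable_rationale: str      # e.g. "Vendor defunct", "Safety critical"
    cvss: float                     # quantified risk score
    control_map: dict               # missed standard control -> compensating controls
    control_refs: list              # ISO 27001 / NIS 2 clause crosswalk
    signed_by: str                  # tier-appropriate manager or board member
    review_cadence: str             # "quarterly" or "annual"
    last_review: date
    evidence: set = field(default_factory=set)
    incidents_since_review: int = 0  # an incident forces a review regardless of calendar

def audit_gaps(rec: LegacyException, today: date) -> list:
    """Return every reason this exception would fail an audit (empty list = ready)."""
    gaps = []
    if not rec.owner:
        gaps.append("no business owner assigned")
    if not rec.unpatchable_rationale:
        gaps.append("no 'cannot patch' rationale recorded")
    if not rec.signed_by:
        gaps.append("no management sign-off")
    if not rec.control_refs:
        gaps.append("compensating controls not crosswalked to ISO 27001 / NIS 2")
    for missed, compensating in rec.control_map.items():
        if not compensating:
            gaps.append(f"no compensating control mapped for '{missed}'")
    interval = REVIEW_INTERVAL_DAYS.get(rec.review_cadence)
    if interval is None:
        gaps.append(f"unknown review cadence '{rec.review_cadence}'")
    elif today > rec.last_review + timedelta(days=interval):
        gaps.append(f"scheduled {rec.review_cadence} review overdue")
    if rec.incidents_since_review:
        gaps.append("incident since last review: mandatory review outstanding")
    missing = REQUIRED_EVIDENCE - rec.evidence
    if missing:
        gaps.append("evidence missing: " + ", ".join(sorted(missing)))
    return gaps

# Constructed sample records; not real assets.
MRI = LegacyException(
    asset="MRI Scanner, Radiology", owner="Head of Radiology",
    unpatchable_rationale="Safety critical - OS locked by vendor", cvss=7.8,
    control_map={"vulnerability management": ["VLAN", "SIEM", "USB lockdown"]},
    control_refs=["ISO 27001 A.8.8", "NIS 2 Art. 21"], signed_by="CISO",
    review_cadence="quarterly", last_review=date(2024, 4, 1),
    evidence={"topology diagram", "firewall config", "siem log", "approval record"},
)
DB_SERVER = LegacyException(
    asset="Finance DB Server", owner="Head of Finance IT",
    unpatchable_rationale="Vendor defunct", cvss=9.1,
    control_map={"vulnerability management": ["jump host", "SIEM"], "patching": []},
    control_refs=["ISO 27001 A.8.22", "NIS 2 Art. 21"], signed_by="",
    review_cadence="annual", last_review=date(2023, 3, 1),
    evidence={"topology diagram", "siem log"}, incidents_since_review=1,
)

if __name__ == "__main__":
    for rec in (MRI, DB_SERVER):
        print(rec.asset, "->", audit_gaps(rec, AUDIT_DATE) or "audit-ready")
```

Wiring the same check to an event feed (vendor EOL notice, incident ticket) rather than a calendar is what turns the calendar-driven review into the event-triggered one the steps above call for.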
Traceability Table
| Trigger | Risk Update | Control Added | Evidence Logged |
|---|---|---|---|
| Device found unpatchable | Risk filed | VLAN, SIEM | Approval, config, log |
| Vendor stops support | Exception made | Air-gap, ticketing | Board note, SIEM event |
| Simulated incident | Review forced | Drill/test scenario | Drill log, review |
A system like ISMS.online automates this discipline, so audit “readiness” is simply your default operating state.
How should compensating controls and audit evidence be tailored by sector (healthcare, finance, energy)?
Every sector faces unique regulatory and operational scrutiny, so your controls and evidence should be sector-matched:
- Healthcare: Emphasise asset isolation (VLAN, physical access control), device logs (e.g., imaging machine login attempts), and recurring cyber-drills (mock ransomware). Prove clinical review and Board approval through hospital minutes. *(Reference: NHS Digital, HHS HITRUST)*
- Finance: Focus on privileged access control, jump host enforcement, session log review, and credential rotation cycles, backed by Board-approved exception files and continuous audit log capture. *(Reference: EBA Guidelines, PCI DSS)*
- Energy/ICS: Require air-gaps or one-way diodes, NDR protocol anomaly detection, and operational logs tied to incident ticketing. Include evidence of annual or incident-triggered drills and routing table reviews. *(Reference: NIST 800-82, ENISA)*
Sector Evidence Matrix
| Sector | Priority Control/Evidence |
|---|---|
| Healthcare | VLAN logs, drill records, board sign-off |
| Finance | Jump host/session logs, privileged approvals |
| Energy/ICS | Air-gap/NDR logs, ticketing, drill files |
The credibility of your audit depends on recent, sector-typical logs and approved digital records, not just written policies.
Why is centralised, dynamic evidence management crucial, and how does ISMS.online deliver it?
Centralised, dynamic evidence management means that every exception, control, review, and approval is captured and ready for audit or regulatory inspection at any moment. Nothing slips through the cracks, and no last-minute scramble occurs.
ISMS.online delivers this by:
- Versioning every artefact: Asset logs, control configs, Board minutes, and incident records are all date-stamped, indexed, and always accessible.
- Triggering reminders & workflows: Automated prompts for review cycles, change management, and exception updates keep controls live.
- Structuring audit kits: You can present a complete “golden thread” from asset and risk identification, to live controls, to Board-approved exceptions, all mapped to regulatory clauses and standards (e.g., ISO 27001/Annex A, NIS 2).
True resilience is proven before the scrutiny; it’s routine, not a last-minute performance.
When your system gives you instant access to every required proof, your legacy risk narrative shifts: from defensive to proactive, from uncertainty to baseline resilience, from scattered evidence to a lasting operational advantage.