Cybersecurity layers: from cyber insurance to ISO 27001, SOC 2 and NIS2

Minimum viable cybersecurity: from the insurance questionnaire to ISO 27001, SOC 2 and NIS2

Most companies treat cyber insurance and regulatory compliance as two separate projects. One is owned by the broker or the CFO, the other by the IT lead or an outside consultant. The result is that many companies end up paying twice to build the same foundation, or worse, find out after an incident that the insurer won’t pay because they were missing a control any auditor would have demanded too.

This article flips the usual order of thinking. Instead of starting from the framework, we start from the claim. Because the set of controls an insurer requires to issue a policy and, above all, to pay a claim is the most pragmatic minimum that exists in the market. It’s not an ideological or theoretical minimum. It’s calibrated against real loss data, and the denial figures prove it.

On top of that minimum you build the compliance layers. ISO 27001 and SOC 2 once you start selling to clients who ask for it during due diligence. NIS2 when you operate in regulated sectors. The good news is that all three layers share most of their backbone. The bad news is that orchestrating them day to day, keeping them alive, and being able to demonstrate them to an auditor or a loss adjuster is where most companies break.

Layer 1: the non-negotiable minimum cyber insurance demands

The cyber insurance market has changed entirely in the last four years. Until 2021, underwriting a policy was a formality. You filled out a short questionnaire, declared two or three basic measures and the policy was issued. After the 2021–2023 ransomware wave, insurers started losing money at a pace the market had never seen. Their response was to hire technical underwriters, lengthen the questionnaires, demand evidence and, above all, start denying claims when the controls declared weren’t actually in place.

Today, according to industry data, around 40% of cyber claims are denied in whole or in part. By far the most frequent cause is the absence or partial implementation of controls the insured declared in the questionnaire. 82% of the denials Coalition identified in 2024 were tied to companies without multi-factor authentication fully deployed.

What follows are the controls that appear in practically every questionnaire from Stoïk, Hiscox, Zurich, AIG and the rest of the carriers operating in the Spanish market. They aren’t recommendations. They’re the questions that decide whether a claim gets paid.

Multi-factor authentication on every access point

The most demanded control and the most misunderstood. The insurer doesn’t ask whether you have MFA available. It asks whether it’s mandatory. And not just on email — also on VPN, remote desktop, cloud admin panels, access to critical SaaS tools and any privileged account.

The typical mistake is to answer yes because Microsoft 365 has MFA enabled, while the VPN still has no MFA or a legacy server has an admin account with a simple password. There’s a public case, Travelers vs International Control Services, in which the insurer rescinded the policy after discovering MFA was on the firewall but not on the remote-access system the attackers actually used. The questionnaire declaration was deemed material misrepresentation and coverage disappeared.

Endpoint detection and response (EDR or MDR)

Traditional antivirus is no longer enough to underwrite. Roughly 88% of insurers require EDR or MDR-class tooling deployed across all endpoints, servers included. The difference versus classic AV is that EDR doesn’t look for known signatures, it looks for anomalous behaviour, and it lets you isolate a compromised device before the attacker moves laterally.

What underwriters check is not just that you have the tool. It’s coverage. If you have 200 devices in the organisation, they expect to see 200 active agents on the EDR console. 85% deployment is a frequent reason for objection.

Immutable, tested backups

The rule insurers now ask for fairly consistently is the so-called 3-2-1-1: three copies of the data, on two different media types, one of them off the production environment, and one in an immutable or air-gapped state. Immutability matters because much of modern ransomware deliberately hunts down backups before encrypting in order to prevent recovery.

The second point checked frequently is whether restores are tested. A backup that has never been restored is not a backup, it’s a hope. Insurers increasingly ask for logs of quarterly or semi-annual restore tests.

Documented and tested incident response plan

Documented means there’s an actual document, with assigned roles, identified legal and forensic contacts, notification deadlines for the insurer, and communication procedures for clients and authorities. Tested means at least one tabletop exercise or simulation has been run in the last twelve months, with results documented.

An insurer doesn’t expect a fifty-person company to have an in-house response team. It expects them to know what to do in the first 72 hours and who to call.

Awareness training and phishing simulations

Marsh McLennan has been pointing to awareness training and phishing simulations as controls associated with lower claim frequency. That’s why they appear in questionnaires. What’s measured is not whether training exists, but the completion rate among employees. 60% of employees trained means 40% untrained, and that gets read as a partial control.

Patch and vulnerability management

Insurers usually demand an explicit commitment to apply critical patches within defined windows, typically 30 days, with shorter windows for internet-facing systems. It’s one of the most frequent questions in renewal questionnaires.

Privileged access management

Using admin accounts for everyday tasks is the number-one red flag in insurer assessments. The expectation is that privileged accounts are separated from day-to-day accounts, have strengthened MFA, and that their access is logged.

Supply chain risk

More and more questionnaires include questions about critical vendors. The concrete question is usually whether you require security evidence from vendors that touch your data or systems, ideally certifications like SOC 2 or ISO 27001 where applicable.

These eight blocks are the foundation. Meeting them doesn’t guarantee a low premium, but failing to meet them guarantees high premiums, specific exclusions or, worst case, a claim that goes unpaid after years of paying premiums.

Layer 2: what ISO 27001 and SOC 2 add when a client asks for it

The difference between layer 1 and layer 2 is not the type of control, it’s organisational maturity. The insurer asks if you have MFA. An ISO 27001 auditor asks whether you have an approved policy defining which accounts must have MFA, who is responsible for enforcing it, how access is reviewed, how often, and what documentary evidence you keep of those reviews.

In other words, layer 1 verifies the control exists. Layer 2 verifies the control is governed.

ISO 27001:2022, the international reference

The current version of the standard, published in 2022, has reorganised the Annex A control catalogue. Where the 2013 version had 114 controls across 14 domains, the 2022 version has 93 controls across four large groups: organisational (37), people (8), physical (14) and technological (34). The transition period for companies certified under the 2013 version ended on 31 October 2025. After that date, every active certification is under the 2022 version.

What ISO 27001 adds on top of the insurance questionnaire concentrates in three areas. First, the existence of an Information Security Management System, which implies a documented risk-analysis process, a Statement of Applicability that justifies which controls you apply and why, and a continuous improvement cycle. Second, formal coverage of areas the insurance questionnaire doesn’t touch in detail: information classification, employee lifecycle management, physical security, supplier management with specific contractual clauses. Third, the existence of documentary evidence proving that each control not only exists on paper but is executed and reviewed.

The 11 new controls introduced in the 2022 version reflect the current threat landscape: threat intelligence, security for the use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, secure information deletion, data masking, data leakage prevention, activity monitoring, web filtering and secure coding. If any of these sound new, that’s a good signal of where current market maturity is moving.

SOC 2, the Anglo-Saxon logic

SOC 2 is an audit report, not a certification. The difference matters: ISO 27001 says “this company meets a standard”. SOC 2 says “this company operates this way, and an auditor has verified it operates this way over a defined period of time”. It’s designed for corporate clients, especially in the United States, who want to see how you manage your security rather than accept a stamp.

It’s structured around five Trust Services Criteria: security (mandatory), availability, processing integrity, confidentiality and privacy. The company chooses which criteria it includes in its report. SOC 2 Type II is the format most demanded by serious clients, because it covers an observation period of at least six months during which the controls are monitored and evidence is generated.

The overlap between ISO 27001 and SOC 2 is around 80% of controls. That’s why companies that first certify ISO 27001 and then add SOC 2 save between 30 and 40% of the total cost of dual certification compared with implementing them separately.

When each one matters

ISO 27001 is the clear reference for European and Latin American markets, especially when public tenders or European corporate clients are asking for certification. SOC 2 enters the picture as soon as a company starts selling to US corporations or to companies that have grown under that standard. For a Spanish agency or startup operating in the European market with domestic clients, ISO 27001 is the first choice.

Layer 3: what changes with NIS2

NIS2 is the European directive (2022/2555) that replaces the original NIS and raises the bar for mandatory cybersecurity for essential and important entities. The transposition deadline into national law expired on 17 October 2024. Spain didn’t make it. The Draft Bill on Coordination and Governance of Cybersecurity was approved by the Council of Ministers in January 2025 and, as of this article, remains pending parliamentary processing. The European Commission already sent Spain a reasoned opinion in May 2025 — the first step before a possible infringement procedure before the EU Court of Justice.

The fact that the national law isn’t published doesn’t protect affected companies. When it is published, adaptation timelines will be short, and companies that already have the article 21 measures in place will start with a considerable head start.

Who it affects

NIS2 dramatically broadens scope compared to NIS1. By default, it affects entities of more than 50 employees or more than 10 million euros in turnover operating in any of the 18 sectors defined in the directive’s annexes. Those sectors include energy, transport, banking, digital infrastructure, managed ICT services, healthcare, water, food, manufacture of critical products, postal services, waste management, chemicals and others.

Two things stand out. First, certain entities can fall within scope regardless of size, if they’re the sole provider of a critical service in a Member State or if an interruption would have significant public impact. Second, NIS2 introduces the supply-chain concept: even if your company isn’t directly subject, if you sell ICT services to an essential or important entity, you’ll receive contractual requirements from your client that effectively pass the directive’s obligations down to you.

The 10 measures of article 21

Article 21 lays out ten groupings of minimum measures every affected entity must implement. Summarised:

  1. Risk-analysis and information-system security policies.
  2. Incident management, including detection, containment, notification and recovery, with legal deadlines of 24 hours for early warning, 72 hours for notification and one month for the final report.
  3. Business continuity and backup management.
  4. Supply chain security.
  5. Security in acquisition, development and maintenance of systems, including vulnerability management.
  6. Policies and procedures to assess the effectiveness of risk-management measures.
  7. Basic cyber-hygiene practices and cybersecurity training.
  8. Policies and procedures on the use of cryptography and, where applicable, encryption.
  9. Human-resources security, access-control policies and asset management.
  10. Use of multi-factor or continuous authentication, secure communications and emergency communication systems.

Anyone reading this list alongside the insurance questionnaire and the ISO 27001 Annex A will quickly see they speak about the same universe of controls, organised in three different ways. The difference is the level of documentary rigour and the sanction regime.

Sanctions and personal accountability

NIS2 contemplates fines of up to 10 million euros or 2% of annual worldwide turnover for essential entities, and up to 7 million or 1.4% for important ones. More importantly, it transfers direct accountability to management bodies, which must formally approve the measures, oversee their implementation and receive specific training. Article 20 explicitly states that this responsibility cannot be delegated. It’s one of the strongest levers in the directive: it turns cybersecurity into a board matter, not an IT one.

In Spain, the transposition includes the option to demonstrate compliance through certification under the National Security Framework (ENS) at medium or high category, offering a formal path of evidence.

The real map: how everything overlaps

Once you put all three layers on the same page, it becomes clear they aren’t alternatives, they’re progressions. The backbone is practically the same:

  • MFA, EDR, immutable backups and response plan appear in the insurance questionnaire, in ISO 27001 Annex A (controls 5.17, 8.5, 8.7, 8.13, 5.24 to 5.27) and in NIS2 article 21.
  • Formal risk analysis appears as a prerequisite in ISO 27001 and as an explicit obligation in NIS2.
  • Supplier management appears in incipient form in the insurance questionnaire, with detail in ISO 27001 (controls 5.19 to 5.23), and with special weight in NIS2.
  • Training, privileged-access management, patch management and monitoring appear at all three levels.

The difference between levels comes down to three axes: the documentary depth required, the organisational scope (more formal controls on the people and process side as you move up the stack) and the verification regime (questionnaire for insurance, external audit for ISO 27001 and SOC 2, administrative supervision with sanctions for NIS2).

The practical consequence is that companies that build layer 1 well already cover between 60 and 70% of the work for layers 2 and 3. And companies that already have a mature ISO 27001 typically pass the insurance questionnaire without surprises and enter NIS2 with few gaps.

Why most companies fail at this

The problem is rarely picking the right control. The problem is keeping it alive and being able to prove it when needed.

The insurance questionnaire is filled out once a year at renewal, almost always in a hurry, and frequently declares controls that were 100% at some point but have since degraded. A legacy admin account without MFA. A server the IT team forgot to include in the latest EDR rollout. A backup that hasn’t been restored in eight months. A new critical vendor that came in without going through the assessment list. Any of these gaps, at the wrong moment, voids coverage.
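As an added illustration, not part of the original article or of Axyom's product, the following Python check reconciles exactly the drift gaps listed above (EDR coverage, MFA on every access point and privileged account, restore-test age, unassessed vendors) plus the patch window from layer 1 against constructed sample exports. The 14-day internet-facing patch window, the 180-day restore cadence and all host, account and vendor names are assumptions.

```python
from datetime import date

# Constructed sample exports (placeholders, not real systems): asset inventory,
# EDR console, identity provider, backup system, vendor register, patch tracker.
AS_OF = date(2025, 10, 1)                                   # constructed "as-of" date
INVENTORY = {f"srv-{i:02d}" for i in range(1, 21)} | {"legacy-db"}
EDR_AGENTS = {f"srv-{i:02d}" for i in range(1, 19)}          # legacy-db, srv-19, srv-20 have no agent
ACCESS_POINTS = {"m365": True, "vpn": False, "rdp-gateway": True, "cloud-admin": True}
PRIVILEGED = {"admin-svc": True, "legacy-admin": False}     # account -> MFA enforced?
LAST_RESTORE_TEST = date(2025, 2, 1)                         # roughly eight months before AS_OF
VENDORS = {"payroll-saas": "SOC 2", "new-crm": None}         # vendor -> security evidence held
CRITICAL_PATCH_AGE_DAYS = {"srv-01": 12, "srv-05": 45, "web-edge": 20}
INTERNET_FACING = {"web-edge"}

def edr_coverage(inventory, agents):
    """Ratio of inventoried hosts with an active agent, plus the hosts missing one."""
    return len(inventory & agents) / len(inventory), sorted(inventory - agents)

def mfa_gaps(access_points, privileged):
    """Every access point and privileged account where MFA is not enforced."""
    return [name for name, enforced in {**access_points, **privileged}.items() if not enforced]

def backup_overdue(last_test, today, max_age_days=180):
    """Days past the assumed semi-annual restore-test cadence (0 when on schedule)."""
    return max(0, (today - last_test).days - max_age_days)

def patch_breaches(ages, internet_facing, window=30, edge_window=14):
    """Hosts with a critical patch pending longer than the 30-day window,
    or the assumed 14-day window for internet-facing systems."""
    return [h for h, d in ages.items() if d > (edge_window if h in internet_facing else window)]

def vendor_gaps(vendors):
    """Critical vendors admitted without security evidence (SOC 2, ISO 27001, ...)."""
    return [v for v, evidence in vendors.items() if not evidence]

def drift_report(today):
    """One snapshot of where the declared controls actually stand on the given date."""
    ratio, missing = edr_coverage(INVENTORY, EDR_AGENTS)
    return {
        "edr_coverage": round(ratio, 3),
        "edr_missing": missing,
        "mfa_gaps": mfa_gaps(ACCESS_POINTS, PRIVILEGED),
        "restore_overdue_days": backup_overdue(LAST_RESTORE_TEST, today),
        "patch_breaches": patch_breaches(CRITICAL_PATCH_AGE_DAYS, INTERNET_FACING),
        "vendor_gaps": vendor_gaps(VENDORS),
    }

def declarable(report):
    """True only if every control is fully in place, the bar a questionnaire answer must meet."""
    return (not report["edr_missing"] and not report["mfa_gaps"]
            and report["restore_overdue_days"] == 0
            and not report["patch_breaches"] and not report["vendor_gaps"])
```

Run on a schedule, the report is the evidence trail the article says most companies lack: a partial coverage ratio or a single unenforced account turns a "yes" on the questionnaire into a material misrepresentation.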

ISO 27001 and SOC 2 force continuous evidence. Auditors ask for screenshots, exported configurations, test logs, committee meeting minutes. If they don’t exist as a routine, they get built in a rush two weeks before the audit, with the cost and risk that implies.

NIS2 goes one step further: it establishes active supervision by the competent authority, with the power to audit and sanction even without an incident.

Where it all breaks is the operational layer. Not the paper. The typical mid-market Spanish company, with no in-house CISO, no dedicated team, doesn’t have the capacity to keep the control inventory alive, run the verifications, generate the evidence and review the risks every month. And if it tries to do it with people, it does it with an overhead that ends up degrading the system.

That’s the real conclusion of the analysis. Minimum viable cybersecurity exists and is fairly clear. What doesn’t exist in most companies is the engine that keeps it running and demonstrable on a continuous basis. And without that engine, none of the three layers works as it should: the insurer doesn’t pay, the auditor finds gaps, the regulator arrives at a company without evidence.

How Axyom approaches it

The way Axyom frames this is deliberate. The financial layer is covered by cyber insurance, transferring the residual risk once the operational base is under control. The operational layer is covered by AI CISO, which continuously monitors whether the controls the insurer demands and the frameworks add are actually in place, generates the evidence automatically and orchestrates remediation when a deviation appears.

This doesn’t replace an ISO 27001 consultant when a company wants to certify, nor a legal team specialised in NIS2 when a sector-specific transposition has to be addressed. What it does is solve the daily problem that breaks most companies: keeping the foundation alive, knowing at any given moment where you stand against what your insurer demands, and being able to prove it in an audit, in a renewal, or in the worst case, in a claim.

Before picking frameworks, before considering certifications, and even before renewing the next policy, the most useful thing a company can do is know precisely which controls are active today, where the gaps are, and what impact they have on its insurability. That’s the starting point of the digital risk analysis we run at getaxyom.com/en/risk-analysis. Thirty seconds to begin, a real picture of your exposed surface and an honest conversation about what to do next.