Applies to: NIS2 entities preparing baseline-obligation documentation and audit evidence.
A NIS2 documentation audit is reliable only when policy review is combined with structured interviews and evidence traceability. Document text alone often shows intent, not execution. A controlled interview-and-evidence workflow allows organizations to validate accountability, prove control operation, and prioritize remediation before October 2026 baseline milestones, while incident-notification obligations are already active.
Key Takeaways
- Interview design should follow NIS2 control domains, not ad-hoc questionnaires.
- Each interview question must map to a required evidence type.
- Evidence quality should be graded with a consistent maturity scale.
- Missing evidence is a governance risk even when policies look complete.
Scope of This Article
This article covers:
- How to structure interviews for NIS2 baseline-documentation audits.
- How to map interview answers to documentary and operational evidence.
- How to convert evidence gaps into prioritized remediation actions.
This article does not cover:
- Client-identifying findings.
- Full proprietary templates and full interview banks.
Official Reference Framework
| Source | Why it matters |
|---|---|
| Legislative Decree 138/2024 | Defines legal accountability and baseline obligations under NIS2 in Italy. |
| ACN Determination on baseline obligations | Defines measure points and expected implementation artifacts. |
| ACN Reading Guide | Clarifies how to interpret requirements and evidence expectations. |
| ACN Guidance on incident notification | Defines operational logic for incident communication and reporting readiness. |
| ACN NIS baseline page | Provides implementation context and timeline for baseline obligations. |
Why Interview-Based Validation Is Necessary
A pure document review usually misses three operational realities:
- undocumented controls that exist but are not evidenced,
- documented controls that are not operationalized,
- role-accountability gaps between governance and operations.
Interviewing process owners and control owners closes those gaps by validating who does what, with which evidence, and at what periodicity.
Interview Design Model (6 Domains)
| Domain | Objective | Typical focus |
|---|---|---|
| Governance | Validate decision and approval chain | Board reporting, policy approval flow, exception handling |
| Identification | Validate risk and scope definition | Relevant-system perimeter, risk review periodicity |
| Protection | Validate preventive control evidence | Access controls, logging, patching, training records |
| Detection | Validate monitoring effectiveness | Service levels, monitoring coverage, alert triage |
| Response | Validate incident workflow readiness | Notification ownership, escalation, communication procedures |
| Recovery | Validate resilience execution | Continuity/crisis plans, recovery priorities, restoration evidence |
Evidence Maturity Scale for Audit Decisions
| Level | Classification | Interpretation |
|---|---|---|
| 0 | Absent | Evidence not available or not referenced |
| 1 | Mentioned only | Evidence declared but not traceable |
| 2 | Referenced | Evidence linked to external or supporting artifact |
| 3 | Referenced + mapped | Evidence linked and mapped to NIS2 requirement logic |
| 4 | Present and verifiable | Evidence available for direct audit verification |
This scale helps separate narrative quality from real compliance readiness.
Interview-to-Evidence Mapping Logic
| Interview output | Required evidence type | Validation question |
|---|---|---|
| "Control exists" | Procedure or standard | Is the procedure current, owned, and versioned? |
| "Control is applied" | Log/report/register extract | Is there recent execution evidence with dates and owner? |
| "Governance is aware" | Board/reporting artifact | Is there periodic reporting to governing bodies? |
| "Incident process is ready" | Notification playbook/templates | Are timing and communication steps formally defined? |
| "Recovery is covered" | Continuity/recovery plans and test evidence | Are recovery priorities and expected recovery targets documented? |
Recurrent Gaps Found in Anonymized Audits
- Policies mention required plans, but plans are missing as autonomous controlled documents.
- Evidence is referenced at high level but cannot be produced for audit verification.
- Incident-notification sections include some timing logic but omit intermediate or recurring reporting workflows.
- Recovery documentation is present as backup narrative but lacks governance-ready continuity and crisis structure.
- Approval obligations are cited in principle but not translated into explicit approval workflow artifacts.
Practical 6-Step Execution Workflow
1. Build the interview plan by domain and role ownership.
2. Run interviews with evidence-first questioning (ask for the artifact, not only the explanation).
3. Classify each answer against the evidence maturity scale.
4. Map each evidence gap to the impacted NIS2 requirement points.
5. Prioritize findings by compliance and operational impact.
6. Issue a remediation backlog with owner, target date, and closure evidence criteria.
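Steps 3 to 6 above can be carried by a small evidence matrix, as in this added example (not part of the original article or any Aegister template). The REQ-* ids and the sample interview answers are constructed placeholders, and the closure thresholds (level 4 for critical controls, level 3 for the rest) are assumptions, not rules stated on the page.

```python
from dataclasses import dataclass

# Maturity scale from the article's "Evidence Maturity Scale for Audit Decisions" table.
MATURITY = {0: "Absent", 1: "Mentioned only", 2: "Referenced",
            3: "Referenced + mapped", 4: "Present and verifiable"}
# Assumed closure thresholds (not in the article): critical controls need level 4, others level 3.
TARGET_CRITICAL, TARGET_OTHER = 4, 3

@dataclass(frozen=True)
class EvidenceItem:
    domain: str        # one of the six interview domains
    requirement: str   # requirement point id (placeholder values in the sample below)
    statement: str     # what the interviewee claimed
    level: int         # maturity level 0..4 assigned after the interview
    critical: bool     # control is critical for compliance or operations
    owner: str         # accountable owner named in the interview

def target_level(item: EvidenceItem) -> int:
    return TARGET_CRITICAL if item.critical else TARGET_OTHER

def severity(item: EvidenceItem) -> int:
    """Distance from verifiable evidence, doubled for critical controls."""
    return (4 - item.level) * (2 if item.critical else 1)

def gap_register(matrix):
    """Turn an evidence matrix into a gap register ordered for remediation."""
    gaps = []
    for item in matrix:
        if item.level >= target_level(item):
            continue  # evidence already meets the closure threshold: not a gap
        target = target_level(item)
        gaps.append({
            "requirement": item.requirement,
            "domain": item.domain,
            "owner": item.owner,
            "current": f"{item.level} ({MATURITY[item.level]})",
            "severity": severity(item),
            "closure_evidence": f"raise to level {target} ({MATURITY[target]})",
        })
    # Highest severity first; the requirement id breaks ties deterministically.
    return sorted(gaps, key=lambda g: (-g["severity"], g["requirement"]))

# Constructed sample matrix; REQ-* ids are placeholders, not real ACN measure points.
SAMPLE_MATRIX = [
    EvidenceItem("Governance", "REQ-GOV-01", "Board approved the security policy", 1, True, "CISO"),
    EvidenceItem("Identification", "REQ-IDN-01", "Risk review runs yearly", 3, False, "Risk officer"),
    EvidenceItem("Protection", "REQ-PRT-03", "Patch register is kept", 4, False, "IT operations"),
    EvidenceItem("Response", "REQ-RSP-02", "Notification playbook exists", 2, True, "SOC lead"),
    EvidenceItem("Recovery", "REQ-REC-01", "Continuity plan is tested", 0, True, "BC manager"),
]
```

Running `gap_register(SAMPLE_MATRIX)` yields three gaps, Recovery first (absent evidence on a critical control), while the Level-3 non-critical item and the Level-4 item drop out because they already meet their closure threshold.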
Minimum Deliverables of the Interview and Evidence Phase
| Deliverable | Purpose |
|---|---|
| Interview log by domain and owner | Traceability of statements and commitments |
| Evidence matrix with maturity level | Objective readiness baseline |
| Gap register with severity and impact | Prioritized remediation governance |
| Remediation tracker with ownership | Execution control and follow-up |
FAQ
Is interview work still useful when documents are already complete?
Yes. Interviews validate whether controls are operational and evidenced, not only documented.
Should interviews be technical only?
No. They must include governance stakeholders and process owners, because legal accountability and operational execution are both required.
Can an organization pass with many Level-1 evidence items?
Level-1 evidence is usually not enough for reliable audit closure. Organizations should move critical controls to verifiable evidence.
What if a required fact is unclear in source documentation?
Treat it as a formal gap and align to the official references. The details are defined in the official call and baseline documentation.
Conclusion
Interview and evidence collection is the control layer that makes a NIS2 documentation audit defensible. When structured by domain, mapped to evidence maturity, and linked to remediation ownership, it gives both operational teams and governance bodies a reliable path from documentation quality to audit-ready compliance.