NIS-2 Directive
WHO IS AFFECTED BY INFORMATION SECURITY COMPLIANCE?
Whereas previously only selected sectors were subject to regulatory requirements (KRITIS, DORA) for information security compliance, the field of affected companies is expanding massively with the introduction of the NIS2 directive. And even companies that are not directly affected by the law themselves will be indirectly forced to comply with the same requirements via the supply chain.
In addition to the legal requirements for cybersecurity, selected industries have long been obliged to comply with standards via industry standards such as VDA TISAX or PCI DSS, which raises the question of how companies should position themselves in this environment.
STANDARDS PROVIDE ORIENTATION
As diverse as the legal requirements or industry standards may appear at first glance, they are ultimately all based on the same best practices, which describe an Information Security Management System (ISMS) in order to reduce information security risks through relevant controls. The most widespread standard for such an ISMS can be found in ISO standard 27001/27002, which describes organizational and technical control objectives and controls, as well as the organizational anchoring of the ISMS.
THE GOAL IS COST OPTIMIZATION
The central aspect of an ISMS is information security risk management, which aims to minimize risk costs while taking into account the costs of security measures. It is important to understand that although all standards and laws describe control objectives and controls, they rarely describe their specific design. The basic approach is always that the controls must be appropriate to the specific risk to be avoided. Appropriateness is ultimately measured in EUR, i.e. the cost of a loss event vs. the cost of implementing and operating controls.
From this perspective, the establishment of an ISMS is in the best interest of every company with the aim of optimizing business costs.
THE PATH TO COST-OPTIMIZED COMPLIANCE
Establishing an ISMS in a company for the first time is typically a multi-year program that must achieve intermediate goals in several stages to bring measurable business benefits as quickly as possible.
The priorities and milestones typically result from the risk and gap analysis. The risk analysis highlights the specific threat scenarios that endanger the company. The gap analysis focuses on the formal implementation level of the controls against the applicable standard and legal requirements, e.g. ISO 27001 and NIS2. Both dimensions together result in a heat map along which the development path of the ISMS and the control implementation can be planned.
Planning the development path and milestones requires a broad understanding of both the more organizationally driven part of the ISMS and the necessary technical controls, which consist of many coordinated building blocks.
The goal is compliance and cybersecurity with simultaneous cost optimization.
Information Security Compliance
A strategic approach to information security
Our Services:
Requirements elicitation:
Gap analysis
Defining the solution architecture
-
We create a gap analysis against security best practices and specific standards
-
Carry out a risk analysis to assess the specific cyber security risks.
-
The result is processed as a heat map of the entire control standard.
-
We create an action plan with prioritization and milestones.
-
Consulting and implementation planning to eliminate audit issues
-
IS policies: creation of company-specific information security guidelines
Project Management
-
Business Plan (Scope, Costs, Benefit, Risik, Roadmap)
-
Project Organisation,
-
Project Management,
-
Programm Management,
Certificates:
Prince2 (classic & agil)
Scrum Product Owner
Scrum Master
ITIL4
CISSP
Business Analysis
Requirements Engineering
Arrange a consultation appointment:
Dr. Johannes Faassen
mobil: +49 170 4168039