Information security and cyber security are closely related, even though they have different objectives. Information security addresses the confidentiality, integrity and availability of information, and the availability, reliability and trustworthiness of ICT services. Cyber security relates to the whole of cyberspace and is primarily concerned with protecting the lives, health and property of people and organisations, entire societies and nations.
Information Security Management System based on ISO/IEC 27001
Information and cyber security can be ensured using an Information Security Management System (ISMS) based on ISO/IEC 27001. ISO/IEC 27001 defines the requirements for organisations that wish to establish, implement, maintain and continually improve an ISMS. It creates an environment that resists the risk of loss, damage or other compromise of information and systems. It serves as a guide for continually reviewing the level of information and systems security, which contributes to the reliability and value of the organisation’s services.
Act No. 181/2014 Coll., on Cyber Security
Act No. 181/2014 Coll., on Cyber Security (ZoKB) entered into force on 1 January 2015. It establishes the rights and obligations of persons and public authorities in the field of cyber security, unifies the rules and procedures for handling cyber security incidents, and contributes to improving their detection and increasing protection against their occurrence. The Act is accompanied by implementing legislation, in particular Decree No. 82/2018 Coll., on security measures, cyber security incidents, reactive measures and on establishing the formalities of submissions in the field of cyber security and data disposal (VoKB).
Digital Operational Resilience Act (DORA)
The DORA Regulation, Regulation (EU) 2022/2554, was adopted by the European Parliament and the Council of the European Union on 14 December 2022. It aims to harmonise and streamline regulations relating to ICT risk management and to ensure consistency and coherence across the EU. It requires financial sector entities to ensure that they are able to withstand, respond to and recover from all types of ICT-related incidents, risks and threats.
Trusted Information Security Assessment Exchange (TISAX®)
TISAX® is an assessment and exchange programme, based on the ISO/IEC 27001 standard, for information security assessments of companies in the automotive industry. Its aim is to ensure and optimise the exchange of information security assessment results between manufacturers and their suppliers in the automotive industry. It emphasises the secure processing of information from trading partners, prototype protection and data protection in accordance with the General Data Protection Regulation.
Benefits of ISMS for the organisation
- Increased credibility and competitiveness of the organisation
- Increased organisational resilience and reduced occurrence and consequences of incidents
- Efficient management of the organisation and higher return on investment
- Protection of critical information assets and reduction of business risks
- Compliance with legal, regulatory, contractual and other societal needs and expectations
Subject of our expert services
1 | Analysis of the existing system and ISMS project planning
Analysis of the context of the organisation and gap analysis of the current state • Development of an ISMS project plan
2 | Establishment and implementation of the ISMS
Identification and description of the boundaries and scope of the ISMS • Definition of the organisational structure, roles and responsibilities of individuals and relevant committees • Design of the information security policy • Setting up and documenting ISMS processes
3 | Information security risk management and controls management
Selection and documentation of risk management methodology • Identification, analysis and evaluation of risks • Selection of risk treatment options and controls • Preparation of Statement of Applicability (SOA) • Management of risk treatment plans
4 | Documentation of topic-specific policies and procedures
ISMS documentation structure design and management • Design and documentation of topic-specific policies and procedures • Support for the implementation of specific measures • Design and performance of training and awareness-raising activities
5 | Security testing and vulnerability management
Web application security testing • Infrastructure security testing • Social engineering practices testing • Vulnerability management
6 | Internal audit, supplier audit and certification audit support
Drafting and documentation of the ISMS internal audit charter • Drafting of the ISMS audit programme and planning of audit activities • Performance of internal audits and supplier audits • Support for follow-up activities and actions after the audit • Preparation for and support during the certification audit
Advanced GRC applications
The difficulty of executing ISMS processes increases with the size of the organisation and the maturity of the ISMS and security controls. For complex organisations with complex management systems, we recommend using advanced modular tools.
More information can be found in the Applications section.
Quality of our services
When providing consulting services, we apply the quality standards for consultancy services based on ISO 20700, for information security based on ISO/IEC 27001 and for project management based on ISO 21502.
Competences of our consultants:
- Certified ISO/IEC 27001 Lead Implementer *
- Certified ISO/IEC 27005 Lead Risk Manager *
- Certified ISO/IEC 27002 Lead Manager
When conducting an internal audit (first-party audit) or second-party audit, the best practice of auditing management systems, as defined in ISO 19011, ISO/IEC 27007 and other relevant standards, is applied.
Competences of our auditors:
- Certified ISO/IEC 27001 Lead Auditor *
* NOTE: ISO/IEC 17024 accredited or relevant ISACA certification.