Comprehensive Cybersecurity Support

Governance, Risk, and Compliance: how to implement security governance?

Among the cybersecurity solutions, establishing and implementing cybersecurity governance is essential to protect the data of the company and its customers. Among our clients, we have observed 3 main reasons that lead them to seek support from the Fidens teams in this process:

  1. Data security: implementing appropriate security measures to protect this data against hacker attacks.
  2. Regulatory compliance: many laws and regulations require companies to protect the data of their customers and employees. The company must comply with these rules.
  3. Business continuity: in the event of a cyberattack, a company may be disrupted or even paralyzed. Governance can help minimize the impact of an incident.

Establish a framework for managing regulatory requirements

Get support for your certifications ISO 27001 / ISO 27701 / HDS / GDPR

Whether to meet your partners’ requirements, facilitate the security management of sensitive assets, or simply protect your data, we can support you in choosing to adopt a generic framework such as the ISO/IEC 27001 family of standards or standards required by the relevant regulatory bodies, such as Health Data Hosting (HDS), the Payment Card Industry Data Security Standard (PCI DSS), or the requirements imposed by the European Union’s General Data Protection Regulation (GDPR).

Fidens experts provide you with optimal support throughout each phase of the project and help you maximize your chances of obtaining these demanding and internationally recognized certifications.

ISO 27001

The ISO 27001 standard is the international benchmark for cybersecurity. Based on normative requirements, it enables the implementation of an Information Security Management System (ISMS) and helps protect the core of your business while enhancing your organization’s reputation.

ISO 27701

An extension of ISO 27001, ISO 27701 enables organizations to align information security requirements with those applicable to privacy protection. Once your organization is certified, you will provide proof of compliance with the requirements and recommendations for protecting personal data to your clients, authorities, and the general public.

HDS

Health Data Hosting (HDS) certification is based on the ISO 27001 standard and includes additional measures related to the protection of health data and respect for patients’ rights.

GDPR

The GDPR, or General Data Protection Regulation, is a European regulation. It establishes a legal framework for all companies and organizations that process personal data regarding the collection, processing, and protection of personal data.

NIS2 Directive

Comply with the directive

Starting October 18, 2024, the NIS2 Directive will impose new obligations to strengthen the security of networks and information systems in Europe. It expands its scope to more than 10,000 entities, including Operators of Essential Services (OES), Essential Entities (EE), and Important Entities (IE) in critical sectors such as energy, healthcare, transportation, and public administration.

At Fidens, we support you in achieving NIS2 compliance. Our experts help you identify your critical systems, map your information system, and apply cybersecurity best practices. By integrating NIS2 with ISO/IEC 27001 standards and the GDPR, we ensure a high level of security and compliance.

Is your organization affected by the NIS 2 Directive? Check now!

Check in 2 minutes whether your entity needs to comply with NIS2 and get personalized recommendations.

An information system security policy to define its governance

Implement your security governance

As part of an ISO 27001 certification project, or more simply to document existing or future security processes, the Fidens teams support you in drafting the various Cybersecurity policies and procedures.

Our experts draft your Information System Security Policy (ISSP) while taking into account your organization’s context and challenges. Following an audit, they support you in creating your IS security master plan. For each discrepancy, nonconformity, or vulnerability identified, appropriate corrective actions should be taken. These actions will form your detailed action plan for the coming months or years.

Risk-Based Vulnerability Management

Apply the EBIOS Risk Manager risk analysis method

This innovative and collaborative methodology launched by ANSSI positions digital security at the level of companies’ strategic challenges. Conducting a risk assessment is a fundamental and essential step in implementing cybersecurity best practices. EBIOS Risk Manager makes it possible to define the appropriate level of security for the information system based on business and customer needs.

Risk analysis, the core of ANSSI’s framework, also makes it possible to present Executive Management with a cybersecurity risk map and define the associated treatment plan. It enables leaders to assess cyber risks at the appropriate level, on the same footing as the strategic, financial, and/or human resources risks organizations face.

Designed to be tested, improved, and discussed, this dynamic approach is structured around 5 workshops:

  1. Scope and security baseline: based on security frameworks relevant to the state of the art and regulations
  2. Risk sources: assessing intentional and targeted threats that are dangerous to this baseline
  3. Strategic scenarios
  4. Operational scenarios
  5. Risk treatment

To strengthen your knowledge and discover the use cases for this method, we also invite you to go further by becoming certified as an EBIOS Risk Manager through our training courses offered by our experts.

Risk analysis is also the fundamental first step in any information system accreditation process, depending on the regulatory context. Whether your organization is an Operator of Vital Importance (OIV) or an Essential Services Operator (OSE), whether you own Restricted Distribution (DR) information systems or are subject to the General Security Framework (RGS), accreditation of the information system concerned is mandatory.

In this context, our team supports you through every stage of accrediting your systems, applying ANSSI recommendations according to the 9 recommended steps. The goal is to assess the so-called “acceptable” risk and evaluate security costs so that an authorized manager can determine the right balance between the two.

Compliance with the General Data Protection Regulation

Benefit from tailored support to become GDPR compliant

Today, the GDPR and compliance with various legal frameworks are a priority for companies collecting personal data from European Union residents. As part of your compliance process, our experts work with you to map all of your personal data processing activities.

We then complete our GDPR assessment, based on a document review and interviews with your employees to identify how data is used both internally and externally. This makes it possible to create the record of processing activities in order to better assess and manage risks related to data confidentiality and integrity.

Finally, an action plan is established to achieve GDPR compliance. This prioritized action plan includes the technical, organizational, and/or documentation measures to be implemented.

GDPR: support for legal compliance

Legal support

  • Development of processing maps and records
  • Drafting of policies and procedures:
    • Procedure in the event of a data breach
    • Procedure for managing the rights of data subjects
    • Data protection policy
    • IT policy
    • CNIL procedure
  • Conducting data protection impact assessments (DPIAs)
  • Legal monitoring
  • Awareness training

GDPR: support for security compliance

Cybersecurity Support

  • Integrating data protection into projects
  • Change management
  • Drafting policies and procedures:
    • Information System Security Policy
    • Access management policy
    • Information protection
  • Training and awareness
  • Secure development

Also take advantage of our “annual legal watch” package covering changes in regulatory and legal texts, as well as key news and case law related to information systems, personal data, and health data.

If you do not have the expertise or a dedicated budget, we can also support you by outsourcing your DPO (Data Protection Officer) in order to manage these GDPR compliance issues or other regulations relating to data protection.

Legal Certifications and Cybersecurity

Get your certifications faster by contacting our Cybersecurity experts now

A backup plan in a cybersecurity context

Define your disaster recovery and business continuity strategy (DRP and BCP)

With cyber risks on the rise, there are many examples of companies that have not survived a failure of their security system following a malicious act. Data corruption, phishing, intrusion attempts, natural disasters, human error… so many threats that can jeopardize a company’s vital assets and threaten its survival.

To best anticipate these types of situations, it is important to prepare for them with both a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), as they do not cover the same scope.

The DRP implements the human and material resources needed to enable the company to deal with a major IT incident, plan for the urgent restoration of systems and applications, and limit data loss. The BCP, for its part, refers to all the strategies, processes, and organizational measures designed to ensure the company’s vital functions in the event of crises (natural, health, energy-related risks, etc.) and to switch application systems to an environment without data loss.

The objective of these plans is to anticipate the actions to be implemented in order to minimize the consequences of unavailability. Here is how we propose proceeding:

  1. Following the identification of your critical activities, our cybersecurity experts support you in carrying out Business Impact Analyses (BIAs) by determining, together with your teams, the maximum acceptable level of impact on your organization.
  2. The next step in the business continuity strategy is to draft a crisis management procedure that can be tested during a simulation exercise to operationally validate the DRP / BCP processes.

In addition, Fidens experts can support you in your ISO 22301 certification project: Business Continuity Management System.


Quickly strengthen the security of your information system with our preventive measures guide

Even today, nearly 50% of executives are not aware that their company will sooner or later experience a cyberattack. And it’s better to be prepared!

Any questions? Want to learn more?
Contact our Cybersecurity experts