Information & Cyber Security

Inspired by the principles set out in the ISO/IEC 27001 standard and in the NIST recommendations SP800-53 and SP800-171, our Information and Cyber Security activity allows you to build an information security management system and gain a clear view of your company's cyber exposure.

We provide specialist support at different stages of Information and Cyber Security management, taking into consideration the different aspects that affect information security, namely:

  1. Human resource management and training
  2. Relations with suppliers and third parties in general
  3. Documentary framework to support security and analysis processes
  4. Physical security
  5. Security of information locally and when shared/transmitted
  6. Secure development of systems and applications
  7. Vulnerability management
  8. Systems and networks management
  9. Management of cyber and information incidents in general
  10. Business continuity management
  11. Privacy compliance (GDPR)

In particular, we support you on:

1. Assessment AS-IS:

– Context definition and document analysis to identify the processes that have an influence on cyber security and their degree of formalisation

– Conducting a Gap Analysis in order to analyse the AS-IS situation regarding existing cyber security activities and highlight any criticalities

2. Drafting of a remediation plan:

– Formalisation of the information processes and assets (people, technologies and information) involved in each individual process in order to highlight any critical points

– Drafting of an improvement plan for existing cyber security processes

3. Support for the implementation of the improvement plan

– Specific activities to support the client in the evaluation and implementation of improvement actions

4. Gap analysis on specific perimeters or business processes

– Assessment of perimeter information security

– Definition of an adaptation plan for information security aspects

5. Evaluation of cloud services

– Security assessment of cloud provider

– Security assessment of cloud implementation of services to support corporate and business operations

6. Evaluation of services based on distributed IoT systems

– Risk analysis and overall security assessment of IoT-based service

– Security assessment of individual or groups of IoT components

7. Information & Cyber Security for SCADA and process control environments

– Gap analysis based on NIST 800-82 or ISO27019

– Drafting of Remediation Plan

– Support for the implementation of the improvement plan

8. Assessment and definition of security requirements of critical suppliers

– Support in defining contractual aspects with suppliers in the field of information security

– Definition of information and cyber security requirements of suppliers/partners

– Assessment of existing security measures of business-critical suppliers

Cyber Security is also a fundamental element of the Protection of Critical Infrastructures: the NIS Directive (EU 2016/1148) and its Italian transposition, DLgs 65/2018, impose a series of Cyber Security obligations on companies operating Critical Infrastructures.

In the United States too, achieving a high level of security for the networks, systems and information related to a Critical Infrastructure is now a priority, including for those who operate, produce or supply technologies and services to the US administration. All Federal Administrations are required to have a Cyber Security plan (Presidential Executive Order No. 13800), implemented according to the Cyber Security Framework defined by NIST (CSF v1.1).

Our experience in projects supporting the Protection of Critical Infrastructures and in the management of critical information makes GeRiCO a natural partner for organisations that want to address this commitment on a solid basis.

Compliance with specific sector regulations:

– Bank of Italy, ECB or FINMA recommendations in the banking sector

– Compliance with the GDPR in terms of data protection, carrying out a DPIA where necessary