Governance, Risk & Compliance

NIS2 Directive (EU)

Cyber attacks are becoming more frequent, particularly targeting critical infrastructure with potentially severe real-world consequences. To enhance the security of Europe’s essential services, the Network and Information Security Systems Directive (NIS 2) has been introduced. Member states are required to incorporate NIS 2 into their national laws by October 17, 2024. These new regulations will take effect on October 18, 2024, replacing the existing laws established under the first NIS Directive.

We help our clients align with the NIS2 standard by providing the following services:

• Risk assessment and analysis: We assess your organisation’s cyber security risks and identify areas where they need to improve.
• Security implementation: We help your customers implement the necessary minimum security controls to mitigate their risks.
• Training and awareness: We provide training to your organisation’s employees on cyber security best practices.
• 24/7 Monitoring & Incident response: We will help your organisations to detect and respond to cyber security incidents in a timely and effective manner.
• Supply Chain Security Assessments: We assess and monitor your vendors’ compliance with the NIS2 standard to ensure that they are always up-to-date.

Our team of experienced cybersecurity compliance experts excel in international cyber security frameworks and standards. We are dedicated to ensuring our clients achieve and maintain compliance, while safeguarding their critical assets from cyber threats.

ISO 27001

We specialise in helping clients achieve certification or align with ISO/IEC 27001:2013/2022, an internationally recognized standard for best practices in Information Security Management Systems (ISMS). This certification is one of the most crucial standards for any organisation that manages information and data. Achieving accredited certification to ISO 27001 demonstrates your commitment to information security best practices and provides independent, expert verification that your information security is managed according to international standards and business objectives.

How we can help:

• Phased Approach:

  • Gap Analysis: Identify areas needing improvement.
  • Risk Assessment: Includes detailed Risk Assessment Reports and Risk Treatment Plans.
  • ISMS Alignment: Align your Information Security Management System with ISO 27001 requirements.
  • Implementation and Pre-Certification Audit: Prepare for final certification.

• Comprehensive Documentation:

  • Statement of Applicability
  • Organisation Overview
  • Information Security Policy
  • Business Continuity Management
  • Internal Audit Reports
  • Document Control Procedure
  • Corrective and Preventive Action Procedures
  • Internal Audit Procedure

• Proven Success: Our ISO 27001 clients have achieved a 100% success rate in certification by partnering with CommSec.

DORA – Digital Operations Resiliance Act

In today’s digitalised financial landscape, ensuring digital operational resilience is not just a choice but now a necessity by law. Complying with the Digital Operational Resilience Act (DORA) is a step forward in securing your financial institution against ICT-related risks.

The Digital Operational Resilience Act (DORA) is a new EU regulation that aims to strengthen the digital operational resilience of financial entities. It applies to a wide range of financial entities regulated by the Central Bank of Ireland, and introduces targeted rules on ICT risk management, incident management, testing, and third-party risk. DORA builds on existing Central Bank guidance on outsourcing, operational resilience, and IT and cybersecurity risks.

DORA is a significant piece of legislation that will have a major impact on the way financial entities manage their digital risks. Financial entities should start preparing for DORA now by reviewing their existing ICT risk management frameworks and processes. Source: Central Bank of Ireland

NCSC – Public Baseline Standards

CommSec help government, public bodies and their supply align with the NCSC public baseline cybersecurity standards by providing a comprehensive range of services, including:

• Risk assessment and analysis: We will assess your customers’ cybersecurity risks and identify areas where they need to improve, including their M365 security and mobile device security.
• Security implementation: We will help your customers implement the necessary security controls to mitigate their risks, such as implementing security policies and procedures, deploying security software, and training employees on cybersecurity best practices.
• M365 security assessment: We will assess your customers’ M365 environment to identify and fix security vulnerabilities.
• Mobile Device Security Management: We will help your customers manage their mobile devices securely, including deploying mobile device management (MDM) software, configuring security policies, and training employees on how to use mobile devices safely.
• Training and awareness: We will provide training to your customers’ employees on cybersecurity best practices, such as how to identify and report phishing emails, how to create strong passwords, and how to use security software effectively.
• Incident response: We will help your customers respond to cybersecurity incidents in a timely and effective manner.
• Compliance monitoring: We will monitor your customers’ compliance with the NCSC public baseline cybersecurity standards to ensure that they are always up-to-date.

We have a team of experienced cybersecurity professionals who are experts in the NCSC public baseline cybersecurity standards. We are committed to helping our customers achieve and maintain compliance with the standards, so that they can protect their critical assets from cyber threats.

GDPR/Data Protection

CommSec offer a broad range of services in relation to Data Protection. Many of our customers start with a comprehensive Data Protection Impact Assessment, conducted by one of our highly experienced Data Protection Consultants. The written report that follows provides a framework for continuously improving your Data Protection posture, including compliance with the General Data Protection Regulation (GDPR).

We also offer Training, including classroom and software options. Our classroom training empowers management and assigned Data Champions to communicate effectively and accurately with their teams. Software training solutions ensure that awareness is measured, employees working shifts or remotely are included, improvement metrics are reported and new hires are not missed.

Our DPO-as-a-Service offering is proving popular with customers who require a Data Protection Officer and where this is not a full-time role. Clients benefit from experienced, objective professionals who are skilled at board-level communication and have a track record of implementing effective Data Protection processes and practices, as well as associated documentation and audits. Finally, we offer the services of our Data Protection Consultants to provide support to the newly-appointed or under-resourced Data Protection Officer in many organisations.

PCI DSS Compliance

The Payment Card Industry Data Security Standards (PCI DSS) is a set of requirements for enhancing payment account data security. These standards were developed by the PCI Security Standards Council to facilitate industry wide adoption of consistent data security measures on a global basis.It applies to all businesses (not just retailers) that take credit and debit cards, regardless of size or transaction volume. Any business involved in the storage, processing and/or transmission of payment card numbers must comply. It doesn’t matter whether it’s an in store transaction or online, on a mobile device or via a desktop. Requirements for certification vary depending on the number of transactions an entity processes and the way they are processed.

How Can CommSec Help Ensure You Are PCI DSS Compliant?
Failure to meet PCI compliance standards can have a terrible knock on effect on your business, as the financial implications of a breach can destroy your brand and reputation very quickly. You can mitigate this risk by maintaining compliance and providing verification and certification as required by the industry.

CommSec can help you meet you maintain PCI compliance through our analysis of your transactional processing environment. We scan your network and web applications to look for potential vulnerabilities. The scan will identify any potential threats or weaknesses that may allow an attacker to gain access to your network and potentially compromise cardholder data.