Cibersecurity IT, Industrial and IoT

• Systems arquitecture.
• GAP analysis regarding best practices of the sector.
• Risk assessment (Identification, Analysis, Evaluation).
• Identification of the Agenda, Initiatives, Projects and Tasks.
• Security Master Plan (SMP).
• Management support.

NOTA: El ENS también es de aplicación a ciertas empresas proveedoras de las AAPP por ello se incluye aquí este servicio.

• Information Security Management System (ISMS) implementation.
• Determination of the organization’s context.
• Risk assessment (Identification, Analysis, Evaluation).
• Risk Treatment Plan (PTR).
• In company training, e-Learning and Performance appraisal.
• Definition of Switch panels and Risk Indicators (KRIs).
• Internal auditing.
• Management review.
• Consulting during the certification process.
• ISMS maintenance.

• Definition or update of the Security Plan.
• Record of the processed information, with its rating.
• Record of services provided, with its rating.
• Record of personal data.
• System category determination.
• Risk assessment (Identification, Analysis, Evaluation).
• Statement of applicability of the measures indicated in annex II of the ENS.
• Gap Analysis.
• Security Plan Improvement (SPI).

• Continuous improvement: Information Security Management System (ISMS) implementation required.
• Support to the Organizational framework Implantation.
• Support to the Operational Framework Implantation.
• Support to the Implantation of the Protection Measures.
• In company training, e-Learning and Performance appraisal.
• Definition of Switch panels and Risk Indicators (KRIs).
• Preparation for ENS certification.
• Consulting during the certification process.
• ISMS maintenance.

• Support to the CISO in the development of its functions at a strategic and operational level.
• Outsourcing of the CISO function as support to the CIO or CTO.
• Generation and Management of the Cybersecurity Strategy.
• Generation and Improvement of the Cybersecurity Government Framework.
• Alignment with legal, regulatory and contractual requirements.
• Support for internal and external audits.
• Monitoring of remediation plans until the end.
• Drafting of Compliance Reports and Recommendations.
• Active participation in the Security initiatives carried out in the Organization.

• Definition of multi-standard Incident Management procedures (GDPR, ENS, ISO 27001, PSD2, SREP, SWIFT, PCI-COUNCIL, VISA, MASTERCARD).
• Definition of Multi-standard Crisis Committees.
• Definition of Incident Triage and Escalation Procedures.
• Definition of Crisis Management Procedures.
• Definition of Communication Procedures (Regulators, Reference CSIRTs, Security Forces, Press, Social Media, Employees, Customers, Suppliers and other Interested Parties).
• Definition of Exercises and Tests.
• Internal audit of incident management processes.
• Alignment with best practices (ISO 27035, ENISA, NIST).
• Support for continuous improvement.
• In Project or Technical Office mode insite / offsite with continuous support.

• Professionals specifically certified in CSA-STAR.
• Proven experience in adaptation projects to CSA-STAR.
• Extension of the ISMS to the requirements of the Cloud Controls Matrix.
• Support for the Open Certification Framework Level 1: Self-assessment.
• Determination of Maturity: Bronze, Silver, Gold.
• Support for Open Certification Framework Level 2: Certification by Third Parties (certification entities). Proven experience in accompanying clients.
• Consulting during the Open Certification Framework Level 1: Continuous Monitoring-Based Certification.

• Professionals specifically certified in ISO 27018.
• Proven experience in adaptation projects to ISO 27018.
• Extension of the ISMS to the requirements of the ISO 27018.
• Determination of Responsibilities of the Cloud Data Processor (CDP).
• Determinants of the Cloud service typology (IaaS, PaaS, SaaS, hybrid models, software-defined, etc.).
• Consulting durinf the certification ISO 27001 – ISO 27018.

• Extensive verifiable experience in Unification of Risk Methodologies (PSD2, SREP, SecurePay and others).
• Extensive experience comparable to Unified Threat Catalogs.
• Extensive verifiable experience in unified Control Frames.
• Risk Assessment in PSD2 environments.
• Risk Assessment in environments with transactions under SecurePay scope.
• Scorecards and Key Risk Indicators (KRIs).
• Integration with GDPR / LOPDyGDD.
• Adaptation to requirements of Internal Control and Internal Audit.
• Support compliance with circulars and regulatory guidelines.

• Situational analysis of the state of Industrial Cybersecurity.
• Master Plans of Industrial Cybersecurity.
• Implementation of Industrial Cybersecurity Management Systems (SGCI).
• Modeling of Industrial Automation Architectures (ICS – Industrial Control Systems).
• Integration of Safety architectures.
• Plant survey: SCADA, DCS (Distributed Control Systems), PLCs.
• Implementation of ISA 99 guidelines.
• Adoption of IEC 62443 practices.
• Adoption of recommendations from sectoral agencies and regulators.

• Systems Architecture Maps, Components and Data Flow.
• Determination of legal, regulatory and contractual criteria that condition safety.
• Assessment (Identification, Analysis, Evaluation) of technological risk scenarios, depending on the technology.
• Assessment of legal risk scenarios based on technology.
• Determination of requirements for data-at-rest and data-in-motion protection.
• Analysis of systems cyber-resilience and maturity.

• Management system implantation.
• Context analysis.
• Process map IT in compliance with ISO 20000 / ITIL.
• In company training.
• Performance appraisal.
• Performance indicators identification.
• Internal auditing.
• Consulting during the certification process.
• Management system maintenance.

• Differential analysis.
• Implantation of the processes.
• Formación in company.
• In company training.
• Performance appraisal.
• Performance indicators identification.
• Internal auditing.
• Consulting during the certification process.
• Management system maintenance.