ISMS, ISO 27001, risk management.
Information security management system from scratch or against your existing baseline. ISO 27001 certification preparation and audit support.
SERVICE PRACTICE · CYBERSECURITY
ISMS, ISO 27001 and NIS2 controls.
We design and operate the information security management system, prepare you for ISO 27001 certification, and implement the technical and organisational controls NIS2 requires. Penetration testing, security operations, and audit-ready evidence included.
SOC.DESK · LAST 30 DAYS● LIVE
Security incidents triagedavg 22 min47
Vulnerabilities remediated128
Patches deployed across estate342
Phishing simulations sent3.1% click rate2,840
Third-party security reviews11
Access reviews completed76
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHAT WE COVER
Security stack.
Controls, testing, monitoring.
Network segmentation, identity and access, endpoint protection, vulnerability management, penetration testing, security operations.
Article 21 measures and reporting.
NIS2 governance, risk assessment, supply chain security, incident handling, and the 24-hour CERT plus 72-hour authority reporting workflow.
IMPORTANT ENTITIES
Up to €7M or 1.4% turnover
NIS2 Article 34 administrative fines for governance and reporting failures.
ESSENTIAL ENTITIES
Up to €10M or 2% turnover
NIS2 Article 34 maximum tier. Plus personal liability of management bodies under Article 20.
§ 02 / FRAMEWORK MAPPING
ISO 27001 and NIS2.
ISO 27001 ANNEX A · CONTROL GROUPS
A.5Organisational controlsPolicies, roles, responsibilities, supplier relationships.
A.6People controlsBackground screening, awareness, disciplinary process.
A.7Physical controlsPremises, equipment, clear desk, secure disposal.
A.8Technological controlsAccess, cryptography, secure development, logging.
NIS2 ARTICLE 21 · MEASURES
Art. 21(a)Risk analysis and policyDocumented information security policy and risk approach.
Art. 21(b)Incident handlingDetection, response, recovery procedures and capability.
Art. 21(c)Business continuityBackup management, disaster recovery, crisis communication.
Art. 21(d)Supply chain securitySecurity of network and information systems acquisition.
Art. 21(e-j)Technical measuresCryptography, access control, MFA, secure communications, vulnerability handling.
§ 03 / ENGAGEMENT MODELS
Engagement models.
ISMSMOST POPULAR
ISMS Programme and ISO 27001
Build the information security management system from scratch or remediate an existing baseline. Prepared for stage 1 and stage 2 certification audits.
- →ISO 27001 ISMS build
- →Statement of Applicability
- →Internal audit programme
- →Certification audit support
NIS24-6 MO
NIS2 Compliance Programme
NIS2 Article 21 implementation: governance, risk management, incident reporting workflow, supply chain security, technical measures.
- →Article 21 measures
- →Incident reporting workflow
- →Supply chain controls
- →Management training (Art. 20)
OPSMONTHLY
Security Operations Retainer
Ongoing security operations: vulnerability management, penetration testing cycle, awareness, third-party reviews, monthly security council.
- →Quarterly pen-tests
- →Awareness and phishing programme
- →Vulnerability cadence
- →Monthly security council
§ 04 / SCOPE
Scope of work.
01 / 04
Programme and governance
- ISMS scope and policies
- Statement of Applicability
- Roles and responsibilities (RACI)
- Internal audit programme
- Management reviews and reporting
02 / 04
Risk and controls
- Risk assessment methodology
- Asset and information inventory
- Annex A control implementation
- Cryptography and key management
- Access control and identity
03 / 04
Operations and testing
- Vulnerability management
- Penetration testing cycle
- Incident detection and response
- Backup and recovery testing
- Logging and monitoring
04 / 04
People and third parties
- Security awareness curriculum
- Phishing simulations
- Supplier and contract reviews
- Management training (NIS2 Art. 20)
- Authority correspondence
§ 05 / SECURITY OPERATIONSSee sample monthly readoutPDF · 5 PP
Continuous security operations.
Security needs continuous operation between certification cycles. The retainer covers vulnerability management, awareness, third-party reviews and the monthly security council where the executive reads the current state.
Vulnerability triage
24 h
Critical patch SLA
72 h
Quarterly pen-test
Included
Authority reporting
We file
SAMPLE.MONTHLY.READOUTOCT 2026
Incidents triaged47 / 47 in SLA
Vulnerabilities open12 medium · 0 critical
Patches deployed342
Phishing tests2,840 sent · 3.1% click
Third-party reviews11 / 11 in cycle
Authority correspondence1 voluntary submission
SIGNED. JELENA NOVAK, PARTNER. CYBERSECURITY AND NIS2
§ 06 / SELECTED WORK
All case studies →Recent engagements.
CASE 01Tier-2 EU bank
ISO 27001 certification across 11 critical functions on first attempt.
11
Critical functions
9 mo
Time to cert
0
Audit findings
SCOPEISO 27001 · ISMS · Internal audit
CASE 02Energy operator · Essential entity
NIS2 Article 21 implemented before the national deadline.
34
Sites covered
5 mo
Time to compliance
0
Critical findings
SCOPENIS2 · ISMS · Supply chain controls
CASE 03SaaS · 200-person
Security operations retainer with quarterly pen-tests and awareness programme.
4
Pen-tests / year
3.1%
Click rate
47
Vendors reviewed
SCOPESecurity Operations · Pen-test · Awareness
§ 07 / WHY THIS MATTERS
Threat landscape.
€4.45M
Average cost of a data breach in the EU (2024)
277 d
Average time to identify and contain a breach
83%
Of breaches involve a human element
24 h
NIS2 Article 23 early-warning window
TREND 01
Boards are personally accountable under NIS2
Article 20 makes management bodies responsible for approving the cyber risk-management measures and overseeing implementation. Personal liability is now on the table.
TREND 02
Supply chain is the new attack surface
Article 21(d) explicitly requires assessment of suppliers and direct service providers. Authorities expect documented vendor reviews.
TREND 03
AI changes phishing economics
Generative AI lowers the cost of targeted phishing dramatically. Quarterly simulations and role-based training are now table stakes.
§ 08 / FAQ
Common questions.
01Do we need ISO 27001 if we comply with NIS2?+
No. NIS2 does not mandate ISO 27001. The two frameworks overlap heavily in Annex A controls and NIS2 Article 21 measures, so a single ISMS programme satisfies both, but certification is a business decision driven by customers and tender requirements.
02How long does ISO 27001 certification take?+
6 to 9 months for a typical mid-market organisation. Two months on scope and risk, three months on control implementation, two months on internal audit and management review, then stage 1 plus stage 2 certification audits.
03Do you do penetration testing in-house?+
Yes. Our pen-test team is internal, ENISA-aligned, and rotates between offensive and defensive engagements. Reports include CVSS scoring, exploit narrative, and remediation guidance.
04Can you cover NIS2 obligations across multiple jurisdictions?+
Yes. We deliver NIS2 programmes across 11 EU jurisdictions. The Article 21 measures are harmonised at EU level; reporting and supervisory contact differ by member state.
05What happens when an incident hits?+
We triage on a 24-hour SLA, advise on the 24-hour CERT warning and 72-hour notification, draft the regulator submission, and coordinate the crisis team. Pre-incident playbooks are part of the retainer.
06Will you work with our existing security vendors?+
Yes. We are vendor-neutral. We integrate with your existing SIEM, EDR, ticketing, and DLP rather than replacing them. Tool selection is documented but not driven by us.
§ 09 / RESOURCES
Templates and guides.
GUIDEPDF · 32 pages
NIS2 Implementation Guide
Article 21 measures translated into 60 practical controls with mapping to ISO 27001 Annex A.
Download ↓EMAIL REQUIRED
GUIDEPDF · 24 pages
ISO 27001 Roadmap
Phased plan from scope statement through certification audit. Realistic milestones for mid-market organisations.
Download ↓EMAIL REQUIRED
TEMPLATEPDF + DOCX
Incident Response Playbook
Procedures aligned with NIS2 Articles 23 and GDPR Article 33. Including authority notification templates.
Download ↓EMAIL REQUIRED
§ 10 / RELATED PRACTICES
Related practices.
NIS2 Compliance
Article 21 measures, incident reporting workflow, management training under Article 20.
Open practice →Data Protection and GDPR
Same incident, two clocks. GDPR Article 33 layers a 72-hour notification on top of the NIS2 24-hour CERT warning.
Open practice →Incident Response
Pre-built breach playbooks, authority notification templates, crisis-team coordination.
Open practice →11 / GET STARTED
Start your security programme.
Free initial meeting. Clear next steps. Indicative pricing within one business day.