TUV SUD in EEU countries
Information Security

It is hard to imagine today's business without information technology and the large volumes of data it handles: internal critical information as well as clients' and partners' information.

The level of security a company can maintain for such information has a direct impact on its competitive strength and bottom line.

The range of information security challenges keeps growing and includes both internal threats (data leakage caused by users, misuse of information and of processing tools, etc.) and external ones, such as competitive intelligence and interception of information transferred over insecure channels.

Adopting a comprehensive information security management system that combines organizational and technological safeguards and controls gives the organization an adequate and demonstrable level of data protection.

Our services are designed to let you verify at any time that your information security management system is effective, and to correct any deviations and non-conformities in a timely manner.

Our information security services include:

Gap Analysis for Information Security Compliance

As part of this service, our experts audit the customer's information security management system for compliance with the applicable information security requirements.

The following requirements can be included in the audit scope:

  • International information security standards and best practices (ISO/IEC 27001, ISO/IEC 27018, ISO/IEC 27031, etc.).
  • Legislative and regulatory requirements.
  • Shareholders' and holding companies' requirements (corporate regulations and standards).
  • Clients' and partners' requirements in the field of information security.
  • Internal information security requirements.

The gap analysis is strongly recommended if:

  • You are going to introduce an information security management system and later certify its compliance with international standards, and you need to establish its current level of compliance with the standards you have selected.
  • You have already launched a project to create an information security management system in line with international standards, but you have doubts about the design of some processes or their compliance with the standards and requirements you selected.
  • You are going to do business with new customers and partners who require you to meet their expectations in the field of information security.
  • Your company is going through reorganization and/or your shareholders and holding companies are imposing new information security requirements on your company.
  • You have recently joined the company and would like to assess the compliance of the company's information security management processes with the relevant internal requirements.

The gap analysis establishes your current level of compliance with the relevant requirements, and its findings feed directly into an action plan for meeting the applicable set of standards.

The gap analysis procedure comprises the following steps:

  • Defining the audit scope (sites, business processes, business units, etc.), and the methods and duration of the audit;
  • Drawing up and agreeing a gap analysis plan;
  • Performing the gap analysis on site;
  • Preparing a report on the gap analysis findings.

ISO/IEC 27001:2013 Compliance Certification

ISO/IEC 27001:2013 is the de facto standard for information security management. Its requirements can be applied by any organization regardless of its industry, business area or the technology it uses.

The adoption of an information security management system compliant with ISO/IEC 27001:2013 makes it possible to:

  • Optimize information security costs.
  • Minimize the potential damage to the organization's assets if a threat materializes.
  • Reduce information security OpEx by making information security more transparent.
  • Ensure that the information security level is in line with legislation, industry regulations, contractual requirements, internal rules and business goals.

The ISO/IEC 27001:2013 certification is strongly recommended if:

  • You provide services to your customers. This is especially important if those services involve processing your customers' critical information, for example banking, insurance, outsourcing or consulting services. ISO/IEC 27001:2013 certification will help you gain your customers' trust in the services you offer.
  • You do business with large partner companies, including foreign ones, and your interactions with them are both frequent and extensive. An ISO/IEC 27001:2013 compliance certificate strengthens their confidence in your company.
  • You are planning to enter the global market. ISO/IEC 27001:2013 certification is an effective way to build the confidence of new foreign partners and customers in your company.
  • You are planning an IPO. ISO/IEC 27001:2013 certification supports your company's valuation and makes its information security management processes more transparent.
  • You are a public company. By supporting the company's valuation and the transparency of its information security management processes, ISO/IEC 27001:2013 certification makes financial audits easier to handle.
  • You are doing business in a highly competitive market. ISO/IEC 27001:2013 certification delivers marketing and competitive advantages that help you stand out from other market players.
  • You hold business-critical non-public information (know-how, proprietary developments, etc.). With ISO/IEC 27001:2013 certification, you obtain an independent external assessment and verification of the effectiveness of the processes you use to manage and protect your business-critical information.
  • You interact frequently with regulators and other inspection authorities. An ISO/IEC 27001:2013 compliance certificate gives you more confidence during regulators' audits and inspections, and sometimes even simplifies those procedures.

We offer services on certification audits for compliance with ISO/IEC 27001:2013 requirements. Further information is available in the ISO 27001 CERTIFICATION section.

Training in Information Security Management and ISO/IEC 27001:2013 Requirements

Further information about our information security training courses is available on the web page Our Training Courses.

 

Analysis and Assessment of Information Security Risks

Information security risk management is a core process within the information security management system. Sitting at the interface between the strategic and tactical tiers of information security management, it links business decision making with information security and enables you to:

  • Determine the level of criticality of the organization's information assets, including its business processes and data;
  • Identify areas of vulnerability in the organization's infrastructure;
  • Prioritize the activities intended to ensure information security;
  • Draw up and justify the information security budget.

The procedure for identifying and assessing information security risks involves:

  • Agreeing the information security risk analysis and assessment method with the customer;
  • Determining the scope of the information security risk analysis and assessment;
  • Collecting input data on business processes, information assets and the protection measures applied;
  • Analyzing and assessing information security risks using an automated risk analysis system;
  • Generating a report on the findings of the information security risk analysis and assessment.
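The following is an added worked example, not TUV SUD's tooling or method, of what the four outcomes listed above (asset criticality, vulnerable areas, prioritization, budget justification) look like once they are put into a risk register. It assumes a simple qualitative scheme in the style commonly used with ISO/IEC 27005: each asset is rated 1 to 5 for confidentiality, integrity and availability, its criticality is the highest of the three, each threat/vulnerability scenario gets a likelihood of 1 to 5, and the risk score is criticality multiplied by likelihood. The scales, the acceptance threshold of 8, the sample assets, scenarios and treatment costs are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

SCALE = range(1, 6)  # qualitative 1 (negligible) .. 5 (critical); constructed assumption


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale early: a typo here silently skews every score.
        for v in (self.confidentiality, self.integrity, self.availability):
            if v not in SCALE:
                raise ValueError(f"{self.name}: rating {v} outside 1..5")

    def criticality(self) -> int:
        # The asset is as critical as its most sensitive security property.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Scenario:
    asset: str            # name of the Asset it applies to
    threat: str
    vulnerability: str
    likelihood: int       # 1..5
    treatment: str
    treatment_cost: int   # constructed, in thousands of currency units

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE:
            raise ValueError(f"{self.threat}: likelihood {self.likelihood} outside 1..5")


def risk_level(score: int) -> str:
    """Map a 1..25 score onto the three bands used for reporting (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(assets: List[Asset], scenarios: List[Scenario], acceptance: int = 8) -> List[Dict]:
    """Score every scenario, sort by risk, and flag those at or above the acceptance threshold."""
    by_name = {a.name: a for a in assets}
    register = []
    for s in scenarios:
        asset = by_name[s.asset]  # KeyError here means the scenario names an unknown asset
        score = asset.criticality() * s.likelihood
        register.append({
            "asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
            "criticality": asset.criticality(), "likelihood": s.likelihood,
            "score": score, "level": risk_level(score),
            "treat": score >= acceptance, "treatment": s.treatment, "cost": s.treatment_cost,
        })
    register.sort(key=lambda r: r["score"], reverse=True)  # highest risk first = priority order
    return register


def treatment_budget(register: List[Dict]) -> int:
    """Budget justification: the cost of the treatments for every risk that is not accepted."""
    return sum(r["cost"] for r in register if r["treat"])


# Constructed sample input (not real customer data).
ASSETS = [
    Asset("Customer database", confidentiality=5, integrity=4, availability=3),
    Asset("Public website", confidentiality=1, integrity=3, availability=4),
    Asset("Internal wiki", confidentiality=2, integrity=2, availability=2),
]
SCENARIOS = [
    Scenario("Customer database", "SQL injection by external attacker",
             "unvalidated input in web application", 4, "parameterised queries and input validation", 40),
    Scenario("Customer database", "backup media lost in transit",
             "backups are not encrypted", 2, "encrypt backups before shipping", 15),
    Scenario("Public website", "volumetric DDoS",
             "no upstream traffic filtering", 3, "contract upstream DDoS filtering", 25),
    Scenario("Internal wiki", "disk failure",
             "single disk, no redundancy", 3, "add mirrored disk", 3),
]

if __name__ == "__main__":
    register = assess(ASSETS, SCENARIOS)
    for r in register:
        action = "TREAT " if r["treat"] else "accept"
        print(f'{r["score"]:>2} {r["level"]:<6} {action} {r["asset"]}: {r["threat"]} -> {r["treatment"]}')
    print("treatment budget:", treatment_budget(register))
```

Sorting the register by score gives the prioritized list of activities; summing the costs of the non-accepted risks gives a budget figure that is traceable to specific scenarios, which is what management needs to see when the budget is challenged.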

Instrumental Vulnerability Analysis and Penetration Testing

We provide instrumental vulnerability analysis and penetration testing services, covering both internal and external scanning and penetration tests.

  • External penetration testing is carried out over the Internet to detect and analyze vulnerabilities on the external perimeter of the customer's corporate networks.
  • Internal penetration testing is conducted from a mobile workstation connected to the customer's local network to detect and analyze technical vulnerabilities in the internal information systems.

These services follow internationally recognized methodologies for this kind of work, including OSSTMM v3.0 and the OWASP Testing Guide v3.
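As an added illustration of the first step of the external test described above (not TUV SUD's own tooling), the following Python script performs a TCP connect scan of a target host, grabs the banner each open service sends, and flags banners that disclose a product version for follow-up against vendor advisories. Everything it talks to is constructed: a stand-in service is started on 127.0.0.1 so the script runs offline, and the banner string is made up. Real engagements use dedicated scanners, and both the target list and the port list must come from the written scope agreed with the customer.

```python
import re
import socket
import threading
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class PortResult:
    port: int
    open: bool
    banner: Optional[str] = None


def grab_banner(sock: socket.socket, timeout: float = 1.0) -> Optional[str]:
    """Read whatever the service volunteers on connect (SSH, SMTP, FTP do this)."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(256)
    except (socket.timeout, OSError):
        return None
    return data.decode("utf-8", errors="replace").strip() or None


def scan_host(host: str, ports: List[int], timeout: float = 1.0) -> List[PortResult]:
    """Full TCP connect scan: a completed handshake means the port is open."""
    results = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                results.append(PortResult(port, True, grab_banner(s, timeout)))
        except OSError:  # refused, filtered (timeout) or unreachable
            results.append(PortResult(port, False))
    return results


VERSION_RE = re.compile(r"\d+\.\d+")  # crude: any dotted number in a banner


def findings(results: List[PortResult]) -> List[str]:
    """Turn scan results into review items; no vulnerability is asserted, only disclosure."""
    out = []
    for r in results:
        if not r.open:
            continue
        if r.banner and VERSION_RE.search(r.banner):
            out.append(f"{r.port}/tcp open, banner discloses product/version {r.banner!r}: "
                       "check vendor advisories for this version")
        else:
            out.append(f"{r.port}/tcp open, no banner: identify the service manually")
    return out


def run_fake_service(banner: bytes) -> Tuple[int, Callable[[], None]]:
    """Constructed stand-in for a perimeter host: listens on 127.0.0.1 and sends a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free one
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def free_closed_port() -> int:
    """Pick a port that is (almost certainly) closed on localhost."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> List[PortResult]:
    """Scan one open (fake SSH, constructed banner) and one closed port on localhost."""
    open_port, stop = run_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    closed_port = free_closed_port()
    try:
        return scan_host("127.0.0.1", [open_port, closed_port])
    finally:
        stop()


if __name__ == "__main__":
    for line in findings(demo()):
        print(line)
```

The important design point is the separation between what the scanner observes (port state, banner text) and what the tester concludes: a version string in a banner is a lead for manual verification against advisories and for the later exploitation phase, not a finding in itself.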