Implementation

Combitech can help develop and implement a cyber security standard, framework or regulation and can assist an organisation with achieving compliance or a certification of the implementation. Combitech can provide guidance on, for example, ISO 27001/2, ISO 22301, PCI DSS, NIS, NIST SP800-53 & CSF, CMMC, GDPR or other standards/regulations. Our way of working with compliance in cases with multiple security requirements, as well as our method of implementing new requirements, is presented in the following sections.

Combitech’s service within Compliance

Combitech adopts a holistic perspective by combining our expertise within different areas of cyber security to aid our customers, in the best way possible, in adapting to new cyber security requirements. We often work with governance, risk and compliance as a whole, since governance work is a preparatory activity for reaching compliance. All our work within cyber security is conducted systematically, risk-based and with a long-term perspective. It is of the utmost importance not to view compliance-based security as a tick-the-box exercise. Therefore, Combitech offers a combination of our expertise in order to follow up on the effectiveness of the implemented security measures. Without any follow-up, we cannot consider ourselves to be risk-conscious, which makes it difficult to make the correct strategic decisions.

How is an implementation performed?

The implementation work will always be iterative to meet the objectives of the project and to achieve the level of compliance required by the customer. The following illustration is Combitech’s view on implementation, where each step is briefly described:

Foundation

  • Within this step we will conduct different analyses in order to set the foundation for the implementation work.

Compliance

  • The iterative compliance block consists of three different steps: Build & Govern, Test and Validate. Initially, we implement the security measures, both operational and technical, required by the applicable standard/regulation/framework. Thereafter, we perform technical assessments of the implemented measures and lastly perform operational validations and checks of the implemented security measures.
  • The content of each step will vary from one iteration to the next, as the process is iterative. Results from both the Test and Validate steps are used to improve the compliance work by identifying areas of improvement. Within the Build & Govern step, security measures for monitoring can be implemented, and the outcome from these should also be considered when improving the implementation.

Audit

  • The last part of the model consists of audits. The audit activities should be performed in parallel with the compliance steps to improve the implementation. If the customer aims to certify against the applicable standard or framework, we can assist with a pre-audit based on the audit that a certification body will perform.
