// CERTIFICATIONS

Our Certifications

OSCP, Red Team Operator, OSEP, ISO 27001 Auditor, eWPTX, eCPPTv2, CISSP

Why Is a Compliance Audit Essential?

The growing number of cybersecurity regulations, from NIS2 and DORA to the AI Act, places increasingly demanding requirements on organizations. Non-compliance brings not only the risk of financial penalties but, above all, threats to data security, business continuity and company reputation. Our experts help you navigate the regulatory landscape and implement the required security measures.

EUR 20M: maximum GDPR penalty (or 4% of global annual turnover, whichever is higher)
EUR 10M: maximum NIS2 penalty for essential entities (or 2% of global annual turnover, whichever is higher)
  • Gap Analysis — Non-Conformity Identification
  • Remediation Roadmap with Priorities
  • Regulatory Implementation Support
  • AI Governance & AI Act compliance
// AUDIT SCOPE

Regulations and Standards

We help organizations achieve and maintain compliance with the key cybersecurity regulations and standards listed below.

ISO 27001

ISO 27001 is the international information security management standard. We help implement an Information Security Management System (ISMS), prepare the organization for certification, and maintain compliance in a continuous improvement cycle. Our auditors hold ISO 27001 Lead Auditor certification.

  • Gap analysis against ISO 27001:2022 requirements
  • Development of security policies and procedures
  • Risk analysis and management (ISO 27005)
  • Implementation of required Annex A controls
  • Statement of Applicability (SoA)
  • Certification audit preparation
  • Surveillance audits and recertification support

NIS2 / KSC

The NIS2 Directive (Network and Information Security) and the Polish National Cybersecurity System Act (KSC) require essential and important entities to implement cyber risk management measures. Penalties for non-compliance can reach EUR 10 million or 2% of global annual turnover for essential entities (EUR 7 million or 1.4% for important entities), whichever is higher.

  • Verification whether the organization falls under NIS2/KSC
  • Cybersecurity maturity assessment (as-is)
  • Gap analysis against NIS2 requirements
  • Implementation of risk management measures (Art. 21)
  • Incident reporting processes (Art. 23: early warning within 24 hours, incident notification within 72 hours, final report within one month)
  • Supply chain security
  • KSC compliance audit and implementing regulations

DORA

The Digital Operational Resilience Act (DORA) is an EU regulation governing the digital operational resilience of the financial sector. It applies to banks, insurers, investment firms, payment institutions, and their critical ICT third-party providers. Requirements include ICT risk management, resilience testing, and incident reporting.

  • DORA compliance gap analysis
  • ICT risk management framework (Art. 5-16)
  • Incident classification and reporting procedures (Art. 17-23)
  • Digital operational resilience testing (Art. 24-27)
  • ICT third-party risk management (Art. 28-44)
  • Threat-Led Penetration Testing (TLPT, Art. 26-27)

MiCA

The Markets in Crypto-Assets Regulation (MiCA) is an EU regulation governing crypto-asset markets. It imposes cybersecurity, customer protection, and operational resilience obligations on crypto-asset service providers (CASPs). Providers must implement ICT security policies and are subject to supervisory oversight.

  • MiCA readiness assessment
  • ICT security policies for CASPs
  • Incident management procedures
  • Cryptographic key and wallet protection
  • Customer and fund protection mechanisms
  • CASP licensing preparation

GDPR (RODO)

The General Data Protection Regulation (GDPR) requires organizations to implement appropriate technical and organizational measures to protect personal data. We audit GDPR compliance from a cybersecurity perspective, verifying whether the implemented measures are adequate to the risk and satisfy the data protection by design and by default principle (Art. 25), commonly called privacy by design.

  • Audit of technical and organizational security measures (Art. 32)
  • Data Protection Impact Assessment (DPIA)
  • Encryption and pseudonymization verification
  • Personal data access control review
  • Breach notification procedures (Art. 33-34, including the 72-hour deadline for notifying the supervisory authority)
  • Privacy by Design and Privacy by Default
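The "pseudonymization verification" item above has a concrete test behind it. GDPR Art. 4(5) counts data as pseudonymized only when it can no longer be attributed to a person without additional information kept separately. A bare SHA-256 of an e-mail address does not meet that bar, because anyone holding the dataset can recompute the hash over guessable inputs; a keyed HMAC whose key is stored apart from the data does. The script below is an added example written for this page, not code from the original page or any product; the staff directory it uses as the attacker's dictionary is constructed, and the function names are ours.

```python
"""Audit check: can a 'pseudonymized' identifier be reversed by dictionary attack?"""
import hashlib
import hmac
import secrets


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: a deterministic function of a low-entropy, guessable input."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that lives in a separate secret store;
    the key is the 'additional information kept separately' of Art. 4(5)."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates, attacker_fn):
    """What an attacker (or the auditor) does with a leaked pseudonymized dataset:
    recompute whatever scheme they can reproduce over plausible identifiers and
    look for a token match. Returns the recovered identifier or None."""
    for cand in candidates:
        if hmac.compare_digest(attacker_fn(cand), token):
            return cand
    return None


def scheme_is_reversible(controller_fn, attacker_fn, known_ids, candidates) -> bool:
    """The controller pseudonymizes some known identifiers with controller_fn;
    the attacker, holding only the dataset and public knowledge (attacker_fn),
    tries to reverse them. True means the scheme fails the audit check."""
    return any(
        reverse_by_dictionary(controller_fn(i), candidates, attacker_fn) == i
        for i in known_ids
    )


# Constructed sample: a leaked staff list is exactly the dictionary an attacker would use.
DIRECTORY = [
    f"{first}.{last}@example.com"
    for first in ("anna", "jan", "piotr", "maria")
    for last in ("kowalska", "nowak", "wisniewski")
]
KNOWN = ["anna.kowalska@example.com", "jan.nowak@example.com"]

# Fresh demo key; in production it would come from an HSM or secrets manager,
# never from the same database as the pseudonymized records.
DEMO_KEY = secrets.token_bytes(32)


def keyed_demo(identifier: str) -> str:
    """Controller's keyed scheme bound to DEMO_KEY."""
    return keyed_pseudonym(identifier, DEMO_KEY)


if __name__ == "__main__":
    print("SHA-256 reversible by dictionary:", scheme_is_reversible(naive_pseudonym, naive_pseudonym, KNOWN, DIRECTORY))
    print("HMAC reversible without the key:", scheme_is_reversible(keyed_demo, naive_pseudonym, KNOWN, DIRECTORY))
    print("HMAC reversible with the key:   ", scheme_is_reversible(keyed_demo, keyed_demo, KNOWN, DIRECTORY))
```

The last line is the intended property, not a weakness: the controller can still re-identify a data subject when it needs to (for example to honour an access request), but only through the separately held key, which is what makes the dataset pseudonymized rather than anonymized. An auditor should therefore ask where that key is stored and who can read it.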

CIS Benchmarks

CIS Benchmarks are globally recognized security configuration guidelines developed by the Center for Internet Security. We conduct detailed CIS Benchmark compliance audits for operating systems, databases, clouds, containers, and network devices, combining automated scanning with manual verification, since some recommendations cannot be checked reliably by a scanner.

  • Windows Server, Linux (Ubuntu, RHEL, CentOS)
  • AWS, Azure, GCP — CIS Cloud Benchmarks
  • Docker, Kubernetes — Container Security
  • Oracle, MS SQL, PostgreSQL, MySQL
  • Cisco, Palo Alto, Fortinet — Network Devices
  • Apache, Nginx, IIS — Web Servers
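To make the "automated and manual" distinction concrete, here is an added example written for this page (not the CIS-CAT assessor, not code from the original page, and not the published benchmark text) that evaluates a handful of CIS-style SSH recommendations against an sshd_config extract. The expected values are modelled on common CIS Linux benchmark items and are an assumption; exact item numbers and thresholds vary by distribution and benchmark version. The config it parses is constructed. It reproduces two sshd rules that trip naive grep-based scanners: the first occurrence of a keyword wins, and anything after a Match block is conditional, not global.

```python
"""Offline CIS-style check of an sshd_config extract."""
import re

# keyword (lower-cased) -> (display name, predicate on the lower-cased value)
# Thresholds are an assumption modelled on common CIS Linux SSH items.
CHECKS = {
    "permitrootlogin":      ("PermitRootLogin",      lambda v: v == "no"),
    "permitemptypasswords": ("PermitEmptyPasswords", lambda v: v == "no"),
    "maxauthtries":         ("MaxAuthTries",         lambda v: v.isdigit() and int(v) <= 4),
    "x11forwarding":        ("X11Forwarding",        lambda v: v == "no"),
    "loglevel":             ("LogLevel",             lambda v: v in {"info", "verbose"}),
    "ignorerhosts":         ("IgnoreRhosts",         lambda v: v == "yes"),
}


def parse_sshd_config(text):
    """Return the effective *global* settings using sshd's own rules:
    keywords are case-insensitive, the FIRST value seen for a keyword wins
    (later duplicates are ignored, a classic source of false "fixed" findings),
    and everything from the first Match block onward is conditional, so it is
    not counted as a global setting."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd(text):
    """Evaluate CHECKS; returns {name: (status, value)} with status PASS, FAIL
    or MANUAL. MANUAL means the keyword is absent (the compiled-in default
    applies) or an Include pulls in files we cannot see offline; both must be
    resolved on the host with `sshd -T`, which prints the effective config."""
    cfg = parse_sshd_config(text)
    results = {}
    for key, (name, ok) in CHECKS.items():
        if key not in cfg:
            results[name] = ("MANUAL", None)
        else:
            value = cfg[key].lower()
            results[name] = ("PASS" if ok(value) else "FAIL", value)
    if "include" in cfg:
        results["Include"] = ("MANUAL", cfg["include"])
    return results


def failing_items(text):
    """Names of checks that failed outright, for the findings table."""
    return sorted(n for n, (s, _) in audit_sshd(text).items() if s == "FAIL")


# Constructed sample (not from a real host) that exercises the pitfalls above.
SAMPLE_CONFIG = """\
# constructed sshd_config extract
Port 22
PermitRootLogin yes
LogLevel INFO
MaxAuthTries 6
PermitEmptyPasswords no
X11Forwarding no
# this later duplicate does NOT override the earlier "yes" in sshd
PermitRootLogin no
Match User backup
    PermitRootLogin no
    MaxAuthTries 3
"""


if __name__ == "__main__":
    for name, (status, value) in audit_sshd(SAMPLE_CONFIG).items():
        print(f"{status:6} {name:22} {value if value is not None else '(not set)'}")
```

A grep for `PermitRootLogin no` would have passed this host; the parser reports FAIL because the earlier `yes` is the value sshd actually uses. The MANUAL status is the point where the automated scan stops and the auditor has to look at the running daemon.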

ASVS

The Application Security Verification Standard (ASVS) is an OWASP framework defining web application security requirements at three verification levels. It provides a complete set of controls that should be implemented in applications, from authentication and session management to cryptography and attack protection.

ASVS Verification Levels

  • Level 1 — baseline controls for all applications, largely verifiable by black-box testing
  • Level 2 — the recommended level for business applications processing sensitive data
  • Level 3 — the highest assurance level for critical applications (banking, healthcare, infrastructure)

ASVS Audit Scope

  • Authentication and Session Management
  • Access Control and Authorization
  • Input Validation, Sanitization and Output Encoding
  • Cryptography and Key Management
  • Error Handling and Logging
  • Data Protection and Privacy
  • Communication Security (API, WebSocket)

AI Governance and the AI Act

The EU AI Act introduces the world's first comprehensive regulation of artificial intelligence. Organizations developing or deploying AI systems must ensure their security, transparency, accountability, and legal compliance. Our AI Governance services cover the full cycle, from AI system inventory, through risk classification, to AI management framework implementation.

AI Risk Classification (AI Act)

  • Unacceptable risk systems (prohibited) — social scoring, subliminal manipulation, real-time remote biometric identification in publicly accessible spaces (with narrow law-enforcement exceptions)
  • High-risk systems — recruitment, credit scoring, medical diagnostics, critical infrastructure, law enforcement
  • Limited risk systems — chatbots, deepfakes, content generation systems (transparency requirement)
  • Minimal risk systems — anti-spam filters, recommendation systems (no additional requirements)

Framework AI Governance

We help organizations implement a comprehensive AI management framework covering organizational structures, policies, processes, and tools ensuring responsible use of artificial intelligence.

  • AI system inventory — mapping all AI components in the organization (models, training data, pipelines, APIs)
  • Risk classification — assessing each AI system against AI Act risk categories and potential impact on fundamental rights
  • AI policies and procedures — developing ethical AI policy, model validation procedures, training data management, and drift monitoring
  • Transparency and explainability (XAI) — mechanisms for documenting algorithmic decisions, explainability for end users
  • Human oversight — implementing human supervision mechanisms over AI systems, escalation and intervention procedures
  • Bias and fairness management — model bias auditing, fairness testing, bias mitigation procedures
  • Data Governance for AI — training data quality, lineage, privacy-preserving ML, synthetic data
  • Model Risk Management — model validation, A/B testing, performance monitoring, model retirement procedures

AI Security — Technical Safeguards

AI system security requires dedicated protection measures against attacks specific to machine learning and natural language processing.

  • Adversarial attack protection — model robustness testing against manipulated inputs (adversarial examples)
  • ML/MLOps pipeline security — protecting training, versioning, and model deployment processes
  • Prompt injection and jailbreaking — LLM security testing for prompt injection, data extraction, and instruction bypass
  • Model extraction and model inversion — protecting models against IP theft and training data leakage
  • Data poisoning — training data integrity verification and contamination protection
  • AI supply chain security — dependency audit, ML libraries, and pretrained models (Hugging Face, PyPI)
  • AI Red Teaming — AI system attack simulations following NIST AI RMF and OWASP Top 10 for LLM methodology

Reference Standards and Frameworks

  • EU AI Act — Regulation (EU) 2024/1689
  • NIST AI Risk Management Framework (AI RMF 1.0)
  • ISO/IEC 42001 — Artificial Intelligence Management System
  • ISO/IEC 23894 — AI Risk Management
  • OWASP Top 10 for LLM Applications
  • OWASP Machine Learning Security Top 10
  • ENISA AI Threat Landscape
// PROCESS

How We Conduct the Audit

A proven, repeatable process for achieving regulatory compliance.

01

Scope & Mapping

We identify applicable regulations, define the audit scope, and map business processes to compliance requirements.

02

Gap Analysis

We compare the current state with regulatory requirements. We identify non-conformities, assess risk, and prioritize gaps.

03

Remediation Roadmap

We deliver a detailed action plan with specific steps, responsibilities, costs, and implementation timeline.

04

Implementation & Validation

We support recommendation implementation, develop documentation, and conduct final validation of audit readiness.

// FAQ

Frequently Asked Questions

Answers to the most common questions about compliance audits.

What is a compliance audit?

A compliance audit is a systematic process of verifying whether an organization meets the requirements of specific regulations, standards, and legal norms related to information security. It includes analysis of documentation, processes, IT systems, and organizational practices for compliance with frameworks such as ISO 27001, NIS2, DORA, GDPR, and the AI Act.

What is AI Governance and why does it matter?

AI Governance is a set of principles, policies, processes, and management structures aimed at responsible, secure, and ethical use of artificial intelligence in an organization. In the context of the EU AI Act, the world's first comprehensive law regulating AI, organizations must classify AI systems by risk level, implement human oversight mechanisms, ensure algorithm transparency, document AI decision-making processes, and protect systems against adversarial attacks. Non-compliance with the AI Act can result in penalties of up to EUR 35 million or 7% of global turnover for prohibited practices, with lower tiers for other violations.

Which regulations apply to my organization?

This depends on the industry, organization size, and type of data processed. The financial sector is subject to DORA and potentially MiCA (crypto-assets). Critical infrastructure operators and other essential or important entities fall under NIS2/KSC. Any organization processing personal data is subject to GDPR, and companies developing or using AI systems to the AI Act. ISO 27001 is voluntary but often required by contractors and regulators. During an initial free consultation, we help identify all applicable regulations.

How long does a compliance audit take?

The audit begins with scope analysis and identification of applicable regulations (1-2 days). Then we conduct a gap analysis, comparing the current state with the requirements (1-3 weeks, depending on scope). Based on the results, we prepare a report with risk assessment, non-conformity prioritization, and a remediation roadmap. The entire audit process for a single regulation typically takes 2-4 weeks.

What is ASVS and when is it worth applying?

ASVS (Application Security Verification Standard) is an OWASP framework defining security requirements for web applications at three levels. It is worth applying when you are building a new application and want to define security requirements from the start, auditing an existing application for security, need to demonstrate compliance with regulations requiring application security (PCI DSS, DORA), or want to improve AppSec process maturity.

Ready to Ensure Regulatory Compliance?

Contact us to discuss a compliance audit scope tailored to your organization. We’ll help identify applicable regulations and implement required security measures.
