Governance, Risk, Compliance

FAQ Governance, Risk, Compliance (GRC)

• There are so many topics in the GRC (Governance, Risk, and Compliance) field; which ones should we start with?

  To improve governance and achieve compliance, a risk-based approach is usually the most effective strategy. This allows the existing budget to be invested where the highest risks have been identified, effectively reducing the security risk. The goal is not to eliminate risks entirely, but to reduce them to an acceptable level.

• How does BNC support a quick recovery after a ransomware attack?

  To strengthen the resilience of your organization, BNC offers a combination of measures that directly and indirectly support Business Continuity Management.

  For a rapid recovery of operational activities after a major security incident, a functioning emergency and recovery plan is essential, which we will help you create based on practical experience.

  Furthermore, this plan should be regularly tested through practical exercises, for which we can offer a wide range of options, from real recovery tests to customized tabletop exercises.

  Last but not least, we can prepare all employees for emergencies with security awareness measures, thereby simplifying communication within the organization and significantly reducing the time needed to resume business operations after an incident.

  If these measures are insufficient, we also offer an Incident Retainer Service in addition to consulting, so that experienced coordinators and analysts can assist you promptly during emergencies and guide you through the emergency process.

• Which standards and regulations can BNC assist us with in achieving and maintaining compliance?

  The BNC Cyber Security Consulting Team regularly undergoes further training and expands its portfolio according to customer needs. Currently, we can provide experience and certifications for the following standards and regulations:

  • ISO/IEC 27001
  • ISO/IEC 27005
  • TISAX
  • New Swiss Data Protection Act and the European GDPR / DSGVO
  • The Swiss Information Security Act and the European NIS-2
  • ICT Basic Protection for the Federal Administration

• What is the difference between ISO 9001 and ISO 27001?

  ISO 9001 focuses on the Quality Management System (QMS) and requires suitable processes and controls to ensure consistent quality of services and products.

  ISO 27001 describes the establishment and operation of an Information Security Management System (ISMS), which helps improve the confidentiality, integrity, and availability of your data and systems.

  These two standards can be implemented independently, but they complement each other well and can be integrated into a combined management system.

• Why have we been receiving regular questionnaires about our security measures from our business customers lately?

  These are likely measures your customers have implemented to assess the security of their supply chain. The NIS-2 regulations and the Data Protection Act require specific, recurring actions to control and reduce risks across the entire supply chain. Due to these legal requirements, many industries and all organizations within critical infrastructure must maintain a management system for third-party management.

  BNC can help you integrate and maintain this third-party management within your ISMS.