External information security officer

Do you not yet have an information security officer (ISO), would you like to support your current ISO, or do you temporarily need extra capacity? Our specialists have the expertise needed to fill the ISO position in a professional and practical manner.

Legal framework

Licensed financial institutions must comply with various laws and regulations in the field of IT. These legal frameworks can be found in the Financial Supervision Act (Wft) and in European legislation such as MiFID II and Solvency II. The regulators, such as AFM, DNB, EBA and EIOPA, have frequently published guidelines or further regulations on what exactly is required in the field of IT (Security) Compliance.

Topics covered by the legal frameworks include the design (‘being in control’) of:

  • IT Risk;
  • IT Security;
  • (Cloud) Outsourcing;
  • Cybercrime.

Our approach

Our information security officers help you to continuously comply with the legal requirements applicable to your organization. Because organizations differ in nature, size and complexity, we use a personal and pragmatic methodology.

We help you to optimize the design and organization of information security by clearly translating the applicable standards to your organization's situation. We also give you a clear view of the degree to which (IT) risks are controlled and of any gaps that exist in this area.

What to expect from an external information security officer?

The role of the information security officer is tailored to each organization, so the activities and support offered may differ per organization. The agreed activities and responsibilities are laid down in an ‘ISO Charter’. Examples include:

  • supporting and/or performing the risk analysis;
  • drawing up and updating the information security policy and plan;
  • supervising the implementation of and compliance with the information security policy;
  • increasing awareness of information security and cybercrime;
  • setting up a registration of security incidents, as well as handling incidents that occur;
  • advising on mitigating measures;
  • giving solicited and unsolicited advice to board/management regarding risks in the field of information security;
  • if desired, acting as contact person for supervisory authorities; and
  • reporting (periodically) on status, progress, insights and activities performed in relation to information security.