Regulatory Compliance

We design security and governance programmes that, aligned with your environment and business, help you stay secure, remain vigilant and recover from a security incident.

Our multidisciplinary team of consultants identifies vulnerabilities and assesses the real risk to your organisation, helping you comply with the most relevant information security standards and regulations more efficiently and effectively.

Information Security Management System (ISMS) - ISO 27001

We assist you in implementing an Information Security Management System (ISMS) based on ISO 27001, from initial establishment through to certification, followed by an ongoing monitoring and follow-up service that keeps the system maintained and audit-ready.

National Security Scheme (ENS)

We offer our customers a complete diagnostic, advisory and consultancy service for adaptation to and compliance with the National Security Scheme (ENS – Royal Decree 3/2010, of 8 January, as amended by Royal Decree 951/2015, of 23 October), which establishes the security policy for the use of electronic media in the public sector and sets out the basic principles and minimum requirements for the adequate protection of information.

Data Protection Regulation: GDPR and Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)

All companies and public bodies that handle personal data are obliged to meet the requirements of the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679, applicable since 25 May 2018 – and of Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights, approved by the Spanish Congress of Deputies.

We offer a complete range of services covering the entire life cycle of personal data processing: from the analysis of the current situation and the adaptation plan, through support for implementation, to maintenance and subsequent reviews.

Industry standards: PCI-DSS and PSD2

PCI DSS (Payment Card Industry Data Security Standard) is a security standard published by the PCI Security Standards Council. It defines the requirements for protecting payment card data and the technological infrastructure that stores, processes or transmits it, and therefore applies to any company that processes, transmits or stores payment card data (banks, e-commerce businesses, merchants and processors, among others).

The European Union's Second Payment Services Directive (PSD2), applicable since 13 January 2018, provides the legal framework for digital payments in Europe. It obliges financial institutions that operate payment accounts to give third-party providers access to the account data, provided the account holder has expressly authorised them.

Babel, as a company specialising in security services for the financial sector, offers expert assistance and advice to ensure compliance with PCI DSS and PSD2: from the initial diagnosis phase (gap analysis) and implementation plan, through support for executing the plan's actions, to certification support and ongoing assistance.

Critical Infrastructure Protection Act (LPIC) and Network and Information Systems Security Act (NIS Act)

The main objective of the Critical Infrastructure Protection Act (LPIC, Law 8/2011) is to improve the protection of those infrastructures considered critical for the country.


The Royal Decree-Law on the Security of Networks and Information Systems (Royal Decree-Law 12/2018, of 7 September) transposes the European NIS Directive (Directive (EU) 2016/1148 on the security of network and information systems) into Spanish law. Its main objective is to increase protection against attacks on, and vulnerabilities in, networks and information systems across the EU. It affects both operators of essential services and digital service providers.


Babel offers expert assistance for compliance with both laws, covering the entire project life cycle: from the initial diagnosis phase to the design of the implementation roadmap, support for the action plan and subsequent maintenance.

Risk Analysis and Security Master Plan

We help organisations carry out a risk analysis that systematically and consistently quantifies the real risks to which their information systems are exposed in the face of different threats. The analysis identifies the actions needed to reinforce organisational, legal, physical and technical security measures and so mitigate those risks.

The Security Master Plan is the set of these actions, scheduled and budgeted, to mitigate the security risks identified.

Training and awareness

Improving the security of an organisation starts with the weakest link in the chain: people. It is vital to run awareness-raising initiatives that train and inform all of the organisation's employees about the importance of information security and how to apply good practices in their daily activities.

We support our customers with a wide range of activities aimed at improving employee motivation, intuition and security training.

Virtual CISO, Virtual DPO and Cybersecurity Project Management Office (PMO)

For clients who are subject to regulatory requirements or IT and information security standards but lack the internal resources to address compliance, or who need external expertise, we offer a Technical Office specialising in consultancy. These services are usually attached to the organisation's CISO (Chief Information Security Officer) or DPO (Data Protection Officer), so that these roles can count on an expert team of security technicians and consultants who contribute to meeting the requirements.

In addition, if you already have a roadmap or action plan with security projects in any domain (technical, organisational, physical or legal), we provide a Project Management Office (PMO) to manage and coordinate those projects and ensure they are executed on time.