Information Security and Regulation

Although cyber protection is the responsibility of each individual company, from the point of view of the entire economy it is necessary to ensure that companies keep functioning in the event of a sudden incident. A well-targeted attack can disable a company for months and cause tens of millions of crowns in damage.
As cyber incidents can fundamentally threaten key infrastructure, the EU at European level, and hence the National Cyber and Information Security Authority (NCIS), is legislating on cyber security.

The impact of a cyber incident on organisations can be significant, ranging from reputational damage to operational and/or financial losses. So the message is: be vigilant and gain resilience. Organisations should focus not only on the technical aspects of information security, but also on physical security, operational resilience and overarching elements such as governance, risk management and compliance. 

  • Want an objective assessment to determine if your enterprise applications and infrastructure are resilient to cyber threats? 
  • Do you want to know if your organisation is adequately addressing regulatory requirements such as NIS2 or DORA?
  • Do you need to have a clear understanding of measures to prevent and address cyber incidents? 
  • Are you looking for the support you need in the form of training and consultation to make your stakeholders aware of the risks of cyber threats and the potential consequences?

The BDO approach

We will help you build information security in your organization from the ground up, starting with complete preparation and ending with final implementation. If you already have some parts implemented, we will perform a complete audit in individual areas, e.g. ISMS or compliance with the ZKB. At the same time, we also provide consulting services in sub-parts, such as the design of risk management methodologies, the establishment of security policies or the creation of security documentation.

General Regulations and Standards

At a time of growing digital dependence and increasing cyber threats, the European Union revised the Network and Information Security Directive, giving rise to the directive NIS2.

This Directive, which must be transposed into national legislation across the European Union by October 2024 at the latest, brings new rules and requirements for companies and organisations.

What is NIS2?

The NIS2 regulation was created as the European Union's response to the deepening digitalisation of society and the associated growing cyber threats in the European space. It builds on the existing Network and Information Security (NIS) framework, which was adopted in 2016.

NIS2 significantly expands the scope of the current legislation and presents a new solution to strengthen and secure European cyberspace. 

The Czech Republic has a distinct advantage over some Member States, as it has already implemented and well developed its Cyber Security Act (CSA, in Czech ZKB).

What is ZKB?

The purpose of the Act on Cyber Security (ZKB) No. 181/2014 Coll. is mainly to increase the security of cyberspace and the state's efforts to protect that part of the infrastructure whose disruption would lead to damage or threat to the interests of the Czech Republic. 

The changes introduced by the NIS2 Directive are substantial and will have an impact on companies that have not been subject to the existing regulations. The NCIS has therefore taken on this task by preparing a completely new Act on Cyber Security and its implementing decrees, which should be approved in 2024.

Information is essential for the proper functioning of an organisation. Its efficient and especially secure processing is an important topic today. It is important to protect information adequately, especially against unauthorised access, leakage, destruction or loss. That is why there is an Information Security Management System (ISMS) that helps to manage information throughout its life cycle.

What is ISO 27001, ISMS?

ISO/IEC 27001 is an internationally applicable standard, or framework, for information security management systems, known as ISMS. It is based on the three basic principles of confidentiality, availability and integrity. In particular, the ISMS defines the requirements for managing information security across employees, processes, IT systems and company strategy. The adoption of an ISMS should be one of the fundamental strategic decisions of an organisation.

Why do you need an ISMS?

ISO 27001 certification is an essential pillar for protecting your assets. Holding an ISMS certificate according to the standard assures your customers that you have secured not only your own data but also client data, and that you proactively manage and handle confidential data. By implementing an ISMS, an organization can identify potential risks and threats of information leakage and loss, and thereby minimize them.

BDO's approach

We offer our clients a complete process for implementing an information security management system in their organization, including preparation for a certification audit. Implement an ISMS in your organization with BDO in the following 5 steps.

  1. First, we will conduct an initial information review where the necessary ISMS documentation will be reviewed and we will help you modify or improve it if necessary.

  2. We will define the scope of the ISMS including the stated responsibilities for the information security management system and help you modify or create security policies.

  3. We will review your asset inventory and asset management system. If your organization does not manage assets, we will suggest an appropriate methodology and help with implementation.

  4. We will provide consulting services and support in risk identification. We will help you design or implement an appropriate methodology for their assessment and management within the ISMS.

  5. We will help your organization prepare for a certification audit to obtain ISO/IEC 27001 certification.

Other Regulations and Standards

Cyberspace has no borders, so Australia is also affected by the rapidly changing environment. Organisations need to be able to respond flexibly to existing threats and new vulnerabilities to defend against increasingly sophisticated methods of attackers. The Australian Government has therefore responded and developed the CPS 231 and CPS 234 standards.

What is CPS?

CPS is an Australian standard designed and implemented by the Australian Prudential Regulation Authority (APRA). The purpose of CPS is to ensure that regulated entities have sufficient information security protections implemented. Regulated entities include, in particular, the banking and insurance sectors. These requirements only apply to Australian branches.

Why do you need CPS?

From 1 July 2020, third parties who handle regulated entities' information assets are required to comply with the CPS standard. Among other things, CPS is used to understand the sensitivity and criticality of information assets, to manage incidents and to establish security policies. By complying with CPS, your organization will be able to objectively measure improvements in its cybersecurity posture.

BDO's approach

BDO helps companies ensure compliance with the Australian CPS standards, either from the outset or by assessing and advising on existing established practices. We will first review your documentation in detail and then commence verification work. Our output is a comprehensive CPS report that includes compliance sections according to the CPS standards. If you do not have the documentation necessary for verification against the CPS standard, we can provide consultancy to create it in the pre-assessment phase.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, which among other things sets forth privacy and security provisions for the protection of medical information. The HIPAA Privacy Rule addresses the use and disclosure of individuals' health information, called "Protected Health Information (PHI)".

Why do you need HIPAA?

The HIPAA Privacy Rule is intended to ensure that an individual's health information is appropriately protected, while still allowing the flow of health information that is needed to provide and support quality health care. The HIPAA Privacy Rule permits necessary uses of information while protecting the privacy of people seeking health care.

BDO's approach

If your organization is required to be HIPAA compliant, we can provide audit work to determine your HIPAA compliance status and assist with the preparation of supporting documentation.

Information security throughout the entire information lifecycle is an important topic in the daily functioning of an organisation. The automotive industry is no exception, and here too it is advisable for suppliers and service providers to assure customers that their information is safe. For this purpose, the TISAX standard was published.

What is TISAX?

TISAX is a registered trademark of the European automotive industry association ENX, which developed the standard. TISAX represents a standardisation of the level of security in the automotive sector and incorporates the key criteria of ISO 27001. Organisations in the automotive industry must prove compliance with the security criteria every three years.

Why do you need TISAX?

Clients need assurance that their information is properly secured. The German Association of the Automotive Industry (VDA) publishes a catalogue that contains the key requirements and criteria for achieving the necessary level of security. Compliance with the VDA requirements can be demonstrated by TISAX certification. TISAX certification raises the level of security of an organization and thus its performance. TISAX is used to standardize, and also to mutually recognize, ISMS audits conducted in accordance with ISO 27001.