Unitas offers a number of consulting services within compliance and IT security and not least the 'glue' that binds the two areas together.
The consultants are experienced in several areas and together they constitute a very strong, deep and broad body of professional knowledge and insight. Collaboration between the consultants ensures that you get the best overall result.
The approach for all areas is that we start with an initial dialogue on the specific topic, which usually ends in a workshop that defines the final, specific course for your company. In this way you get all the benefits of Unitas' experience and tools, while we take care of exactly your company's specific requirements and wishes.
Examples of areas where we typically get involved include:
There may also be other areas that are not specifically mentioned here. Feel free to contact us if you want to hear if the challenge you are facing is something that we can help you find a good solution to.
A company today must assume that it will be affected by interruptions to a greater or lesser extent. It can be anything from a lost internet connection, through ransomware attacks and theft of data, to physical destruction of a data center or tragic events leading to the loss of data vital to the company.
In those cases, it is important to have well-developed contingency plans. These plans must contain an overall description of roles and responsibilities, communication plans, strategic decisions, etc., followed by a number of scenarios that enable the company to handle the emergency situation at hand.
Unitas has extensive experience in drafting these plans, and can also help with testing the plans and auditing the tests.
The increasing requirements for documentation of compliance from customers, suppliers and legislation (e.g. NIS / NIS2, PCI-DSS, GDPR, ESMA, etc.) call for a well-proven standard for the structured preparation of policies and controls. For this, Unitas uses the ISO standard, as it is precisely structured, continuously modernized and widely used across most of the EU and other countries.
Unitas' consultants have been responsible for implementation in a number of large Danish companies, and are continuously preparing IT policies, risk assessments and controls based on the ISO2700x standards.
Pursuant to section 115 of the Danish Companies Act, a company's management is obliged to carry out business risk assessments of its own company. The alpha and omega is therefore to have a good risk management tool, a defined risk appetite and continuously updated risk assessments. Unitas has a sharp toolbox that enables your company to make risk assessments using one clear, overarching framework tool that is generic across the entire business and its processes, workflows and (IT) systems.
A strong risk management tool also enables the company to make faster decisions and to prioritize financial efforts where the greatest risks lie.
By classifying your company data, you gain a wide range of benefits: benefits that can have a risk-reducing effect, a possible financial gain and, not least, the opportunity to control a wide range of security parameters. Unitas draws up, on the basis of a well-developed model, a data classification for your particular company. With a simple model of e.g. 4 categories that forms the basis for determining which data is involved, data availability and security for internal processing, requirements for external processing, etc., you are already well on your way. The classification can be supported immediately in MS365, and we can help with the design of the technical setups and policies.
With our checklist, we methodically go through it all so that it is done right. This also applies to your delivery terms, regardless of whether you sell to consumers or to businesses.
If we find discrepancies, we assess them together with you, so that you can make a decision as to whether it is within your risk tolerance.
Finally, we take a practical angle on things, so that you avoid unnecessarily obstructing activities that are beneficial to the operation.
If you are an IT supplier (data processor) and you need to make documentation available to your customers (the data controllers), we can help you by preparing a supervisory statement.
The statement of supervision is prepared in accordance with ISACA's guidelines. The work is performed by, among others, and signed off by one of our Certified Information Systems Auditors (CISA).
We start by defining with you what is to be investigated and thus what the statement is to deal with. Our experience shows that it will typically be the same IT security and compliance issues that need to be examined across IT vendors' delivery models. Thus, in most cases, we already have a good starting point for the work in place.
Once we have defined what is to be investigated, we ask you a number of relevant questions. If there are gaps along the way, we will help you correct the necessary things so that we can reach the goal with the statement.
With a supervisory statement, you avoid having to handle many inquiries from your customers, who are required to supervise you. The statement can conveniently be placed on your website.
If you are considering having an ISAE3000/3402 statement made by your auditor, then you should opt for a supervisory statement instead; that way you get the right skills for the job.
The statement of supervision and the work associated with it is delivered in Danish or English.
Our assistance covers a review of the terms of the contract. We will of course check whether the terms are commercially balanced. In addition, we ensure that the contract gives you a realistic opportunity to comply with the requirements for IT security and compliance that your outsourcing is specifically subject to.
For example, if you are in the financial sector, we will help you carry out a due diligence process so that you are sure that the IT supplier's delivery model and IT security and compliance activities reflect the requirements that you are subject to, and so that you can ensure that your outsourced IT remains subject to the required supervision.
Of course, our work will also be governed by your system classification: depending on how critical the system is, the contract negotiations must focus on the factors that are decisive for your operation.
IT contract negotiations must thus naturally be adjusted depending on whether the IT solution is delivered to a production company, the public sector, the healthcare sector, the financial sector or to an airport.
Finally, the terms after the negotiation must be transparent and understandable, so that you can easily put the contract into your Contract Management processes.
We work both for contracting authorities and for tenderers. With our expertise in IT, compliance and law, we typically deal with the technical appendices in the tender material as well as the negotiations and the subsequent follow-up and control.
We often find that the contracting authority has not had enough focus on the technical descriptions when preparing the tender material, as the focus has probably been too much on the legal aspects. At the same time, we know the frustration of the bidder when the material is unclear.
If you are going to start an IT procurement process, or you need to make an offer, we are happy to help you ensure that there is control over contract terms, the technical and organizational requirements, as well as the outsourcing of the relevant IT security and compliance obligations.