Certifying your company against standards such as ISO27001, NEN7510, TISAX, and the Baseline Information Security for Dutch Municipalities (BIO) indicates that you take cybersecurity seriously and are constantly working towards improving the level of security. The framework of these standards consists of a number of mandatory processes that need to be implemented. These include, for example, risk management, selecting measures, setting KPIs, determining your organisation's context, carrying out an internal audit, and conducting a management review. Additionally, the standard includes control measures that may or may not be applicable to your organisation.

Cyber4Z can guide you through the entire process from the start to certification. In most cases, we begin with a GAP assessment. This is because many organisations have already implemented security measures, but have not yet assessed their effectiveness. Based on the assessment, a plan is then developed, and we start implementing the processes and measures. We always do this in collaboration with the organisation, as ultimately you should be able to maintain the management system yourself. Additionally, we try to minimise the impact on your operations by only adding security-related activities. This ensures the highest level of acceptance within your organisation. Finally, we conduct an internal audit to determine the effectiveness of the measures, so that the external audit can ultimately verify the design, existence, and operation of the management system and award you the certificate.

Another option is to outsource certain parts of the certification process, so that your organisation does not have to bear additional burdens, or because the internal expertise is (still) lacking. Examples of this include:

- Conducting a GAP assessment;
- Carrying out and guiding a risk analysis session;
- Writing policy documents, processes, procedures, and standards that align with your own strategic frameworks;
- Performing internal audits;
- Implementing technical and organisational security measures.

Cyber4Z conducts penetration tests on a weekly basis for our clients. A team of technical specialists works remotely or on-site to identify risks in your assets and provide advice on how to resolve them.

A penetration test can be carried out on various platforms, such as a website or online portal, an application, servers and other systems, or an entire network.

The execution of a pentest can be black-box, where the tester does not receive any information such as a login or system information. In this case, the asset is tested from the perspective of an external hacker.

The test can be enhanced with a grey-box approach, where the tester tries to obtain unauthorised information, elevate privileges, or demonstrate that the service can be made unavailable (this is never actually performed).

After the test, you will receive a report with a summary, evidence, findings with a risk classification, and advice on how to address them.

Cyber4Z holds the CCV Pentest certification, which sets requirements for the professionalism of our approach, reporting, and pentesters. This allows us to guarantee the highest quality.