Which security standards companies need to know now and how they can best prepare for audits
The threat of cyberattacks has increased dramatically in recent years, and by IBM’s count Europe is the most affected region in the world. IBM’s 2024 X-Force Threat Intelligence Index identifies Europe as the region with the largest share of attacks, accounting for 32% of the incidents X-Force responded to in 2023, an increase of 31% over the previous year. The X-Force reports also make clear that a ‘crisis of identities’ is emerging: cybercriminals increasingly abuse legitimate user identities to get into company networks. Instead of relying on elaborate exploits, attackers simply log in with valid accounts. Such activity is far harder to distinguish from normal use than malware or exploitation, which makes identity security a central challenge.
Another alarming finding of the report concerns critical infrastructure. In 85% of the attacks on this sector, the initial compromise could have been mitigated by basic measures such as multi-factor authentication or the least privilege principle. In other words, the controls that would prevent the most damage are still not consistently in place, despite being well understood and comparatively cheap to implement.
Growing IT regulations to increase cyber security
In response to the threat situation, public authorities in Europe and around the world are introducing more and more security standards and certification schemes. They focus on proactive measures and demand strict compliance with security and data protection requirements. The most important regulations include:
NIS2 (Network and Information Security Directive) – The NIS2 directive aims to raise the level of cyber security for operators of critical infrastructure and for the other essential and important entities in the sectors it covers. It requires comprehensive risk management measures, regular risk analyses and mandatory reporting of significant security incidents on short deadlines (an early warning within 24 hours of becoming aware of the incident, followed by a fuller incident notification within 72 hours).
DORA (Digital Operational Resilience Act) – This regulation is aimed at financial entities and their ICT service providers. Its goal is digital operational resilience: the ability to withstand, respond to and recover from ICT disruptions and attacks without the failure of critical business functions. DORA requires ICT risk management, incident reporting, regular resilience testing (including threat-led penetration tests for entities designated by their supervisors) and close monitoring of ICT third-party risk.
ISO 27001 and ISO 27701 – These ISO standards are internationally recognised standards for an information security management system (ISMS) and, in the case of ISO 27701, a privacy information management system (PIMS) that extends it. Companies must analyse their risks, implement appropriate security measures and show that these are operated and reviewed continuously. ISO 27701 supports compliance with the GDPR, but a certificate does not by itself prove GDPR compliance.
AI Act – The EU AI Act classifies AI systems according to the risk they pose to health, safety and fundamental rights. Providers and deployers of high-risk AI systems must meet additional obligations, among them risk management, data governance, technical documentation, logging, transparency towards users, human oversight and an appropriate level of accuracy, robustness and cybersecurity.
Challenges for companies in implementing these regulations
Implementation and certification are a major challenge for many companies:
Complexity and documentation: Each of these regulations entails extensive documentation requirements. Companies must keep detailed records of security measures, tests and incidents, and keeping these records complete and up to date is often the hardest part.
Costs and resource requirements: Compliance with these standards requires continuous investment in security infrastructure and in the staff needed for regular audits and updates.
Integration and automation: The requirements of the individual frameworks overlap considerably. Without a mapping of controls and evidence across frameworks, the same measure ends up being documented several times over, which is a significant organisational burden for many companies.

"Compliance is the foundation for a secure and trustworthy company."
– Leif Bobzin, Business Development Manager Innovation
Effective GRC management as the basis for cyber security and compliance
Governance, Risk & Compliance (GRC) describes the systematic approach to corporate governance, risk management and compliance. Effective GRC management helps companies to be prepared for the challenges posed by cyber attacks and regulations by providing a clear structure for dealing with risks and regulations.
1. Governance: guidelines and strategic orientation
Governance forms the framework for all security and compliance endeavours and ensures that these are embedded in the company’s strategic objectives. In the context of IT security, this means:
Defined roles and responsibilities: It must be clear who is responsible for which security measures and how decisions are made.
Anchoring in the corporate culture: Security awareness should extend from the management to the operational teams. This requires regular training and sensitisation in order to promote a security-oriented culture.
Strategic adaptation to regulations: Corporate policies must be flexible enough to integrate new security requirements and regulations – such as NIS2 and ISO 27001 – in a timely manner.
2. Risk: Systematic risk assessment and treatment
A key element of GRC management is the identification, assessment and management of risks. This includes:
Risk assessment and classification: Cyber risks should be regularly assessed and prioritised according to their criticality and probability of occurrence. Tools can provide support here by automatically recording and documenting vulnerabilities.
Risk mitigation and contingency planning: Specific risk reduction measures should be developed for identified risks, e.g. through multi-factor authentication or regular security updates. If these measures are not sufficient, it is important to be able to fall back on prepared emergency plans such as incident response, disaster recovery or business continuity plans.
Continuous monitoring and testing: Companies should carry out regular penetration tests and security checks so that security gaps are identified and closed at an early stage.
3. Compliance: Fulfilment of standards and documentation obligations
Compliance is the foundation for a secure and trustworthy company. It ensures that all regulatory requirements are met and that the associated processes are documented transparently.
Certifications and standards: A key objective of GRC management is certification in accordance with recognised standards (e.g. ISO 27001, ISO 27701). A certificate shows that an independent auditor has verified that the management system exists and is operated as described. It does not by itself guarantee that the company can withstand an attack, but it demonstrates that risks are assessed systematically and that proactive measures to protect data and systems are in place.
Automated documentation: A common problem in companies is the manual and time-consuming documentation of security measures. Automated systems offer a remedy here by continuously updating and providing documentation, audits and reports. This makes it easier to fulfil documentation obligations and audits can be better prepared.
Reporting and incident response: Regulations such as NIS2 require significant security incidents to be reported to the competent authorities within short, fixed deadlines. Effective GRC management ensures that companies establish clear reporting processes, including who decides whether an incident is reportable, and have an incident response team that can act immediately in an emergency.
GRC management in practice: best practices for companies
To implement strong and effective GRC management, organisations should consider the following steps:
Create a comprehensive GRC strategy: the strategy should define cybersecurity and compliance objectives and responsibilities and be regularly reviewed for new requirements.
Use technology for automation and documentation: Tools can help companies to systematically record risks and generate compliance documents automatically.
Conduct regular training: Employees need to be up to date on security procedures and standards to ensure they can recognise potential threats and respond correctly.
Focus on continuous improvement: Strong GRC management requires constant adjustments and improvements to respond to new threats and requirements.
Mature GRC management is therefore key for companies that want to meet the increasing demands of cyber security and compliance. It reduces risks and strengthens confidence in the company’s ability to ward off attacks and fulfil legal requirements.
Conclusion
Cyber attacks are now a reality that companies must actively and preventively counter. Compliance with the applicable regulations not only protects against sanctions, but also strengthens security and resilience to threats. A robust documentation process is essential for compliance with requirements and creates the basis for fast, efficient audit processes.
Cover image: ©DC Studio on freepik