Risk Services
Where are the risks in your IT landscape? We map them using ISO 27005 and NIST CSF, test your internal controls and advise you in dealing with regulators such as DNB and AFM.
Risk assessments - Internal control - Regulators
A thorough IT risk assessment is the foundation for effective risk management. We identify and analyze IT risks based on business objectives, relevant threats and vulnerabilities. The result is a clear risk landscape with prioritized recommendations for improvement.
Methodology
Our methodology aligns with established frameworks such as ISO 27005 and the NIST Cybersecurity Framework (CSF 2.0), and is tailored to the size and complexity of your organization. We follow a structured approach: asset and process inventory, threat analysis, vulnerability assessment, impact analysis and determining residual risk after existing controls.
Scope and depth
The scope of the risk assessment is determined upfront based on the organization's context: which systems are business-critical, which data is most sensitive, and which regulations apply. We look beyond technical risks to include organizational factors such as governance, awareness and third-party dependencies.
Deliverables
The end result is a risk register that records, for each risk, its likelihood, impact, current controls and residual risk. Risks are prioritized and accompanied by concrete recommendations. The register can serve as input for the ISMS, as justification for investment decisions, or as the basis for reporting to management or regulators.
We assess the design, existence and operating effectiveness of internal control measures around IT systems and processes. This gives management objective insight into whether controls are working as intended.
Domains
The evaluation covers the key IT control domains: logical access security, change management, IT operations, network and infrastructure security, backup and recovery, and business continuity. Per domain, we assess whether controls are adequately designed, actually exist and operate effectively over the assessment period.
Frameworks
The evaluation is performed against a relevant framework: ISO 27001, SOC 2 Trust Services Criteria, NEN 7510 or an organization-specific control framework. This provides an objective benchmark and makes results comparable over time.
Result
The evaluation delivers an overview of deficiencies and areas for improvement, including risk classification and concrete recommendations. This can serve as preparation for an external audit, as input for the annual IT audit plan or as part of management reporting.
Financial institutions are subject to increasingly intensive scrutiny by DNB and AFM on their IT management and cyber resilience. This applies not only to banks and insurers, but also to pension funds, payment service providers and investment firms.
DORA requirements
Since 17 January 2025, DORA has been in force and sets concrete requirements for ICT risk management, incident reporting, resilience testing and management of ICT third-party risks. DNB and AFM actively assess compliance and expect organizations to have a documented ICT risk management framework, to report significant incidents in a timely manner and to have mapped their critical ICT service providers.
Preparation for regulatory examinations
We support preparation for regulatory examinations by conducting a self-assessment against the regulator's expectations beforehand. This includes reviewing policy documents, testing operational execution and identifying gaps that would surface during an examination.
Our approach
We combine IT audit expertise with experience in the financial sector. We understand DNB and AFM expectations and help organizations bring their IT risk management to the required level without unnecessary bureaucracy. Our support ranges from gap analysis and policy development to setting up the DORA information register and preparing for threat-led penetration testing (TLPT).
Organizations increasingly outsource IT services to third parties: cloud providers, SaaS vendors, managed service providers and data center operators. This creates dependencies that must be actively managed.
Vendor assessment
We help establish a vendor assessment process: from classifying vendors based on criticality to assessing their security measures through questionnaires, certifications (SOC 2, ISO 27001) and contractual safeguards. For critical vendors, we advise on audit and access rights.
Concentration risk
A particular focus area is concentration risk: dependency on a limited number of vendors for critical services. This is also an explicit concern under DORA and NIS2/Cbw. We map these dependencies and advise on mitigating measures such as multi-cloud strategies and exit plans.
Looking for an IT auditor?
Every organization is unique. Get in touch for a no-obligation conversation about IT audit, compliance or risk management.