Information Security

Governance & Strategy

Effective information security is not a product you buy. It is a governance discipline you build: structured, documented, aligned to your business objectives and regulatory environment, and measurable at every level.

Whether you are establishing accountability for cybersecurity at board level, preparing for ISO 27001 certification, meeting obligations under the Swiss Federal Act on Data Protection, or building tested resilience against operational disruptions, our Governance & Strategy team delivers outcomes that are audit-ready, business-aligned, and built for the Swiss regulatory context.

Contact our experts

Challenges

The Governance Gaps that put Swiss Organisations at Risk

Most organisations do not lack cybersecurity awareness. They lack the governance structures, documented accountability, and tested processes that convert awareness into a defensible, auditable security programme. In FINMA-regulated financial institutions, healthcare organisations, and Swiss critical infrastructure operators, this gap carries direct regulatory and financial consequences.

The most common situations we are called to address:

  • No formally appointed CISO or documented security strategy at executive level
  • Lack of executive/management commitment and support
  • No structured information security programme in place (no established roadmap)
  • Outdated or incomplete information security policies that do not withstand audit scrutiny
  • ISO 27001 certification required by customers, partners, or regulators, with no implementation roadmap
  • nFADP obligations outstanding since the law entered into force in September 2023
  • No tested BCP or DRP, despite FINMA Circular 2023/1 or DORA obligations
  • No structured crisis response capability, and no evidence of simulation or testing

Scope of Services

Seven Services. One Integrated Governance Framework.

Our Governance & Strategy practice covers the full range of information security governance needs. Each service can be engaged independently or combined into a comprehensive governance programme.

CISO as a Service

Strategic cybersecurity leadership on a full-time, interim, or virtual basis. We provide security direction, risk oversight, and executive-level reporting aligned to your regulatory context and business priorities.

Key outcome: Defined security strategy, governance framework, and documented risk management programme.

DPO as a Service

Independent external Data Protection Officer for Swiss organisations subject to nFADP and GDPR. Our multidisciplinary team of technical and legal consultants acts impartially, without conflicts of interest.

Key outcome: Full nFADP and GDPR compliance, documented processing register, and tested breach response process.

GAP Analysis

A structured assessment of your security posture against ISO 27002, NIST CSF, SWIFT, TISAX, CIS, or eight other frameworks. Evidence-based findings, maturity scores, and prioritised recommendations.

Key outcome: Objective benchmark of your compliance posture and a clear, prioritised remediation roadmap.

Risk Assessment

A methodology-driven evaluation of your information security risks. We identify threat scenarios, assess likelihood and business impact, and produce a prioritised risk register with treatment options.

Key outcome: Documented risk register, risk treatment plan, and executive-level risk communication.

ISMS Implementation

End-to-end ISO 27001 implementation support from initial gap analysis through documentation, risk integration, staff awareness, and certification audit preparation.

Key outcome: Audit-ready ISMS, complete mandatory documentation, and ISO 27001 certification readiness.

Business Continuity & Operational Resiliency

BIA, BCP, and DRP design aligned to ISO 22301, FINMA Circular 2023/1, and DORA. We define RTO and RPO targets aligned with your business, document recovery procedures, and validate plans through exercises.

Key outcome: Tested business continuity capability and regulatory-compliant resilience documentation.

Crisis Management

Structured crisis response documentation, crisis team training, and half-day or full-day simulation exercises with a formal RETEX session. Built for real use under pressure, not for compliance theatre.

Key outcome: Trained crisis team, tested procedures, and a documented improvement plan.

"We have been working with this partner, and in particular with Frédéric Noyer, for several years across CISO and data governance, in a relationship built on genuine trust. Their support is defined by a high level of professionalism, attentive listening, and a real ability to adapt to our specific challenges. Thanks to their expertise, we have been able to structure and continuously develop a robust, high-value ISMS for our organisation."

Serge Ernst, Head of IT, Eldora AG

Next Step

Schedule a Governance Consultation

Not sure which service applies to your situation? We offer an initial governance consultation to identify your most pressing priorities, map applicable regulatory requirements under nFADP, FINMA, ISO 27001, or DORA, and outline a practical path forward.