Understand Your Enterprise Requirements

Have a clear vision on the context of the enterprise and the various internal and external factors that can influence your normal operations.

Based on the understanding of your business, but more important, the surrounding context, a management decision should be taken concerning your risk appetite and a clear definition of what risk levels you are prepared to accept.

Sufficient information should be available to understand what your organization does and who in your organization is responsible for what. Don’t forget that external partners, like subcontractors, can have an influence on your cyber security.


Have a document with the general activities of your organization.


Have an up-to-date organigram with a list of relevant roles and responsibilities, including management, CISO, DPO, subcontractors that can influence your IT-Systems,...

Laws, Regulations and Industry Standards

In addition to understanding and documenting your internal organisation and external parties, companies should also be aware of specific regulations, guidelines and industry best practices that apply to their organisation.

Companies involved in processing significant personal data may be influenced by the GDPR, while companies that offer e.g. internet services may be subject to the NIS-Regulation.


Strive to comply with privacy, data handling and security legal and regulatory requirements

Respect for privacy and the protection of personal data are regulated principles to which any organization that processes personal data of persons in the EU must adhere.

The law provides a lot of obligations, including an obligation to compile a personal data register (see link to the templates in corresponding languages in the NL/FR version of this page) to adequately secure personal data and a duty to report data loss (loss, theft, personal data) to the Data Protection Authority (today the Privacy Commission).