Compliance

Navigating the complex compliance landscape and bridging regulatory requirements and real-world implementation, to ensure your business stays secure, resilient and audit-ready.


At Forculus, our proven expertise spans the world’s leading security and compliance frameworks. Let us simplify compliance and strengthen your organization’s resilience, together.

Regulations, Standards and Frameworks

National - The Netherlands

  • We can help you with implementing:

    • BIO2: the Dutch government baseline for information security, risk-based controls and uniform governance across public organisations.

  • We can help you with implementing:

    • ABRO (Algemene Beveiligingseisen voor Rijksoverheidsopdrachten): general security requirements for central-government contracts (supplier screening, contract-level safeguards and supply-chain controls).

  • We can help you with implementing:

    • VIR (Voorschrift Informatiebeveiliging Rijksdienst): the Dutch government regulation defining baseline information security requirements for central government organisations, focusing on governance, risk management, and protective measures for handling official information.

    • VIR-BI (Voorschrift Informatiebeveiliging Bijzondere Informatie): the extension of VIR for protecting bijzondere informatie (classified or sensitive government data), specifying stricter measures for access control, physical security, and information handling.

    We support clients by assessing compliance with VIR and VIR-BI, defining and implementing appropriate controls, developing secure procedures, and preparing for audits and accreditation.

  • We can help you with implementing:

    • NEN 7510: the Dutch healthcare information-security standard based on ISO 27001, focused on protecting the availability, integrity and confidentiality of patient data.

  • We can help you implement:

    • NBA-LIO: the Dutch auditors’ guideline for information security (Leidraad Informatiebeveiliging voor Organisaties), aligning security governance, risk management, and control measures with professional assurance standards.

    • NOREA PCF (Privacy Control Framework) — the Dutch auditors’ framework for assessing and managing privacy compliance, based on GDPR principles and professional assurance standards. It provides a structured approach to evaluate governance, risk management, and control effectiveness around personal data processing.

International

  • We can help you implement:

    • ISO 27001, which provides a structure for setting up and running an Information Security Management System (ISMS).

    • ISO 27002 — the international standard providing detailed guidance on information security controls supporting ISO 27001. It outlines best practices for implementing measures across areas such as access management, asset protection, cryptography, and incident response.

    • ISO 27005, which guides how to manage risks related to information security.

    • ISO 31000, which covers general principles and steps for managing risks in an organization.

  • We can help you with implementing:

    • The NIST Cybersecurity Framework (CSF), which offers a clear way to identify, protect against, detect, respond to, and recover from cyber threats.

    • The NIST Risk Management Framework (RMF), which integrates security and risk management steps into the system development life cycle.

    • NIST SP 800-53, which lists detailed security and privacy controls for government and enterprise systems.

  • We can help you with implementing:

    • C-M(2002)49 "Security within the North Atlantic Treaty Organization (NATO)", which sets the basic principles, minimum standards and responsibilities for safeguarding NATO classified information, covering personnel security, physical security, communication and information system security, and industrial/contractor security.

  • We can help you with implementing:

    • Council Decision 2013/488/EU sets basic security rules to protect EU classified information, covering staff, physical, and information security.

    • NIS2 strengthens and unifies cybersecurity rules for key organizations, including governance, incident reporting, supply chain, and vulnerability handling.

    • CER Directive 2022/2557 requires critical entities in important sectors to improve risk management, preparedness, and cross-border cooperation.

    • DORA regulation demands financial firms manage ICT risks, report incidents, run operational tests, and oversee third parties.

    • GDPR sets data protection rules on lawful use, purpose limits, data minimization, user rights, accountability, and international data transfer.

    • EU AI Act imposes risk-based controls on AI, banning harmful uses, enforcing strict rules on high-risk AI, and requiring transparency for others.

  • We can help you with implementing:

    • CMMI (Capability Maturity Model Integration): a framework for assessing and improving process maturity across development, services, and management domains to achieve consistent quality and performance.

    We assist by assessing current maturity levels, defining improvement roadmaps, embedding governance structures, and aligning processes with compliance and quality objectives.

  • We can help you with implementing:

    • ITIL 4 (Information Technology Infrastructure Library v4): a modern, holistic framework for IT service management that integrates value co-creation, agile practices, and continual improvement across the Service Value System. It emphasizes guiding principles, governance, and the alignment of people, processes, and technology to deliver business value.

    We assist clients by designing ITIL 4-aligned security models, defining value streams, establishing incident, change, and problem management workflows, and embedding continual improvement practices to enhance service efficiency, resilience, and customer satisfaction.

  • We can help you with implementing:

    • CIS Controls — a prioritized set of cybersecurity best practices designed to reduce risk by guiding the implementation of essential security measures such as asset management, access control, vulnerability management, and incident response.

  • We can help you with implementing:

    • MITRE ATT&CK Framework — a globally recognized knowledge base of adversary tactics and techniques used to understand, detect, and mitigate real-world cyber threats.

CCF-SPR

At Forculus, we understand the complexity and challenges of the evolving regulatory landscape. To simplify this complexity, we’ve developed the Consolidated Control Framework for Security, Privacy & Resilience (CCF-SPR), a unified model that brings together compliance, risk management, process management, and maturity assessment. This framework offers a complete, practical set of controls that can be easily implemented to build a secure, resilient, and compliant organization across both digital and physical domains.

Contact us to learn more about how you can leverage the CCF-SPR framework.

High Security Domain Assurance

Security and accreditation support for highly classified information environments, typically reserved for governments and defence contractors.

Highly classified information environments

Every organization, in achieving its objectives, depends among other things on reliable information processing, supported by information systems positioned within suitable environments. Depending on the origin and classification of this information, approval for processing may have to be granted. This approval, called an accreditation, must be supported and substantiated by the results of an assurance review. This is often the case when processing government information and/or information from other sources such as the EU and NATO.

To support this assurance review, Forculus provides governmental agencies and commercial organizations contracted to government with specialized accreditation support & advice.

What you can expect:

  • A project-based approach to accreditation, defining objective, scope and compliance requirements

  • Process development and optimization

  • Policy reviews and adjustments

  • Risk analyses and treatment

  • Technical, functional and security design development

  • Self-assessment or external auditing capability

To be able to provide these specialized services, Forculus works closely with (inter)national security authorities.

Let’s get in touch

Interested in working together? Please use the contact form.