Rethink Cyber Security - Risk Management

LIFEBLood – The innovative solution for intelligent and automated cyber risk management

Compliance Cockpit

LIFEBLood's Compliance Cockpit

LIFEBLood - The compliance cockpit for complete transparency and control

LIFEBLood offers companies a central platform that provides an overview of the current compliance status of the various stakeholders. This gives management, compliance officers and auditors a clear view of compliance with all regulatory requirements at all times.

With LIFEBLood, global and local compliance requirements can be individually tailored to processes and services. This flexible allocation opens up new opportunities to analyze risks in a targeted manner and set priorities. Our integrated assessment system takes into account the importance of compliance issues at an organizational level and feeds directly into our comprehensive cyber risk assessment.

LIFEBLood stands for transparency, efficiency and security in compliance monitoring – for a company that always remains in line with the latest regulatory standards.

Discover our solution for NIS2

Learn how you can meet NIS2 requirements with minimal effort and cost. Our solution offers:

  • Automated risk management and risk analysis
  • Automated emergency and crisis management
  • Ensuring supply chain security
  • Management of vulnerabilities in systems and processes
  • Cyber hygiene and IT security training
  • Fast, semi-automated reporting process
  • Integrated industry solutions (energy suppliers/healthcare/automotive/etc.)

Download our detailed document now and discover how LIFEBLood can support your company in implementing the NIS2 requirements.

Low cost level – Minimal personnel deployment – Fast implementation

Secure, compliant and resilient - with LIFEBLood to meet your security standards

RIMIAN starts by providing you with comprehensive information on the key standards and norms that are essential for the security and resilience of modern organizations. From the Digital Operational Resilience Act (DORA) to the NIS 2 Directive, ISO 27001, TISAX, ASPICE and WIBA – each of these frameworks helps to make companies more secure and better positioned in the digital age.

With LIFEBLood, we specifically support companies in complying with these standards and guidelines and ensuring seamless monitoring of requirements. Our solution simplifies the implementation, monitoring and continuous improvement of your security processes so that you always have an overview of risks, compliance and the security status of your company. By combining technical monitoring, procedural management and automated risk analysis, we help you achieve and maintain the highest standards of information security and business continuity.

Discover how LIFEBLood can help you efficiently meet regulatory requirements and cybersecurity best practices and strengthen your digital resilience.

The best-known compliance requirements at a glance:

The Digital Operational Resilience Act (DORA) is a European Union regulation designed to make the financial sector more resilient to digital risks. It responds to the growing threat of cyber attacks and ensures that financial companies and their IT service providers have a high level of digital resilience. DORA aims to establish uniform standards for cyber resilience in the financial sector across Europe and focuses on comprehensive risk management and clear reporting obligations.

The most important requirements are:

  • Risk management and crisis planning: Companies must actively monitor risks and be prepared to respond to digital disruptions.
  • Obligation to report: Security incidents must be documented immediately and reported to the responsible authorities.
  • Review and control of third-party providers: The compliance and resilience of critical IT service providers must be ensured.
  • Regular resilience testing: Systems must be tested regularly in order to identify weak points at an early stage and ensure resilience.
  • Business continuity management: Companies must develop strategies to maintain business operations even in the event of an attack.
  • Training and awareness-raising: Employees should receive regular training on digital risks and be made aware of how to recognize threats.

Who is affected:

  1. Credit institutions
  2. Payment institutions, including payment institutions exempted under Directive (EU) 2015/2366
  3. Account information service providers
  4. Electronic money institutions, including electronic money institutions exempted under Directive 2009/110/EC
  5. Investment firms
  6. Crypto-asset service providers and issuers of asset-referenced tokens
  7. Central securities depositories
  8. Central counterparties
  9. Trading venues
  10. Trade repositories
  11. Managers of alternative investment funds
  12. Management companies
  13. Data reporting service providers
  14. Insurance and reinsurance companies
  15. Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  16. Institutions for occupational retirement provision
  17. Credit rating agencies
  18. Administrators of critical benchmarks
  19. Crowdfunding service providers
  20. Securitisation repositories

In addition, DORA includes third-party ICT service providers that provide information and communication technology services for the above-mentioned financial companies. In particular, this includes providers of cloud computing services, software developers, data analysis services and data centers.

It is important to note that DORA does not apply to certain companies. Excluded are, among others:

  • Alternative investment fund managers within the meaning of Article 3(2) of Directive 2011/61/EU
  • Insurance and reinsurance undertakings within the meaning of Article 4 of Directive 2009/138/EC
  • Institutions for occupational retirement provision that operate pension schemes with fewer than 15 members in total
  • Natural or legal persons exempted in accordance with Articles 2 and 3 of Directive 2014/65/EU

The European Union’s NIS 2 Directive (Network and Information Security Directive 2) aims to improve cyber security in critical sectors and ensure a higher level of protection against cyber threats. It extends the original NIS Directive and sets stricter requirements for companies operating in critical sectors. The directive aims to ensure that organizations are adequately prepared for security incidents and build the necessary resilience to meet digital challenges.

The most important requirements are:

  • Risk management and prevention: Companies must implement robust risk management that includes both technological and organizational measures to defend against cyber threats.
  • Obligation to report security incidents: Cyber incidents that could have a significant impact on operations must be reported immediately to the relevant authorities.
  • Security measures for third-party providers: The security of third-party providers and their compliance with the NIS 2 directive must be ensured and continuously checked.
  • Continuous monitoring and analysis: Companies are obliged to continuously monitor their networks and systems and to detect and analyze threats at an early stage.
  • Incident response plans: Organizations need to create detailed cyber incident response plans to ensure they can respond to incidents quickly and effectively.
  • Training and awareness: Regular training and awareness programs should ensure that employees are aware of current threats and know how to respond appropriately.

Who is affected?

Large and medium-sized companies from the following sectors (but also small companies, see below):

Sectors with high criticality:

  • Energy
  • Transportation
  • Banking*) (DORA has priority over NIS2)
  • Financial market infrastructures*) (DORA has priority over NIS2)
  • Healthcare
  • Drinking water
  • Waste water
  • Digital infrastructure
  • Management of ICT services B2B
  • Public administration
  • Space

Other critical sectors:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food processing
  • Processing/manufacturing industry**)
  • Digital service providers
  • Research (optional)

Companies that are subject to NIS2 regardless of their size and turnover:

  • Trust service providers
  • Providers of public electronic communications networks or providers of publicly available electronic communications services
  • TLD name registries and DNS service providers, except operators of root name servers
  • Companies that are the sole provider of a service in a Member State that is essential for the maintenance of critical social or economic activities.

Large companies = at least 250 employees or annual turnover of over 50 million and annual balance sheet total over 43 million

Medium-sized company = at least 50 employees or annual turnover over 10 million and annual balance sheet total over 10 million

ISO/IEC 27001 is an internationally recognized standard for information security management systems (ISMS). It provides companies with a structured method to protect information from threats, minimize risks and ensure the confidentiality, integrity and availability of information. The standard is suitable for companies of all sizes and industries and helps them to systematically improve their security practices and meet regulatory requirements.

The most important requirements are:

  • Risk assessment and risk management: Companies must systematically identify and analyze security risks and develop and document risk mitigation measures.
  • Security policies and procedures: Clear security guidelines must be defined that specify how information and sensitive data is handled.
  • Roles and responsibilities: All employees and relevant parties must be given clear responsibilities and accountabilities with regard to information security.
  • Training and awareness-raising: Regular training and awareness-raising measures for employees should ensure that awareness of cyber risks is heightened and that security guidelines are implemented in everyday working life.
  • Documentation and verification: All processes and measures in the area of information security must be documented in order to be able to prove compliance with ISO standards and the continuous improvement of the ISMS.
  • Regular review and auditing: The information security management system must be regularly reviewed and evaluated in order to identify weaknesses at an early stage and make improvements.

Who is the standard relevant for?

Affected organizations:

ISO/IEC 27001 is aimed at companies and organizations of all sizes and industries that want to ensure the protection of sensitive information. The standard is particularly important for:

  • Regulated industries: Banks, insurance companies, energy suppliers, hospitals or telecommunications providers that are subject to legal requirements for information security.
  • IT and technology service providers: Companies that process data or provide digital infrastructures, such as cloud providers or software-as-a-service (SaaS) companies.
  • Organizations with customer data: Companies that manage personal or confidential business information and must comply with the highest data protection standards.
  • KRITIS operators: Operators of critical infrastructures that are obliged by legal regulations such as the IT Security Act to implement an ISMS.

Is ISO/IEC 27001 mandatory?

In many cases, certification to ISO/IEC 27001 is not required by law, but is often indirectly mandatory:

  • Customer requirements: Companies that operate internationally or work with sensitive data are often asked by their business partners to provide proof of ISO 27001 certification.
  • Industry-specific regulations: In areas such as critical infrastructure (KRITIS) or the implementation of the NIS 2 directive, ISO 27001 serves as a recognized standard for meeting legal requirements.
  • Competitive and market requirements: In tenders, especially in the public sector, ISO 27001 certification is increasingly seen as a prerequisite for awarding contracts.

TISAX (Trusted Information Security Assessment Exchange) is an information security standard developed by the automotive industry that is specifically tailored to the requirements and security standards of this sector. TISAX is based on ISO/IEC 27001 and the VDA-ISA requirements (German Association of the Automotive Industry – Information Security Assessment) and is used for the secure verification and exchange of information between partners in the automotive industry.

The most important requirements are:

  • Information Security Management System (ISMS): TISAX requires the implementation of an ISMS in accordance with ISO/IEC 27001, which systematically identifies risks and defines information security measures.

  • Confidentiality, integrity and availability of data: Companies must ensure that all sensitive data is protected and available at all times, especially in the areas of prototype protection and production planning.

  • Security requirements for data exchange: TISAX requires strict standards for the secure exchange of information with partners in order to minimize risks when working together in supply chains.

  • Prototype protection: Because many automotive companies work with confidential prototypes, specific protective measures must be taken to prevent unwanted disclosure or distribution.

  • Training and awareness: Employees must receive regular training and be made aware of specific threats within the automotive industry in order to consistently comply with security standards.

  • Regular audits and certification: TISAX-certified companies must undergo regular audits by accredited testing organizations to ensure that the TISAX requirements are permanently met.

Who is affected by the TISAX standard?

  1. Suppliers and service providers to the automotive industry:
    • Companies that provide components, systems or services to automotive manufacturers are often required to provide proof of TISAX certification, especially if they have access to confidential information.
  2. Automotive manufacturers (OEMs):
    • The manufacturers themselves use TISAX to ensure uniform security standards in their supply chain.
  3. IT service providers and software providers:
    • Service providers who offer IT systems, cloud services or software solutions for the automotive industry must meet the requirements if they process sensitive data.
  4. Consulting companies and other partners:
    • External partners who work in design, engineering or consulting, for example, may also be affected if they have access to critical information.

Who is TISAX mandatory for?

TISAX is not legally binding, but it is de facto binding for companies due to contractual requirements and industry-specific expectations:

  1. Companies with access to confidential data:
    • Especially those that deal with prototypes, customer data, research results or other business-critical information.
  2. Companies in tenders:
    • Many automotive manufacturers require TISAX certification as a prerequisite for participating in tenders.
  3. Companies with high security requirements:
    • Companies that develop safety-critical systems or components are often required to submit a TISAX certification to demonstrate their security competence.

Summary:

TISAX primarily affects players in the automotive industry and is particularly important for suppliers and service providers who work directly with manufacturers. Although it is not a legal obligation, it is de facto prescribed via contractual requirements and industry standards. Companies that are active in the automotive industry or have access to sensitive data should deal with the TISAX requirements at an early stage in order to remain competitive.

Automotive SPICE (ASPICE) is a process model that was developed specifically for the automotive industry to improve quality and efficiency in the development of electronic and software systems. ASPICE is designed to standardize the processes involved in the development and integration of safety-critical systems and supports companies in continuously optimizing their development processes and reliably fulfilling safety-relevant requirements.

The most important requirements are:

  • Process management: ASPICE requires the implementation of a clearly defined and documented development process that ensures that all project steps and milestones are methodically tracked. This includes planning and control mechanisms as well as continuous monitoring of development progress.
  • Quality assurance: Companies must ensure that all development processes and results are subject to a structured quality assurance process. This includes regular checks, audits and the documentation of quality criteria in order to identify and rectify errors at an early stage.
  • Requirements management: ASPICE requires systematic management of requirements that records, documents and tracks all customer and system requirements. Changes to the requirements must be tracked in a structured manner in order to ensure the integrity of the development process.
  • Configuration management: The standard attaches great importance to effective configuration management, which ensures version control of all software and hardware components. This ensures that all project data and product variants remain consistent and traceable.
  • Change and problem management: ASPICE requires structured change and problem management to ensure that all changes, errors and problems in the development process are documented, analyzed and resolved.
  • Test and verification processes: ASPICE requires comprehensive testing and verification processes to ensure that all developed functions and systems meet the specified requirements. This includes unit, integration and system tests as well as the verification and validation of functional safety.

Who is affected by ASPICE?

The ASPICE (Automotive SPICE) standard primarily affects companies and organizations that are active in the automotive industry and are involved in the development of software and electronic systems for vehicles. This includes both automotive manufacturers (OEMs) and their suppliers.

  1. Automotive manufacturers (OEMs):
    • Manufacturers use ASPICE to check the quality of their internal development processes and those of their suppliers.
    • OEMs often demand a defined ASPICE maturity level from suppliers as a prerequisite for the business relationship.
  2. Suppliers to the automotive industry:
    • Companies that develop electronic control units (ECUs).
    • Providers of software for driver assistance systems, infotainment or other vehicle control systems.
    • Development service providers who carry out development orders for OEMs or other suppliers.
  3. Technology service providers and consultants:
    • Providers of tools and services that support development processes, such as software development, test automation or quality assurance.

Who is ASPICE mandatory for?

  1. Suppliers of safety-critical systems and components:
    • ASPICE is often mandatory for suppliers of control units, e.g. for brake systems, powertrains or driver assistance systems, as OEMs require this by contract.
  2. OEMs with strategic partners:
    • OEMs often make compliance with ASPICE requirements a condition for cooperation with suppliers.
  3. Regulation-driven projects:
    • If the software or systems are used in safety-relevant areas (e.g. in accordance with ISO 26262), ASPICE becomes indirectly mandatory for quality assurance.

Commitment in practice:

Although ASPICE is not a legal requirement, the requirements of OEMs and increasing pressure from the automotive industry have made it a de facto mandatory standard for everyone involved in the automotive value chain. Non-compliance can mean the loss of contracts or the inability to participate in tenders.

WIBA (Economic Assessment for IT Security) is a method for the economic evaluation of IT security measures. It helps companies to analyze the costs and benefits of investments in IT security and to make well-founded decisions about which measures should be implemented. WIBA was developed to plan IT security investments in a targeted manner and to ensure that the resources used contribute optimally to risk reduction.

The most important requirements are:

  • Risk assessment and threat analysis: Companies must systematically identify which threats endanger their IT infrastructure and information and what potential damage could occur. This analysis forms the basis for the cost-effectiveness analysis.

  • Cost recording and analysis: All potential costs of IT security measures – including implementation, maintenance and operating costs – must be recorded in detail. WIBA attaches great importance to a complete cost analysis that takes both direct and indirect costs into account.

  • Benefit assessment of the security measures: For each measure, the extent to which it contributes to risk reduction and the associated economic benefits are analyzed. This includes evaluating the savings made by avoiding incidents and increasing system availability.

  • Cost-benefit analysis: WIBA requires a systematic comparison of the costs and benefits of each security measure. The aim is to select those measures that offer the highest possible economic benefit in relation to the costs.

  • Prioritization and decision support: WIBA offers companies a framework for implementing security measures in a prioritized manner and for selecting the measures that offer the best cost-benefit ratio. The method helps decision-makers to deploy resources in a targeted manner and to make IT security economically viable.

  • Success monitoring and optimization: After implementing security measures, companies must regularly check whether the expected savings and security gains have been achieved. Adjustments and optimizations may be necessary to maintain the efficiency and effectiveness of the measures.

Who is WIBA mandatory for?

The implementation of WiBA is not mandatory. The BSI offers WiBA as a voluntary instrument to enable municipalities to enter the field of information security at a low threshold. However, it does not replace the implementation of recognized standards such as BSI IT-Grundschutz or ISO 27001.

However, it is possible that specific regulations exist at the state level that require the implementation of WiBA. Therefore, municipalities should check the state-specific requirements that apply to them.


If we have aroused your interest, please do not hesitate to contact us.

We look forward to presenting LIFEBLood and its many advantages to you. Make an appointment today for a live demo or contact us directly via our contact form.
