Strategy and Policy
Organizations (companies and institutions) face an ever-changing risk environment. New requirements, new threats, new products and new services can radically change the operating environment and introduce new challenges that need to be addressed. Information and other related assets must be protected from loss of confidentiality, integrity and availability, and special care must be taken when working with personally identifiable information.
SECPRICO provides organizations with advice on the risk environment and how they can best protect themselves against both external and internal threats, changes in the operating environment (including the legal environment), technological changes, etc.
Risk Management
Risk management is the foundation of all operations, along with change management and business continuity management. If these three are in place, it can be expected that organizations are well prepared to meet the challenges that their operations have to face.
SECPRICO provides advice on and assists in the implementation of risk assessments, whether the risk assessment covers information security, privacy or other aspects of organizational operations. Over the years, SECPRICO has gained experience in conducting risk assessments on a wide range of topics, including natural hazards.
A short introduction to Risk management
Data Protection and Privacy
General Data Protection Regulation (GDPR) (EU) 2016/679 has brought about major changes in the operating environment of organizations. Although the changes in GDPR have been limited since the 1995 Directive, the main change is that organizations can be subject to administrative fines of up to 4% of the organization’s annual turnover. The Regulation also places strong emphasis on both built-in and default privacy, meaning that privacy should be assumed in all organizational activities from the outset.
SECPRICO provides advice on almost all aspects of security related to GDPR, but legal interpretations are left to lawyers. This advice is based on decades of experience in implementing privacy management systems, in Iceland and in recent years in Denmark, Norway, Finland, Germany, the United States and China. The work is based on ISO/IEC 27701:2025; although that standard defines an independent management system focusing on requirements for privacy and the processing of personal data, its implementation relies heavily on the ISO/IEC 27001 and especially the ISO/IEC 27002 standards.
Business continuity management, contingency plans and recovery plans
One of the three key aspects of operating an organization is maintaining business continuity. To achieve this, it is necessary to identify the threats in the organization’s operating environment that can disrupt operations, prepare contingency plans to be available in the event of such an incident, and recovery plans to restore operations to their previous state.
SECPRICO provides advice and assistance in the development of either contingency plans or recovery plans, and in the training of employees who need to use such plans.
ISO/IEC 27001 and ISO/IEC 27002
ISO/IEC 27001 is the leading standard for information security management systems and sets out the requirements that must be followed when developing such systems. The ISO/IEC 27002 standard contains guidance on the implementation of the controls set out in Annex A of ISO/IEC 27001.
SECPRICO provides advice and assistance in defining, documenting and implementing an information security management system (ISMS) according to ISO/IEC 27001. SECPRICO has considerable experience in implementing such a management system and has guided Icelandic companies through initial certification, maintenance certification and renewal certification since 2007.
It is not the case that Annex A covers all the aspects that need to be considered, nor that the guidance in ISO/IEC 27002 is definitive. SECPRICO therefore also provides advice on other standards, methods and best practices that could be used to enhance an information security management system (ISMS) according to ISO/IEC 27001.
Information Security, Cyber security and Privacy Internal audits and Gap Analysis
The maintenance and improvement of any management system requires audits. They can be limited to a specific subject or the entire organization, and everything in between. An audit involves examining the effectiveness of a management system and how well an organization is following it. Regulators, laws, regulations, agreements and standards may require organizations to conduct audits regularly, and they may be a prerequisite for licensing or certification.
Gap analyses are about examining and assessing deviations between, for example, the requirements of laws and/or standards and the management system that an organization has implemented. Understanding where these deviations are and what they entail can be very important.
SECPRICO provides advice on and assistance with either internal or external audits, although the emphasis has been greater on internal audits. SECPRICO has extensive experience with gap analyses, including for large multinational organizations.
The site is under construction and more content will be added to it.