Information security is the foundation of our business. As a consultancy specializing in cybersecurity and compliance, we apply the same highest standards that we implement for our clients.
Below we present our certifications, implemented security controls, security policies, and audit processes. We believe that transparency builds trust — that is why we openly share information about our approach to security.
Our management systems are certified by independent, accredited certification bodies. We regularly undergo surveillance and recertification audits, confirming continuous compliance with international standards.
Information Security Management System (ISMS) covering all business processes, IT infrastructure, client data, and internal operations. Certification confirms compliance with the latest 2022 version of the standard.
Quality Management System ensuring repeatability and the highest standard of advisory, training, and implementation services. Continuous process improvement is the foundation of our approach.
Business Continuity Management System ensuring operational readiness for incidents, failures, and crisis situations. Regular testing of continuity plans and recovery procedures.
Full compliance with the General Data Protection Regulation. Designated Data Protection Officer, implemented processing policies, records of activities, data subject rights procedures, and breach management.
Overview of regulatory frameworks, standards, and industry best practices with which we are compliant or actively implementing.
Information security management system — full operational scope
Quality management system — advisory, training, and implementation services
Personal data protection — all processing activities
Business continuity — critical processes and IT infrastructure
Network and Information Security Directive — compliance alignment
National Interoperability Framework and National Cybersecurity System
ISMS extension for privacy information management
Security controls for cloud services
Web application security standards
Critical security controls — Implementation Group 2
Cybersecurity framework — Identify, Protect, Detect, Respond, Recover
Internal reporting channel and whistleblower protection
We employ a defense-in-depth model encompassing security at the network, application, data, and endpoint layers.
AES-256 for data at rest, TLS 1.3 for data in transit. Full disk encryption, database encryption, and inter-service communication encryption.
Zero Trust model with least privilege principle. Multi-factor authentication (MFA) mandatory for all systems. Centralized identity management.
Wazuh platform for continuous security event monitoring, endpoint threat detection, and automated alert correlation 24/7.
Centralized log collection from all systems. Minimum 12-month retention. Anomaly monitoring and automated alerting.
3-2-1 backup strategy (3 copies, 2 media types, 1 off-site). Regular recovery testing. RPO < 4h, RTO < 8h for critical systems.
Regular infrastructure and application scanning. Patch management process with SLA. Prioritization based on CVSS and business context.
Facility access control, CCTV monitoring, clean desk and screen policy. Server room security in accordance with ISO 27001 requirements.
Cloud configuration hardening per CIS Benchmarks. Network segmentation, WAF, real-time configuration monitoring and compliance.
EDR agent on all workstations and servers. Automatic isolation of compromised devices. Device management policies.
Periodic infrastructure and application penetration tests by independent auditors. Critical vulnerability remediation within 48 hours.
Central directory service with SSO. Automatic deprovisioning during offboarding. Quarterly access reviews.
Microsegmentation with next-generation firewalls. Isolation of production, development, and test environments. East-West traffic control.
Our security policies are regularly reviewed, updated, and communicated to all employees. Key documents are available upon request for qualified clients and partners.
The overarching ISMS document defining the objectives, scope, and principles of information security management within the organization.
Review: every 12 months | Last update: Q1 2025
Personal data processing principles in accordance with GDPR, including legal bases, retention, data subject rights, and breach procedures.
Review: every 12 months | Last update: Q1 2025
BCP/DRP plans ensuring operational continuity in case of incidents. RTO/RPO definitions, escalation procedures, and crisis communication.
Review: every 12 months | Testing: every 6 months
Role-based access control (RBAC), multi-factor authentication, and access review management principles.
Review: every 12 months | Access reviews: quarterly
Process for detection, classification, escalation, and handling of security incidents. Severity definitions, response SLAs, and post-mortems.
Review: every 12 months | Exercises: every 6 months
Rules for using the organization's IT resources, including work devices, email, internet, and remote work.
Review: every 12 months | Last update: Q4 2024
A regular program of internal and external audits ensures continuous compliance with standards and regulatory requirements.
Annual surveillance and recertification audits for ISO 27001 and ISO 9001 conducted by the accredited body DNV Business Assurance.
Cyclical internal audit program covering all ISO 27001 clauses, Annex A controls, and GDPR compliance.
Regular infrastructure and application security testing, vulnerability scanning, and configuration verification.
Continuous IT infrastructure monitoring via the Wazuh SIEM/EDR platform. Automated anomaly detection and real-time alerting.
External audit reports and certification details are available upon request for qualified clients and business partners. Contact us for access.
Have questions about our security measures, certifications, or need access to documentation? Contact our information security team.
Trust Center last updated: February 2025
Information contained in the Trust Center is for informational purposes. Detailed security documentation is available upon request after signing an NDA.