Information Risk Management & Governance

In today’s cyber security landscape, ensuring compliance & good governance is more important than ever.

  • What happens when you need to demonstrate the integrity of your security and compliance practices?
  • How do you manage increasing numbers of required or recommended certifications?
  • What happens if you are suddenly required to meet a new set of security standards?
  • How do you manage the process of testing and verifying your compliance?

We deliver a systematic and strategic approach, covering all aspects of information risk management.

Key Features

  • Continual compliance management available.
  • Expert help and advice from experienced staff.
  • PCI qualified security assessor & approved scanning vendor.
  • ISO 27001 accredited organisation.
  • Green light CHECK accredited company.

Information Assurance Consultancy

What is your plan to ensure critical functions will continue after an incident? 

NCC Group provides information assurance consultancy to help companies develop a Business Continuity Plan and protect critical business information. We have a long history in cyber threat prevention, security and information assurance. We can help you set the correct direction and approach for your organisation to mitigate risk.

Our experienced Information Assurance Consultants will assist you in assessing security risks. We work with you to provide possible solutions and advise you on policy implementation to improve information security. Such projects may range from short one-day workshops or advisory visits through to longer-term support.

We help organisations to develop modern security strategies. Our risk assessment team will conduct an in-depth analysis of your facilities and processes. Our specialist skills allow us to build a more holistic business continuity strategy. This will help ensure the continuation of business activities and the safety of information should an incident occur. Making a business continuity strategy ensures that you have identified, and planned to respond to, any possible incident that would otherwise result in a business failure.

Many of our clients come to us to help them achieve certifications such as ISO 27001, which is the benchmark for information security. Whatever your policy needs, our consultants are able to help. They can define requirements and deliver policies that meet your goals.

  • We create policies that will meet ISO 27001 requirements
  • We provide risk assessments following best-practice methods such as ISO 27005 and ISF IRAM
  • We supervise test exercises to support ISO 22301 certification
  • A policy review can be carried out to encompass PCI DSS requirements

NCC Group provides these services as a trusted advisor, partnering with our clients to address their security and assurance requirements. To find out more about how our Information Assurance Consultants can help, phone us today or arrange a call back using our contact form.

Virtual CISO Security Manager

Having spent time and effort improving your security and assurance posture, how do you continually evaluate and maintain it as the business grows?

Our Solution

One cost-effective and efficient option is NCC Group's Virtual CISO and Security Manager service, which provides access to a wide range of compliance-based and technical skills under one framework.

Acting as an extension to your organisation, our experienced consultants provide an ongoing security presence and ensure risks and incidents are reduced before they can cause unacceptable business losses. By utilising this service you also gain access to NCC Group’s huge security knowledge base – providing much greater resilience and support than an individual CISO/Security Manager could hope to provide.

What to Expect

As well as access to our experts in security and assurance, this service also includes:

  • Dedicated onsite time every month.
  • Email and phone support during office hours.
  • Change and project risk assessment.
  • Security incident management.
  • Proactive risk management.
  • Business and IT consultancy.
  • Information security audit plan management.
  • IT/Governance Steering Committees attendance if required.
  • Monthly reporting (where defined) with security KPIs.

Key Benefits

  • Allows you to significantly lower costs.
  • Enables your business by improving its information security posture.
  • Provides management peace of mind that your business is secure and that security issues are being managed by professionals.
  • Meets business objectives while ensuring new projects are secure and compliant.
  • Delivers proactive information security risk management to avoid surprises and assist funding and planning.
  • Gives direct access to technical security specialists.
  • Increases stakeholder and customer confidence while business risks decrease.
  • Keeps smaller businesses up to date with new regulation across legal jurisdictions.
  • Helps you to be better prepared to address the ever-increasing compliance and security regulation and legislation.

Technical Design Review

Implementing or updating any IT Security Architecture can leave your business vulnerable. How do you ensure you are protected during the transition? Do you know the real requirements for your security?

Our Solution

Performing a Technical Design Review allows us to determine the real requirements of your information security and to evaluate policies and procedures independently. By allowing us to review any proposed or existing IT security solution, we can help ensure you reduce reliance on individual resources and satisfy clients’ security expectations. Contact our information security experts now to discuss the scope of the review and how we can help you build your security profile.

What to Expect

Our review is delivered via a mixture of documentation and workshops that can be customised to your circumstances. These can include:

Design Concept Workshops: Our Security Consultants can join with your IT staff, Security Architects and Web Designers to provide clear, tangible security advice. Integration can be carried out at any stage of a project.

Existing Solution Review: If you already have a number of processes and policies in place, we can perform a design review to ensure best practices are being followed. We will identify existing security vulnerabilities that may not have been picked up via traditional penetration testing or compliance reviews.

Solution Migration: Migrating key security infrastructure or implementing technical changes can pose an increased risk to your security. Our consultants can assist in reducing this risk by reviewing migration plans and attending workshops.

PSN Design Workshop: If your company is planning on providing services to the UK Government’s Public Service Network, we can help you define a solution that is capable of satisfying the mandatory functional and security requirements.

Key Benefits

Our Technical Design Review can be particularly useful when the challenges you face are not covered by existing published guidelines. Our experts can consult on the creation of solution architecture for your IT Infrastructure. We also provide consultancy for the implementation of procedures and policies that protect the security posture of the overall solution.

CESG Listed Advisor Scheme (CLAS)

The CESG Listed Advisor Scheme (CLAS) provides a pool of private sector information security professionals, approved by CESG (GCHQ), to give IA advice to UK Government departments and agencies.

Our Services

NCC Group offers a full range of CLAS-related services, from project inception through go-live to monitoring and maintenance, including:

  • Advice and guidance for connecting to PSN (Public Services Network) and completing Code of Connection (CoCo) accreditations.
  • Advice and guidance to clients seeking G-Cloud listing on how they can achieve the required levels of security, how to complete the forms and general help through the process.
  • Providing CLAS qualified and experienced staff working as Accreditors across the civil and military services.
  • Assessments against the Security Policy Framework (SPF), providing advice and guidance to organisations on how to improve their compliance with this standard.
  • Undertaking Technical Risk Assessment (IAS Parts 1&2) and the development or update of Risk Management and Accreditation Document Sets (RMADS).
  • Security Architecture and Infrastructure design advice and guidance for OFFICIAL and SECRET systems.
  • The creation and development or update of System Operating procedures (SysOps) to align with the latest HMG guidance.
  • Reviews of Forensic Readiness processes and plans against GPG18, providing advice and guidance on how to improve an organisation's forensic posture.
  • Assessment and advice to organisations on complying with HMG guidance when off-shoring services and data.
  • Reviews of mobile working solutions and End User Devices (EUD), assessing the approach and strategy and conducting gap analysis exercises against HMG EUD requirements.
  • Providing CLAS resource required for the delivery of CESG Tailored Assurance Evaluations (CTAS) and CESG Assured Services (CAS) assessments.

Key Benefits

  • We have a large team of in-house CLAS consultants and CLAS associates which allows us to manage and deliver large complex long term engagements and smaller specific engagements.
  • We can create a CLAS team to address different CLAS CCP specialisms which may be required at different phases of project delivery.
  • We can provide continuity of CLAS resource for call-off engagements, with experience of central government, local government and suppliers of services into government.
  • Our CLAS team also delivers our CTAS and CAS services, and so can bring innovative solutions and knowledge to address your CLAS requirements.

CESG Assured Service for Telecommunications - CAS (T)

The scheme supports the government's Public Services Network (PSN), which requires that all telecoms services procured by public sector bodies be assured to suitably protect information at IL2-2-4. This level is sufficient for the transmission of Unclassified and Protected data.

CAS(T) Services by NCC Group

NCC Group has been delivering ISO 27001-based services and has used this experience to develop a service offering enabling our clients to meet their CAS (T) requirements, through all stages of CAS (T) compliance, from service scope definition, through to audit and final submission to CESG.

Our CAS (T)-based services include:

  • Scope Validation: We undertake focused exercises to identify and confirm the exact scope of any CAS (T) project. This enables our clients to focus effort where it is needed.
  • Gap Analysis: We deliver gap analysis against the CAS (T) requirements to map exactly what work our clients need to do in order to bring themselves in line with the standard.
  • Remediation: We assist clients as a trusted advisor helping them to remediate the gaps identified as part of a gap analysis exercise. This support includes services ranging from policy development through to design support.
  • Audit: As we have CAS (T) accredited auditors within our team, at the end of the process, we are able to undertake full compliance audits which we will then submit to CESG to confirm that you meet the CAS (T) requirements.

Supplier Assured

Do you need peace of mind that your third party suppliers are taking serious, proactive measures to ensure the ongoing security of your information?

Our expert Supplier Assured team will review your suppliers' data security controls, informed by industry best practices such as ISO 27001, and report on each supplier's current security posture.

While key operations and processes can be outsourced to a third party, your business risks cannot be. So why do so many organisations still fail to assess their third party suppliers' IT security risks and ensure the ongoing security and availability of their business-critical information?

Third party suppliers can be an attractive way for cyber criminals to gain access to data and networks that would otherwise be beyond their reach. A huge range of external suppliers, from marketing to accountants to legal firms, can all be potential vulnerabilities. These suppliers may hold customer data, employee data or intellectual property that is hugely valuable to competitors.

When dealing with a third party it should be a given that all possible technical safeguards have been put in place to protect your data; however, as recent headlines have shown, this is not always the case. Organisations need to impose the same strict security policies on all third party suppliers and partners as they do on themselves. Insisting on a comprehensive IT security policy at the very beginning of working with the company is a good start.

NCC Group Compliance Manager

How do you track compliance across your organisation?

Organisations are faced with increasing pressure to implement and efficiently operate governance, risk and compliance (GRC) processes, as well as information security technology. Both are needed to help organisations meet the requirements of a growing number of IT compliance standards, such as ISO 27001/2, PCI DSS and SOX.

Our Solution

NCC Group’s Compliance Manager offers a practical and proven alternative to the currently available GRC options. It is designed for organisations that need to implement a number of GRC processes within a short time frame and at a reasonable price.

Our Compliance Manager comes with a set of Template Forms and workflows to fast track process implementation. These cover areas such as PCI DSS 2.0 & 3.0 and ISO 27002, ITC Policies, and Incident Response.

What to Expect

  • Forms – enabling the user to quickly define Forms (without programming) to implement the data capture element of a process, such as an ISO 27002 control list, an Incident Response Form or a 3rd Party Assurance Questionnaire – the possibilities are endless.
  • Workflows – to control the flow of Forms through a process.
  • User Definable Dashboards – providing the user with a summary or granular view of process activity.
  • Define and track Projects and Tasks, related to a specific Form or section within a Form, for example requesting that a person completes a specific Section or adds evidence for a compliance requirement.
  • Reference System Objects from other modules within Forms - such as Scans, Audits, Vulnerabilities, Assets and Events – to implement the concept of continuous auditing and compliance.
  • Store documents, such as the evidence for a security control, in a central repository and link the evidence to a Compliance Requirement or Control.
  • Export data to office productivity tools, such as Microsoft Excel, for further analysis.
  • Run a selection of operational and management reports, providing different views of the information for different stakeholders.

Key Benefits

Compliance Manager provides organisations with a convenient, cost-effective way to automate GRC processes – in a manner and at a pace that meets with resource and budgetary constraints. Efficiencies and cost savings are achieved rapidly through process automation and by reducing spreadsheet proliferation – removing the manual process of aggregating spreadsheet data.

Additionally, the Software as a Service (SaaS) model is ideal for organisations that need to automate processes across departments, geographic territories and organisations (such as trading partners), providing a common ‘language’ for all stakeholders. It allows everyone involved in the end-to-end compliance picture to access the information they need, when they need it, from anywhere in the world.

All of this enables compliance teams to operate more effectively and puts them in a position to meet their growing compliance workloads.

Card Production Audits

When producing payment cards, any failings in your systems could compromise the security of your organisation and of sensitive data. How do you currently check your security to ensure compliance?

As a service provider to both MasterCard and Visa Inc., we provide PCI Card Production certification audits globally. NCC Group will ensure that your logical and physical security measures are up to the job and are compliant with the industry standards.

Here are the services we provide:

  • PCI Card Production Audits
  • Over-The-Air (OTA) Personalisation Audits
  • 3-D Secure Audits
  • Cloud-based Payment Platform Security Audits
  • PCI Card Production Consultancy
  • Training Services for Card Vendors

PCI Card Production Audits

NCC Group is accredited by MasterCard and Visa Inc. to perform audits against PCI Card Production logical and physical security requirements. We have unrivalled experience of conducting payment scheme audits worldwide and helping card vendors achieve compliance and certification to the industry standards. We have 11 auditors approved by the major payment schemes and conduct card audits of personalisation and manufacturing facilities in over 60 countries. We have expertise in all areas of card production including personalisation, manufacturing, PIN distribution, EMV and key management and mobile provisioning.

Over-The-Air (OTA) Personalisation Audits

Over-the-air (OTA) personalisation, also known as mobile provisioning, is the process whereby a consumer’s payment account details are securely transferred onto their NFC (Near Field Communication)-enabled mobile phone. OTA personalisation occurs remotely, allowing provisioning of mobile handsets with MasterCard or Visa payment credentials over wireless networks. These mobile devices can then be used to perform payment transactions at merchant locations with enabled contactless point of sale terminals.

NCC Group has significant experience in delivering consultancy services and certification audits of the mobile provisioning facilities wishing to take advantage of this growing market. Our understanding of the commonalities and differences between the OTA provisioning standards of the major payment schemes helps us efficiently deliver combined certification audits in a single visit.

3-D Secure Audits

To reduce fraud and increase consumer confidence in online shopping, payment schemes introduced a mechanism of 3-D (Three Domain) authentication allowing issuers to verify that the person making an e-commerce transaction is an authorised cardholder. The three domains of the 3-D Secure service (Issuer, Acquirer and Interoperability Domains) provide secure protocols enabling enrolment of cardholders in the 3-D Secure service and secure exchange of data between the issuer and merchant in order to authenticate the cardholder during the e-commerce purchase.

The 3-D Secure service enables cardholders to enrol in the scheme and set up security credentials that will authenticate them during online transactions. Participating merchants implement a Merchant Server Plug-in in their e-commerce system. Via a secure exchange of messages with the payment scheme and the Issuer, this Plug-in allows merchants to verify whether a cardholder is enrolled in the 3-D Secure service and to authenticate them with the security credentials registered by the cardholder at the time of enrolment.

NCC Group is accredited to perform certification audits of facilities seeking Visa Inc. 3-D Secure certification (also known as Verified by Visa or VbV) of Access Control Server and Enrolment Server services.

Cloud-based Payment Platform Security Audits

NCC Group is accredited to perform audits of Cloud-Based Payment Platform providers. The introduction of Host Card Emulation (HCE) technology is a significant development in the mobile payment industry: it supports contactless payments made using NFC-enabled mobile devices and removes the need for a secure element on those devices. During a contactless transaction, the secure element (or smart card) is emulated by HCE software deployed on the mobile device, which calls upon payment account details stored in a secure virtual cloud instead of on the mobile device itself. NCC Group works with Cloud-Based Payment Platform providers to assess the physical and logical security systems supporting all stages of HCE-based payment, including data provisioning, active account management, verification for payment, transaction processing, lifecycle management and post-payment processing.

PCI Card Production Consultancy

NCC Group has been conducting payment scheme audits since 2002 and has gained a wealth of experience assisting card vendors in building up their facilities from ‘zero’, introducing new service lines or undergoing changes. We provide sound advice and practical assistance in reviewing construction plans and physical layouts of the facility, correct implementation of the access control system, intrusion detection system and CCTV cameras, designing the network architecture and developing the ISMS policy suite. All consultancy projects are different, and we work with the client to understand their needs and concerns and develop a consultancy service that addresses all of the client’s requirements.

Training services for Card Vendors

It is important that card production staff have knowledge of the production process, site security and logical security procedures. We work with card vendors to develop and deliver targeted training sessions for the relevant audience, covering topics that are particularly important to our client, such as:

  • HR security, pre-employment and ongoing screening
  • Visitor handling process
  • Production process and audit trail
  • Key management
  • Guards’ responsibilities
  • Security policies and procedures
  • Business continuity and disaster recovery

Our History and Credentials

February 2002

NCC Group was the first company to become MasterCard International accredited for Logical Security audit of card production facilities.

March 2008

NCC Group became accredited by MasterCard International to conduct Physical Security audits.

March 2009

NCC Group was accredited by MasterCard International to conduct Mobile Provisioning Over The Air (OTA) assessments.

March 2011

NCC Group became Visa Inc. approved for the CEMEA and AP region to provide logical and physical security audit services of card production facilities.

July 2014

NCC Group was approved by the other major card scheme to conduct logical security assessments of card vendors.

September 2014

NCC Group was approved to perform Visa Inc. PCI Card Production audit in the USA, Canada and Latin America.

GSMA Security Accreditation Scheme

There is an increasing use of embedded SIMs (eUICC) in phones, automobiles, smart meters and other products, facilitating ‘over the air’ provisioning of subscriber-tailored services. Products with eUICCs are commonly referred to as machine-to-machine (M2M) devices.

Many machine-to-machine devices are not easily reachable for the purpose of subscription management. Subscription Managers (i.e. provisioning providers) and mobile network operators have been collaborating to develop ‘Subscription Management’ solutions to accommodate this emerging market.

The GSMA’s Security Accreditation Scheme (SAS) was set up to assure and provide confidence to the mobile network operators and their customers that the management of subscription profiles would be carried out against stipulated minimum logical and physical security standards, thereby guaranteeing the security, integrity and confidentiality of the subscriber’s personal and profile information.

There are two activities which are carried out to complete the subscription management process: Data Preparation (SM-DP) and Secure Routing (SM-SR).

Being one of the two independent SAS auditor companies approved by the GSMA, NCC Group can conduct audits against the SAS SM-DP and SAS SM-SR standards worldwide. All audits are carried out to current GSMA standards to meet full compliance. These security audits ensure measures are in place to protect the mobile network operator (MNO).

The audit covers the following areas:

  • Security policy, strategy and documentation
  • Security organisation and responsibility, including internal audit and control
  • Information security
  • Personnel security
  • Physical security
  • Production data management
  • Logistics and production management
  • Computer and network management
  • Data and service management specific to data preparation and secure routing functions of Embedded SIM remote provisioning