It is the dark side of digitalization: cyberattacks are no longer a rarity, but a constant threat to companies. Experts estimate that more than half of all reported cybersecurity incidents are now attributable to criminal organizations and malicious actors.

A serious threat, especially for smaller businesses

Around the globe, data breaches, system intrusions and extortionist ransomware attacks are reported almost daily, the most recent example being the cybercriminal activities of the “REvil” extortion group. Attackers do not only target international corporations or big businesses: many criminals earn a living by targeting small and medium-sized enterprises (SMEs) as well.

Cyberattacks compromise the confidentiality, integrity and/or availability of corporate data, information systems and networks, the three properties known as the CIA triad of information security. The potential damage ranges from financial losses to reputational damage and regulatory penalties, and from business interruption to bankruptcy. This makes it all the more important that small and medium-sized enterprises and subsidiaries also have appropriate budgets, security tools and human resources in place to counter the ever-increasing threats posed by cyberattacks.

Sources: Symantec Internet Security Threat Report and Fundera

Systematic risk management is required

Every organization depends on the reliable functioning of its critical infrastructure. However, the increasing complexity and connectivity of infrastructure systems expands the attack surface and makes it easier for cybercriminals to exploit information security vulnerabilities. It is therefore increasingly important for businesses to pursue a systematic approach to identifying, assessing and prioritizing cyber risks. On this basis, controls can be selected and implemented to bring the level of risk down to an acceptable range, and the residual risk that remains after those controls can be checked against the level the business is willing to accept.
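To make the identify, assess, prioritize and treat steps concrete, here is a small risk register as an added example. It is not code from the whitepaper or from TÜV Rheinland; the assets, threats, scores, controls and the risk appetite threshold are all constructed for illustration, and the 1-5 likelihood by 1-5 impact scale is a common qualitative convention rather than a scheme the whitepaper prescribes.

```python
"""Added example (not from the original article): a minimal cyber risk
register that walks through identify -> assess -> prioritize -> treat and
then checks residual risk against a risk appetite. All data is constructed."""
from dataclasses import dataclass, field

# Constructed threshold: a residual score above this is not acceptable and
# needs further treatment (more controls) or a documented risk acceptance.
RISK_APPETITE = 6


@dataclass
class Control:
    """A control lowers likelihood and/or impact by a number of scale points."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), qualitative scale
    impact: int      # 1 (negligible) .. 5 (severe), qualitative scale
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"score {value} outside the 1-5 scale")

    def inherent(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk after the selected controls; scores never drop below 1,
        because no control removes a risk entirely."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def build_register() -> list:
    """Identify and assess: a constructed register for a small company."""
    training = Control("security awareness training", likelihood_reduction=1)
    offline_backups = Control("offline, tested backups", impact_reduction=3)
    mfa = Control("multi-factor authentication", likelihood_reduction=3)
    fde = Control("full-disk encryption", impact_reduction=3)
    return [
        Risk("file server", "ransomware via phishing", 4, 5, [training, offline_backups]),
        Risk("web shop", "credential stuffing against customer logins", 5, 3, [mfa]),
        Risk("laptops", "lost or stolen device", 3, 4, [fde]),
        Risk("legacy ERP", "unpatched vulnerability exploited", 4, 4),  # no control yet
    ]


def prioritize(register: list) -> list:
    """Prioritize: highest inherent risk first, asset name as tie-breaker."""
    return sorted(register, key=lambda r: (-r.inherent(), r.asset))


def unacceptable(register: list, appetite: int = RISK_APPETITE) -> list:
    """Treat/accept check: risks whose residual score still exceeds the appetite."""
    return [r for r in register if r.residual() > appetite]


def report(register: list) -> list:
    """Human-readable lines, one per risk, in priority order."""
    lines = []
    for r in prioritize(register):
        controls = ", ".join(c.name for c in r.controls) or "none"
        lines.append(f"{r.asset:12} {r.threat:45} inherent={r.inherent():2} "
                     f"residual={r.residual():2} controls: {controls}")
    return lines


if __name__ == "__main__":
    reg = build_register()
    print("\n".join(report(reg)))
    for r in unacceptable(reg):
        print(f"ACTION REQUIRED: {r.asset} ({r.threat}) residual {r.residual()} > {RISK_APPETITE}")
```

Running it lists the four constructed risks by inherent score and flags only the uncontrolled legacy ERP as still above the appetite; the point of the structure is that a control is recorded against the specific risk it treats, so the residual calculation shows where the baseline controls still leave a gap.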

In a subsidiary, these controls can be implemented via policies of the Group or parent organization. Another option for SMEs is to adopt customized controls based on best practices. The TÜV Rheinland whitepaper “Information Security Baseline: SME/Subsidiary” provides an insight into the advisory and mandatory information security controls. Interested companies will learn what measures SMEs and subsidiaries can implement to ultimately ensure the confidentiality, integrity and availability (CIA) of their critical system resources.

Advisory and mandatory cybersecurity controls

The proposed baseline controls apply to all employees of a company, contractors, subcontractors and their respective facilities supporting the Group organization’s business operations. They are relevant wherever Group data is stored or processed and also concern third parties who have been contracted by the Group organization or its subsidiary to handle, process, transfer, store or dispose of Group data.

Mandatory controls

  • Mandatory controls establish an information security baseline for the entire Group community and must be implemented by all subsidiaries in their local, remote and/or cloud infrastructure. To set a realistic goal for a tangible short-term gain in security, we prioritized 15 mandatory management, technical and operational controls.

Advisory Controls

  • The 14 advisory controls are based on best practices that the subsidiaries can also implement to improve their information security standards. Over time, mandatory controls may change due to the evolving threat landscape, and some advisory controls may become mandatory.

Whitepaper Download

For more detailed information on the control measures listed, please see the whitepaper “Information Security Baseline: SME/Subsidiary”.

Anand Rabindranath is a Senior Information Security Specialist at TÜV Rheinland in Muscat, Oman. He has more than ten years of professional experience in IT security, audit, risk and compliance management. Among other things, he supports global companies in implementing information security management systems and training internal users on computer security topics. As a result, they are better able to prevent IT security breaches and respond to cyber attacks.

