Frequently Asked Questions

These are the most commonly asked questions about Spinae.
Can’t find what you’re looking for? Contact us.

Our mission is to empower organizations to secure their critical assets, products, and services. We achieve this by providing technology-independent guidance and building internal cybersecurity capabilities within your organization. The letter ‘r’ between brackets is no lack of ambition, but the realism that 100% cybersecurity is neither practical nor desirable. Perfect security would require completely disconnecting from the digital world—which defeats the purpose of digital transformation and business innovation. Instead, we focus on making the digital world "safer"—managing and mitigating risks to acceptable levels while enabling your organization to thrive both digitally and economically.
Technology and vendor independence means we don't sell, resell, or receive commissions from any IT or security products and platforms. Our assessments and recommendations are based purely on what we consider best for your organization's specific needs and risks, not on what generates revenue for us or any vendor. We're not tied to any particular vendor's ecosystem or incentivized to oversell solutions or services. This independence matters because when advisors have financial relationships with vendors, their recommendations can be, consciously or unconsciously, biased toward solutions they know or that benefit them financially rather than toward what is operationally optimal for your organization.

Moreover, we strongly believe that technology can only secure so far. Digital benefits are not durable if you don't factor in the cyber and information security risks at all levels of your Business and IT architecture. To manage these today and tomorrow, you need to look beyond the necessary technology investments and build an in-house capability and culture that can make continual trade-offs and create transparency and trust.

Our vendor-neutral approach means we can objectively evaluate your existing investments, recommend the most cost-effective solutions, help negotiate better contracts, and even advise when you don't need new technology at all. Sometimes the best cybersecurity improvement comes from better processes or training—advice you're unlikely to hear from vendors trying to sell you something new.
Cybersecurity is both important and a challenge for every type of organisation. Yet we try to focus on more technical and/or complex sectors. We work, or have worked, in the following sectors:

- Discrete Manufacturing
- Food (processing)
- Chemical
- Engineering & Automation
- Energy (production & storage)
- Real Estate development
- IT & Cloud solution providers
- Healthcare
- and even Financial Services

The list goes on. So, if you don't recognize yourself in this non-exhaustive list, just contact us: a short scoping call will quickly reveal whether we have a fit and/or relevant experience.
IT and OT were once two isolated worlds with separate responsibilities within every organisation that has a technical component at its core. Nowadays, the convergence of and interaction between the two require knowledge and collaboration to secure the entire organisation, and even the larger, extended supply chain(s) of which each company is part.

OT and IT have fundamentally different priorities and constraints. IT security focuses on protecting data/information confidentiality and system availability, while OT security must prioritize human safety, environmental protection, and continuous operation of critical processes. An IT security incident might mean stolen data or system downtime, but an OT security breach could result in physical harm, environmental damage, or disruption of production (food, chemical, discrete products, ...) or of essential ‘public’ services like power, transportation or water supply.

Organizations need security experts, and expertise, that understand both domains and their intersection. Most cybersecurity providers specialize in either IT or OT, leaving dangerous gaps where these worlds converge. Spinae's dual expertise ensures comprehensive protection that keeps your business data secure while maintaining the safety and reliability of your operational processes.
If we can build up secure capabilities in complex industrial environments where a cybersecurity failure could shut down production lines or compromise safety systems, we can certainly protect organizations with less technical complexity. Our expertise demonstrates our ability to handle the most demanding cybersecurity challenges—which means we're well-equipped to secure HR service providers, financial institutions, transport companies, IT/OT consulting firms, or any other business. In fact, many of our clients are exactly these types of organizations: IT providers, software companies, automation specialists, payroll services, and financial partners. These businesses often have sophisticated cybersecurity needs despite not having traditional operational technology—they handle sensitive client data, manage critical business processes, or provide services that other organizations depend on.

Our technical depth and business-oriented approach mean we can scale our expertise to any organization's complexity level. Whether you're managing industrial control systems or simply need to protect customer databases and ensure business continuity, the same risk-based, practical security principles apply. We help organizations of all technical levels build proportionate, effective cybersecurity programs that enable rather than hinder their business objectives.
ISO 27001 is an international standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing and protecting sensitive information through policies, procedures, and controls that ensure the confidentiality, integrity, and availability of data. We assist organizations pursuing ISO 27001 certification to demonstrate security credibility to customers, comply with regulatory requirements, or improve their overall security posture. First of all, we help you scope it and translate the generic approach to your size, context and risk appetite.

Spinae provides comprehensive support throughout your ISO 27001 journey. We help with gap analysis to understand where your current security practices differ from the standard's requirements, develop and implement the necessary policies and documentation, and establish the management system that ISO 27001 requires. We don't just help you get certified—we maximise the chance that the ISMS actually works for your organization and supports your business objectives.

Our approach goes beyond compliance checkbox exercises. We translate ISO 27001's technical requirements into practical business language, integrate security controls into your existing processes, and train your team to maintain and continuously improve the ISMS. We also provide audit preparation and assistance, helping you successfully navigate certification audits and ongoing surveillance assessments. Importantly, we position ISO 27001 as the foundation of your broader security program, not the endpoint.
IEC 62443 is the international standard for industrial cybersecurity, specifically designed for operational technology (OT) environments like manufacturing plants, process control systems, and critical infrastructure. Unlike IT security standards, IEC 62443 addresses the unique challenges of securing systems where safety, continuous operation, and physical processes come first, and where you can't simply reboot or patch systems without disrupting production. Our approach works with all stakeholder roles defined in the standard—whether you're an Asset Owner operating industrial systems, a System Integrator building automation solutions, or a Product Supplier developing industrial components.

Spinae provides specialized support for implementing IEC 62443 across your OT environment. We conduct zone and conduit assessments to properly segment your industrial networks, perform risk assessments specific to operational technology threats, and help establish the security levels appropriate for your different operational zones. We understand that OT security requires balancing protection with operational continuity. We help develop secure-by-design principles, establish supplier security requirements, and create operational procedures that embed security into maintenance and engineering workflows. Our dual OT/IT expertise ensures your industrial cybersecurity program aligns with your overall ISMS and business risk management approach.
Vulnerability scanners can identify potential weaknesses, but only penetration testing shows whether those weaknesses can actually be exploited and what real damage an attacker could cause. It's the difference between knowing your door lock is old and having someone demonstrate they can pick it in 30 seconds. Offensive security—ethical hackers testing your defenses—reveals the true effectiveness of your security controls under realistic attack conditions.

Penetration testing also validates your detection and response capabilities. Can your security team or SOC service provider actually spot an intrusion in progress? Do your incident response procedures work under pressure? These insights are invaluable for building resilient security programs that can withstand real attacks, not just pass compliance checklists.

So, the bottom line is: "Seeing is believing." Penetration testing isn't just about finding vulnerabilities—it's about proving your defenses actually work when tested against realistic attacks.
Penetration testing simulates real-world attacks to identify vulnerabilities before malicious actors can exploit them. We offer several specialized types, each focusing on a specific set of attack vectors:

- Application Penetration Testing: Testing web applications, mobile apps, and APIs for security flaws like injection attacks, broken authentication, insecure data storage, and business logic vulnerabilities. This includes both external-facing and internal applications.
- Infrastructure Penetration Testing: Assessing your network infrastructure, servers, firewalls, and perimeter defenses. We attempt to gain unauthorized access, escalate privileges, and move laterally through your systems—simulating how an attacker would compromise your network.
- Device/Hardware Penetration Testing: Testing physical devices like embedded devices, IoT sensors, industrial controllers (PLCs), building management systems, etc. This is particularly relevant for OT environments where hardware vulnerabilities can have physical safety implications.
- Social Engineering Testing: Often not seen as 'real' pentesting, but assessing human vulnerabilities through phishing campaigns, physical access tests of offices and/or server rooms, or telephone-based social engineering. Often, the weakest link isn't technology—it's people.

We tailor our testing approach to your specific environment, risk profile, and compliance requirements, providing actionable findings that improve your security posture without causing operational disruptions.
Spinae has expertise in the following:

Standards
- ISO 27001 (Information Security Management)
- IEC 62443 (Industrial/OT Cybersecurity)
- ETSI EN 303 645 (IoT Cybersecurity)
- ISO 21434 (Automotive Cybersecurity)
- NR 659 (Bureau Veritas - Rules on Cyber Security for the Classification of Marine Units)

Frameworks
- CIS Controls (Cybersecurity Best Practices)
- NIST Cybersecurity Framework (NIST-CSF)
- NIST SP 800-218 (Secure Software Development Framework)
- NIST SP 800-61 (Incident Response)
- NIST SP 800-64 (SDLC Security Considerations)
- NIST SP 800-82r3 (ICS/OT Security)
- CMMC (Cybersecurity Maturity Model Certification - US Defense)
- SWIFT CSCF (Customer Security Controls Framework - Financial)

Legislation/Regulations
- EU GDPR (General Data Protection Regulation)
- NIS/NIS2 Directives (Network and Information Security)
- DORA (Digital Operational Resilience Act)
- CER (Critical Entities Resilience Directive)
- AI Act (EU Artificial Intelligence Act)
- CRA (Cyber Resilience Act)
- EU Machinery Directive
- RED (Radio Equipment Directive)

The distinction between frameworks and standards can be nuanced—frameworks are typically more flexible and principles-based, while standards are more prescriptive and can be certified against.