Skip content

Regulatory Compliance Testing Services

We ensure your organisation meets the stringent demands of national and international regulations

LRQA is an approved Threat Intelligence provider across regulatory frameworks including CBEST and GBEST

Ensuring compliance with cybersecurity standards is increasingly complex. As the cyber technologies integrated into everyday business practices evolve, so does the legislation that governs them. On top of this, today’s globalised world means that business operations often span multiple jurisdictions.

Staying proactive and abreast of legislation requires dedicated expertise that can exceed workforce capabilities. However, a lack of focus on security or compliance can open your organisation to security breaches, non-compliance and potential fines. To mitigate risks, you must navigate complexities, adapt to evolving legislation and invest in cybersecurity measures. LRQA can help. Our Regulatory Compliance Testing services are designed to ensure your organisation meets the stringent demands of national and international regulations.

  Award-winning expertise

Our cyber security team continues to achieve multiple vendor certifications, highly respected industry accreditations and international accolades, demonstrating the breadth, depth and impact of their services.  

Our approach to Regulatory Compliance Testing

Our services will help protect your businesses by quantifying your risk, identifying vulnerabilities and assessing technology to deliver practical solutions that enable compliance with cybersecurity legislation and frameworks.

Risk identification

We undertake a thorough assessment of your organisation’s systems and infrastructure.

Expert insight

Our experts possess the certifications and knowledge you need to understand the standards you must comply with.

Remedial advice

We provide robust and actionable remedial advice for all levels of vulnerability.

Debrief

We provide detailed reports in a digestible format. All our tests come with a business debrief as standard.

CBEST Assessments

Created by the Bank of England and supported by CREST, CBEST testing assessments make significant use of Cyber Threat Intelligence, deliver sophisticated Red Team style assessments and provide incident response maturity assessments.

CBEST engagements are unique when compared to many other types of assessments because they can only be instigated by the Bank of England. The Bank of England is involved in the scoping of the assessments and determines which types of assets and systems comprise the test scope. The threat intelligence used to determine the testing approaches is augmented by GCHQ.

CBEST requires organisations to commission a threat intelligence gathering exercise by a CBEST-approved threat intelligence provider. This exercise:

  • Reviews geopolitical threats
  • Reviews tactics, techniques and procedures (TTPs) of threat actors known to be targeting similar types of organisations.
  • Reviews open-source intelligence relating to your organisation.
  • Gathers and reviews closed-source intelligence relevant to your organisation.
  • Creates a series of scenarios that reflect real-world threats.
  • Includes TTPs to be simulated, goals to be executed and targets to be pursued.

LRQA is one of only a handful of CBEST-approved service providers to be accredited by both CREST and the Bank of England as CBEST Penetration Testing providers and CBEST Threat Intelligence providers. We have extensive experience with CBEST testing and a full team of CBEST-certified individuals who hold CREST CCSAS, CCSAM and CCTIM certifications.

We have also developed our state-of-the-art custom tooling to mimic sophisticated threat actors that are known to be prevalent within the financial services sector. This toolset is unique within the industry and is one of the reasons why LRQA’s team has been highly successful in supporting organisations’ intelligence-led assurance strategies.

STAR-FS

STAR-FS assessments are similar to CBEST engagements as they both leverage the concepts of Red Teaming and utilise threat intelligence to simulate the tactics, techniques and procedures of threat actors against financial institutions. However, STAR-FS assessments are designed to allow for a lighter or optional involvement of the Regulator.

STAR-FS requires organisations to commission Threat Intelligence Services from a STAR-FS-approved Threat Intelligence provider. Several threat scenarios are defined and then utilised by an Intelligence-led Penetration Testing team to simulate real-world attacks.

STAR-FS engagements must be structured in four main components:

Initiation: to define the scope and select the providers for the subsequent components. LRQA will ensure a dedicated project manager oversees every part of the engagement and a full RACI model will be put in place for all stakeholders. Communications, escalations, risk management and debriefs/reporting needs will be fully discussed and agreed upon.

Threat intelligence exercise: to develop threat scenarios and agree on a plan to be handed over to the penetration testing service provider. The experience gathered on CBEST engagements allows us to identify real-world scenarios to help organisations identify and understand where gaps are.

Penetration testing: Our threat intelligence-led Penetration Testing services are delivered with the support of state-of-the-art custom tooling to simulate sophisticated threat actors that are known to be prevalent within the Financial Services Sector.

Reporting: Our reports have been designed to inform both senior stakeholders and technical teams within engineering, operations and the detect and response functions. Remediation guidance, regulator debriefs and executive debriefs are delivered with pragmatic advice in a collaborative and supportive manner.

LRQA is accredited by CREST to deliver Threat Intelligence Led Penetration Testing for Financial Services under the STAR-FS scheme. We have a full team of CBEST-certified individuals who hold CREST CCSAS, CCSAM and CCTIM certifications. When we engage in threat intelligence-led services, we can deliver a true reflection of the types of TTPs that threat groups are known to be leveraging.

iCAST – Intelligence-Led Cyber Security Testing

iCAST is an intelligence-led framework, introduced by the Hong Kong Monetary Authority (HKMA). It is an innovative regulatory requirement that does not just rely on a strategy that is focused on Penetration Testing alone. The focus of the iCast framework is to deliver a threat intelligence-based scenario test, with the testing element focusing on Red Teaming. 

Threat Intelligence phase

This includes reviewing open-source intelligence relating to an organisation, defining scenarios that reflect real work attack vectors, reviewing TTPs of likely threat actors and providing a list of actionable intelligence to confirm the right approach for the Red Team phase.

Reviewing and defining phase

We help you define the likely scenarios for the Red Teaming phase. The iCAST framework encourages organisations to define a list of key assets that are trying to protect and use the output of the threat intelligence to define what tactics and approaches should be used to carry out the attack phase of the assessment. During this phase, we will launch various attacks such as phishing or insider threats to mimic real work threat actors.

Attack replay phase

We work closely with your Blue Team and re-create some of the scenarios to see how the defensive layer of your organisation was able to react to the testing phase.

General Data Protection Regulation (GDPR) Compliance

The right approach to information security is critical to achieving GDPR compliance. For many organisations, this requires a significant revision of their security strategy and tactics as GDPR requires you to implement a risk-based framework. This framework includes the correct governance structure, policies and operational practices in addition to monitoring, detection and incident response.

LRQA can help you with GDPR compliance by providing:

                 Gap assessments against the GDPR standards for information security and incident response practices, to produce a roadmap to compliance.

                 Monitoring services to support the information security and incident response aspects of GDPR.

TIBER EU

Threat Intelligence-based Ethical Red Teaming (TIBER-EU) is a framework launched by the European Central Bank (ECB) to deliver a controlled, bespoke, intelligence-led Red Team test of your critical live production systems.

LRQA provide all elements of the Threat Intelligence and Red Team testing requirements. Our cybersecurity threat intelligence capabilities allow us to execute broad, intelligence-based targeting exercises, of the kind typically undertaken by real-world threat actors as they prepare for their attack.

Our objective is to draw a picture of the target organisation, through the lens of an attacker. This approach allows us to design and deliver testing scenarios for a TIBER test. Our experts not only shape the tests through the production of the key TIBER intelligence documents but also provide added value to your organisation by reducing uncertainty while aiding in identifying threats and opportunities that will reduce the risk of a real attack.

I-CIRT

Canada’s Office of the Superintendent of Financial Institutions (OSFI) created the Intelligence-led Cyber Resilience Testing (I-CRT) framework to simulate relevant real-world threats. The framework assesses cyber resilience, using independent suppliers, to help systemically important and internationally active insurance groups identify areas where they could be vulnerable to cyber-attacks.

Our I-CRT service has been developed to provide insight and assurance through the simulation of real-world threat actors using known TTPs to assess and enhance your organisation’s security posture.

I-CRT requires organisations to commission a Threat Intelligence Service Provider to conduct a threat intelligence gathering exercise. We are an approved Threat Intelligence provider across regulatory frameworks and can deliver the following:

  • ·        Intelligence on geo-political threats known to be operating in the sector and sub-sector
  • ·        TTPs of threat actors known to be targeting similar types of organisations
  • ·        Open Source Intelligence (OSINT) relating to your organisation
  • ·        Closed source intelligence relevant to your organisation

Why work with us?

Specialist expertise

Our cybersecurity experts hold multiple vendor certifications and accreditations as well as highly respected industry accreditations from CREST, the PCI SSC, ISC2, BCI, Chartered Institute of IT, and NCSC CHECK.

Industry leadership

We lead and shape industry on advisory boards and councils including the PCI SSC Global Executive Assessor Roundtable and CREST councils in the Americas, Asia, EMEA and the UK. We are certified by a range of governing bodies including the payment card industry and are approved as a Qualified Security Assessor.

Everywhere you are

Operating in over 55 countries, with more than 250 dedicated cyber security specialists and over 300 highly qualified information security auditors across the world, we can provide a local service with a globally consistent dedication to excellence.

Award winners

We have been recognised for the breadth and depth of our services – including the TEISS Award for Best Penetration Testing Service in 2024, Enterprise Threat Detection and Cloud Security awards at the Security Excellence Awards 2024 and the Stratus Award for Best Managed Cloud Security Service.

The world leader in CREST accreditations

We are proud to be the only organisation in the world with a full suite of accreditations from The Council of Registered Ethical Security Testers (CREST).

Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In addition, we were also the first organisation to be CREST accredited for our Security Operation Centre services.