For IT teams

Compliance without stepping on your turf.

You know your systems. We know the regulatory map. We work with you, not over you.

What the law asks of your area

GDPR, NIS2, ENS, ISO 27001… different names, similar demands. This is what they touch on your turf:

tria MFA & access Backups Logs Encryption Vulnerabilities Suppliers Incidents Evidence
MFA and access controlSSO where possible, MFA where it counts, and admin accounts separated from daily use.
Backups and recovery3-2-1 with an immutable copy. A backup without a restore test is a hypothesis.
Logging and monitoringCentralized logs for what's critical, defined retention and alerts someone actually watches.
EncryptionAt rest and in transit, with key management. "The vendor encrypts" is not an answer.
Vulnerability managementPatching prioritized by real exploitability, not by CVSS arrival order.
Supplier securityWho accesses what, with what contractual guarantees, and what happens if they get attacked.
Incident responseDetection, classification and the NIS2 deadlines: early warning in 24 h, notification in 72 h.
Evidence of all the aboveIf you can't prove it, for the auditor it doesn't exist.

From regulation to control

The legal text doesn't say "FIDO2" — but the auditor expects it. This is how we translate the letter of the law into verifiable controls and the evidence you'll be asked for:

Regulation / articleExpected technical controlEvidence an auditor asks for
NIS2 art. 21.2(j)Multi-factor authentication Phishing-resistant MFA —FIDO2/WebAuthn, passkeys— on privileged and remote access. App-based OTP as the acceptable minimum elsewhere; SMS, no. Access control policy + IdP configuration export (Entra ID, Okta, Google Workspace) showing per-group enforcement.
NIS2 art. 21.2(c)Continuity and backups 3-2-1 backups with at least one immutable copy (object lock / WORM) or offline, and periodic restore tests against defined RTO/RPO. Dated restore-test report, with measured times against the target and who ran it.
GDPR art. 32Security of processing Encryption in transit (TLS 1.2+, ideally 1.3) and at rest (AES-256); laptop disks with centrally managed FileVault/BitLocker. Per-system encryption inventory + key management procedure (who holds the keys and how they rotate).
ENS op.accAccess control Least privilege: separate admin accounts, periodic permission reviews and PAM at scale. Same-day user offboarding. Reviewed roles-and-permissions matrix, with date, owner and outcome of the last review.
NIS2 art. 23Incident notification Ability to detect and classify significant incidents: early warning within 24 h and notification within 72 h to the reference CSIRT (in Spain, INCIBE-CERT / CCN-CERT). Response runbook with roles and deadlines + incident register, even if it's at zero.
NIS2 art. 21.2(e)Vulnerability management Patching prioritized by real exploitability: CVSS as the baseline, corrected with EPSS and CISA's KEV catalog. SLAs per severity. Monthly vulnerability report with SLAs met and exceptions justified in writing.
EmailNIS2 art. 21.2 · basic hygiene SPF + DKIM + DMARC at p=reject, first passing through p=none and p=quarantine while monitoring aggregate reports. Published DNS records + DMARC (rua) reports from the last quarter.
NIS2 art. 21.2(d)Supply chain TPRM assessment of suppliers with access to data or systems, security clauses in contracts and data processing agreements (GDPR art. 28) where due. Register of assessed suppliers with criticality, date and outcome of the last review.
ENS op.exp.8Activity logging Centralized logs for critical systems, defined retention, NTP-synchronized clocks and restricted access to the log itself. Logging policy + evidence of retention and of who can read (and not delete) the records.

A representative sample, not the full map. The Gap Analysis crosses your real scope —assets, data, sector, size— with the provisions that actually apply to you.

The frameworks we work with

Prioritizing without a reference framework is guessing. These are ours — and what we use each one for:

Prioritization CIS Controls v8

Our baseline for ordering the work. We start with IG1 —essential hygiene, 56 safeguards— and move up to IG2 depending on size and exposure. Every recommendation traces to a specific safeguard, not a generic "best practice".

Compliance ISO 27002:2022 + ENS

We map each CIS control to the 93 controls of ISO 27002:2022 and to the ENS measures (basic or medium category, as applicable). You implement once and cover several frameworks — no duplicated work.

Web applications OWASP ASVS

For what you expose on the web: ASVS as a list of verifiable requirements, level L1 or L2 depending on the application's criticality. Concrete, testable requirements, not a top-10 of headlines.

How we fit with you

Not auditors who come to fail you, not consultants who send you a PDF and disappear.

1

Your stack is yours.

We recommend agnostically: criteria and options, not brands. You choose the tool — or keep the one you have, if it meets the requirement. We take commission from no one.

2

Concrete proposals.

Every finding comes with severity, estimated effort and a budget-friendly alternative when one exists. No "you should strengthen security": what to change, in what order and why.

3

We do the documenting.

You implement; the policies, the evidence and the answers to auditors are prepared by us with the platform. Compliance paperwork stops being your problem.

Shall we talk about your stack?

Tell us what you're running and we'll send back the map: what the regulation asks of you, what you already have covered and what evidence is missing. Engineer to engineer, no smoke.

hola@tria.consulting

Prefer to start on your own? Take the free check-up (Spanish) →