Quarterly Planning

This page details the work we'll do in the Information Security, Risk and Compliance area in the coming quarter, how you can give your input on that work and our reaction to that input.

We have three objectives in publishing our quarterly planning:

  1. We want to be transparent about the work we are doing
  2. We want your input on that work and our planning, and we want to document that input, and let you know if and when we can add your suggestions to our planning
  3. We want an open dialogue with members and community on developments around Information Security, Risk and Compliance

We launched this initiative in Q2 2022, and we are open to improving what we publish here and how we do that, so let us know if there are ways we can better present our plans. In Q1 2023, we separated the work items of Information Security, Risk and Compliance from Information Technology and added them to this area.

We will update this page as our activities progress and continue to share updates on RIPE Labs, on the RIPE NCC Membership Discussion and RIPE NCC Services Working Group (WG) mailing lists, and at RIPE Meetings and other events.

Q1 2023 Plans

Last Updated: 21 March 2023

| Item | Activity | Description | Status |
|---|---|---|---|
| 1 | Compliance with ISO/IEC 27000 | Define our operations within the ISO/IEC 27001 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place. In Q1 2023, we completed the gap analysis against the ISO 27001 standard, which was initiated in Q4 2022. In Q2 2023, we will be focusing on designing our Information Security Management System and drafting our overarching Information Security Policy according to the ISO 27001 standard. The timeline for implementation and certification against the standard is the end of 2024. | In progress |
| 2 | Vulnerability management framework | In 2023 we are guiding organisation-wide efforts to streamline our patch management and vulnerability management processes. In Q1 2023, we focused on improving the infrastructure vulnerability detection accuracy and coverage. Additionally, we designed the workflows and tooling for managing the remediation lifecycle of application layer vulnerabilities. In Q2 2023, we will continue to expand the coverage of our infrastructure vulnerability detection. Next to that, the vulnerability management policy will be drafted. The remediation lifecycle for application layer vulnerabilities will be operationalised based on the drafted policy. | In progress |
| 3 | Cloud security enhancements | In Q1 2023, we outlined the core areas where cloud security enhancements are required and engaged with relevant experts. The execution of the outlined security improvements is planned for the rest of 2023. Additionally, in Q1, further cloud configuration checks were implemented to enhance security visibility. | In progress |
| 4 | Enterprise risk management modernisation | In Q1 2023, we established an internal Risk & Compliance function. In order to modernise our risk management methodology in a robust manner, a Risk Management policy has been drafted and industry risk management frameworks have been evaluated. In Q2 2023, we will be updating our Risk Management framework and establishing the relevant internal governance structure. We expect the work for the enterprise risk management modernisation to be executed throughout 2023. | In progress |
| 5 | Security Awareness Programme | In Q2 2023, we will be launching our internal security awareness program. The program will encompass security awareness training for new joiners, current staff and people in high-risk roles. | Planned for Q2 onwards |

Items completed in the last quarter

More information can be found on the archived plans page.

Community Input on Planning

We want the community to contribute to our plans and suggest additional work items. Please share your comments with us or post them on the RIPE NCC Membership Discussion and RIPE NCC Services WG mailing lists. We will also be monitoring all the other channels where people talk about these services.

When we receive feedback that can significantly impact our planning or that needs a further response, we will add it to the table below.

| Reference | Input | RIPE NCC Reaction |
|---|---|---|
| IS-2023-#01 | - | - |

Archived Quarterly Plans

You can find our plans from the previous quarters on this page. The Q2 2023 plans will be archived once we publish the Q3 2023 planning.