FAQ

Cybersecurity | Data Protection

General Questions

Any organization that values cybersecurity and compliance with data protection regulations can benefit from our services, including private companies, public authorities, associations, and foundations. We support SMEs, public institutions, and large enterprises alike. Our most common areas of expertise include software development, real estate management, finance, fiduciary services, human resources, and administrative services.

Yes. Our Data Guardians provide services across Switzerland, either on-site or remotely, depending on your needs. Our offices are located in Geneva, Lausanne, and Sion.

Absolutely. We tailor our services to the needs of both SMEs and large organizations. Every organization deserves and requires cybersecurity and data protection measures that are appropriate to its size and operational context.

Yes, if you wish. We can conduct a gap analysis before starting an engagement, based on the framework or subject relevant to your organization (ISO 27001, Cyber-Safe, the Swiss FADP, the GDPR, etc.). This assessment provides a clear overview of your current level of maturity and identifies the key priorities to address. If you already know your needs or your current level of compliance, we can move directly to implementation and tailor our support accordingly.

Yes. All of our cybersecurity engineers and data protection legal experts are based in Switzerland. Your sensitive data and confidential information never leave Swiss territory during our engagements, and our teams have an in-depth understanding of the Swiss regulatory and business environment.

Yes. Our expertise is endorsed by numerous Swiss organizations that trust us. Upon request, and with their prior consent, we can put you in contact with clients from your industry or organizations of a similar size so they can share their experience of working with us.

Data Protection (Swiss FADP / GDPR)

It depends on the legal framework applicable to your organization.

Under the Swiss Federal Act on Data Protection (FADP), appointing a Data Protection Officer (DPO) is optional for private organizations. Only federal public authorities are legally required to designate one. However, appointing a DPO offers significant advantages, particularly because they may be consulted instead of the supervisory authority when carrying out high-risk data processing. It also demonstrates due diligence in the event of an audit, a security incident, or when reassuring clients and business partners.

Under the GDPR, appointing a DPO is mandatory in certain situations, particularly where organizations process special categories of personal data on a large scale or carry out regular and systematic monitoring of individuals.

The Swiss FADP (Federal Act on Data Protection) is Switzerland’s data protection law, while the GDPR is the European Union’s data protection regulation. Both aim to protect personal data and are based on very similar principles, although they differ in certain areas, such as the level of sanctions, notification obligations, and territorial scope. A Swiss organization may be subject to both regulations simultaneously.

In principle, if you process only the personal data of individuals located in Switzerland, the Swiss FADP applies. However, the GDPR may also apply if you offer goods or services to individuals located in the European Union or monitor their behaviour, even if your organization is not established within the EU. We assess your data processing activities to determine precisely which legal framework applies to your organization.

The Swiss FADP provides for fines of up to CHF 250,000, which may be imposed on the individuals responsible within the organization. Beyond financial penalties, non-compliance can result in reputational damage, loss of trust from clients and business partners, and commercial challenges where customers require evidence of strong data protection practices.

Yes. Both the Swiss FADP and the GDPR expressly allow organizations to appoint an external DPO. In many cases, this is the preferred option: you benefit from the expertise of a specialist without the cost of a full-time employee, while ensuring complete independence from your internal operations and access to experience gained across a wide range of organizations. Our Data Guardians can be officially appointed as your external DPO.

Cybersecurity (vCISO / SOC / Incident Response)

Your IT Manager ensures that your systems operate efficiently by maintaining availability, performance, and user support. A Chief Information Security Officer (CISO), on the other hand, is responsible for the security of those systems: risk management, security governance, cybersecurity strategy, and regulatory compliance. These are two distinct yet complementary roles. Assigning cybersecurity responsibilities solely to your IT Manager creates a conflict of interest, as they cannot objectively assess the security of systems they have implemented themselves.

Your IT provider manages your infrastructure and deploys security technologies, but their primary role is to keep your systems operational. They are generally not responsible for defining and overseeing your overall cybersecurity strategy or ensuring compliance with applicable regulations. An independent cybersecurity expert provides an objective assessment of your security posture, identifies blind spots, and supports you on governance, risk management, and legal compliance—areas that typically fall outside the scope of an IT service provider.

Act quickly, but avoid making hasty decisions. Contact us immediately, avoid shutting down affected devices (as this may destroy valuable evidence), isolate compromised systems from the network whenever possible, and never pay a ransom before consulting cybersecurity experts. Our incident response teams act rapidly to contain the attack, determine its origin, preserve forensic evidence, and guide you through any mandatory notifications to the relevant authorities.

No, provided it is properly planned. Most of our audits consist of interviews, documentation reviews, and technical assessments that do not interfere with your production environment. When conducting penetration tests, we define the scope, rules of engagement, and communication procedures in advance to ensure your business operations continue without disruption, while allowing us to respond promptly should a critical vulnerability be identified.

Certifications (ISO 27001 / Cyber-Safe)

The timeframe depends on your organization’s size, the scope of certification, and your current level of information security maturity. In most cases, organizations should allow at least six months—and more commonly around nine months—to prepare confidently for the certification audit. Once obtained, ISO 27001 certification is valid for three years, subject to annual surveillance audits.

ISO 27001 is an internationally recognized standard based on an Information Security Management System (ISMS). It focuses on governance, policies, procedures, and continuous improvement to manage information security across all forms of information, including digital, paper, and verbal. It involves substantial documentation and is often required by organizations with mature cybersecurity expectations.

Cyber-Safe is a Swiss cybersecurity label supported by the Swiss Confederation. It focuses specifically on the protection of information systems and data through practical technical requirements and measurable security indicators. Compared with ISO 27001, it requires significantly less documentation and places greater emphasis on the effective implementation of cybersecurity controls.

No—and no reputable cybersecurity provider would make such a claim. Certification demonstrates that your organization has implemented a structured management system to identify, assess, and manage information security risks. It significantly reduces the likelihood of a successful cyberattack and, most importantly, improves your ability to detect, respond to, and recover from security incidents. Certification is part of a continuous improvement process, not an absolute guarantee.

Training & Security Awareness

Cybersecurity awareness should be an ongoing effort, as threats evolve continuously and good security habits fade over time. We recommend regular awareness initiatives throughout the year, including training sessions, simulated phishing campaigns, and knowledge assessments. Repetition and contextualized learning help build a lasting security culture, especially considering that more than 90% of successful cyberattacks involve human error.

No. Our simulated phishing campaigns are designed as educational and supportive exercises, not punitive ones. The objective is to raise awareness and improve resilience, not to blame individuals. Results are analysed at an aggregate level to identify areas where additional training is needed, without singling out or stigmatizing employees.