Information protection and cybersecurity 

Effective information security management is one of the underpinnings of sound risk management. KPMG offers services covering the analysis and improvement of information security (IS) management systems, drawing on the extensive experience of our professionals and on generally recognized global methodologies in this field.


Andrey Lepekhin

Partner, Head of Information Risk Management

+7 495 937 44 77

We offer the following types of services in this field:

Information security testing and incident response:

  • vulnerability assessment and penetration testing;
  • express diagnostics of the internal threat protection system;
  • prevention and investigation of malicious activities in IT (in conjunction with the Forensic Group).

Payment processes and systems security:

  • vulnerability analysis;
  • identification of bottlenecks and risk points in payment processing technologies as well as related business processes.

Business continuity management:

  • business continuity and disaster recovery strategy development;
  • business continuity plans and procedures development and implementation.

Data management (including personal data):

  • organization’s data management practices analysis;
  • assessment of and support for compliance with Russian statutory requirements in the area of personal data protection (in conjunction with the Legal Services Group).

SAS 70/ISAE 3402 Attestation (standard for reports on controls in place at service organizations).

Data leakage prevention services.

Information security management systems implementation and assessment in accordance with ISO 27001.

Information security system compliance analysis and improvement in accordance with the Information Security Standard of the Bank of Russia (ISSBR):

  • objective assessment of the current state of information security and the level of compliance with the ISSBR;
  • improving the bank's reputation through official confirmation by an independent audit firm, published on the Bank of Russia website, of the level of maturity achieved (i.e. adherence to the standard);
  • confirmation of compliance with the Bank of Russia and Russian statutory requirements on IS, including the protection of personal data.

Preparation of mandatory reporting for participants in the National Payment System in accordance with the Bank of Russia's Regulation 382-P on information security:

  • objective assessment of the current state of information security and the level of compliance with the Bank of Russia's Regulation 382-P and recommendations on improving it;
  • assistance in the preparation of a report on compliance with the Bank of Russia's Regulation 382-P, based on the results of an external assessment.