ISO 27001 Internal Audit - Ensuring information security & compliance

Does your company need an internal audit for ISO 27001 certification? Inforevision offers professional internal audits to ensure that your information security management system (ISMS) meets the requirements of the ISO 27001 standard. We help companies identify security risks, document procedures and prepare for the external certification process. Contact us for a no-obligation conversation about how we can help your organization with compliance and information security.

What is ISO 27001?

ISO 27001 is the international standard for establishing and operating an information security management system (ISMS). The standard defines the requirements for how companies should manage, protect and document their information security. ISO 27001 certification is proof that a company follows best practices in cybersecurity and risk management.
By implementing ISO 27001, companies ensure that they meet the requirements of GDPR, NIS2 and other regulatory frameworks. At the same time, it increases credibility with customers and business partners.

What does internal audit mean for ISO 27001?

Internal auditing is an important part of ISO 27001 certification. Its purpose is to ensure that the company's security procedures and systems meet the requirements of the standard. An ISO 27001 internal audit involves:

• Review of risk management and security procedures
• Identifying potential security gaps and improvement opportunities
• Preparation for external certification and auditing

Regular internal audits help companies adapt to new security threats and ensure compliance with ISO 27001, GDPR and NIS2. If your organization needs an experienced partner to perform internal audits, Inforevision can help.

Why is ISO 27001 in demand?

More and more companies are becoming ISO 27001 certified. This is because information security requirements are steadily increasing and the standard is a globally recognized and strong framework to organize work - including internal IT audits - according to.

The requirements of e.g. the EU General Data Protection Regulation (GDPR) partially correspond to the requirements of the ISO 27001 standard.

To some extent, the same applies to the requirements of the National Standard for Identity Security Levels (NSIS).

The ISO 27001 standard is also ahead of the new EU regulations for cyber and information security (NIS2).

Benefits of ISO 27001 certification

• Enhanced information security - Protects company data and customer data.
• Regulatory compliance - Helps meet the requirements of GDPR, NIS2 and NSIS.
• Improved credibility - Increases customer and partner trust.
• Reduced data breach risk - Identifies security gaps before they are exploited.
• Competitive advantage - Many companies prefer to work with certified partners.

Can we help your business?

Want to ensure your company meets ISO 27001 requirements? Inforevision offers tailored internal audits to help you identify risks, optimize security procedures and prepare for certification.

📞 Contact us today for a free assessment of your needs - or book a no-obligation meeting with one of our experts!

Read more about inforevision and our Digital Trust services here

If you are looking for more information about ISO 27001 - you can find it here

Create a more sustainable business with ESG 

Business activities affect people, the environment and society on many levels. As a result, there is a growing need for companies to take responsibility and build a credible sustainability profile - a need that will only grow in the future. From the 2024 financial year, new EU legislation (the CSRD Directive) requires many of the largest companies to report on sustainability through Environmental, Social, Governance (ESG) metrics. From 2025, the requirements will be extended to even more companies.

Why is ESG beneficial for your business?

Regardless of size, the new ESG requirements could affect your business. As society moves towards a more sustainable future, understanding and implementing ESG principles at an early stage can help you: 

• Gain competitive advantage: Gain competitive advantage by staying ahead and actively working with ESG in a market where sustainability is becoming increasingly important
• Strengthen your reputation: Show your customers, employees and investors that you care about the future
• Minimize risks: Identify and manage potential risks related to ESG
• Innovate: Develop new sustainable products and services
• Attract talent: Attract and retain talented employees who want to work for a sustainable company.

SMEs: How to get started with ESG

Although SMEs are not yet directly covered by EU legislation (CSRD), they will still be affected. The increased focus on the value chain means that SMEs will face increasing demands for their sustainability profile and ESG data from their business partners. As a first step, SMEs can use the European Commission's voluntary reporting standard, VSME, which is designed to help smaller companies navigate sustainability data in a standardized and simplified way.

What does the voluntary standard contain?

The voluntary standard is built in 2 modules:

• Basic module with 12 disclosure requirements including applied reporting practices
• Extended module with the most typical data points requested by banks and other business partners.

The primary module, the Basic module, contains the most basic ESG disclosure points that SME business partners are expected to request as a result of the new regulatory requirements for sustainability reporting (CSRD).

Overview of the sustainability topics in the Basic Module
B1 - Basis for creation
B2 - Approaches, policies and future initiatives to promote a sustainable economy

Environmental measurements
B3 - Energy and greenhouse gas emissions
B4 - Air, water and soil pollution
B5 - Biodiversity
B6 - Water
B7 - Resource consumption, circular economy and waste management

Social metrics
B8 - Labor force: General characteristics
B9 - Workforce: Health and safety
B10 - Workforce: Compensation, collective agreements and training

Business behavior metrics
B11 - Convictions and fines related to corruption and bribery.

To add value to your ESG and sustainability work, it is crucial that you identify which ESG issues are important to your business and to your stakeholders (e.g. your major corporate customers or financial connections). Following on from this, you need to assess whether reporting according to the voluntary standard could be beneficial to you.

Should we help your business with ESG?

Navigating ESG concepts and guidelines can be challenging, so external advice may be necessary to get you on the right track faster. This is where a specialized accountant can be a valuable sparring partner in identifying the right ESG solution. Inforevision's experts are ready to help your company achieve a wide range of benefits, both in the short and long term.

Inforevision helps companies with:

• Overview and understanding: Get an overview of which ESG factors are relevant to your business and industry
• Sparring: We help you see how you can implement policies and processes that meet the requirements
• Compliance: We help ensure your business complies with all relevant laws and regulations
• Overall strategic advice: An auditor can help integrate ESG factors into the company's overall strategy
• Daily procedures: Get help implementing necessary procedures to make ESG factors part of daily operations
• Reportingrtering: Produce credible and transparent ESG reports that meet applicable standards and requirements. 

Contact inforevision and let's talk about what you need and how we can help you prepare for future ESG requirements.

Read more:

> What is ESG and why are the rules being introduced?

> Who do the rules apply to?

> What are the requirements for sustainability reporting (CSRD)?

What is ESG and why are the rules being introduced?

ESG is a way of structuring work with sustainability and covers the concepts of Environment, Social and Governance. In Danish, it corresponds to environment and climate, social conditions and corporate behavior.

Environment: Environmental and climate issues such as CO2 emissions, climate change and adaptation, pollution, water and marine resources, biodiversity, ecosystems and circular economy.

Social: Social conditions, e.g. working conditions for your own workforce and workers in your value chain, affected communities, consumers and end users. Areas often considered include diversity, equality and inclusion, human rights, health and safety.

Governance: Aspects of corporate behavior, such as corporate culture, whistleblower protection, anti-corruption or political engagement.

New EU directive: Corporate Sustainability Reporting Directive (CSRD)

These three concepts are at the heart of a new EU directive that sets requirements for the sustainability reporting of the largest companies. The directive is called the Corporate Sustainability Reporting Directive (CSRD).

New sustainability reporting standards (ESRS)

The directive is followed by a set of reporting standards, the so-called European Sustainability Reporting Standards (ESRS).

The standards provide a new, common framework for how companies should measure and report on sustainability.

Why is ESG being introduced?

The new rules and standards will ensure that companies in Denmark and the rest of the EU report on sustainability in the same way.

This makes it easier for investors and other stakeholders across countries and industries to understand how a company works with sustainability.

At the same time, it allows companies to document their efforts to avoid the risk of greenwashing in their communication and marketing.

Read more:

> What is ESG and why are the rules being introduced?

> Who do the rules apply to?

> What are the requirements for sustainability reporting (CSRD)?

ESG: Who do the rules apply to?

Danish companies in reporting classes D and C-large are covered by the new sustainability reporting requirements.

• From the financial year 2024, PIE companies with more than 500 full-time employees will be included. PIEs are public interest entities, i.e. listed companies, financial or mortgage institutions and insurance companies.
• From the financial year 2025, companies in accounting class C-large will be included.
• From the 2026 financial year, listed SMEs will follow.

The question of whether your company will be subject to sustainability reporting requirements depends on which category you belong to in relation to the size thresholds below.

Companies that for two consecutive years exceed the size thresholds for accounting class C-middle will be included.

Note: The company must not exceed two of the three limits for two consecutive years.

Subsidiaries will be able to refer to a parent company's reporting for the group, but regardless of size, all subsidiaries should expect to be involved in collecting ESG data for the parent company in the coming years.  

Many more companies are getting involved in reporting requirements

It is expected that many more companies than those covered by legislation will be required to provide ESG data to their customers, suppliers and/or credit institutions.

That's why inforevision recommends that companies start clarifying whether they need to provide ESG data to their business partners and what it will require. This will enable you to provide customers and business partners with the right data at the right time and in the right quality.

Read more:

> What is ESG and why are the rules being introduced?

> Who do the rules apply to?

> What are the requirements for sustainability reporting (CSRD)?

ESG: What are the requirements for sustainability reporting (CSRD)?

In July 2023, the European Commission adopted the first set of European Standards (ESRS) that will be mandatory for large companies to use when reporting on sustainability under CSRD.

There will be changes and additions to the way companies have been used to reporting. The following elements of reporting are part of the CSRD requirements:

• Double materiality (see below)
• Business strategy and model
• Sustainability reporting (part of the management report)
• Digital tagging of data
• Compliance with the EU Taxonomy Regulation (see below)
• Historical and forward-looking information (short, medium and long term)
• Reporting on the value chain.

What does 'dual materiality' mean?

Dual materiality reporting is an analysis of the company's impact on people and the environment and how sustainability issues affect the company from a financial perspective, focusing on the company's future development, performance and situation.

Expectation of openness

It is an expectation that companies disclose information about their business strategy and business model, how resilient they are to sustainability risks and what opportunities they have.

What is the EU Taxonomy Regulation?  

The Taxonomy Regulation establishes a classification system - a taxonomy - of economic activities that qualify as environmentally sustainable.

The regulation is central to the EU's strategy for the sustainable transition and will be the driving force to direct necessary investments towards sustainable economic activities and contribute to achieving the EU's climate and environmental goals. With the EU taxonomy as a foundation, financial institutions can integrate sustainability into their investment decisions to a much greater extent.

The purpose of the Taxonomy Regulation is overarching:

• To create common criteria across EU countries for when a company's activities can be considered sustainable (i.e. that they contribute significantly to achieving one or more of six climate and environmental goals without significantly harming other goals).
• To classify sustainable activities for use by both financial actors and companies in the EU, thereby channeling private financial flows towards green investments and sustainable activities. Private capital will help the EU reach its climate goals.
• Increase transparency around sustainable finance and investments.

For companies covered by CSRD, this means that they must comply with the EU taxonomy. It can also create new opportunities such as collaboration agreements, competitive advantages or favorable loans if companies can show that they are working to comply with the taxonomy.

Read more:

> What is ESG and why are the rules being introduced?

> Who do the rules apply to?

> What are the requirements for sustainability reporting (CSRD)?

Digital Trust - Ensuring your company's information security

inforevision's Digital Trust Services are designed specifically for IT services and data processing companies that need to prove their compliance with relevant information security standards. In an era of increasing digitization and regulatory requirements, it is crucial to be able to prove that your business meets the highest standards of security and compliance.

Our comprehensive services help businesses navigate the complex world of information security. We offer tailored solutions to ensure your business is compliant with applicable laws and standards, including NIS2, GDPR, ISAE 3000, ISAE 3402, NSIS and ISO 27001. Our experts support you in all phases of information security, from internal audits to implementing controls and processes that meet the most stringent requirements.

By choosing inforevision as your Digital Trust partner, you can confidently focus on your core business knowing that your information security needs are in safe hands. We ensure that your business not only complies, but also promotes trust through documented and proven security measures.

Read more about our specialized services:

• NIS2 - Compliance with the Network and Information Security Directive.
• GDPR- Ensuring data protection and personal data management.
• ISAE 3000 / ISAE 3402 - Documentation and Audit of IT Controls.
• NSIS- Compliance with the National Strategy for Information Security.
• ISO 27001 - Internal audit and implementation of security standards.

Gain digital trust and strengthen your company's information security with inforevision as your trusted advisor. Need help? Contact us now. 

What is transfer pricing?

When affiliated companies, shareholders or individuals trade with each other, they must do so at arm's length prices. This price fixing is called transfer pricing. The area is regulated by the tax authorities, who ensure that the pricing and thus the calculation of taxable income is correct.

Transfer pricing ensures that the purchase and sale of goods, services and rights between group companies is carried out at arm's length. This means that prices and terms are set on equal market terms and correspond to what could have been achieved between independent parties.

Among other things, companies must draw up internal rules for settlement within the group, and this pricing is called transfer pricing.

Interactions between group companies are also called controlled transactions or intra-group transactions.

What is the purpose of transfer pricing?

The transfer pricing rules and the arm's length principle aim to prevent artificial prices that can be used to reduce a company's taxable income.

When independent companies, shareholders or individuals trade with each other, prices are usually regulated by supply and demand, but when the parties are connected, they may have common interests that override free market forces. The rules on transfer pricing and the arm's length principle are designed to prevent this.

Who do transfer pricing rules apply to?

The rules on transfer pricing and the arm's length principle apply to group companies covered by section 2 of the Tax Assessment Act. These are, among others:

• Companies, associations, branches, main shareholders, etc. where the same group of shareholders own more than 50% of the share capital or control more than 50% of the votes
• Natural persons with controlling influence. For example, if a person has a majority shareholding in two different companies, the two companies are considered affiliated. The same applies if two companies have separate owners who are closely related - for example, mother and son.

Do group companies need to document transfer pricing?

For groups of a certain size, it is mandatory to submit written documentation to the Tax Agency for the transactions that take place internally between the companies in the group.

The requirement applies to groups that have more than 250 employees or a balance sheet total of more than DKK 125 million and that also have a turnover of more than DKK 250 million.

With effect for income years starting on January 1, 2021, new rules have been introduced that relax the documentation requirement for purely Danish controlled transactions. The change means that transactions that take place between Danish companies do not need to be included in the transfer pricing documentation. However, the exemption from preparing transfer pricing documentation does not apply if the transaction takes place between Danish companies that are taxed under different sets of rules. 

The arm's length principle still applies to these transactions even though they are exempt from the documentation requirement.

If the transfer pricing documentation is not prepared, is not sufficient or is not submitted on time, the Tax Agency has the right to increase the company's income at its discretion.

Small groups must also comply with transfer pricing rules

Smaller companies are not required to submit written documentation for intra-group transactions, but a company's size is calculated at group level and also includes foreign companies. If a small Danish company is owned by a large international group, it may well be subject to the requirement to document the group's transfer pricing in writing.

Regardless of the size of the group, intra-group transactions with companies etc. in countries outside the EU/EEA with which Denmark does not have a double taxation agreement must always be documented in writing.

Even if a group is below the thresholds for when documentation must be prepared and submitted, it has an obligation to comply with the arm's length principle.

More information

Read more about transfer pricing on Skats website.

If you need advice or practical assistance in connection with transfer pricing or international tax, you are welcome to contact your accountant or inforevision's tax department. You can read more about our advice and assistance to companies here. 

Contact Flemming Saabye
Flemming Saabye
Head of the tax department
T 39 53 50 38
fsa@inforevision.dk

Jannik Petersen
Tax Advisor
T 39 53 50 47
JPE@inforevision.dk