Information Security, Risk and Compliance Quarterly Planning

We have three objectives in publishing our quarterly planning:

  1. We want to be transparent about the work we are doing
  2. We want your input on that work and our planning, and we want to document that input and let you know if and when we can add your suggestions to our planning
  3. We want an open dialogue with members and community on developments around Information Security, Risk and Compliance

We launched this initiative in Q2 2022, and we are open to improving what we publish here and how we do that. So let us know if there are ways we can better present our plans. In Q1 2023, we separated the work items of Information Security, Risk and Compliance from the Information Technology and added them to this area.

We will update this page as our activities progress and continue to share updates on RIPE Labs, on the RIPE NCC Membership Discussion and RIPE NCC Services Working Group (WG) mailing lists, and at RIPE Meetings and other events.

Q2 2025 Plans

Last updated: 26 March 2025

Item 1: Ensure Adherence to Regulatory and Security Industry Standards

In 2024, we completed the ISAE 3000 / SOC2 Type I RPKI audit and received the final assurance report. In Q1 2025, we kicked off the preparation efforts for the RPKI ISAE 3000 / SOC2 Type II audit and initiated internal control testing to ensure our processes are operating according to the designed control framework. This effort will continue in Q2.

We continue to work on establishing compliance with the ISO 27001 standard. In Q2 2025, we will continue focusing on increasing our business continuity readiness and formalising our data governance. This initiative will also ensure that RIPE NCC is ready to comply with the upcoming NIS2 EU regulation.

In the first two quarters of 2025, we will also be working on publishing our compliance with regulatory and security industry standards via a Trust portal. The portal will focus on creating a secure, user-friendly interface where interested parties can easily access high-level information about the information security posture of the RIPE NCC.

Status: In progress

Item 2: Secure System Security and Resiliency

In Q2 2025, we will continue to focus on our vulnerability remediation efforts by refining our policies and procedures and expanding our reporting capabilities. In the first two quarters of 2025, we will also direct our efforts to enhance the security posture of our on-premise Kubernetes cluster.

Status: In progress

Item 3: Elevate Organisational Risk Resilience

In 2024, we operationalised the Enterprise Risk Management framework. In Q4 2024, we finalised the execution of risk assessments across the whole organisation and started drafting treatment plans to address relevant risks. In Q2 2025, we will monitor the timely execution of the treatment plans and continue the refinement of the Enterprise Risk Management framework based on gathered internal input.

Additionally, we will initiate the tooling selection process for a Governance, Risk and Compliance tool.

Status: In progress

Item 4: Strengthen Detection and Response

During Q1 and Q2 of 2025, we will focus on enhancing the scope and coverage of our security monitoring capabilities. Furthermore, we will evaluate various approaches to implementing 24/7 security alert monitoring to ensure comprehensive and continuous protection.

Status: In progress

Item 5: Enhance Team Efficiency and Capabilities

In Q2 2025, we will continue to standardise our documentation and processes. Additionally, we aim to streamline workflows for security reviews through improved prioritisation and process enhancements.

Status: In progress

Community Input on Planning

We want the community to contribute to our plans and suggest additional work items. Please share your comments with us or post them on the RIPE NCC Membership Discussion and RIPE NCC Services WG mailing lists. We'll also be monitoring all the other channels where people talk about these services.

When we receive feedback that can significantly impact our planning or that needs a further response, we will add it to the table below.

Archived Quarterly Plans

You can find our plans from the previous quarters on this page. The Q2 2025 plans will be archived once we publish the Q3 2025 planning.