
Cyber Security

Building confidence in your future


How can information security help meet business objectives?

PwC Sri Lanka’s Cyber Security arm has a diverse portfolio of solutions tailored to assist organizations in achieving an increased level of security and resilience in the face of the adverse impacts of cyber-attacks. Our clients include an unparalleled list of the country’s leading banking and finance institutions, telecommunication service providers, healthcare service providers, software development companies and multinational conglomerates.


PwC professionals can help companies in the following critical areas:

Security management

ISO 27001:2013 Certification Implementation Assistance

Consultancy services for ISO 27001:2013 certification consist of gap assessments, risk assessment and treatment, policy and procedure development, training and internal audit.

Over the recent past we have assisted the highest number of Sri Lankan organizations across multiple industries in achieving exemplary success in ISO/IEC 27001:2013 certification, with our dedicated team of ISO/IEC 27001:2013 Lead Auditors.

Information Security Framework Development

PwC offers a suite of information security policies and procedures that align with business objectives and address the risk and compliance requirements of your organization.

ISO27001:2013 Internal Audits

PwC provides organizations with ISMS internal audits that support maintaining ISO 27001 certification by identifying implementation gaps and compliance status against ISO 27001.

Information Security Policy & Procedure Review

PwC provides consultancy services to review an organization's information security policy and procedures and to provide recommendations that align them with industry best practices, legal and regulatory requirements, and the organization's risk and business objectives.

ISO27001 Managed Services

PwC provides an ISO 27001 managed service suite which includes information security policy and procedure review, training for employees and ISMS internal audits.

Information Classification Framework Development

Information classification framework development includes setting up an information classification policy that takes into account the organization's business objectives, the sensitivity of the information handled by the organization and its compliance requirements. We also provide assistance in identifying and classifying information according to the organization's policy.



IT Governance, Risk and Compliance (IT GRC)

Business Continuity Management

As part of the Governance, Risk and Compliance services, we offer an array of customized and strategic solutions to our clients, including ISO 22301:2012 Business Continuity Management System.

  • Business Continuity Plan development - PwC assists you in developing business continuity plans in an efficient, focused manner that drives repeatability into your organization's response and recovery efforts. We're ready to assist you in developing business continuity plans aligned with your business objectives.
  • ISO 22301:2012 Certification Implementation Assistance - ISO 22301:2012 implementation assistance consists of a step-by-step approach covering business impact analysis, risk assessment plans, BCP plans, mandatory documentation, BCP training and exercises, and internal audit.
  • BCP Documentation Review - PwC provides consultancy services to review an organization's business continuity policy and plans and to provide recommendations that align them with industry best practices, legal and regulatory requirements, and the organization's risk and business objectives.
  • BCP Managed Services - PwC provides a BCP managed service suite which includes business continuity policy and plan review, training for employees and internal audits.

IT Strategy and Governance

  • ISO 20000:2011 Certification Implementation Assistance - ISO 20000 takes a comprehensive approach to IT service management and defines a set of processes needed to deliver an effective service. PwC's approach to ISO 20000:2011 certification implementation assistance includes policy and procedure development to align your IT service management practices with business requirements, training and internal audit.
  • ITSM Review - PwC provides consultancy services to review your organization's IT service management documentation (ITSM documentation) and to provide recommendations that align it with industry best practices and business requirements.


Privacy and data protection

The privacy and data protection practice provides companies with a series of important security capabilities. The team can help organizations ensure proper data handling practices for the collection, use, retention and sharing of personally identifiable information about the customers and employees in their care.

Our services include:

GDPR Compliance Review - A GDPR compliance review is a gap assessment that identifies an organization's readiness for the EU GDPR.

GDPR Implementation Assistance - PwC provides consultancy services for organizations implementing controls to comply with the EU GDPR.

GDPR Classroom Training - Classroom training through which organizations can train their employees and raise awareness of the EU GDPR and the standards and practices that must be followed to ensure compliance with the regulation.


Threat and vulnerability management

New vulnerabilities are discovered every day, and the speed at which new threats emerge makes securing your critical assets even trickier. The solution is to quickly immunize your infrastructure against these threats by eliminating their foundation. Our assessment is customized to your requirements, for example:

  • Black box - unauthenticated access and little prior knowledge of the systems in scope beyond the IP address or URL.
  • Gray box - testing target systems as an authenticated user with user-level access, ensuring users cannot access sensitive data; and
  • White box - designed to assess a system or device with "administrator" or "root" level access and knowledge.

Our vulnerability assessment mainly focuses on four areas:

  • External Network Vulnerability Assessment – Remote testing of publicly exposed services and systems.
  • Internal Network Vulnerability Assessment – Onsite testing within the local LAN, with direct or remote access.
  • Wireless Security Assessment – We assess the strength of your wireless network using our expert knowledge and experience with various commercial and open source tools.
  • Application Vulnerability Assessment – The assessment covers application and server level misconfigurations, weak controls and well-known vulnerabilities. Our application vulnerability assessment focuses on four main areas under different conditions:
    • Web Application and Web Services/API Security Assessment – Based on your requirements, we carry out a comprehensive assessment in either black box or gray box mode.
    • Mobile Application Security Assessment – We assess your mobile application and its infrastructure security controls against the latest security standards, such as the OWASP mobile application framework, the PwC Mobile Application Security Standard and the CBSL guideline for payment-related applications.
    • Thin-Client/Desktop Application Security Assessment – Not only web-based applications: insecure desktop/thin-client applications are also currently a major threat to your organization. Weak configurations and known vulnerabilities in such applications could impact your business directly. Our expert knowledge and experience help mitigate this risk.



Information security architecture

Internal and external network security controls are essential to protect financially significant systems from unauthorized access, network-based attacks and unexpected outages. Our review of the network assesses the network infrastructure for security, availability and performance, gauging the security mechanisms deployed, the adequacy of those controls and their effectiveness in providing strong security with minimum impact on productivity. The key areas we provide are given below:

  • Network Architecture Review - Review the available network documentation and interview network administrators to determine whether the network architecture adheres to core security principles.
  • Network Diagnostic Review - Obtain and analyse the configurations and procedures of network equipment and technologies (including firewalls, routers, switches, IPS/IDS, VPNs and any other network services and equipment), virtual environments such as VMware / Hyper-V, and cloud environments, based on industry best-practice standards.
  • Traffic-flow Analysis - Review available network statistics to determine how traffic flows among systems and devices on the network.
  • IT General Control Review - Based on PwC’s Technology Assurance Framework and supported by our specific IT risks, we consider which risks affect the technology processes supporting the key business activities.
  • Datacenter Risk Assessment – The benefits of an assessment extend beyond prevention. They confirm alignment of business mission and facility performance expectations, quantify the risk and exposure of critical facilities to failure, identify vulnerabilities, become the first step in creating an action plan for site hardening, benchmark against the industry and assist in developing a business case for capital expenditure. Applying physical, administrative and technical safeguards can lift a business toward a higher level of information security and productivity. The risk assessment exercise attempts to:
    • Validate the function of infrastructure system capacities;
    • Identify single points of failure;
    • Ascertain the degree of compliance with datacenter best practices; and
    • Determine which systems fail to match design objectives.



Physical security

Physical security reviews are an excellent way to provide security personnel and management officials with information helpful in determining the effectiveness and appropriateness of existing security guidelines. Site security reviews are a great first step to take prior to making security improvements at a facility or when trying to solve a specific security problem.


Penetration testing

Our vulnerability assessment and penetration testing approach is based on years of developed and proven testing methodology and unique attack, penetration and forensic experience.

It allows our security professionals to identify potential access points into the network, prioritize vulnerabilities and attempt controlled penetrations of your networks and other points of access.

Our work plan is aligned to your needs and operates proactively to identify the threats your environment is exposed to and to suggest clear remediation options.



Identity and access management

Identity and access management relates to the granting or denying of access to a company’s equipment and data. Strong, effective access management enables the access of authorized workers while restricting the access of unauthorized workers and external third-parties.

PwC cyber security professionals support organizations on the following assignments related to identity and access management solutions:

  • Authentication and authorization analysis;
  • User management and access provisioning reviews; and
  • Identity storage and data integration infrastructure review



Security awareness and education

Information Security Classroom Trainings

Information Security (IS) training sessions for employees of your organization, or for third parties that manage information of your organization, train them on information security, on protecting information using best practices and on adhering to the organization's information security policy. We also address current IS attack trends and the best practices to prevent them.

Computer Based Training (CBT)

We at PwC Sri Lanka Cyber Security, have developed our own Interactive Computer Based Training (iCBT) module, a state-of-the-art training module with customization capabilities according to the requirements of the client organization. Our CBT:

  • Can be easily integrated with your existing learning management systems (example Moodle);
  • Comes with customized branding options;
  • Comes with cost-effective licensing and annual maintenance options;
  • Comes with optional Human Resource aptitude tests; and
  • Can be easily updated with content required by the client

Social engineering assessments

PwC will conduct various tests to verify social engineering security awareness among employees. These tests could be in the form of:

  • Emails
  • Phishing
  • Telephone-based threats
  • Reverse social engineering
  • Waste management threats
  • Physical security threats
  • Website-based threats



Managed Cybersecurity Services

“Help you innovate on the frontlines and at the same time bridge the gap from ‘Strategy to Execution’”

Managed Cybersecurity Services are ideal for security technologies in niche fields where there is a shortage of adequately trained resources to meet monitoring demands. Our managed security services methodology removes the difficulty of staffing a committed and highly skilled team to oversee or manage activities outside of conventional technology operations, while providing continuous improvement to your technology innovations.

The problems we are solving for our clients

  • Can you take ownership of delivering on cybersecurity needs?

  • We need specialist skills

  • A partner we can trust

  • We need to realize value from Security investments

  • What matters is quality of staff

  • Need a secure infrastructure with best in class technologies

PwC provides customized services that help organizations achieve and maintain a secure posture, enabling them to effectively detect and respond to cybersecurity threats on a continuous basis.

Our solution areas cover:


  • Vulnerability Assessment and Penetration Test
  • ITGC & Application Controls Review
  • Business Application Review
  • Web Application Security Review
  • Mobile Application and Infrastructure Security Review
  • Firewall and Network Infrastructure Review
  • Red Team Assessment
  • Information Security Management - ISO 27001:2013 ISMS Implementation
  • Business Continuity Management System (BCMS) in line with ISO 22301:2019
  • Phishing Simulation and Social Engineering
  • Security Awareness Workshop & Table Topic Sessions
  • Cloud Security Review

The pay-offs for your choice

  • A flexible and adaptable service delivery model that tailors our approach to fit your needs and objectives
  • Knowledge transfer through ongoing guidance and training for your team, delivered by our security domain expertise combined with years of consulting experience, for a differentiated experience unlike any other
  • Smoother coordination on staffing projects, minimizing potential cost overruns due to inefficiency
  • Enhanced technical controls for the organisation, preventing loss of intellectual property, fraud, and leakage of customer data and other sensitive information
  • Access to the specialised skills of cyber investigators, forensics experts, malware analysts, content specialists and security data scientists
  • A robust automated operating model for security operations, leading to better protection from targeted attacks, a focused approach to incident closure, increased efficiency of investigation processes and lower organisational risk



Game of Threats™ Cyber Threat Simulation

Game of Threats™ is a digital game that simulates the speed and complexity of a real-world cyber breach to help executives better understand the steps they can take to protect their companies. The game environment creates a realistic experience in which both sides, the company and the attacker, are required to make quick, high-impact decisions with minimal information.


Payment Related Mobile Application Review

Mobile applications are going beyond just a 'view only' banking channel to becoming the primary channel for many banks. This changes the paradigm of security for mobile banking applications. With insecure end point devices, a highly diverse ecosystem and a combination of a variety of technologies, mobile banking is set to become one of the highest risk channels for banks.


GDPR Compliance

The General Data Protection Regulation (GDPR) is a European Union regulation designed to strengthen and unify the privacy and data protection of EU citizens.

If you are an organisation processing the personal data of European citizens, or a non-EU organization involved in the following activities:

  • Targeting European citizens with goods and services;
  • Monitoring the activities of European citizens,

you need to comply with GDPR, which takes effect from 25 May 2018. From that time, organizations in non-compliance may face heavy penalties.



Contact us

Nishan Mendis

Technology Consulting Leader

Tel: +94 11 7719700 ext. 1001

Vengadasalam Balagobi

Practice Head - Cyber Security

Tel: +94 11 7719700 ext.1601, +94 77 2315168
