Practice areas

Below are our main areas of expertise and experience.

Safety & security

Our skills

Custax & Legal supports companies in their overall, cross-functional management of safety, security and cybersecurity issues.

We offer an integrated approach aimed at controlling risks in both physical and digital environments and preventing all forms of threat.

We provide prevention and training, diagnosis and audit, advice and remediation, as well as specific support in crisis situations.

Information systems security & cyber security

    • Delivering awareness and providing training in the requirements and best practices (e.g. ISO 27002, 29100, SGDSN, etc.) relating to the IT environment (sandboxes, IDEs, applications, operations, networks, workstations, etc.).
    • Ensuring the implementation of the 5 pillars of compliance for the management of regulated or controlled intangibles:

    o Assisted characterization, classification and electronic marking

    o Management of authorisations/declarations

    o User authentication and access control to controlled or regulated items

    o Enterprise architecture and security in compliance with technical specifications (e.g. ANSSI)

    o Traceability/accountability and reporting of controlled intangible flows

    • Addressing the specific cases of SaaS, Cloud and similar solutions for managing controlled or regulated intangibles (SecNumCloud, ESCloud, etc.)
    • Implementing applicable security standards (RGS ANSSI, CLUSIF, ENISA, NIS2, etc.)
    • Securing workstations, nomadism, network and administration of the entire IT perimeter
    • Auditing and determining threats and risks in order to correct identified flaws and vulnerabilities
    • Assessing cyber risks and impacts on IT resources and projects
    • Issuing the requirements and recommendations necessary to ensure the security of information systems and the protection of company data
    • Ensuring compliance with the regulatory obligations of “Security & Privacy by design” and contractual compliance with customer requirements
    • Supporting specific certifications e.g. HDS, DORA, “Physical Infrastructure Hosting”, “Outsourcing Hosting”, etc.
    • Resilience review:

    o Maintaining the information system’s virtual infrastructure in operational condition

    o Maintaining the operational readiness of the information system’s application hosting platform

    o Administration and operation of the information system containing controlled/regulated data

    • Specific support on the definition of “PASI” (Information Security Assurance Plan)
    • Support for regulatory security audits of IT resources
    • Initiating the implementation of Zero Trust Network Access, Cloud Access Security Broker, etc.
    • Cyber defence strategies, prevention (Data Leak/Loss Prevention), monitoring (Security Operations Center)

Physical security

  • Diagnose compliance with regulations (OIV, LPM, ZRR, etc.)
  • Carry out security studies to assess risk exposure
  • Identify site weaknesses
  • Formulate useful recommendations
  • Provide specific advice on the definition of security plans (e.g. launch campaigns, test campaigns outside national territory, etc.).

Security & Privacy by design

  • Supporting the deployment of dedicated frameworks depending on the data to be protected (CSA, ISO27005, ISO27018, TOGAF, Zachman, etc.)
  • Conducting PIA studies on the protection of personal data
  • Support in obtaining and managing authorisations from ANSSI
  • Defining procedures and support for “safety-security” certification as part of AEO customs certification
  • Proposing agile methodologies for taking security into account in projects
  • Helping to draft and implement internal security procedures
  • Auditing project management in relation to IT security
  • Reviewing security and business continuity clauses in customer and supplier contracts

Crisis management

  • Identify crisis or pre-crisis situations
  • Set up and run a crisis management unit using the company’s resources
  • Provide crisis management training
  • Report to and interface with the authority with regard to reporting obligations
  • Raise awareness of the specific nature of media relations


  • Establish risk prevention policy in company daily practices
  • Advise management on safety and security policies

Economic protection

  • Protecting your strategic assets
  • Controlling your e-reputation on the internet
  • Securing your data and anticipating attacks from your competitors
  • Determining information requirements needed to enhance your organisation’s security and competitiveness
  • Designing and running a monitoring system to detect threats and opportunities likely to impact your business
  • Integrating a systemic approach to business intelligence as part of an overall policy to protect the organisation

Data Privacy (Personal Data Protection)

  • Managing and organising data protection
  • Defining the roles of data controller, data processor and data protection officer
  • Analysing the impact on data protection
  • Managing DAROs and other individuals’ access requests
  • Notifying and responding to incidents

Our background

Our safety and security experts are certified in ISO 22301, 27001 and CISSP, and are certified by the “Institut National des Hautes Etudes de la Sécurité et de la Justice” (National Institute for Higher Studies in Security and Justice), reporting to the Prime Minister.

  • Expert in security diagnostics and consultancy
  • Ability to grasp both the business challenges and the specific features of the security of a company’s information, flows and physical installations
  • A method for embracing change
  • Assistance with ISO standards and regulatory compliance
  • Advice to companies on site security
  • Training and advice on crisis management and safety and security audits

Would you like to call on our firm?