Assessing your exposure to information security risks
If you do not have a clear and complete picture of your organisation’s information vulnerabilities, then any security measures you implement are likely to be undermined by weaknesses that have gone unnoticed elsewhere.
That’s why we start by understanding what our clients need to achieve with information security, and use that context to carry out a comprehensive assessment of where information is stored, how it is used and the ways in which staff and other individuals are accessing it.
Our assessment typically considers all parts of an organisation, including every team and department:
- The information they are holding: What sort of value it has and what the impact would be if it were lost, corrupted or leaked.
- The operational procedures in place: How information is used and manipulated, whether manually or automatically.
- Roles: Which individuals have responsibility for handling, processing and safeguarding the information.
We apply many years’ information security experience to assess the findings, so that together we can see where the most significant risks lie and how the treatment of risks needs to be prioritised.
If you would like more information about assessing your exposure to information security risks, please contact us.
Planning and delivering treatment for information security risks
Once you have a clear understanding of your information security vulnerabilities you can start to plan how they will be addressed. Your organisational priorities, as well as the availability of expertise and resources in-house, will have a significant impact on the plan and its timeline.
In many cases we can provide a team to run a full implementation project; in other instances it is more appropriate for us to brief key personnel then step back and take a less hands-on role in managing the rollout. Either way, you can bank on us being with you every step of the journey.
Working within ISO27001 and its related standards, we generally divide the risk treatment into three parts:
- The first step is to identify the fundamental controls that are going to be required for the implementation. This involves selecting well-defined areas in which attention will be focused. Within each of these there will be specific technical measures, management systems and policies to develop.
- The next step is focused on outstanding areas that are not covered by ‘standard’ policy approaches. Here we work with you to devise appropriate measures that balance risk with operational efficiency and manageability.
- The final step is where we lead the work to develop and apply solutions. Where possible, experts from within your own organisation (or outsourced functions, such as IT or direct marketing) will create policies, select technologies and train staff in new ways of working.
This is a highly collaborative process, where the experience and expertise that we bring is matched with operational and specific technical knowledge within your business and outsourcing partners. We take into account that your business, its use of information and the threat landscape are changing all the time, so we help you build in approaches for continual improvement.
To find out more about the process and how it would apply to your business, please contact us.
Verifying your information security measures
If you already have a good handle on your organisation’s information security, we can provide validation that all the right measures remain in place and practices are still being followed. We can also prepare your organisation in advance of a successful ISO27001/Cyber Essentials audit.
Before you incur the full cost of a formal security audit – or if you have been accredited for some time and want to be sure that your information security practices are still up to standard – we offer a comprehensive validation and compliance check. This allows you to remedy any omissions in your own timeframe without incurring unnecessary audit costs.
We will help you:
- Verify that policies and procedures are being followed consistently and that all the required records and logs are being maintained.
- Check that an appropriate set of information security documentation is accessible to guide and direct your staff and subcontractors.
- Identify areas of potential exposure that are priorities for future improvement.
Once we are confident that you are ready for a full audit, whether it's ISO/IEC 27001 or Cyber Essentials, we will hand over to an independent assessor to formalise your achievement.
To find out more about validating your information security and audit, please contact us.