Planning and delivering treatment for information security risks
Once you have a clear understanding of your information security vulnerabilities, you can start to plan how they will be addressed. Your organisational priorities, as well as the availability of expertise and resources in-house, will have a significant impact on the plan and its timeline.
In many cases we can provide a team to run a full implementation project; in other instances it is more appropriate for us to brief key personnel then step back and take a less hands-on role in managing the rollout. Either way, you can bank on us being with you every step of the journey.
Working within ISO27001 and its related standards, we generally divide the risk treatment into three parts:
- The first step is to identify the fundamental controls that are going to be required for the implementation. This involves selecting well-defined areas in which attention will be focused. Within each of these there will be specific technical measures, management systems and policies to develop.
- The next step is focused on outstanding areas that are not covered by ‘standard’ policy approaches. Here we work with you to devise appropriate measures that balance risk with operational efficiency and manageability.
- The final step is where we lead the work to develop and apply solutions. Where possible, experts from within your own organisation (or outsourced functions, such as IT or direct marketing) will create policies, select technologies and train staff in new ways of working.
This is a highly collaborative process, in which the experience and expertise we bring is matched with the operational and specific technical knowledge within your business and its outsourcing partners. We take into account that your business, its use of information and the threat landscape are changing all the time, so we help you build in approaches for continual improvement.