ISMS Maintenance / Refresh Service | ISMS Matters

ISMS Maintenance / Refresh

Information Assurance & Testing

A holistic view of information security

This service is designed for clients who are concerned about their current level of information security; need to ascertain how effective their security controls are; require an understanding of where the real security weaknesses lie; are unsure of whether they are receiving value from existing assessments; or just simply lost their current resource for maintaining compliance.


ISMS Matters can perform a security review in order to provide a holistic view of information security and an understanding of which areas of the business are at the most risk.

ISMS maintenance and refresh

A combined approach

A combined approach is recommended for this service:

● Information Assurance. A review of existing security governance and the management of security within the business; this is the part performed by us.

● Technical Security Testing. A technical assessment aimed at giving a comprehensive overview of the levels of technical security within the business; this is the part performed by a Security Testing Practice.

 

We believe that this mix of both information and technical assurance is the key to verifying and measuring the effectiveness of policies and processes.


Only this combination can deliver real confidence to senior management that information risk is being addressed and that legal and regulatory requirements for information protection are being met in a structured and consistent manner.


It can also bridge the gap between senior management and lower-level information security activity.

Highlighting process issues

This service is particularly useful as it specifically highlights where there is either process failure or process is not being followed.

Our mission at ISMS Matters is to produce a successful blend of governance (policy, process, procedure) combined with technical security testing, providing more effective overall security for our clients.

Quite often we see that the corporate side of the business has many documented policies, standards and procedures, but when the technical side of the business is examined:

● Knowledge of policy or procedural documentation is weak or non-existent

● Process is not being adhered to (either through lack of awareness, lack of enforcement, or business/technical constraints)

● Technical controls are not aligned with management policy

Potential reasons for difficulties

In some cases, the non-alignment may be purely due to the fact that the policy documentation has been produced without the input of the technical side of the business.


There may be a lack of security culture, security enforcement, or valid business constraints (operational or technical) as to why a policy, standard, procedure or process cannot be followed. This is particularly symptomatic of organisations that have grown organically through acquisition and incorporate different security architectures, technologies and technical teams.


This scenario is also seen where a business is making the transition from a small ‘warm and fluffy’ organisation to a more corporate stance; it will likely be moving from a culture of limited or no security to suddenly having structure enforced.


If not properly managed, this can cause resentment, frustration and non-adherence (particularly if technical knowledge is held by a few limited and ‘indispensable’ employees).

Identifying areas of non-alignment

This service can help to identify areas of non-alignment and can provide recommendations for changing the security posture in a manner best suited to the culture of the organisation.


If any relationships with third parties are identified (e.g. data centre service providers or developers), the scope of the assessment does not include a review of the third-party environment, unless explicitly required by the client (and consultancy days allocated).


However, any evidence of due-diligence activity on the part of the client will be reviewed, as it forms part of the governance framework.

Please contact us now for a free quote on your upcoming requirements or project…