Security Health Check For Business | ISMS Matters

Security Health Check

Information Governance Review

A security health check for your business

A high-level, quick analysis of the current status and maturity of information security in the organisation, and of how it compares to recognised standards for information security (e.g. ISO/IEC 27001, ISF Good Practice Guideline, HMG, PCI DSS).


This service is designed to give a broad high-level view of the security ‘health’ of the organisation upon which to build a strategy or framework for proactive risk management and continual security improvement.


Typically, the ISO/IEC 27001 Standard provides a good baseline framework for this service. Even if the organisation already holds ISO 27001 certification, it may be prudent to assess the maturity and effectiveness of its controls.

Security health check

A partnership approach

This service, especially for a new client, is an opportunity for ISMS Matters to impress the client with the quality of the work delivered by us and can generate numerous opportunities for further work, whether Information Assurance, Technical Assurance or a combination of both (the ideal).


The consultancy is primarily high-level and interview-based, due to the short timescales; however, where necessary (for validation), technical configurations can be checked. If the client indicates that full validation of process is required, then the number of consulting days may need to be increased accordingly, or our audit-related services used instead.


If there are any relationships with third parties identified, e.g. data centre service providers or developers, the scope of the assessment does not normally include a review of the third party environment, unless explicitly required by the client (and consultancy days allocated). However, any evidence of due-diligence activity on the part of the client will be reviewed as it forms part of the governance framework.

Third party environments

On the flip side, some clients have specifically engaged us to carry out the assessment solely of the third party environment, so that the service becomes a ‘third party Security Review’. In these scenarios, and depending on the type of service offered, the review of the third party will tend to revolve around:


  • Review of overall security governance (as described above); or
  • Review of physical security (normally for prospective hosting/data centre providers); or
  • Review of third party development processes (if a software developer)


The third party review option is primarily taken up if there are regulatory compliance requirements (e.g. covering the handling of sensitive data), normally ISO/IEC 27001 or PCI DSS related (in which case this falls into the PCI DSS Practice area).

Please contact us now for a free quote on your upcoming requirements or project…