Cyber Security Consultancy

Overview

Every day the press carries stories of security breaches, data losses and an ever-increasing number of vulnerabilities in IT systems that need to be addressed. Many organisations struggle to address these issues and to make sure that they are not the next news item. With the introduction of the Internet, organisations are forced to re-examine their security infrastructure, especially if they are required to open their information systems to customers, partners and suppliers in order to maintain a competitive advantage. An incomplete and outdated cyber security solution puts your organisation’s information resources at risk, and a single breach can result in tremendous loss to your organisation and its reputation.

Although it may be difficult for you to implement a comprehensive and complete cyber security programme to manage and control all of your information assets, the risk of breaches can be minimized if appropriate controls are put in place to protect them. To do this, all of your assets must be identified and the risks to them evaluated so appropriate cyber security controls can be selected to reduce the risks to an acceptable level.

Consequently, more and more organisations are exploring the benefits of implementing best-practice information security management using ISO 27001, with ISO 27002 and the rest of the relevant ISO 270xx family as supporting guidance.

ISO 27001 was formerly a British standard (BS 7799) and is the de facto international standard on:

    • Establishing
    • Operating
    • Maintaining
    • Continuously improving

an Information Security Management System (ISMS).

Service Offering

A-GRC is uniquely placed to assist you, as it has assisted others, in developing and implementing information security solutions appropriate for your business.

Additionally, our Chief Technology Officer (David Lilburn Watson) sits on the ISO Standards committee that oversees the development of the ISO 270xx series of standards.

A-GRC has developed its own methodology based on ISO 27001 that contains an Information Security Management Policy and all of the processes, procedures and plans that are required to develop an Information Security Management System (ISMS) based on the Deming cycle of:

    • Plan
    • Do
    • Check
    • Act

that all of the major management system standards have adopted. Whilst the PDCA cycle is no longer mandated in Annex SL, many organisations still prefer to use this process.

A-GRC ISO consultants are all ISO 270xx experts. Some are qualified IRCA Certified Auditors and Principal Auditors (rather than having merely attended a Lead Auditor course), and they have implemented a number of ISO 27001 systems that have gained Certificates of Registration to ISO 27001.

Approach

The A-GRC approach to ISO 27001 covers:

  • defining the context of the organisation
  • understanding the business, its drivers, and the needs and expectations of the interested parties
  • determining the scope of the ISMS
  • establishing the ISMS
  • establishing management commitment throughout the organisation
  • embedding information and cyber security in the business
  • planning for the ISMS, including defining business continuity objectives and how to achieve them
  • ensuring appropriate support processes and procedures are in place
  • performing gap analysis
  • undertaking risk and vulnerability assessments
  • developing the Risk Treatment Plan and the Statement of Applicability (SoA)
  • documenting procedures
  • implementing awareness training
  • implementing supporting cyber and information security procedures
  • monitoring, measuring and reviewing the ISMS
  • auditing the ISMS
  • conducting management reviews of the ISMS
  • continuously improving the ISMS
  • assisting in gaining an ISO 27001 Certificate of Registration.

In addition, the approach covers the mandatory procedures and documents required by ISO 27001.

Benefits

The A-GRC approach gives you the ability to:

  • align business needs with information security deliverables
  • bid for contracts from which you might be precluded if you were not certified
  • assure management and customers of the information security levels in place
  • create an organisational structure that ensures roles and responsibilities for information security management are established
  • demonstrate compliance verified by a third-party Conformance Assessment Body
  • develop a Statement of Applicability (SoA) that identifies the controls to be implemented to address the risks identified in your organisation
  • enable interoperability between disparate systems
  • ensure that a high-level corporate information security policy exists
  • ensure that an appropriate incident management process is in place
  • ensure that an information asset register is created and managed
  • ensure that personnel security issues are highlighted and controlled
  • ensure that an ongoing compliance and monitoring mechanism is in place
  • ensure appropriate security of assets within the defined scope
  • ensure that processes and procedures for information security are documented and tested
  • implement and maintain information security awareness within your organisation
  • identify and evaluate risks to your organisation
  • increase customer confidence in your products and services
  • make a public statement that you have addressed the information security needs of your, and your customers’, data
  • manage and treat significant risks to reduce them to an acceptable level in line with your risk appetite
  • validate the adequacy of IT technical security measures, including communications and operational procedures, logical access controls, and systems development and maintenance arrangements
  • validate the adequacy of physical and environmental security arrangements
  • validate the existence and adequacy of arrangements for ensuring continuity of information security when invoking business continuity and/or disaster recovery arrangements.