Information Security Assessments

I can help organizations with an Information Security Assessment Service that has been specifically tailored to let a business rapidly assess and evaluate its information security maturity. The process involves a structured on-site assessment of key risk areas across your business, covering people, processes, and technologies. This assessment has been created fully in line with ISO 27001 requirements; I am also able to use other frameworks such as NCSC 10 (UK) or the NIST Cyber Security Framework (US). The outcome of this assessment is a board-level report on the Information Security Risks facing your organisation, together with a prioritised list of actionable remediation steps. If desired, it can also contain a fully costed remediation plan and a roadmap to move your organisation to a more acceptable level of risk.

Key Benefits

  • Provides organizations with a board-level snapshot of Information Security Risks
  • Identifies and prioritises areas requiring immediate attention
  • Provides a measure of Information Security Control Maturity within your business
  • Assists with Information Security cost forecasting and budget justification

My Methodology

Step 1: Pre-Assessment Phase (Off-Site)

  • Meeting with key staff members
  • Walkthrough of engagement activities and agreement of roles
  • Identify all documentation required to support the assessment
  • Walkthrough of existing Information Security Policy (if applicable)
  • Walkthrough of in-scope business processes (assets)
  • Walkthrough of existing network diagram
  • Walkthrough of existing Information Security documentation (if applicable)

Step 2: Information Security Risk Assessment (On-Site)

  • Identify the key cyber risks to your business
  • Identify key digital assets, including Personally Identifiable Information (PII)
  • Identify the key cyber risks relevant to the critical digital assets
  • Identify the key legal, regulatory and contractual obligations

Step 3: Cyber Security Controls Assessment (On-Site)

  • Perform an on-site review of controls covering the key areas of risk, in line with the ISO/IEC 27001 management system requirements:
    • Context of the organization
    • Leadership
    • Planning
    • Support
    • Operation
    • Performance evaluation
    • Improvement
  • Perform an on-site review of the ISO/IEC 27001 Annex A control set requirements:
    • A.5 Information security policies (2 controls)
    • A.6 Organisation of information security (7 controls)
    • A.7 Human resource security (6 controls)
    • A.8 Asset management (10 controls)
    • A.9 Access control (14 controls)
    • A.10 Cryptography (2 controls)
    • A.11 Physical and environmental security (15 controls)
    • A.12 Operations security (14 controls)
    • A.13 Communications security (7 controls)
    • A.14 System acquisition, development and maintenance (13 controls)
    • A.15 Supplier relationships (5 controls)
    • A.16 Information security incident management (7 controls)
    • A.17 Information security aspects of business continuity management (4 controls)
    • A.18 Compliance (8 controls)

Step 4: Reporting (Off-Site)

  • Preparation of Information Security Assessment Report

Step 5: Stakeholder Review and Future Planning (Off-Site)

  • Workshop or meeting walkthrough of findings with key stakeholders/team leaders.
  • Define a vendor-neutral plan outlining the tactical and strategic changes required to improve the Information Security Risk posture.

Timeframe

  • Total: 3-5 days
  • On-site: 1-3 days
  • Remote: 1-2 days

Deliverables

  1. Information Security Assessment Executive Summary Report: High-level summary, overall Information Risk status, identification of any critical issues and exposures, and a prioritised set of recommendations required to align with the agreed business risk appetite.
  2. Information Security Controls Analysis
  3. Remediation Project Plan: A high-level plan identifying the tasks, resources and proposed timeframes required to immediately reduce any identified exposures, together with any strategic items identified above.