Certified Professional Consultancy Services
RISK ASSESSMENT
Delivery of complex information risk assessments to influence senior risk owners, managers and other stakeholders. We can influence the development of information risk assessment methodologies across and beyond the organisation. We feed findings from threat assessments, IT Health Checks and vulnerability testing, protective monitoring, incident management reporting and failures to implement basic assurance controls (e.g. ISO 27001) into risk assessments. We understand how information risk management fits within wider risk management strategies and within the governance structure of the organisation, and how to engage with it. We refine risk assessments to match the specific business context.
Our information risk assessments have sufficient credibility to change major client, organisational or national priorities for risk mitigation. We are able to author departmental or national guidance on information risk assessment practices and to influence generic risk management strategies.
We are credible at main Board level, recognise situations for which previous approaches are inadequate, and develop innovative alternatives or novel solutions.
RISK MANAGEMENT
We are able to advise management executives and senior key stakeholders on information risk across a business unit or organisation. We are able to design, approve and implement risk treatment plans for information systems, ensuring controls are pragmatic, appropriate, cost-effective and traceable to the associated risks.
We can prioritise the allocation of information risk management resources across an organisation, identifying value-adding business activities that can be enabled by improved information risk management. We identify the IS controls upon which the organisation is most dependent and influence the level of resources allocated to information risk management. We can also peer review risk management plans.
INFORMATION SECURITY STRATEGY
We are able to influence investment decisions and risk appetites through contribution to the development or implementation of IS strategy. We can describe and contrast alternative IS strategies for realising business benefits, and describe techniques to gain adoption of an IS strategy.
We can develop and refine your corporate IS strategy to deliver business benefits, influencing corporate strategies to reflect the needs of IS. We are able to lead workshops and teams to develop IS strategy, achieving consensus among key stakeholders.
We are regularly consulted by Directors and senior business managers, including CEOs, CIOs, CTOs, DSOs, ITSOs and IAOs in the public sector.
INNOVATION & BUSINESS IMPROVEMENT
We are able to support the realisation of strategic business benefits through innovative application of IS. We can describe how we conceived and delivered a business improvement through application of IS; e.g. reduced cost or risk, or greater business agility. We are able to identify opportunities for IS to enable strategic business benefits, persuading senior stakeholders to invest in IS to realise those benefits; e.g. improved IS controls to enable consolidation of IT infrastructure.
We can resolve challenging conflicts between security and other business objectives; e.g. balancing need to know with need to share. We can apply deep knowledge of IS and business activities to identify information risks of concern at board level; e.g. a specific increased threat that could exploit vulnerabilities and cause high business impact.
We are able to apprise senior managers and Directors of the IS implications of strategic business objectives; e.g. the risks of information sharing with new partners, increased use of online services, or increased remote working. We influence the implementation of IS in Enterprise Architectures.
We identify the IS implications of Government or regulator policies and strategies and take action to influence public or industry sector IS policy, standards or guidance accordingly. We are frequently sought for keynote speeches at IS conferences and events.
POLICY & STANDARDS
We are able to advance your business objectives through the development or interpretation of a range of IS policies or standards. We can describe and contrast various approaches to IS policy or standard development, initiating the development of new policies and standards in your organisation.
We are able to co-ordinate the development of effective policies and standards in information security fields with which we are not previously familiar. We are able to contribute to the development of national or international policies or standards and to supervise other policy developers.
We are able to incorporate recent advances in information security into existing policies and standards, co-ordinating policy and standard development on behalf of your organisation. We interpret IS policy and standards to support important or complex decisions, or decisions that set new precedents.
We are able to express findings from penetration testing and audits as non-compliance with applicable policy and guidance.
INFORMATION ASSURANCE METHODOLOGIES
We are able to apply recognised cyber security/IA methodologies to verify that risks are mitigated to levels acceptable to risk owners and managers, taking into account the business environment and objectives.
We can appropriately refine and interpret methodologies for use on complex tasks to meet the needs of risk owners or managers. We are able to advise whether a methodology is appropriate to identify or mitigate risks to information systems.
We are able to review the effective application of cyber security/IA methodologies, justifying the choice of methodology to stakeholders and explaining its limitations.
We are able to apply cyber security/IA methodologies proportionately to the potential business benefits or impacts, and to mentor experienced users of a cyber security/IA methodology.
THIRD PARTY MANAGEMENT
We are able to advise procurement and legal staff on the requirements for contracts to protect information entrusted to third parties, based on a good understanding of the supporting IS requirements. We can specify the technical, physical, personnel or procedural security requirements expected from third parties.
We can assess the potential risks of entrusting third parties to protect information or to deliver services upon which the information security of the first party depends.
We are able to assess compliance by third parties with agreed information security policies and standards, and we understand the level of trust that can be assumed by Departments and Agencies whose partners have gained Cyber Essentials, Cyber Essentials Plus, or other sector-specific or industry certifications.
We understand and can advise how to maintain compliance with Codes of Connection to services such as PSN. We are aware of, and pragmatically use, a range of assurance methods to gain confidence in arrangements, such as penetration tests, audits, inspections or other reporting approaches.
We are able to develop organisational IS policies for sharing information with third parties and to negotiate frameworks for managing third-party protection of shared information. We can advise information risk owners or managers of the risks of supply chains that include third parties not subject to EU legislation protecting personal data or privacy, such as the EU Charter of Fundamental Rights.
We are able to lead complex negotiations with third parties on standards for protecting shared information, whether through transfer of data or access to a shared repository.
INFORMATION SECURITY AWARENESS & TRAINING
We are able to design, deliver, and manage the delivery of training on multiple aspects of IS.
We can design, develop and deliver effective information security training courses based on up-to-date IS knowledge. We can identify gaps in organisational security awareness.
We can design or modify awareness programmes to meet organisational needs and initiate new ways of enhancing IS awareness.
We are able to persuade management of the need to resource IS awareness and training.
GOVERNANCE
We are able to develop IG standards or processes, applying IG principles across the organisation. We can advise how to apply IG standards or processes beyond the local business area and apply them in complex cases. We also exercise good judgement on when to escalate IG issues to senior management.
We are able to influence corporate resourcing of IG, interpreting IG principles or policies for your business units and developing practical guidance tailored to your needs.
We are able to improve aspects of IG in response to internal or external audits, making IG decisions that set organisational precedents.
We are able to lead the development of IG at organisation level, initiating changes to IG frameworks at departmental or national level.
We are also capable of influencing government, industry sector or public IG standards.
AUDIT & REVIEW
We are able to:
- Audit and test compliance with security criteria in accordance with an appropriate methodology. In the public sector we are able to audit and assess compliance with Codes of Connection, with HMG IA Standards or with the HMG IA Maturity Model.
- Audit and assess compliance with commercial or sector-specific approaches such as PCI DSS, ISF or ISO 27001.
- Use audit findings to influence information risk owners or managers. In the public sector this means influencing risk managers, business leaders or Information Asset Owners.
- Recommend and implement processes to verify ongoing conformance to security requirements. We maintain current knowledge of relevant policies, standards, and legal and regulatory requirements.
- Influence Senior Information Risk Owners and business managers through information-risk-driven auditing, with assessments against the HMG IA Maturity Model, or checks for compliance with the HMG Security Policy Framework or Codes of Connection to public sector networks.
We ensure audit plans and compliance testing activities are information-risk driven, based upon an understanding of threats, vulnerabilities and business impacts.
We have broad experience of conducting security audits and develop audit plans to meet audit assignments. We effectively communicate credible audit findings to our clients based on impartial, objective evidence and clear reasoning.
We can identify the security risks to the organisation or service from audit findings, and identify opportunities for improving audit techniques.
LEGAL & REGULATORY
We understand applicable legislation and regulations relating to IS in the context of our own and client organisations.
Working with your legal team, we can advise whether your business practices comply with relevant legislation and regulation, based on an understanding of business requirements.
We are able to recognise major non-compliances with applicable legislation and regulations. We also recognise when our advice is precedent-setting and know where to gain more expert advice if required.
We are able to propose updates to IS policies and standards to comply with legislation or regulations, maintaining awareness of major recent changes to legislation and regulations relevant to IS. We are able to consider their implications for your organisation.
We are able to advise how to persuade management of the need to change information security practices to comply with legislation and regulations.
We can author IS policy or standards to comply with legislation and regulations, identifying the need to change working practices in response to changes in legislation and regulation.