Risk Assessment

What can we do for you?

We can produce complex information risk assessments that influence senior risk owners, managers and other stakeholders. We can influence development of information risk assessment methodologies across and beyond the organisation. We apply findings from threat assessments, IT Health Checks and vulnerability testing, protective monitoring, incident management reporting and failure to implement basic assurance controls (e.g. ISO 27001) into risk assessments. We understand how information risk management fits within wider risk management strategies, and the governance structure of the organisation and how to engage with it. We refine risk assessments to match the specific business context.

Our information risk assessments have sufficient credibility to change major client, organisational or national priorities for risk mitigation. We are able to author departmental or national guidance on information risk assessment practices and influence generic risk management strategies.

We are credible at main Board level and recognise situations for which previous approaches are inadequate and develop innovative alternatives or novel solutions.

Risk Management

What can we do for you?

We are able to advise management executives and senior key stakeholders on information risk across a business unit or organisation. We are able to design, approve and implement risk treatment plans for information systems, ensuring controls are pragmatic, appropriate, cost-effective and traceable to the associated risks.

We can prioritise the allocation of information risk management resources across an organisation, identifying value-adding business activities that can be enabled by improved information risk management. We identify IS controls upon which the organisation is most dependent and influence the level of resources allocated to information risk management. We can also peer review risk management plans.

Information Security Strategy

What can we do for you?

We are able to influence investment decisions and risk appetites through contribution to development or implementation of IS strategy. We can describe and contrast alternative IS strategies for realising business benefits, describing techniques to gain adoption of IS strategy.

We can develop and refine your corporate IS strategy to deliver business benefits, influencing corporate strategies to reflect the needs of IS. We are able to lead workshops and teams to develop IS strategy, achieving consensus among key stakeholders.

We are regularly consulted by Directors and senior business managers including CEOs, CIOs, CTOs, DSOs, ITSOs and IAOs in the public sector.

Innovation & Business Improvement

What can we do for you?

We are able to support realisation of strategic business benefits through innovative application of IS. We can describe how we conceived and delivered a business improvement through application of IS; e.g. reduced cost or risk, greater business agility. We are able to identify opportunities for IS to enable strategic business benefits, persuading senior stakeholders to invest in IS to realise those benefits; e.g. improved IS controls to enable consolidation of IT infrastructure.

We can resolve challenging conflicts between security and other business objectives; e.g. balancing need-to-know with need-to-share. We can apply deep knowledge of IS and business activities to identify information risks of concern at board level; e.g. a specific increased threat that could exploit vulnerabilities causing high business impact.

We are able to apprise senior managers and Directors of the IS implications of strategic business objectives; e.g. risks of information sharing with new partners, increased use of on-line services, increased remote working. We influence the implementation of IS in Enterprise Architectures.

We identify the IS implications of Government or regulator policies and strategies and take actions to influence public or industry sector IS policy, standards or guidance accordingly. We are frequently sought for keynote speeches at IS conferences and events.

Incident Management

What can we do for you?

We are able to manage your security incidents, ensuring that security incident management is aligned with more general incident management. We can author or authorise procedures for handling security incidents.

We improve organisational ability to manage security incidents in terms of detection or reporting processes, training for incident handlers and investigators or organisational procedures for damage limitation.

We are able to provide input to the press office for handling media interest in security incidents.

We can arrange separation of duties to avoid conflicts of interest. We are able to advise on managing lessons learned from security incidents within an organisation, ensuring that root causes have been identified and appropriate corrective measures implemented.

Policy & Standards

What can we do for you?

We are able to advance your business objectives through development or interpretation of a range of IS policies or standards. We can describe and contrast various approaches to IS policy or standard development, initiating the development of new policies and standards in your organisation.

We are able to co-ordinate development of effective policies and standards in information security fields with which we are not previously familiar. We are able to contribute to development of national or international policies or standards and supervise other policy developers.

We are able to incorporate recent advances in information security into existing policies and standards, co-ordinating policy and standard development on behalf of your organisation. We interpret IS policy and standards to support important or complex decisions or decisions that set new precedents.

We are able to express findings from penetration testing and audits as non-compliance with applicable policy and guidance.


As part of the rigorous NCSC CCP Lead SIRA certification process, below you will find a selection of our certified offerings.

6 Core Cyber Security Skills
Additional Certified Cyber Security Skills


What can we do for you?

We are able to verify risk mitigation by applying recognised cyber security/IA methodologies to confirm that risks are mitigated to levels acceptable to risk owners and managers, taking into account the business environment and objectives.

We can appropriately refine and interpret methodologies for use on complex tasks to meet the needs of risk owners or managers. We are able to advise whether a methodology is appropriate to identify or mitigate risks to information systems.

We are able to review the effective application of cyber security/IA methodologies, justifying the choice of cyber security/IA methodology to stakeholders or explaining its limitations.

We are able to apply cyber security/IA methodologies proportionately to the potential business benefits or impacts and mentor experienced users of a cyber security/IA methodology.


What can we do for you?

We are able to advise procurement and legal staff on the requirements for contracts to protect information entrusted to third parties, based on a good understanding of the supporting IS requirements. We can specify technical, physical, personnel or procedural security requirements expected from third parties.

We can assess the potential risks of entrusting third parties to protect information or to deliver services upon which the information security of the first party depends.

We are able to assess compliance by third parties with agreed information security policies and standards, and have an awareness of the level of trust that can be assumed by Departments and Agencies whose partners may have gained Cyber Essentials, Cyber Essentials Plus, or other sector-specific or industry sector certifications.

We understand and can advise how to maintain compliance with Codes of Connection to services such as PSN. We are aware of and pragmatically utilise a range of assurance methods to gain confidence in arrangements, such as penetration tests, audits, inspections or other reporting approaches.

We are able to develop organisational IS policies for sharing information with third parties and negotiate frameworks for managing third party protection of shared information. We can advise information risk owners or managers of the risks of supply chains, including third parties that are not subject to EU legislation protecting personal data or privacy, such as the EU Charter of Fundamental Human Rights.

We are able to lead complex negotiations with third parties on standards for protecting shared information, whether through transfer of data or access to a shared repository.


What can we do for you?

We are able to design, deliver, and manage the delivery of training on multiple aspects of IS.

We can design, develop and deliver effective information security training courses based on up-to-date IS knowledge. We can identify gaps in organisational security awareness.

We can design or modify awareness programmes to meet organisational needs and initiate new ways for enhancing IS awareness.

We are able to persuade management of the need to resource IS awareness and training.


What can we do for you?

We are able to develop IG standards or processes, applying IG principles across the organisation. We can advise how to apply IG standards or processes beyond the local business area and apply IG standards or processes in complex cases. We also provide good judgement on when to escalate IG issues to senior staff.

We are able to influence corporate resourcing of IG, interpreting IG principles or policies for your business units, and developing practical guidance tailored to your needs.

We are able to improve aspects of IG in response to internal or external audits, making IG decisions that set organisational precedents.

We are able to lead development of IG at the organisation level, initiating changes to IG frameworks at departmental or national level.

We are also capable of influencing government, industry sector or public IG standards.


What can we do for you?

We are able to:

  • Audit and test compliance with security criteria in accordance with an appropriate methodology. In the public sector we are able to audit and assess compliance with Codes of Connection, with HMG IA Standards or the HMG IA Maturity Model

  • Audit and assess compliance with commercial approaches or sector-specific approaches such as PCI DSS, ISF or ISO 27001

  • Use audit findings to influence information risk owners or managers. In the public sector this means influencing risk managers, business leaders or Information Asset Owners

  • Recommend and implement processes to verify on-going conformance to security requirements. We maintain current knowledge of relevant policies, standards, legal and regulatory requirements

  • Influence Senior Information Risk Owners and business managers through information-risk-driven auditing, with assessments against the HMG IA Maturity Model, or checks for compliance with the HMG Security Policy Framework or Code of Connection to public sector networks

We ensure audit plans and compliance testing activities are information-risk-driven, based upon an understanding of threats, vulnerabilities and business impacts.

We have broad experience of conducting security audits and develop audit plans to meet audit assignments. We effectively communicate credible audit findings to our clients based on impartial, objective evidence and clear reasoning.

We can identify the security risks to the organisation or service from audit findings, identifying opportunities for improving audit techniques.


What can we do for you?

We are able to collect and record evidence to support security investigations; e.g. through interviews, studying documentation, analysing protective monitoring systems or impounding equipment.

We are able to identify potential sources of evidence, report initial findings from investigative work and know how to record and preserve evidence such that it may be used to support formal proceedings.

We are also able to suggest ideas for improving team investigative capability.


What can we do for you?

We understand applicable legislation and regulations relating to IS in the context of our own and client organisations.

Working with your legal team, we can advise whether your business practices comply with relevant legislation and regulation, based on an understanding of business requirements.

We are able to recognise major non-compliances with applicable legislation and regulations. We also recognise when our advice is precedent-setting and know where to gain more expert advice if required.

We are able to propose updates to IS policies and standards to comply with legislation or regulations, maintaining awareness of major recent changes to legislation and regulations relevant to IS. We are able to consider their implications for your organisation.

We are able to advise how to persuade management of the need to change Information Security practices to comply with legislation and regulations.

We can author IS policy or standards to comply with legislation and regulations, identifying the need to change working practices in response to new changes in legislation and regulation.


What can we do for you?

We are able to evaluate threats to your information services through risk assessment, undertake business impact analysis for information services and perform continuity requirements analysis for information services.

We can identify potential BCM strategies to meet the maximum tolerable period of disruption for an information service, author business continuity plans and exercise business continuity plans for information services, including in crisis situations.

We understand and can apply guidance from the Business Continuity Institute or other authoritative bodies.


What can we do for you?

We are able to:

  • analyse internal problem reports for signs of anomalous security issues 

  • monitor, collate and filter external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through your formal change processes 

  • engage with your Change Management process and people to ensure that vulnerabilities are remediated

  • ensure that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available 

  • produce warning material in a manner that is both timely and intelligible to your target audience(s) 

  • explain why vulnerability assessments are required to maintain Information Security 

  • advise both HMG and commercial clients of sources of vulnerability information; e.g. Common Vulnerabilities and Exposures; Warning, Advice and Reporting Points, internal check lists 

We can also advise you how to:

  • obtain and act on vulnerability information in accordance with your Security Operating Procedures 

  • inform Change Management staff and other stakeholders of the need to respond to new vulnerabilities 

  • identify systems which are most vulnerable to attack  

  • monitor corrective actions in response to vulnerability assessments 


What can we do for you?

We can help you with configuration of information and communications equipment in accordance with relevant security policies, standards and guidelines. We can also help you maintain security records and documentation in accordance with your SyOPs and advise how to administer logical and physical user access rights.

We can advise on monitoring processes for violations of relevant security policies (e.g. acceptable use, security, etc.). We can also help you understand the potential business impact of failure to operate information systems securely, the common causes of security incidents and typical SyOPs for mitigating the risks of incidents.

We can advise you how to effectively apply SyOPs and follow routine security procedures such as patching, updating anti-virus signatures or vulnerability testing. We can also advise you how to record security-related activities to provide assurance to risk owners and managers that these activities have been completed.

We can advise you how to:

  • maintain secure configurations of equipment such as firewalls, routers, operating systems, applications, databases, cryptographic equipment, authentication systems 

  • handle cryptographic key material or equipment in accordance with SyOPs 

  • author new SyOPs and gain support for their introduction 

  • monitor compliance with SyOPs used across multiple information systems or services 

  • understand the holdings of cryptographic key material or equipment 


What can we do for you?

We can help you establish processes for maintaining the security of your information throughout its existence and:

  • establish and maintain SyOPs in accordance with security policies, standards and procedures 

  • coordinate penetration testing on information processes against relevant policies 

  • assess and respond to new technical, physical, personnel or procedural vulnerabilities 

  • manage implementation of information security programmes, co-ordinating security activities across your organisation

We are able to explain the potential for security incidents if Information Systems are not managed securely and advise of common causes of security incidents; e.g. lost removable media, failure to scan files for viruses, weak or compromised passwords.

We can advise you of sources of corporate security processes and procedures for maintaining operational security, and of tools commonly used to detect vulnerabilities and how they are used; e.g. port scanning, security checklists, protective monitoring, audits.

We can advise you how to:

  • monitor the application of Security Operating Procedures (SyOPs) 

  • make changes to SyOPs in response to newly identified vulnerabilities 

  • monitor that SyOPs for introducing information systems into operational use have been followed 

  • monitor compliance with routine SyOPs such as patching, updating antivirus signatures or vulnerability testing

  • monitor the output of protective monitoring systems and alert supervisors to suspicious events

  • monitor that SyOPs for decommissioning information systems and disposing of storage media securely are followed

  • provide advice on accepted practice for compliance with policies 


What can we do for you?

We can help you:

  • with your testing processes for vulnerabilities, highlighting those that are not addressed by security policies, standards and procedures and advising on corrective measures 

  • apply recognised testing methodologies, tools and techniques, developing new ones where appropriate 

  • assess the robustness of a system, product or technology against attack 

  • apply commonly accepted governance practices and standards when testing in an operational environment 

  • present the findings of a test or security research to peers using a medium, language and technical level of detail appropriate to the audience 

  • develop test schedules 

  • develop product or system test plans

  • review draft security requirements 

  • assess and interpret test results and propose reasonable actions to mitigate risk in response 

  • understand the difference between a vulnerability assessment and a penetration test 

  • tailor the scope of testing to meet business requirements 

  • understand the management of risks derived from testing activities 

  • find the latest information on vulnerabilities or exploits to enable you to design tests to identify them 

  • prioritise the business importance of test findings 

  • justify to senior management why your product/system subject to test failed to meet required standards 

  • explain the business implications of the limitations of test programmes 


What can we do for you?

We can help you:

  • apply architectural principles to complex systems or to bring structure to disparate systems 

  • design security architectures for complex new information systems 

  • influence IT or Enterprise Architectures to enable legacy applications to be migrated to a secure architecture or to enable secure integration of existing systems 

  • influence senior managers to adopt architectural principles to reduce information risk 

  • recommend changes to information systems to make them compliant with existing architectures 

  • recommend changes to enterprise architectures to improve security 

  • adapt existing architectures to accommodate new technologies or business requirements 

  • increase your knowledge of security vulnerabilities and techniques for defending against them 

  • lead workshops to develop security architectures 

  • share knowledge of sources of up-to-date information relevant to security architecture design; e.g. CPNI, CESG, ISO standards 


What can we do for you?

We can help you:

  • implement secure systems, products and components using an appropriate methodology 

  • define and implement secure development standards and practices  

  • select and implement appropriate test strategies to demonstrate security requirements are met 

  • analyse problem reports for signs of anomalous security issues, coordinating research into vulnerabilities and advising corrective action where necessary

  • define and implement appropriate processes for transfer of a product/system to operation/sale/live use 

  • define and implement appropriate secure change and fault management processes 

  • minimise the risk to an asset or product through the ‘standard’ design and development processes 

  • verify that a developed component, product or system meets its security criteria (requirements and/or policy, standards and procedures) 

  • specify a process that maintains the required level of security of a component, product, or system through its lifecycle

  • manage a system or component through a formal security assessment 

  • propose security requirements for information systems 

  • follow local processes for implementing secure systems 

  • apply secure design patterns to system development 

  • produce security artefacts required by CBs 


What can we do for you?

We can help you:

  • with your investigation of vulnerabilities in current and potential technologies and techniques 

  • develop improved assurance methods 

  • understand the fundamental concepts of applied research 

  • describe the fundamental steps involved in carrying out a specific research task 

  • understand why research is required 

  • understand how research can be used alongside security analysis activities to further the capability and security knowledge of your organisation 

  • develop your knowledge and capability through conducting simple research 



Copyright © Lockcode Limited 2020

Registered in England 2004

Company No. 05078345