Information Security Consulting Services
The use of IT to process information continues to evolve, and organisations' dependence on information is continually increasing. Dependence on information systems and services means organisations are more vulnerable to security threats. As it becomes easier to exchange information, it also becomes more difficult to protect it. Most organisations today have become targets of attacks on their IT systems and the information they transmit.
Analytix's Information Security consulting services provide a structured, practical, results-oriented approach that assists organisations in all aspects of developing, implementing or managing an Information Security Management System (ISMS) in compliance with ISO 27001.

We have extensive experience in developing security management systems in both private and public sector organisations. Some of the key services we offer include:
ISO 27001 Assessments
The Analytix ISO 27001 assessment service is structured to provide a high-level and independent review of the content and quality of the Information Security Management programme and documentation.
The approach, tailored to your organisation’s needs, is applicable to organisations of different sizes, and whose Information Security processes vary in maturity.
Through a combination of desktop research and structured interviews, our experienced consultants conduct an assessment of your ISMS plans and documentation. The reviews are conducted by comparing the ISMS programme and documentation against the ISO 27001 Information Security standard.
The assessment results will provide you with opportunities to make enhancements to the ISMS, based on the ISO 27001 standard.
ISO 27001 ISMS Implementation Support
Analytix's approach to ISMS implementation support is based on the ISO 27001 Information Security Standard. The ISO 27001 Standard effectively comes in two parts:
- ISO 27001:2005 is a standard specification for Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
- ISO 27002:2007 is the standard code of practice and can be regarded as a comprehensive catalogue of good security actions.

Our ISMS implementation service could involve consulting assistance with one or more of the following aspects:
Phase 1: Plan (Establish the ISMS)
- Define the scope of the ISMS
- Define the ISMS Policy
- Define a systematic approach to risk assessment
- Identify the risks
- Assess the risks
- Identify and evaluate options for the risk treatment
- Select control objectives and controls
- Prepare a Statement of Applicability
- Obtain Management Approval
Phase 2: Do (Implement and Operate the ISMS)
- Formulate a risk treatment plan
- Implement the risk treatment plan
- Implement all selected control objectives and controls
- Implement the training and awareness programme
- Manage operations
Phase 3: Check (Monitor and review the ISMS)
- Execute monitoring procedures
- Undertake regular reviews of the effectiveness of the ISMS
- Review the level of residual risk and acceptable risk
- Conduct internal ISMS audits
- Undertake management reviews of the ISMS on a regular basis
- Record all events that have an effect on the performance of the ISMS
Phase 4: Act (Maintain and Improve the ISMS)
- Implement the identified improvements
- Take appropriate preventive and corrective action
- Communicate the results to all interested parties
- Ensure that the improvements achieve the intended objectives
Information Security Policy and Procedure Development
ISO 27001 implementation requires the development and implementation of a variety of Information Security controls. We provide consulting services, toolkits and templates aimed to assist you in developing the required Information Security policies, procedures, practices, organisational structures and other controls required to achieve ISO 27001 compliance.
Information Risk Assessment
Within the ISMS programme, a Risk Assessment focuses on the threats that jeopardise the confidentiality, integrity and availability of important information and data of an organisation.
Our Risk Assessment services will help determine your information security requirements through a methodical assessment of your information security risks.
The Risk Assessment service is tailored to assist you to:
- Identify and adopt a suitable risk assessment methodology
- Develop criteria for accepting risks
- Identify acceptable levels of risk
- Assess potential threats and vulnerabilities
- Ensure that risk assessments produce comparable and reproducible results

The results of the Risk Assessment would guide and determine the appropriate management action for managing security risks and for implementing controls selected to protect against these risks.
Control Selection
Our information security policy and controls selection and development services assist our clients to prioritise, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process, as appropriate to the organisation’s operations.
These services are aimed to assist you with the selection of appropriate controls that will reduce the level of risk to the organisation’s information security to an acceptable level.
Our approach makes provision to analyse the controls that have been implemented, or are planned for implementation, by the organisation to minimise or eliminate the likelihood (or probability) of a threat exercising a system vulnerability.
It may not be practical to address all the identified risks, so we assist you to give priority to the threat and vulnerability pairs that have the potential to cause significant mission impact or harm.
Information Security Awareness and Training Programmes
Employees represent the most cost-effective countermeasure against security violations. Our Information Security Awareness programme services assist organisations to develop workable programmes aimed to ensure that your employees are aware of the importance of their information security activities and the way they participate in meeting the ISMS objectives.
Our approach and methodology to Information and IT security awareness programme design makes provision for three major steps:
- Designing the programme (including the development of the IT security awareness and training programme plan)
- Developing the awareness and training material, and
- Implementing the programme.

We believe that even a small amount of IT security awareness and training can go a long way toward improving the IT security posture of, and vigilance within, an organisation.
Regulatory or Legislative Compliance
The security requirements relating to the set of statutory and contractual requirements that an organisation, its trading partners, contractors and service providers have to satisfy should be documented in an ISMS. We offer consulting to assist organisations to identify the legal, statutory and contractual requirements related to the organisation’s information assets.