Many organisations still treat assurance as a compliance activity, reducing it to a simple check-box exercise. Over the last few years there have been a number of high-profile breaches that have revealed that compliant does not necessarily mean secure.
Organisations’ assurance activities should provide them with confidence that the controls they require have been implemented and are working as expected.
Assurance provides you with confidence that your security and privacy risks are appropriately managed so that they remain within your risk appetite.
Our Assurance Services
ISO 27001 Certification Readiness Review
Organisations that are planning to undergo certification of their Information Security Management System (ISMS) against the ISO 27001 standard have to be able to demonstrate that they meet all of the requirements defined in the standard, maintain the minimum set of documented information and have completed at least one full Plan-Do-Check-Act cycle.
A review of the implementation of your ISMS will provide you with assurance that it conforms with the ISO 27001 standard and will identify any omissions or weaknesses, together with actions to address them before you undertake certification.
ISO 27001 Internal Audit
ISO 27001 requires you to conduct internal audits at regular intervals to assess whether your ISMS conforms with your organisation’s own requirements and those specified in the standard, and whether it is effectively implemented and maintained.
Periodic review of your ISMS’s performance through the development and execution of an internal audit programme provides you with assurance that it continues to support your business goals and objectives. Non-conformities and issues are identified and clearly communicated to senior management so that they can be addressed.
If you are a government agency that operates information systems holding official information, you are required to certify and accredit those systems, demonstrating that security requirements have been met and that the associated risks are being effectively managed.
A certification audit of a new or existing information system provides you with assurance that it complies with your security requirements and that the controls specified to manage the identified risks have been implemented and are effective. The audit forms the foundation of your agency’s decision on whether to certify and accredit the system for use.
Specifying technical or procedural controls to manage a risk does not guarantee that they are actually effective. If you do not validate that your required controls have been implemented and are properly configured, you may be implicitly accepting more risk than you anticipate.
A controls audit provides you with confidence that a set of controls has been implemented correctly and is appropriately managed and maintained so that it remains effective throughout its lifecycle. Any non-conformities are identified, enabling them to be addressed.
Incident Response Tabletop Exercises
How you respond to security and privacy incidents can significantly affect the impact they have on your business and its customers. How do you know if your incident response processes and plans work? Tabletop exercises provide you with a way to safely evaluate and improve your incident response capabilities.
Incident response tabletop exercises use real-world scenarios to evaluate your ability to effectively respond to and manage information security and privacy incidents. Testing your incident response capabilities provides you with confidence that your processes and plans are effective and that your team is proficient at executing them. It also enables you to identify and safely address any issues.