SecurEyes provides GRC consulting in the following modes, depending on the customer's requirements:
- Design and Implementation of a new cyber security GRC / ISMS initiative
- Review and Improvement of existing cyber security GRC / ISMS
- Internal Audit of existing cyber security GRC / ISMS
We have vast experience in assisting our customers in setting up, improving and auditing their ISMS to ensure compliance with the following global standards:
- ISO/IEC 27001:2013 standard
- PCI Data Security Standard
- NIST Cybersecurity Framework
Our overall flow for an ISMS design & implementation project is as follows:
- Developing a detailed project plan and conducting a workshop with key stakeholders
- Conducting a Gap Assessment
- Performing a Risk Assessment
- Design and Documentation of the ISMS Framework
- Implementation Guidance & Training
- Internal Audit & Assurance
The details of the above steps are as follows:
1. Developing a detailed project plan and conducting a workshop with key stakeholders
Our team prepares a detailed project plan so that all stakeholders are aware of their respective responsibilities - it clearly prescribes who is responsible for which task and by when the task is to be completed. In addition, we conduct an in-person workshop with all key stakeholders to develop a clear consensus on the work plan. In the workshop we also discuss our understanding of your organization, your business and your existing IT security operations, and walk through in detail our plan to structure them according to the chosen ISMS standard.
2. Conducting a Gap Assessment
Our team conducts a detailed gap assessment against the chosen standard. It reviews the requirements of the standard and evaluates the current state of each of the management system requirements, domains, sub-domains, control objectives, controls, functions and categories. The team then documents the results of the gap assessment together with a clearly defined roadmap for moving the organization from its "As-Is" state to the "To-Be" state against the chosen standard.
3. Performing a Risk Assessment
Our experts gain a detailed understanding of the current state of the organization and identify all the tangible and intangible information assets, processes and services. We then ascertain all the possible risks (with corresponding probability & impact) that may arise from a loss of confidentiality, integrity or availability of these assets. Based on this, a prioritized list of risks is produced after considering the current control environment. A detailed Risk Treatment Plan (RTP), with clearly assigned risk owners and timelines, is then documented.
4. Design and Documentation of the ISMS Framework
Our experts design and develop the ISMS framework, which consists of the information security (IS) strategy, IS governance framework, IS policies, IS procedures and other relevant documents required to implement the ISMS based on the chosen standard. Our team conducts sessions to facilitate internal reviews by key stakeholders to ensure the desired alignment across all stakeholders within the organization.
5. Implementation Guidance & Training
Following the internal review sessions conducted by our team, we provide implementation guidance to the relevant stakeholders with the objective of assisting them in implementing the ISMS as per the intended design. Our team ensures that all the new security controls (technology and process) are clearly understood by the team and are implemented accordingly. Our team further provides end-user awareness training to the relevant target user groups to ensure they are aware of the implemented ISMS. The groups considered for training include end users, IT users, business users and senior management.
6. Internal Audit & Assurance
Our team conducts an internal audit as part of the ISMS certification roadmap. The internal audit is conducted by a different team of consultant(s) that is not part of the implementation team. This activity results in the publication of an internal audit report along with recommendations for closure and improvement. The internal audit report is presented in the management review meeting to inform the leadership team of the current design and operating effectiveness of the ISMS within the organization.