ISMS Design & Implementation for ISO 27001 & SOC2
For technology organisations that require institutional-grade InfoSec. Meeting investors' and customers' governance requirements means establishing an ISMS and achieving certification. This collaborative process is for organisations that need to move quickly but also know that achieving these things requires more than cut-and-paste policies.
ISMS Design
ISMS Design means understanding an organisation’s context and strategic goals to ensure that the System part of InfoSec will properly embed into an organisation. To achieve the goal, the following activities are performed:
- review of contracts, legal agreements, and governance requirements
- comprehensive review of all organisational policies
- analysis of sales, marketing, and product development
- architectural review
- review of development practices
Outcomes
Timelines can be difficult to establish without context, but a high-level design and strategy should take weeks, not months. This first stage provides:
- a scope for the ISMS
- goals for the ISMS
- a high-level risk model
- an implementation plan for all ISMS requirements
- a multi-year strategy to ensure that:
  - certification can happen as quickly as possible
  - longer-term risks are addressed
ISMS Implementation
The outcomes for implementation are a functioning ISMS with a clear plan for certification activities, certification, and beyond. This includes:
- policies & procedures
- legal & contractual changes
- process changes for sales, marketing, and product development
- implementation of technical controls
- establishment of ongoing InfoSec procedures:
  - delivery & development
  - IT Operations
  - HR Operations
  - training
  - risk modeling & management
- establishing cybersecurity operations:
  - incident response
  - monitoring
  - penetration testing
- certification activities:
  - internal audit preparation for staff
  - internal audit
  - management & coordination of external audit activities
Governance for Innovation & Change Programmes
For larger institutions that are developing innovative technology, introducing new technology, or bringing it in through acquisition, ensuring that InfoSec and broader governance requirements continue to be met can be a problem. Technology teams are busy delivering while security teams can struggle to align technology with broader strategic and operational goals.
This work is normally done in conjunction with agile delivery activities to ensure that proposed solutions deliver immediate impact, improve iteratively, and achieve long-term strategic goals.
Discovery & analysis
First, the proposed technology or change is reviewed to determine its many impacts, focusing on:
- existing governance practices
- proposed technology or changes
- architecture
- delivery practices
- technical controls
- staffing & roles
Strategic Outputs
Any of the following are then produced to resolve governance issues and inform strategic planning:
- interim operating model
- target operating model
- changes to threat models and risk management practices
- changes to policies & procedures
- skills gap identification & resolution plan
- product roadmap integration
- backlog development for delivery of technical controls
The secret is doing, not telling.
Due Diligence for Investments
ISO 27001 & Information Security are just a small part of governance. Managing risk within an organisation means looking at a much broader picture so that information security happens naturally. Start-ups are the riskiest organisations.
Investors want to know the risks inherent in an innovative company, both technical and across the wider business. 6.Three's framework for due diligence looks at technology & infosec, of course, but also takes into account many other factors to identify risks and key success factors, and to feed into governance of the investment to reduce risk.