Services.

ISMS Design & Implementation for ISO 27001 & SOC2

For technology organisations that require institutional-grade InfoSec. Meeting investors' and customers' governance requirements means establishing an ISMS and achieving certification. This collaborative process is for organisations that need to move quickly but also know that achieving these things requires more than cut-and-paste policies.

ISMS Design

ISMS Design means understanding an organisation’s context and strategic goals to ensure that the System part of InfoSec will properly embed into an organisation. To achieve the goal, the following activities are performed:

Outcomes
Timelines can be difficult to establish without context, but a high-level design and strategy should take weeks, not months. This first stage provides:

ISMS Implementation

The outcomes for implementation are a functioning ISMS with a clear plan for certification activities, certification, and beyond. This includes:


Governance for Innovation & Change Programmes

For larger institutions that are developing innovative technology, introducing new technology, or bringing it in through acquisition, ensuring that InfoSec and broader governance requirements continue to be met can be a problem. Technology teams are busy delivering while security teams can struggle to align technology with broader strategic and operational goals.

This work is normally done in conjunction with agile delivery activities to ensure that proposed solutions deliver immediate impact, improve iteratively, and achieve long-term strategic goals.

Discovery & analysis

First, the proposed technology/change is reviewed to determine its many impacts by focusing on:

Strategic Outputs

Any of the following are then produced to resolve governance issues and inform strategic planning:

The secret is doing, not telling.


Due Diligence for Investments

ISO 27001 & Information Security are just a small part of governance. Managing risk within an organisation means looking at a much broader picture so that information security happens naturally. Start-ups are the riskiest organisations.

Investors want to know the risks inherent in an innovative company, both technical and otherwise. 6.Three's framework for due diligence looks at technology & infosec, of course, but also takes into account many other factors to identify risks and key success factors, and to feed into governance of the investment to reduce risk.