ISMS Design and Review
Security of information systems was an afterthought not so long ago. The applications and systems team would decide on all the details with the business unit and then hand the design over to security for comments. Often, compromises on security had to be made to allow functionality, or because financial commitments to infrastructure had already been made before the security department was consulted.
The result was unoptimised architectures and ad-hoc implementations, which may leave overlapping and redundant security components, or serious gaps in critical controls.
We can help your organisation to review your ISMS design in accordance with best practices and international standards. We can review, tailor and realign your information security to be consistent with international standards, frameworks and guides such as:
- ISO 27002:2013
- NIST Cyber Security Framework
- NCSC Cyber Assessment Framework 3.0
- CSC Critical Security Controls
- CSA Cloud Controls Matrix
A typical assessment covers more than 25 areas including:
- Services and Applications
- Data Centres / Locations
- System Infrastructure
- Network Infrastructure
- Wireless Infrastructure
- Virtualisation Infrastructure
- Storage and Backup Infrastructure
- Printers and Peripherals
- Communication Lines
- Access Control and CCTV
- Audio/Video Infrastructure
- Security Infrastructure
HOW WE DESIGN OR REVIEW AN ISMS
Survey & Data Gathering
Consultants will examine all the components in the IT infrastructure and acquire data by:
* Physical survey of data centres
* Interviews with IT staff
* Inspection of systems, configuration data, etc.
Documentation
All the details collected will be collated and documented. Work products in this phase include:
- Documentation of servers, networks, applications, services, etc.
- Topology and connectivity diagrams
- Server and equipment lists
Assessment
The mapped architecture and controls will be assessed against any of the following frameworks, standards and guides:
* ISO 27002:2013
* NIST Cyber Security Framework
* PCI-DSS
* Other standards/frameworks available (Dubai ISR, NESA, HIPAA, etc.)
Reports
Summary and detailed reports will be compiled that will show the present state of security in the organisation.
Recommendations
Based on the assessment and business requirements, recommendations will be made that cover:
- Areas which require immediate action
- Configuration changes or upgrades to systems
- Controls that have not yet been implemented
Presentation
The assessment will culminate in:
* Presentation of findings
* Discussion of recommendations
* Workshop with tech and admin teams
Infographics
Sample Deliverables
Assessment Report
Summary and detailed reports on the state of security, pointing out the adequacy of the controls implemented.
Gap Analysis Report
Gap analysis against established standards such as ISO 27001, PCI-DSS, etc.
System Documentation
Asset inventory: servers, storage, backup, network equipment, cloud assets.
Diagrams & Infographics
Network connectivity and topology diagrams, traffic flow diagrams, etc.