We can assess a security program against our list of over 400 ISO 27001-mapped criteria to determine the client's level of maturity, its specific gaps, and its general risk and compliance posture. The table below lists the security domains into which we organize the evaluated criteria.

[Table: security domains]

We deliver a "Current State Assessment and Gap Analysis" that identifies these findings at both the program-wide and domain-by-domain levels. We prioritize and cluster the gaps by domain, and provide a preliminary roadmap with recommendations for closing them, to support the development of a business case for program improvement.

General Methodology

We have a standard set of tools that we use for security program assessments, security domain assessments, and some custom or specialized assessments. Where necessary, we work with clients to prepare tailored assessment questionnaires and interview schedules. After conducting a series of interviews and rolling up the results for client review, we generate a draft report, take comments, and provide a final report.

For larger, more complex assessments, we can deliver assessment workshops onsite, or as a combination of online and onsite workshops. Workshops combine informational presentations and group facilitation methods with our standard assessment service elements. For example, we could facilitate a brainstorming or team-building day for security stakeholders alongside an assessment, or tailor our criteria to vary the depth of coverage for specific security domains.

Security program assessments and domain assessments always include a gap analysis against known good practices and a preliminary improvement roadmap. After an assessment, we offer an optional support package with follow-up at least once a month to help plan and guide your security roadmap, or the assessment can flow forward into an architecture engagement.

Questions?

Please see our FAQ to understand how we propose and deliver engagements, or contact us for more information.