Question 1

Do you maintain the content?

Accepted Answer

Not exactly.  After purchasing and downloading materials from this website, we are unable to maintain them for you.  You are expected to customise them yourselves.  We no longer have access to or control over them, assuming your security controls are effective anyway!   However, you will find new and updated materials released here from time to time, particularly when new/updated ISO27k standards are published.   Furthermore, you may wish to engage us to develop fresh materials for you, or revise yours, on a consultancy basis.

Question 2

Our ISMS IT system includes documentation: why would we need more?

Accepted Answer

The built-in content may be sufficient ... but we can do better.  We've been working with the ISO27k standards since the 90's, preparing information security strategies, policies, procedures, awareness and training content all that time.  Our breadth and depth of experience is unparallelled.  The documentation provided with several commercial ISMS systems and services, even some ISMS toolkits, is generally basic and limited.  Aside from poor grammar and phrasing, the materials have typically been prepared by technologists with a narrow perspective on the field.  We understand that information security and privacy are more than just compliance imperatives: there are business objectives to both protect and exploit information, hence a balanced view is essential.

Question 3

Do we need all these policies?

Accepted Answer

Depends what you mean by 'need'.  The only mandatory policy required by ISO/IEC 27001 is 'the information security policy'- and even that is only mandatory if you are to be certified compliant with the standard.  The new 2022 release of ISO/IEC 27002 also suggests 'topic-specific policies', but the standard is entirely discretionary. You are not required to select ANY of the information security controls in '27002.    Let me repeat that.  NONE of the controls in '27002 are mandatory.   However, for certified compliance with '27001, you are required to use the controls outlined Annex A as a reference set in case you have accidentally neglected any controls that you feel are needed to mitigate information risks that your organisation finds unacceptable ... using the risk management process laid out in '27001.  If you do declare the '27002 control about topic-specific policies, or any of the other controls which also refer to policies, to be applicable to your ISMS, then you are expected to implement those controls.    Leaving all that compliance stuff aside, few organisations 'need' ALL the policies we offer, but most could do with at least some of them, depending on factors such as their industry, size, complexity, maturity, technologies, compliance obligations, and of course their information risks. For instance, if your organisation does no software development and doesn't commission software from third parties, it probably doesn't need policies about integrating information security into system/software development projects and systems.  Even if it does some, the information security-related software/system development policies for, say, an online bank would probably not suit a dentist's practice, or a clothing manufacturer.  Differences between organisations are why we offer a wide range of policies, and supply them as templates - documents that you are able to customise/adapt to suit your circumstances. In fact, we actively encourage customers to review and revise the content according to their needs. Although the SecAware templates are 'camera ready' and could be used as-is, reviewing them and deciding on any changes is an important part of adopting workable policies.

Question 4

Can't we simply get free stuff off the web?

Accepted Answer

You can ... but ... be careful about copyright.  Respecting Intellectual Property Rights is just one of the things your colleages need to understand: 'do as I say, not as I do' is a poor way to teach or tell.    Much of the genuinely free content out there is of low quality - often inadequately researched, poorly written, scrappy and badly out of date.  Some of it is misleading, or plain wrong (e.g. instructions to change passwords regularly).    Using free/cheap-n-nasty stuff betrays your organization's lack of concern for information security, sending out a powerful but distinctly negative awareness message, quite the reverse of what you intend.    Besides, our stuff is priced realistically. We honestly believe we offer the best value in the market, by far. See what you think.

Question 5

Can you cover a particular awareness topic for us?

Accepted Answer

Yes.  Please tell us what you're after.  With gigs of content to hand, we probably already have relevant security awareness and training materials on which to build unless your topic is highly specific or obscure ... in which case we can probably research and prepare fresh materials for you.  Let's talk!

Question 6

What's wrong with creating our own awareness and training content?

Accepted Answer

Nothing, provided you have the capability and resources to do so.  However, it's harder than it seems to prepare effective awareness and training content.  There's both art and science to it. It's not just a matter of assembling a random assortment of stuff  grabbed from wherever.  Telling people what not to do, and warning them about dire consequences if they do, may not be the most sensible approach.  This is adult education on a complex and largely technical topic, with a diverse audience for whom the topic is perceived as peripheral or irrelevant to their lives and jobs.  Frankly, even spelling and grammar are challenging for some awareness authors, let alone motivational text and compelling graphics!

Question 7

We only need the basics.  What use is the rest?

Accepted Answer

The basics are a great place to start - start being the operative word.  If your awareness and training only covers the basics, you are missing out on the business benefits of a security aware workforce, a "security culture".  Worse still, your organization is not just facing basic threats: if you have any kind of Internet connection anywhere in the organization, you are exposed to the entire world.  If you have valuable trade secrets and sensitive personal information to protect, the basics definitely won't suffice.  If you depend on information (with or without IT), you are hanging by a thread above the Pit Of Disaster with only basic security in place, including minimal security awareness.  
 By all means start simple and grow it from there, but don't hang about.

Question 8

Does your content cover regulation 12345 part 6 article 7 clause 8.9.10a?

Accepted Answer

If it relates to information risk and security, almost certainly yes ... but probably only in a general way: with a few exceptions (such as GDPR) we deliberately shy away from focusing on specific laws and regulations for two key reasons:   (1) We are not lawyers.  We are not competent to advise on specific legal and regulatory matters.  We are not paid nearly enough to provide that kind of specialist service.     (2) Globally, there are so many laws and regulations, plus rules and accepted practices and professional guidelines and contractual clauses and so forth that impinge in some way on information risk and security that we cannot possibly be familiar with them all. Our customer base is international.  We stick to principles that apply more or less universally.   (3) [Free bonus reason] You are actively encouraged to elaborate on the SecAware content to suit your specific requirements.  We provide the prompts, the inspiration to set you going but it's up to you to 'make it yours' ... with the huge advantage that you know what matters to your business, here and now.  We have no clue.  Done properly, customization is more than just re-badging our stuff, replacing our logo with yours: we want you to draw out points that resonate with your audiences, that make sense to them and motivate them to behave securely.  We'll do all we can to support and enable you to do that - taking away the drudgery of researching and preparing top quality awareness and training content for instance.

Question 9

How do we engage you?

Accepted Answer

Get in touch!  We first of all need to know what kind of services you require, not least to determine whether we are able to help i.e. do we have the skills, knowledge and resources to undertake the assignment.   If so, we normally prepare at least an informal summary of the assignment to clarify our understanding (for small/quick jobs), or a more detailed and formal proposal (for more substantial/ongoing assignments), typically including an outline plan and information about our capabilities.  Either way, we will require a contract to formalise the main parameters such as the obligations on both parties, our charges, and invoicing arrangements, and so forth, before we can commence the work.  Given the nature of consulting, particularly in this domain, we anticipate the need for certain controls to protect both you and us against unacceptable information risks.  If not, we may be able to put you in touch with other organisations that are better suited, or at least point you in a more appropriate direction.