About SecAware


SecAware ISO27k ISMS materials are templates for your ISO/IEC 27001 Information Security Management System:

  • SecAware Launchpad gets you to the starting blocks with the essential documentation that is mandatory for any certified ISMS. These are basic but indispensable templates, the bare minimum.

    Despite what you may have read elsewhere, an ISMS can be certified with only the bare minimum of mandatory documentation and processes specified in the main body of ISO/IEC 27001, and whatever information security controls management feels are appropriate (theoretically, that may be none at all!). In practice, while the information security controls from Annex A may be appropriate as described, most organisations require custom controls - perhaps adapted/interpreted versions of the Annex A controls supplemented by controls from other sources (e.g. privacy, cloud and business continuity controls).

  • SecAware Take-off adds a pack of discretionary (optional) materials for your managers to govern, direct and oversee the ISMS.

    If the ISMS is to add real value to the business and so earn its keep, genuine management engagement and support is essential. There's more to this than approving the implementation project budget! For a start, managers need to understand what a 'management system' is, and appreciate the business case for systematically managing information risks, security controls, incidents, compliance, exceptions and exemptions. They need more than just a clue about 'information risk management' since they will be making the key decisions about policies, risk appetite, risk treatments etc. If managers are to be held to account for protecting and exploiting information, the distinction between accountability and responsibility is crucial, along with an appreciation that, important though it is, IT or cybersecurity only addresses part of the organisation's information risk landscape.


  • SecAware Orbit adds a further stack of discretionary materials for the specialists currently designing and building the ISMS ready for the launch, who in due course will be operating and maintaining it.

    This content is more detailed and often technical, written in a style that suits the professional audience. It distils real-world experience of building, running and auditing ISMSs, supplemented with good practices that we know work well in practice. Your colleagues in Risk Management, IT, HR, Legal/Compliance and other business functions are more likely to engage with and support the ISMS if they understand what it is meant to achieve and how it is structured. Even the language can be confusing for specialists from other areas, so there's a comprehensive hyperlinked glossary in Orbit. If eyes glaze over when you use terms-of-art such as certification and accreditation, compliance and conformity, vulnerability, threat and risk, you may have lost your audience.


  • SecAware Mission puts it all together - a cut-price package deal for all the above materials, plus the full suite of policy templates and a policy cross-reference matrix.

    The SecAware ISMS templates contain top-quality generic content based on our decades of experience in the field. These are the materials we use in our consulting gigs: we wrote it all. Adapting or customising the templates to your particular circumstances is straightforward, easier, quicker, and much more cost-effective than writing everything from scratch, or adapting disparate materials written by various authors for various purposes. Get a head-start with SecAware.

SecAware information security policies are formal statements of management intent concerning a wide variety of aspects of information security. Most are what ISO/IEC 27002 calls 'topic-specific policy - intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management'.

Despite the inevitable formalities, we've developed a readable, consistent style of policies.

In a background section, the reasoning/rationale behind each policy is explained, followed by one or two* high-level 'policy axioms', the most formal part. The axioms succinctly promote good security practices.

The axioms, in turn, are elaborated into about a dozen* policy statements, expanding on and explaining how the axioms are to be implemented in practice. These embody pragmatic guidance - stuff that people can realistically and reasonably be expected to do. The aim here is to guide, encourage and support your people to do the right things and do things right, rather than constrain them so tightly that they have no breathing space.

Each policy concludes with a set of responsibilities associated with specific roles.

The policies have been researched, prepared and continually refined over decades as a coherent, comprehensive suite. While they have meaning and value individually, the policies complement and support each other, working together to raise your game.

* Those numbers vary between policies. 
Most policy templates are about 3-4 sides.

SecAware security awareness "modules" are zip files containing editable Microsoft Office files on a variety of topics:

  • Briefings - designed to appeal to particular audiences: relatively simple, straightforward, action-oriented and informative for general employees; succinct guidance focused on governance, strategy, policy, compliance, metrics etc. for managers including execs and board members; more technical/in-depth information for the professionals from IT, risk, security, HR, legal/compliance and other corporate support functions;

  • Checklists including Internal Control Questionnaires to review/audit things;

  • Diagrams such as mind maps, Probability Impact Graphs, risk-control spectra and process flowcharts;

  • FAQs - Frequently Asked Questions with straightforward answers;

  • Leaflets - single or double-sided glossies, readable and engaging awareness materials;

  • Metrics - suggested ways to measure in order to improve various aspects of information risk and security;

  • Newsletters demonstrating that information risks are real, not merely academic concerns;

  • Policies - generic/model "topic-specific" policy templates to consider, adapt and adopt for your organization;

  • Posters - bright, eye-catching, thought-provoking artwork supplied as high-resolution JPGs suitable for professional or desktop printing, or to illustrate other materials (such as an infosec area on your intranet);

  • Puzzles such as word searches, so people become security-aware while having fun on their breaks;

  • Quizzes, tests and challenges - designed to set people thinking, assess their understanding and engage them with the awareness program;

  • Slide decks - largely graphical/visual slides with detailed speaker notes, for seminars, meetings, briefings and courses, including self-study using Learning Management Systems or the intranet;

  • Train-the-trainer guides - bags of creative suggestions for security awareness and training activities.

There is a lot of content in each SecAware awareness module, giving you plenty of choice. You are not expected to use everything - simply pick out the items that suit your purposes. We do it this way because every customer is different: some of you are new at this and only need the basics right now, while others who have been doing awareness for a while are looking for something fresh, perhaps more in-depth or simply 'different'. All of you have a range of workers, some of whom will appreciate the one-page leaflets and pretty pictures, and some who need something meatier to get their teeth into, or need to be shown stuff.

It should be obvious from the module descriptions that SecAware makes extensive use of powerful graphical images as well as written words. Perhaps less obviously, the materials delve into fundamental concepts, ideas and approaches, while offering pragmatic, down-to-Earth guidance according to the topic and the audience. We're talking breadth and depth here - an innovative and creative yet mature and proven approach to security awareness.

All the SecAware materials have been researched and prepared to a consistently high standard of quality by an experienced, competent team of information risk and security professionals, providing continuity across all the materials and topics. This is what we do.

SecAware content can be used straight out of the box if you want. However, we use our own templates and MS Word styles, making it simple to adopt your corporate look-and-feel. If terms such as "Help Desk" and "Security Zone" don't suit you, simply search-and-replace with whatever you prefer. If you use "cybersecurity" or "IT security" rather than "information security", go ahead, be our guest. Swap your ISMS logo in place of ours, and include your contact details. Rather than employing a specialist to develop ISMS, policy and awareness content specifically for your organization from ground zero, simply adapt the SecAware templates to get up to speed quickly ... and we can even help you with that.

SecAware/IsecT management consulting services are custom-designed according to your needs.

Examples of our assignments:

  • Strategic reviews, strategy and policy development: do you know how information security supports and enables the business? Scared by the prospect of selecting and implementing security controls? Need to develop an approach that holds water and secures long-term advantage? Puzzled and annoyed by persistent problems or incidents? We can help!

  • Gap analyses and pre-ISMS implementation reviews: reviewing information risk and security management arrangements, governance, policies etc.;

  • ISMS implementation project proposals: helping to draft, review, promote and finalise proposals, budget requests, business cases etc.;

  • ISMS briefings for management (up to Board level, down to supervisor/team leader, sideways through all departments and even out to business partners and external stakeholders), plus security awareness sessions, risk workshops, courses and what-have-you;

  • ISMS implementation support: mentoring the CISO, implementation project manager and team, providing feedback, guidance, suggestions and support on demand;

  • ISMS/infosec documentation: drafting, customising, updating/refreshing and generally tarting-up documentation of all types, including ISMS IT system documentation, plus policies, procedures, guidelines and associated collateral - forms, user guides, diagrams ... Are your pre-packaged ISMS materials lousy, incomplete, out-of-date and unsuited to your particular business?

  • ISMS management reviews: review the ISMS from management's overall perspective, emphasising the business angles (e.g. the business case, information risk and security strategies, policies, implementation plans, governance arrangements, security metrics, continuous improvement, cost-effectiveness ...);

  • ISMS internal audits: review the ISMS independently and dispassionately, focusing on addressing conformity and/or compliance requirements and perhaps smoothing-off any rough edges;

  • Training: information risk and security management, IT auditing, metrics, ISO27k ... whatever you need in this general area really;

  • ISMS certification readiness reviews and stage 1 or stage 2 certification audit support: is your ISMS implementation project on-track to complete all the essentials before the certification auditors turn up? How are you doing on conformity and compliance? Do you need an expert on-hand to smooth the way, accompany/shadow the certification auditors, deal with issues arising, negotiate a settlement ...?

  • General IT audits, IT installation audits, security maturity benchmarking, supplier assessments, cybersecurity audits, accreditation ...: a competent, thorough assessment provides assurance and rational improvement recommendations, free of the inevitable biases and prejudices of those directly involved. We bring fresh eyes, experience, insight ... and being independent, we have no axe to grind: we'll tell it like it is.

  • Security measurement & reporting reviews, metrics development: of all the myriad aspects that could be measured, what are the handful that really matter, and why is that? How will measuring those things drive meaningful improvements in information risk and security that truly support/enable the business?

  • Interim management: need a CISO, Information Security Manager, IT Audit Manager or similar? Short-term assignments are ideal for us - up to three months, long enough to help you locate and recruit a permanent replacement while we simply 'hold the fort' or perhaps restructure and re-energise the team, tackle longstanding issues, initiate new strategies or whatever you need to set things up for the new recruit.

We can work remotely or hybrid:

  • Remote working avoids the travel and subsistence costs thanks to videoconferencing, email and phone calls. It gives you and us the flexibility to adapt to changing circumstances and priorities. If you need more from us, or if something comes up that needs our help, we can probably accommodate. If you are getting along just fine without us, that's OK too. Remote working is eco-friendly, low-stress, highly productive and cost-effective.

  • Hybrid approaches combine discrete (and discreet!) periods on-site (e.g. on-site audit fieldwork; requirements gathering; training courses; presentations; workshops) with remote working as appropriate (e.g. off-site planning/preparation and reporting; strategy, policy and business case development; web-based training or presentations ...).

Please visit our shop for off-the-shelf products, or get in touch to explore how we can best help you.
