About SecAware


SecAware ISO27k ISMS materials are templates for your ISO/IEC 27001 Information Security Management System:

  • SecAware Launchpad gets you to the starting blocks with the documentation that is mandatory for any certified ISMS. These are basic but indispensable templates, the bare minimum.
     

  • SecAware Take-off adds a pack of discretionary (optional) materials for your managers to govern, direct and oversee the ISMS. If the ISMS is to add real value to the business and so earn its keep, genuine management engagement and support is essential. There's more to this than approving the implementation project budget! For a start, managers need to understand what a 'management system' is, and appreciate the business case for systematically managing information risks, security controls, incidents, compliance, exceptions and exemptions. They need more than just a clue about 'information risk management' since they will be making the key decisions about policies, risk appetite, risk treatments etc. If managers are to be held to account for protecting and exploiting information, the distinction between accountability and responsibility is crucial, along with an appreciation that IT or cyber-security only addresses part of the organisation's information risk landscape.
     

  • SecAware Orbit is a stack of discretionary materials for the specialists currently designing and building the ISMS ready for the launch, who in due course will be operating and maintaining it. This content is more detailed and often technical, written in a style that suits the intended audience. It distils real-world experience of building, running and auditing ISMSs, supplemented with good practices that work well in practice.

Despite what you may have read elsewhere, an ISMS can be certified with only the bare minimum of mandatory documentation and processes specified in the main body of ISO/IEC 27001, and whatever information security controls management feels are appropriate (theoretically, that may be none at all!). In practice, while the information security controls from Annex A may be appropriate as described, most organisations require custom controls - perhaps adapted/interpreted versions of the Annex A controls supplemented by controls from other sources (e.g. privacy, cloud and business continuity controls).

The SecAware ISMS templates contain top-quality generic content based on our decades of experience in the field. These are the materials we use in our consulting gigs: we wrote it all. Adapting or customising the templates to your particular circumstances is straightforward: easier, quicker and much more cost-effective than writing everything from scratch, or adapting disparate materials written by various authors for various purposes. Get a head-start with SecAware.

SecAware information security policies are formal statements of management intent concerning a wide variety of aspects of information security. Most are what ISO/IEC 27002 calls 'topic-specific policy - intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management'.

Despite the inevitable formalities, we've developed a readable, consistent style of policies.

In a background section, the reasoning/rationale behind each policy is explained, followed by one or two* high-level 'policy axioms', the most formal part. The axioms succinctly promote good security practices.

The axioms, in turn, are elaborated into about a dozen* policy statements, expanding on and explaining how the axioms are to be implemented in practice. These embody pragmatic guidance - stuff that people can realistically and reasonably be expected to do. The aim here is to guide, encourage and support your people to do the right things and do things right, rather than constrain them so tightly that they have no breathing space.

Each policy concludes with a set of responsibilities associated with specific roles.

The policies have been researched, prepared and continually refined over many years (three decades!) as a coherent, comprehensive suite. While they have meaning and value individually, the policies complement each other, working together to raise your game.

* Those numbers vary between policies. Most policy templates are about three sides.

SecAware security awareness "modules" are zip files containing editable Microsoft Office files:

  • Briefings - designed to appeal to particular audiences: relatively simple, straightforward, action-oriented and informative for general employees; succinct guidance focused on governance, strategy, policy, compliance, metrics etc. for managers including execs and board members; more technical/in-depth information for the professionals from IT, risk, security, HR, legal/compliance and other corporate support functions;

  • Checklists including Internal Control Questionnaires to review/audit things;

  • Diagrams such as mind maps, Probability Impact Graphs, risk-control spectra and process flowcharts;

  • FAQs - Frequently Asked Questions with straightforward answers;

  • Leaflets - single or double-sided glossies, readable and engaging awareness materials;

  • Metrics - suggested ways to measure in order to improve various aspects of information risk and security;

  • Newsletters demonstrating that information risks are real, not merely academic concerns;

  • Policies - generic/model "topic-specific" policy templates to consider, adapt and adopt for your organization;

  • Posters - bright, eye-catching, thought-provoking artwork supplied as high-resolution JPGs suitable for professional or desktop printing, or to illustrate other materials (such as an infosec area on your intranet);

  • Puzzles such as word searches, so people become security-aware while having fun on their breaks;

  • Quizzes, tests and challenges - designed to set people thinking, assess their understanding and engage them with the awareness program;

  • Slide decks - largely graphical/visual slides with detailed speaker notes, for seminars, meetings, briefings and courses, including self-study using Learning Management Systems or the intranet;

  • Train-the-trainer guides - bags of creative suggestions for security awareness and training activities.

There is a lot of content in each SecAware awareness module, giving you plenty of choice. You are not expected to use everything - simply pick out the items that suit your purposes. We do it this way because every customer is different: some of you are new at this and only need the basics right now, while others who have been doing awareness for a while are looking for something fresh, perhaps more in-depth or simply 'different'. All of you have a range of workers, some of whom will appreciate the one-page leaflets and pretty pictures, and some who need something more meaty to get their teeth into, or need to be shown stuff.

It should be obvious from the module descriptions that SecAware makes extensive use of powerful graphical images as well as written words. Perhaps less obviously, the materials delve into fundamental concepts, ideas and approaches, while offering pragmatic, down-to-Earth guidance according to the topic and the audience. We're talking breadth and depth here - an innovative and creative yet mature and proven approach to security awareness.

All the SecAware materials have been researched and prepared to a consistently high standard of quality by an experienced, competent team of information risk and security professionals, providing continuity across all the materials and topics. This is what we do.

SecAware content can be used straight out of the box if you want. However, we use our own templates and MS Word styles, which makes it simple to adopt your corporate look-and-feel. If terms such as "Help Desk" and "Security Zone" don't suit you, simply search-and-replace with whatever you prefer. If you use "cybersecurity" or "IT security" rather than "information security", go ahead, be our guest. Swap your ISMS logo in place of ours, and include your contact details. Rather than pay an arm and a leg for consultants to develop ISMS, policy and awareness content for your organization, simply adapt the SecAware templates to get it exactly how you want it - or talk to us about your specific requirements. We'd love to help, and we don't even demand fingers or toes.

SecAware management consulting services are custom-designed according to your needs.

Examples of our assignments:

  • Strategic reviews, strategy and policy development: do you know how information security supports and enables the business? Scared by the prospect of selecting and implementing security controls? Need to develop an approach that holds water and secures long-term advantage? Puzzled and annoyed by persistent problems or incidents? We can help!

  • Gap analyses and pre-ISMS implementation reviews: reviewing information risk and security management arrangements, governance, policies etc.;

  • ISMS implementation project proposals: helping to draft, review, promote and finalise proposals, budget requests, business cases etc.;

  • ISMS briefings for management (up to Board level, down to supervisor/team leader, sideways through all departments and even out to business partners and external stakeholders), plus security awareness sessions, risk workshops, courses and what-have-you;

  • ISMS implementation support: mentoring the CISO, implementation project manager and team, providing feedback, guidance, suggestions and support on demand;

  • ISMS/infosec documentation: drafting, customising, updating/refreshing and generally tarting-up documentation of all types, including ISMS IT system documentation, plus procedures, guidelines and associated collateral - forms, user guides, diagrams ... Are your pre-packaged ISMS materials lousy, incomplete, out-of-date and unsuited to your particular business?

  • ISMS management reviews: review the ISMS from management's overall perspective, emphasising the business angles (e.g. the business case, information risk and security strategies, policies, implementation plans, governance arrangements, security metrics, continuous improvement, cost-effectiveness ...);

  • ISMS internal audits: review the ISMS independently and dispassionately, focusing on addressing compliance requirements and perhaps smoothing-off any rough edges;

  • Training: information risk and security management, IT auditing, metrics, ISO27k ... whatever you need in this general area really;

  • ISMS certification readiness reviews and stage 1 or stage 2 certification audit support: is your ISMS implementation project on-track to complete all the essentials before the certification auditors turn up? Do you need an 'expert' on-hand to smooth the way, accompany/shadow the auditors, deal with issues arising, negotiate a settlement ...?

  • General IT audits, IT installation audits, security maturity benchmarking, supplier assessments, cybersecurity audits, accreditation ...: a competent, thorough assessment provides assurance and rational improvement recommendations, free of the inevitable biases and prejudices of those directly involved. We bring fresh eyes, experience, insight ... and being independent, we have no axe to grind;

  • Security measurement & reporting reviews, metrics development: of all the myriad aspects that could be measured, what are the handful that really matter, and why is that? How will measuring those things drive meaningful improvements in information risk and security that truly support/enable the business?

  • Interim management: need a CISO, Information Security Manager, IT Audit Manager or similar? Short-term assignments are ideal for us - maybe two or three months, long enough to help you locate and recruit a permanent replacement while we simply 'hold the fort' or perhaps restructure and re-energise the team, tackle longstanding issues, initiate new strategies or whatever you need to set things up for the new recruit.

We can work remotely or hybrid:

  • Remote working avoids travel and subsistence costs thanks to videoconferencing, email and phone calls: we charge only for the hours actually worked, providing detailed timesheets with our invoices, giving you and us the flexibility to adapt to changing circumstances and priorities. If you need more from us, or if something comes up that needs our help, we can almost certainly accommodate. If you are getting along just fine without us, that's OK too. Remote working is eco-friendly, low-stress, highly productive and cost-effective.

  • Hybrid approaches combine discrete (and discreet!) periods on-site (e.g. on-site audit fieldwork; requirements gathering; training courses; presentations; workshops) with remote working as appropriate (e.g. off-site planning/preparation and reporting; strategy, policy and business case development; web-based training or presentations ...).

Please visit our shop for off-the-shelf products,
or get in touch to explore how we can best help you.