About SecAware
Supporting your ISO/IEC 27001 Information Security Management System
ISMS Launchpad gets you to the starting blocks with the essential documentation that is mandatory for every certified ISMS. These are basic but indispensable materials, the bare minimum.
Despite what you may have read elsewhere, an ISMS can be certified with only the bare minimum of mandatory documentation and processes specified in the main body of ISO/IEC 27001, and whichever information security controls management feels are appropriate (theoretically, that may be none at all!). In practice, while the information security controls from Annex A may be appropriate as described, most organisations require custom controls - perhaps adapted/interpreted versions of the Annex A controls supplemented by controls from other sources (e.g. privacy and business continuity controls).
ISMS Take-off adds a pack of discretionary (optional) materials for your managers to govern, direct and oversee the ISMS.
If the ISMS is to add real value to the business and so earn its keep, genuine management engagement and support is essential. There's more to this than approving the implementation project budget! For a start, managers need to understand what a 'management system' is, and appreciate the business case for systematically managing information risks, security controls, incidents, compliance, exceptions and exemptions. They need more than just a clue about 'information risk management' since they will be making the key decisions about policies, risk appetite, risk treatments etc. If managers are to be held to account for protecting and exploiting information, the distinction between accountability and responsibility is crucial, along with an appreciation that, important though it is, IT or cybersecurity only addresses part of the organisation's information risk landscape.
ISMS Orbit adds a further stack of discretionary materials for the specialists currently designing and building the ISMS ready for the launch, who in due course will be operating and maintaining it.
This content is more detailed and often technical, written in a style that suits the professional audience. It distils real-world experience of building, running and auditing ISMSs, supplemented with good practices that we know work well in practice. Your colleagues in Risk Management, IT, HR, Legal/Compliance and other business functions are more likely to engage with and support the ISMS if they understand what it is meant to achieve and how it is structured. Even the language can be confusing for specialists from other areas, so there's a comprehensive hyperlinked glossary in Orbit. If eyes glaze over when you use terms-of-art such as certification and accreditation, compliance and conformity, vulnerability, threat and risk, you may have lost your audience.
ISMS Mission puts it all together - a cut-price package deal for all the above materials, plus the full suite of topic-specific information security policies.
The SecAware ISMS templates contain top-quality generic content based on our decades of experience in the field. These are the materials we use in our consulting gigs: we wrote it all. Adapting or customising the templates to your particular circumstances is straightforward, easier, quicker, and much more cost-effective than writing everything from scratch, or adapting disparate materials written by various authors for various purposes. Get a head-start on ISO 27001 with SecAware.
SecAware information security policies are formal statements of management intent concerning various aspects of information risk and security. These are what ISO/IEC 27002 calls 'topic-specific policies - intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management'.
Despite the inevitable formalities, we've developed a readable, consistent style and format for the policy templates:
- In a background section, the reasoning/rationale behind each policy is explained, followed by one or two* high-level axioms succinctly mandating good security practices.
- The axioms, in turn, are elaborated into about a dozen* policy statements, expanding on and explaining how the axioms are to be implemented in practice. These embody pragmatic guidance - stuff that people can realistically and reasonably be expected to do. The aim here is to guide, encourage and support your people to do the right things and do things right, rather than constrain them so tightly that they have no breathing space.
- Each policy concludes with a set of responsibilities associated with specific roles.
The policies have been researched, prepared and continually refined over decades as a coherent, comprehensive suite. While they have meaning and value individually, the policies complement and support each other, working together to raise your game.
* Those numbers vary between policies.
Most policy templates are about 3-4 sides
SecAware security awareness modules are zip files containing editable Microsoft Office files on a variety of topics - creative content for your information security awareness and training program.
- Briefings - designed to appeal to particular audiences: relatively simple, straightforward, action-oriented and informative for general employees; succinct guidance focused on governance, strategy, policy, compliance, metrics etc. for managers including execs and board members; more technical/in-depth information for the professionals from IT, risk, security, HR, legal/compliance and other corporate support functions;
- Checklists including Internal Control Questionnaires to review/audit things;
- Diagrams such as mind maps, Probability Impact Graphs, risk-control spectra and process flowcharts;
- FAQs - Frequently Asked Questions with straightforward answers;
- Leaflets - single or double-sided glossies, readable and engaging awareness materials;
- Metrics - suggested ways to measure in order to improve various aspects of information risk and security;
- Newsletters demonstrating that information risks are real, not merely academic concerns;
- Policies - generic/model "topic-specific" policy templates to consider, adapt and adopt for your organization;
- Posters - bright, eye-catching, thought-provoking artwork supplied as high-resolution JPGs suitable for professional or desktop printing, or to illustrate other materials (such as an infosec area on your intranet);
- Puzzles such as word searches, so people become security-aware while having fun on their breaks;
- Quizzes, tests and challenges - designed to set people thinking, assess their understanding and engage them with the awareness program;
- Slide decks - largely graphical/visual slides with detailed speaker notes, for seminars, meetings, briefings and courses, including self-study using Learning Management Systems or on your intranet;
- Train-the-trainer guides - bags of creative suggestions to bring your security awareness and training activities to life.
There is a lot of content in each SecAware awareness module, giving you plenty of choice. You are not expected to use everything - simply pick out the items that suit your purposes. We do it this way because every customer is different: some of you are new at this and only need the basics right now, while others who have been doing awareness for a while are looking for something fresh, perhaps more in-depth or simply 'different'. All of you have a range of workers, some of whom will appreciate the one-page leaflets and pretty pictures, and some who need something more meaty to get their teeth into, or need to be shown stuff.
SecAware combines striking graphics with powerful words. Perhaps less obviously, the materials delve into fundamental concepts, ideas and approaches, while offering pragmatic, down-to-Earth guidance according to the topic and the audience. We're talking breadth and depth here - an innovative and creative yet mature and proven approach to security awareness.
All the SecAware materials have been researched and prepared to a consistently high standard of quality by an experienced, competent team of information risk and security professionals, providing continuity across all the materials and topics.
SecAware content can be used straight out of the box if you want. However, we use our own templates and MS Word styles making it simple to adopt your corporate look-and-feel. If terms such as "Help Desk" and "Security Zone" don't suit you, simply search-and-replace with whatever you prefer. If you use "cybersecurity" or "IT security" rather than "information security", go ahead, be our guest. Swap your ISMS logo in place of ours, and include your contact details. Rather than employing a specialist to develop ISMS, policy and awareness content specifically for your organization from ground zero, simply adapt the SecAware templates to get quickly up to speed ... and we can even help you with that ...
SecAware/IsecT management consulting services are custom-designed according to your situation and needs.
Typical assignments:
- Strategic reviews, strategy and policy development: do you know how information security supports and enables the business? Scared by the prospect of selecting and implementing security controls? Need to develop an approach that holds water and secures long-term advantage? Puzzled and annoyed by persistent problems or incidents? We can help!
- Gap analyses and pre-ISMS implementation reviews: reviewing information risk and security management arrangements, governance, policies etc.;
- ISMS implementation project proposals: helping to draft, review, promote and finalise proposals, budget requests, business cases etc.;
- ISMS briefings for management (up to Board level, down to supervisor/team leader, sideways through all departments and even out to business partners and external stakeholders), plus security awareness sessions, risk workshops, courses and what-have-you;
- ISMS implementation support: mentoring the CISO, implementation project manager and team, providing feedback, guidance, suggestions and support on demand;
- ISMS/infosec documentation: drafting, customising, updating/refreshing and generally tarting-up documentation of all types, including ISMS IT system documentation, plus policies, procedures, guidelines and associated collateral - forms, user guides, diagrams ... Are your pre-packaged ISMS materials lousy, incomplete, out-of-date and unsuited to your particular business?
- ISMS management reviews: review the ISMS from management's overall perspective, emphasising the business angles (e.g. the business case, information risk and security strategies, policies, implementation plans, governance arrangements, security metrics, continuous improvement, cost-effectiveness ...);
- ISMS internal audits: review the ISMS independently and dispassionately, focusing on addressing conformity and/or compliance requirements and perhaps smoothing-off any rough edges;
- Training: information risk and security management, IT auditing, metrics, ISO27k ... whatever you need in this general area really;
- ISMS certification readiness reviews and stage 1 or stage 2 certification audit support: is your ISMS implementation project on-track to complete all the essentials before the certification auditors turn up? How are you doing on conformity and compliance? Do you need an expert on-hand to smooth the way, accompany/shadow the certification auditors, deal with issues arising, negotiate a settlement ...?
- General IT audits, IT installation audits, security maturity benchmarking, supplier assessments, cybersecurity audits, accreditation ...: a competent, thorough assessment provides assurance and rational improvement recommendations, free of the inevitable biases and prejudices of those directly involved. We bring fresh eyes, experience, insight ... and being independent, we have no axe to grind: we'll tell it like it is.
- Security measurement & reporting reviews, metrics development: of all the myriad aspects that could be measured, what are the handful that really matter, and why is that? How will measuring those things drive meaningful improvements in information risk and security that truly support/enable the business?
- Interim management: need a CISO, Information Security Manager, IT Audit Manager or similar? Short-term assignments are ideal for us - up to three months, long enough to help you locate and recruit a permanent replacement while we simply 'hold the fort' or perhaps restructure and re-energise the team, tackle longstanding issues, initiate new strategies or whatever you need to set things up for the new recruit.
We prefer remote working wherever possible, avoiding the travel and subsistence costs thanks to videoconferencing, email and phone calls. It gives you and us the flexibility to adapt to changing circumstances and priorities. If you need more from us, or if something comes up that needs our help, we can probably accommodate. If you are getting along just fine without us, that's OK too. Remote working is eco-friendly, low-stress, highly productive and cost-effective since we only charge for hours worked!
Hybrid approaches combine discrete (and discreet!) periods on-site (e.g. ISMS audit fieldwork; requirements gathering; training courses; presentations; workshops) with remote working as appropriate (e.g. off-site planning/preparation and reporting; strategy, policy and business case development; web-based training or presentations ...). Travel and subsistence costs are chargeable but you have the benefit of our full attention while on-site.
Please browse the shop for off-the-shelf products, or get in touch to explore how we can best help you.