This generic guideline encourages clients and providers to identify, evaluate and address information risks relating to professional services engagements. It suggests information security, privacy, governance and other controls to mitigate unacceptable information risks. Pragmatic guidance and checklists make this guideline worthwhile even for small organizations.
‘Professional services’ involve the provision of advice and guidance by competent and experienced specialists to their business clients or customers. The umbrella term ‘consulting’ encompasses a broad range of information-centric professional services such as:
- Building and construction services e.g. architecture, surveying;
- Business services e.g. marketing and sales, strategy and management consulting, auditing, quality consulting;
- Engineering services e.g. electrical and electronic design, materials science, measurement and calibration;
- Financial services e.g. book-keeping and accounting, plus investment, tax and insurance advice;
- Human resources services e.g. recruitment, employment disputes, mentoring and training;
- Information technology and telecommunications services e.g. Internet services, cloud computing, technical support, outsourced development, datacentre facilities;
- Legal services e.g. commercial and family law, contracting, compliance, forensics, prosecution and defence, intellectual property protection;
- Security services e.g. information risk and security consulting, IT auditing, digital forensics, background checking, surveillance;
- Other specialist advice and information processing services.
Through one or more assignments, jobs, projects, activities or tasks within an engagement, professional services clients and providers exchange, generate and utilize valuable and often sensitive information. Information is the raw material and work product of the engagement.
In line with the ISO27k standards, this guideline takes a risk-based approach, advising both clients and providers to proactively (meaning systematically, deliberately and explicitly) identify, evaluate and treat (address, deal with) information risks relating to or arising from professional services.
It suggests a range of information security, privacy, governance and other controls to mitigate unacceptable information risks using practical, conventional and well-proven measures that are applicable to all types and sizes of organization. Simple, straightforward guidance and checklists cover three main phases of a professional services engagement, making this guideline eminently pragmatic and worthwhile even for small and medium-sized organizations that do not employ specialists in this area.