Professional services
What we do

Governance

Governance involves strategic management activities such as strategy formulation and implementation, organizational structure and control, and assurance. 

Leading organizations are:

  • Drawing up business-focused GRC strategies that align with, complement and support other business strategies concerning IT, products and markets, HR, finances etc.;
  • Establishing professional GRC functions to take the lead on risk management, compliance management, information security management and assurance/audit;
  • Developing and implementing a suite of GRC-related policies;
  • Planning and executing GRC improvements sensibly and systematically throughout the organization.

Risk management

Taking risks is of course a natural part of corporate management. Risk management essentially involves differentiating risks that can be accepted from those that need to be mitigated in some way, and monitoring residual risks in order to avoid nasty surprises.

Leading organizations are:

  • Dynamically identifying and ranking risks in business terms;
  • Distinguishing and characterizing potential threats, vulnerabilities and impacts, and proactively looking for changes;
  • Exploiting opportunities to take calculated risks;
  • Reducing or avoiding unacceptable risks, largely through suitable controls;
  • Making incident management and business continuity arrangements in case controls fail and risks materialize.

Compliance

While ‘compliance’ is generally taken to refer to laws and regulations, in fact it covers a far broader set of rules including corporate policies, contracts, standards and codes of ethics. 

Leading organizations are:

  • Dynamically identifying compliance obligations from all sources;
  • Aligning and consolidating requirements and, where possible, implementing broad-based systems, processes and controls that simultaneously address multiple requirements;
  • Actively managing compliance risks, for example using management oversight, reviews and internal audits to identify and deal with trouble spots in order to avoid serious incidents, but tolerating minor compliance risks to save money;
  • Going beyond mere compliance where it makes business sense to do so;
  • Using enforcement as both carrot and stick.

IsecT’s core competencies

Our primary areas of interest and expertise are:

  1. Information security management - including information security strategy, policy and business case development, interim management and mentoring, bridging (linking business and technology), risk assessment and ranking, security process maturity assessment (benchmarking) and business continuity management (resilience, recovery and contingency).
  2. Information security awareness and training - we supply creative security awareness materials through NoticeBored, a unique monthly subscription service, always topical.
  3. ISO27k - understand and adopt good information security practices in the ISO/IEC 27000 international standards, particularly the broad spectrum of security controls recommended by ISO/IEC 27002.
  4. IT auditing - planning and conducting independent audits and tests on IT functions, projects and systems, including pre-certification ISO/IEC 27001 compliance assessments.
  5. Security metrics (an exciting new area of focus) - designing and implementing a suite of metrics to manage your GRC more systematically, effectively and efficiently, using PRAGMATIC security metrics: we literally wrote the book on it.

Bespoke consulting services

The outline descriptions above are simply a starting point. If you need something that’s not specifically mentioned on this site - or even if it is - please contact us to discuss your requirements in more detail. It is important, both for you and for us, to clarify exactly what you need and determine whether and how we might assist before we make a start. Come to us for straight-talking advice, further information on any of our services and to check our availability.

By the way, don’t let the fact that we are a small New Zealand company put you off.  We offer cost-effective online alternatives to traditional on-site consulting, and we have access to global networks of trusted professional peers, colleagues and partners.  If we can’t help you ourselves, we probably know someone who can.

Copyright © 2013 IsecT Ltd.