SECURITY ASSESSMENT
Jerakano carries out an on-site assessment of your organisation's security management arrangements
– helping you to protect your critical assets, be they information, systems, equipment, people or
locations - by using our innovative Business-focused Information Security Management
Assessment approach - BISMA.
BISMA includes a review of the level of maturity for each
of the elements above, taking account of the depth and breadth of security arrangements (including their
effectiveness); roles and responsibilities; approval and review mechanisms; essential documentation;
deployment of tools and techniques; and the impact of services provided to or from third parties (eg customers,
suppliers or partners).
The output from this assessment is presented in a structured report, using graphics and tables to
present key findings in an easy-to-understand manner; identifying pragmatic actions to both
address issues raised and improve your security programme overall.
|
SECURITY GOVERNANCE |
- Strategic alignment
- Value delivery (expectations, costs, benefits and performance management)
- Information risk management (approach, risk appetite,
risk register and ISMS)
- Security organisation and policy
- Resource and financial management
- Third party management (eg customers, partners,
suppliers or cloud service providers)
- The annual information security programme.
|
CRITICAL ASSETS |
- Information asset register
- Information classification scheme
- Information life cycle
- Business processes
- System criticality assessment (criticality of information,
software, equipment, people and locations)
- Ownership and accountability
|
INFORMATION RISK ASSESSMENT |
- Structured, systematic methodology
(eg ISO 27005, IRAM2 or FAIR)
- Business impact assessment
- Threat and vulnerability assessments
- Risk assessment results (impact and likelihood determination)
- Residual risk
- Risk treatment plan
|
CONTROL FRAMEWORK |
- Recognised international control sets
(eg ISO 27002, ISF SOGP or NIST Cybersecurity Framework)
- Coverage of key controls (meeting risk and compliance
requirements)
- Supporting processes, standards, procedures and guidelines
- Control selection and implementation
|
INCIDENT MANAGEMENT |
- Incident management capability
- Incident management process (diagnosis, containment,
resolution and recovery)
- Incident recording and trend analysis
- Crisis management
- Business continuity and disaster recovery
|
SECURITY ASSURANCE |
- Systematic, structured monitoring and review
- Self-assessments; internal and external audit
- Independent review (eg penetration testing)
- Risk reporting (dashboard showing security weaknesses,
incidents, return on investment, costs and remediation
activities)
|
|