Jerakano carries out an on-site assessment of your organisation's security management arrangements – helping you to protect your critical assets, be they information, systems, equipment, people or locations - by using our innovative Business-focused Information Security Management Assessment approach - BISMA.

BISMA includes a review of the level of maturity for each of the elements above, taking account of the depth and breadth of security arrangements (including their effectiveness); roles and responsibilities; approval and review mechanisms; essential documentation; deployment of tools and techniques; and the impact of services provided to or from third parties (eg customers, suppliers or partners).

The output from this assessment is presented in a structured report, using graphics and tables to present key findings in an easy-to-understand manner; identifying pragmatic actions to both address issues raised and improve your security programme overall.

SECURITY GOVERNANCE

• Strategic alignment
• Value delivery (expectations, costs, benefits and performance management)
• Information risk management (approach, risk appetite,
  risk register and ISMS)
• Security organisation and policy
• Resource and financial management
• Third party management (eg customers, partners,
  suppliers or cloud service providers)
• The annual information security programme.

CRITICAL ASSETS

• Information asset register
• Information classification scheme
• Information life cycle
• Business processes
• System criticality assessment (criticality of information,
  software, equipment, people and locations)
• Ownership and accountability

 

INFORMATION RISK ASSESSMENT

• Structured, systematic methodology
  (eg ISO 27005, IRAM2 or FAIR)
• Business impact assessment
• Threat and vulnerability assessments
• Risk assessment results (impact and likelihood determination)
• Residual risk
• Risk treatment plan

CONTROL FRAMEWORK

• Recognised international control sets
  (eg ISO 27002, ISF SOGP or NIST Cybersecurity Framework)
• Coverage of key controls (meeting risk and compliance
  requirements)
• Supporting processes, standards, procedures and guidelines
• Control selection and implementation

 

INCIDENT MANAGEMENT

• Incident management capability
• Incident management process (diagnosis, containment,
  resolution and recovery)
• Incident recording and trend analysis
• Crisis management
• Business continuity and disaster recovery

 

SECURITY ASSURANCE

• Systematic, structured monitoring and review
• Self-assessments; internal and external audit
• Independent review (eg penetration testing)
• Risk reporting (dashboard showing security weaknesses,
  incidents, return on investment, costs and remediation
  activities)