ISO 27001
Vernance consultants are experts in implementing and assessing the controls that enable adherence to ISO 27001. ISO is a network of national standardization bodies from over 160 countries; the final results of ISO work sessions are published as international standards. Over 19000 standards have been published since 1947.
ISO 27001 started as a “Code of best practices” in 1990 and evolved into a fully matured standard after 2000, when British Standard 7799 (BS7799) became ISO 27001. In 2013 ISO 27001 had its fourth revision, becoming one of the most mature and certifiable ISMS standards.
The management system defined in ISO 27001 is a risk-based approach that covers establishing, implementing, operating, monitoring, reviewing and improving information security. All the activities defined by ISO 27001 are supported in a streamlined and consistent way by the organizational structure and the IT governance environment (policies, procedures, SOPs, and resources).
Vernance has experts in implementing all the areas necessary to achieve ISO 27001 compliance, including:
- Documenting the plan of action, priorities, and responsibilities related to the risk treatment plan.
- Designing and implementing efficient controls to be used in the risk treatment plan.
- Documenting and establishing the awareness plan.
- Defining and documenting the ISMS processes and responsibilities to be used for continuous management and improvement of the information security organization.
- Designing, documenting and implementing processes, including incident management.
ISO 27002
A directly related standard in the same family as ISO 27001, the international standard ISO 27002 is advisory in character. ISO 27002 should be interpreted and applied according to the organization's specific information security risks, regardless of the type and size of the organization.
Given its flexibility, ISO 27002 gives adopters the opportunity to selectively choose and implement information security controls based on their environment. While a widely applicable, non-industry-specific standard is a great concept, this flexibility renders ISO 27002 unsuitable for standardized compliance testing and, implicitly, for defined and formal certification schemes.
Vernance consultants are experts in risk management, including risk identification and the design and implementation of risk treatment controls. We can help organizations overcome any risk-related challenges and, together with internal teams, we can define, design and implement the most appropriate, cost-effective, and scalable risk treatment controls, so that our clients can meet any applicable mandatory compliance standard with minimal effort.
NIST family of standards
NIST 800-53
One of the most prescriptive US information security standards, with its roots in the 2001 President’s Management Agenda, NIST 800-53 was formally established in February 2005. It is a close relative of the ISO standards, having as its target the “protection of information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity, and availability.”
NIST 800-53 serves as a base for all current industry standards in the US and aims to “lower the level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals, resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.”
NIST 800-55
Yet another NIST-family standard, NIST 800-55 describes the approach for developing and implementing an information security measurement program, used to develop, select, and implement information system-level and program-level measures.
NIST 800-55 defines how to identify the adequacy of in-place security controls, policies, and procedures through the use of measures. It provides an approach to help management decide where to invest in additional information security resources, identify and evaluate unproductive security controls, and prioritize security controls for continuous monitoring.
The scope of a NIST 800-55 measurement program can encompass organizational units, sites, or other organizational constructs and can be based on:
- Stakeholder needs
- Strategic goals and objectives
- Operating environments
- Risk priorities
- Information security program maturity
NIST 800-144
As an extension of NIST 800-53, the scope of NIST 800-144 is to provide an overview of public cloud computing and the security and privacy challenges related to this technology. The standard targets the threats, technology risks, and safeguards for public cloud environments, and provides the insight needed to make informed information technology decisions on their treatment.
Vernance’s consultants are experts in helping companies carefully plan the security and privacy aspects of cloud computing solutions before their adoption. Through targeted yet broad analysis, we help customers ensure that the selected cloud computing solution satisfies the organization's security and privacy requirements. Our expertise enables customers to maintain accountability over the privacy and security of data and applications implemented and deployed in cloud computing environments.
CSF - Cyber Security Framework
“The Framework gathers existing global standards and practices to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the Framework provides a road map. For organizations with more advanced cybersecurity, the Framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks. Organizations outside the United States may also wish to use the Framework to support their own cybersecurity efforts.
Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.
The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions — Identify, Protect, Detect, Respond, Recover — that provide a high-level view of an organization’s management of cyber risks.
The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices.” (Source: White House, Office of the Press Secretary)
Through combined expertise in international standards and NIST, Vernance has the ability and capacity to help with NIST 800-53 implementations, gap analysis and controls re-alignment. We have experts who can actively assist in defining and addressing every NIST control objective and in establishing appropriate management practices.