We perform thorough audits against ISO 27001 (Information Security), ISO 22301 (Business Continuity) and the General Data Protection Regulation (GDPR). We identify and evaluate the risks involved in a situation, estimate their levels, compare them against benchmarks or standards, and determine an acceptable level of risk.
In an audit, our empaneled auditor compares the customer's activities against the list of requirements of an industry management standard. The audit identifies whether or not the customer complies with these requirements, but not necessarily whether the customer exceeds them.
We deliver a report containing the results against a specific standard or set of standards, listing the identified gaps, that is, the areas where the standard is not being met.
We perform assessments to understand the customer's security position. The goal of an assessment is to let the assessors apply their experience and practical knowledge, together with other recognized IT security standards, frameworks and guidelines, to find ways the customer can achieve a higher level of performance rather than simply meeting minimum compliance. An assessment is not a strict pass-or-fail exercise; it is intended to give the customer an accurate picture of its current security posture.
Assessments also normally grade the risk to the organization and its operations along several dimensions. For instance, an assessment may categorize its risk findings as critical impact, high impact, medium impact or low impact. The assessment should also give the customer feedback on identified strengths, as well as informational findings that fall outside the scope of the security assessment.
In short, an assessment gives the customer a list of actions to take in order to mitigate the identified issues and reach a stronger security position, rather than simply satisfying a minimum compliance requirement.