Information Security Assessments

The goal of an Information Security assessment is to ensure that the necessary security controls are integrated and implemented in the organization or business in scope. Rapid changes in technology continually open new vulnerabilities that threats can exploit, and this changes the organization's risk picture. As a result, every organization has to perform multiple assessments to ensure that its risks are identified and mitigated.

These assessments help you answer the following questions:

Are you aware of the people, process and technology weaknesses in your organization?

Are you aware of the information security risks that exist?

Do you need to perform a periodic check to ascertain the current risks?

Are your employees fully trained to identify and address the risks in the changing landscape?

Do you have the necessary tools to identify and remediate the inherent risks?

Are you compliant with regulatory, customer and business requirements?

These are some of the questions commonly put to leadership by customers, regulators or the board.

Our focus is on a few assessments that together cover all aspects of information security and data protection in an organization.

ISO 27001:2013

ISO 27001:2013 is a standard specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

ISO/IEC 27001:2013 has ten short clauses, plus a long annex with 114 controls across 35 control categories and 14 domains.

SSAE 18 SOC 2

SSAE stands for Statement on Standards for Attestation Engagements, which is overseen by The American Institute of Certified Public Accountants (AICPA) and more specifically the Auditing Standards Board (ASB).

According to the AICPA, “Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.” In other words, SSAE governs how service organizations report on their compliance controls. These reports are called SOC 1, SOC 2 and SOC 3.

SOC 1 is a control report for service organizations that pertains to internal control over financial reporting.

SOC 2 is a report based on the existing SysTrust and WebTrust principles. It evaluates the business information system against the criteria of security, availability, processing integrity, confidentiality and privacy.

SOC 3 is also based on the SysTrust and WebTrust principles, but the SOC 3 report does not go into as much detail as SOC 2 and is primarily used as marketing material.

One way to comply with SSAE 18 is to undergo a risk assessment that produces one of these reports.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly: for organizations handling large volumes of transactions, an external Qualified Security Assessor (QSA) or a firm-specific Internal Security Assessor (ISA) produces a Report on Compliance; companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ).

Cyber Security Risk Assessment

The Cyber Security Risk Assessment uses a Maturity Model construct for assessment and report development, based on the Critical Security Controls (v7) published by the Center for Internet Security. This assessment focuses on how effectively the organization’s current cybersecurity program protects it when operating in a “Modern IT” environment, sometimes referred to as “Hybrid IT”.

The CIS Controls approach cyber defense with prioritized and prescriptive security guidance. There are 20 top-level CIS Controls and 171 Sub-Controls, prioritized into three Implementation Groups (IGs). The CIS Controls IGs prioritize cybersecurity actions based on organizational maturity level and available resources.

The maturity of the organization against the CIS Controls is measured using the six capability levels and the four-point rating scale defined by ISO/IEC.

Capability levels

  Level   Name
  5       Optimizing process
  4       Predictable process
  3       Established process
  2       Managed process
  1       Performed process
  0       Incomplete process

Rating scale

  Not achieved          0–15%
  Partially achieved    >15–50%
  Largely achieved      >50–85%
  Fully achieved        >85–100%