Cyber security assessments are all about understanding, managing, controlling and mitigating cyber security risk across your organisation. They are an essential part of an organisation's overall risk management strategy and are needed to rate existing cyber security controls and to understand your cyber security gaps and risk, so that cyber security improvement can be driven.
However, some organisations with experience of security assessments have been frustrated by the process, which all too often includes poor scoping, slow and cumbersome delivery, and generic, poor-quality outputs that lack practical next steps.
So, what makes a good cyber security assessment service?
Getting the scope and balance of the assessment right is critical to ensuring that the assessment is successful, meaningful and provides the right level of assurance and detail in the areas required.
An assessment can range from a broad, high-level, organisation-wide security assessment through to a detailed review of particular areas involving the testing of security controls. It's important that the scope is agreed, fixed and communicated before the assessment starts, so that everyone involved is on the same page.
For broader security maturity assessments, using a well-recognised framework is key, such as ISO27001, NIST or Savanti's own Cyber Security Controls Framework.
Good frameworks provide standardisation, consistency and repeatability, so that progress can be shown over time. This helps an organisation rate its existing cyber security controls, prioritise improvements and understand what it needs to do to achieve a certification such as ISO27001 or to meet regulatory requirements. They can also provide a holistic view of security maturity that considers the actual causes of cyber security incidents when assessing risk.
An external and independent team is crucial to performing an effective assessment, bringing fresh eyes to spot new issues or problems within the organisation. This avoids the over-familiarity problem of 'we can't see the wood for the trees' that often affects internally delivered security assessments.
The security team should work closely with the organisation and have the experience, knowledge and ability to quickly assimilate information in order to form a balanced view of the effectiveness of information security controls: what is good, what works and what requires improvement.
How you conduct your assessment makes a big difference to the outcome. A good assessment should be thorough while at the same time minimising the impact on individuals within the business. This can be achieved through careful planning, including obtaining and reading relevant documentation up front, so that any information-gathering sessions with staff are targeted, relevant and productive.
Assessing the level of security risk from any issues identified is an important part of any assessment and must take into account the nature of the organisation, the mitigating controls already in place, what is important to it and its risk appetite. What is an acceptable risk to some organisations will not be acceptable to others.
The reporting process is a critical part of an assessment. Before formal reporting starts, a discussion of the findings gives the organisation advance notice of the issues and cyber security risks identified and an opportunity to provide feedback, which helps ensure factual accuracy, builds in relevant organisational context and secures buy-in to the findings.
The report itself should be clear, concise and well structured, providing meaningful reporting with prioritised, practical improvement actions. It should set out the steps and direction the organisation should take, making a real difference.
In conclusion, every organisation relies on information technology and information systems to conduct business. Performing security assessments to confirm that you have a sound cyber security setup is an essential component of managing your cyber security risk, and implementing their findings helps ensure that the cyber security posture and maturity of your organisation continue to improve.
Look out for our next blog, which covers why you need tailored or focused assessments.