Our staff has been working on ISO 27001 projects for 20 years. Let us show you how to transform your Information Security Program into a high-performing business enabler. We have the expertise to identify your gaps, build a mitigation plan, and help you build your program from the ground up, or take an existing one to the next level. We’re proud to help shape how leading companies structure and manage the protection of information assets.
To help you understand where your organization's operational control posture stands relative to a specific standard or regulation, we conduct assessments of management and technical controls. In addition to identifying what is and is not in place, we work with our clients to understand the depth of control implementation, either by creating a capability maturity model (CMM) or by using one that already exists in the client environment. This approach gives clients far greater value, because it shows the full and true effort needed to achieve program goals.
We also extend this work to client operational areas, performing an impact assessment of the identified gaps so that we can help clients develop a qualified program budget proposal.
To help our clients achieve focus and ensure the success of their business goals, we offer management consulting services to help you build a winning strategy and supporting business case for your standards- and regulation-driven program. This is done collaboratively between our engagement team and your key leadership stakeholders, following a gap assessment.
Where not in place, we help clients design an enterprise steering committee, establish the committee's charter document and engage target participants from the organization's management team.
Program Management Support
Many of our clients are already inundated with existing operational commitments and are understaffed; however, customer, business partner, or regulatory expectations dictate compliance with one or more standards or regulations that are not currently aligned with their business operations.
CIMA provides on-the-ground resource support to help you manage the implementation of an ISO 27001 program based on the standard and your legal and regulatory requirements. Our Program Management support works with you and other leaders in your organization from start to full implementation and, as required, assists you with a transition plan to migrate program components to their operational owners.
Our resources have substantial Program Management experience in the development and rollout of programs driven by information technology management and assurance standards and regulations.
Program Presentation Support
In most cases, you have one shot at presenting your business case to top management for support and sponsorship.
CIMA provides management consulting support to help you design and develop a winning business case and supporting presentation package for your leadership presentation, for audiences up to and including the Board and customers.
Communication Program Support
Every program that is driven by standards and regulations introduces significant change in the way technology and business employees perform their jobs.
Managing change is a critical activity of any program initiative. The most effective tool to manage change is an organized, structured, and focused communication plan. CIMA provides clients with consulting support to help build effective communication plans and supporting tools including full awareness and training programs.
Component Level Development and Roll-out Support
Every program has various moving pieces, some of which are similar from one standard or regulation to the next, and some of which are unique. We help clients design and develop any and all components of their program. Areas include:
Governance Framework Development
Many companies jump into developing their governance documentation without establishing a clear understanding of their governance scope. By way of example, ISO 27001 has a mandatory requirement that the organization perform a legal and regulatory review and encompass all such requirements in its governance framework. In order to achieve ISO 27001 organizational certification, the organization must provide evidence that it has performed this review and incorporated all requirements into its new governance framework. CIMA has experience working collaboratively with client legal, business and technology leaders to help them accomplish this and yield a structured governance framework, from which all other governance can begin to be developed. The framework model approach that CIMA uses to assist clients provides a hierarchical structure allowing various authoring and approving authorities at different levels of the framework. As part of the deliverables we yield, first and foremost, a control catalog, and from there construct the framework in a logical and structured fashion. As needed, we also assist clients in developing a process to draft and approve governance components.
Similar to its use in the Project Management world, a Program Charter establishes the mandate for the program, as well as the fundamental roles and responsibilities for its development and maintenance. Through a collaborative approach, we help clients develop the organization's Program Charter to ensure it has a solid foundation and that inter-departmental support is assured. One of the critical aspects of the Program Charter is the demonstration of alignment to the business' critical objectives. When we work with clients, we ensure a clear mapping of Program goals to Business goals is articulated so the Program's value is understood all the way up to and including the organization's Board.
It is well understood by today's business community that a policy is a statement of management's expectations. Across the board, ISO standards and regulations dictate the development of a policy to communicate to the body of the organization and other stakeholders the need for, and adherence to, a set of controls related to the mandating standard or regulation. We help clients collaboratively draft and socialize a policy document to ensure stakeholder buy-in.
Standards are, in their simplest form, a collection of theme-based controls. Following on from the Governance Framework effort, we work with clients to develop individual policy standards that are technology agnostic. During this work, once we have developed a satisfactory draft standard, we facilitate an internal client focus session to review the document against three factors, namely that each control statement in the document is:
For an organization's operational technology teams to understand how to configure and maintain technology solutions in a standardized fashion that meets the stated expectations of a standard, the organization must develop technical standards articulating how the requirements of that standard are to be achieved. We work with client technology teams and empower them to develop technical standards for individual technology environments by providing standardized templates and a facilitated approach.
Processes are an organized set of actions designed to achieve a specific outcome. All standards and regulations, either implicitly or explicitly, mandate specific processes in order to achieve compliance. CIMA helps clients, in a collaborative fashion, develop process documentation that meets the spirit and intention of standards and regulations.
Procedures are detailed sub-activities of a process: they typically drill down into one step of the process as a set of integrated tasks.
In many cases, organizations must turn to technology to help satisfy control requirements stated in standards and in legal and regulatory requirements. CIMA helps clients define technology requirements before their technology staff begin solution evaluation, to help ensure appropriate alignment with the requirement. In a typical engagement, the client's technology teams evaluate and select solutions autonomously, with CIMA's team validating that the chosen solution meets the stated requirements.
Awareness and Training
No matter whether implementing management or technical controls, ensuring a smooth rollout is critical to the Program's success. We help clients build awareness and training tools to achieve program goals.
Interim Information Security Manager / Leader / CISO
The role of the Chief Information Security Officer is a high-visibility and highly sensitive one. On occasion, changes put organizations in a situation where they must operate for a period of time without an internal CISO.
CIMA fills this void through a term contract placement of an experienced information security leader.
We help good businesses become great.