Information Security & Compliance
Information Security and Data Protection are essential parts of any modern business
Information security isn’t just about information, it is about so much more! The use of technology in modern business means that most areas comes into contact with Information Security at some point. Therefore, it is about enabling safe business practices and protecting employees, customers and suppliers as much as information.
Compliance as a Service (CaaS)
Information Security and Data Protection are essential parts of any modern business, however for many SME’s employing specialists in these roles can be cost prohibitive and impractical.
This is where Compliance as a Service (CaaS) comes in. For a fixed monthly fee, we can provide you with all the benefits of having in-house expertise without the costs.
How? For many SMEs, their requirements do not amount to a full time role. Often as little as a day a month will be enough to ensure you can meet all your obligations ensuring robust information security and data protection management. Of course, in practice, it would be very difficult to employ someone for a day a month but outsourcing makes this a very real possibility.
We will become an extension of your team, providing month round coverage, responding to your enquiries in addition to any agreed dedicated days to deliver longer term projects. CaaS provides all the benefits and features listed below from as little as £500 per month. Get in touch to discuss your requirements and receive a tailored proposal.
SME’s employing Information Security and Data Protection specialists can be cost prohibitive and impractical. This is where Compliance as a Service (CaaS) comes in. For a fixed monthly fee, we can provide you with all the benefits of having in-house expertise with minimal costs.
Ensures robust Information Security
Free up your time to focus on your core business
Fixed monthly cost
Peace of mind
Compliance as a Service (CaaS) provides you with all following features
INFORMING AND ADVISING
✔ Guidance and advice on information security and data protection matters and issues.
✔ Answer queries from any member of your team
✔ Help raising awareness and providing training
✔ Share best practice tips
✔Embed information security and data protection needs into daily processes for ease of adoption and robust reporting
DOCUMENTATION AND RECORDS
✔ Creation of Information Security policy, process, and record documents (e.g. information security policy, access policy, incident management, etc)
✔ Risk Assessment and Register: Identify, score, and record information security and data protection risks to your business
✔ Change Management: Robust approach to managing information security and data protection risks when changes occur in your business
MONITORING AND REPORTING
✔ Records of processing activity: Detailing what information you collect, why you have it and what it is used for
✔ Supervisory authority contact records: Record when and why contact with authorities has been made as required under GDPR
✔ Log of individuals exercised rights: Records of who, when and why individuals asked to exercise their rights
✔ Supplier register: Centralise all supplier information with risk score, review schedule and key documents
✔ Access rights: Monitoring and recording of who can access what areas, information, and systems
✔ Information assets registers: Know what you have, where you have it and score its level of risk
✔ Annual reports on information security and data protection performance
✔ Senior management review meeting: Annual review of information security and data protection performance
✔ Supplier review: Make sure suppliers are meeting expected and contracted standards
✔ Annual documentation review: Keep policies and processes up to date
✔ Access rights review: Ensure access is only granted to those that need it.
Information Security Implementation
The below explains the key factors behind our approach to implementing successful information security management systems, ensuring they are relevant and effective.
KEEP INFORMATION SECURITY SIMPLE
An organised Information Security Management System will keep you focused on what truly matters, ensuring your information security controls do not become bureaucratic, over-bearing or worst still, blockers to achieving your business goals.
ONE SIZE DEFINITELY DOESN’T FIT ALL
Information Security is definitely not “one size fits all”! It requires a real understanding of organisational needs, objectives and culture. Only then can meaningful policies and procedures be implemented that will be understood, invested in and adopted by the most important resource in any company – the individuals that work there!
Therefore, it is not a good idea to use templates when creating your information security controls. Instead, they should be designed to match the specific needs of your business, taking account of how you work and your strategic goals. As a result, it will allow the development of embedded and robust information security controls and procedures that will work for your business, not against it!
THE HUMAN ELEMENT
It is very easy to lose sight of the human element of information security. All too often it is lost in the piles of policies, procedures, remote threats and many other concepts that make it very difficult for individuals to relate to. As a result, there is little engagement or understanding and information security procedures can be seen, a best, as tick box exercises and, at worst, as blockers to achieving goals.
Therefore, we believe that engaging with the people that make up organisations is the best way to implement and maintain excellent proactive information security controls. This starts with talking to them about how they work and their daily objectives and runs through to training in a manner that is tangible, provides realism and matches their needs and experiences.
When protecting information, and in particular personal information it is vital to remember that we are in fact, protecting people! Considering the impacts poor information security can have on the real people that make up our colleagues and customers, it is one of the best ways of focusing the mind, realising the importance and ensuring successful adoption.
EMBEDDED NOT ENFORCED
The approach in a lot of companies is to enforce information security controls whilst allowing them to exist separately from daily working practices. This, to us, is a mistake. If you embed information security processes into the normal operation of your business, requirements will naturally be fulfilled without the need to rely on people remembering to do them. Whether through integrations, reporting, monitoring or other approaches, the key is to ensure that the information security needs are fulfilled as part of daily practice, not in addition to!
May 25th 2018 saw a new era of data protection come into effect – the General Data Protection Regulation. The first ever “global” law governing data protection. As a result, we saw a lot of fear mongering and misinformation (ironically) about what needed to be done. The term “GDPR Compliant” made its way into our collective language, despite never using the phrase “DPA Compliant”! In real terms, there is no such thing, you are either abiding by data protection law or you aren’t – this is no different to how business has been for decades and for most companies is nothing to be afraid of.
Using our qualified GDPR Practitioner resources, we have developed ways of folding data protection and privacy requirements under the banner of information security, allowing smaller businesses lacking in resources to ensure effective management of their GDPR obligations.
Whether you simply need a review of your existing GDPR measures, or more involved assistance to develop controls and processes that scale with your business needs we are here to help.
ISO 27001 is the most well known standard for Information Security in the world. It stands for excellence and shows a genuine appetite to protect information in an ever changing landscape.
Understandably, ISO 27001 is often mistaken as being for large organisations with complex needs and large budgets, however this isn’t the case. It doesn’t state how you should implement security controls in your business. Instead, it provides a framework and lays out what you should address to ensure effective information security. HOW you address them, is up to you!
With experience in implementation and qualified auditor available, we are able to assist you with your ISO 27001 needs. From initial or internal audits, to a full programme of works to get your Information Security Management System in place, we can help.
Supporting you all the way
Working together ensuring your teams are trained, skilled up and confident
Planning and preparation are critical for a smooth switch over to the new system
Resolving post live issues and supporting as your business develops with knowledge and resources