Aiming to help its members increase their cyber resilience, the Information Security Forum (ISF) today launched its global ISF Consultancy Services, focused on providing short-term, professional counsel to support the implementation of the non-profit association's resources and products.
"We're providing practical support to use the ISF tools either on a skills transfer basis, or facilitation or just to come in and do the job," explains Steve Durbin, managing director of the ISF.
"This is a big departure for the ISF," Durbin says. "In the past, we've worked to provide research, tools and methodologies our members can use."
But Durbin notes that members have expressed the desire for help implementing the tools and methodologies ISF produces.
"One of the things that became very obvious as we started going through some of these things is that there is a demand, or a shortage in the market, of people who are able to pick these things up and implement them," he says. "There's a role for a third party to come in and help an organization work through that overall process. While our members would do that themselves, sometimes they don't have the bandwidth or skill set to do it."
Durbin says the new ISF Consultancy Services provide businesses with customized professional support and training to strengthen their cyber resilience and improve their security posture. The services available include the following:
- Security governance, policies, compliance, standards and control framework. This service helps organizations implement ISF's Standard of Good Practice for Information Security (the Standard), a comprehensive information security standard that provides complete coverage of the topics set out in ISO/IEC 27002:2013, COBIT 5 for Information Security, the NIST Cybersecurity Framework, the CIS Top 20 Critical Security Controls for Effective Cyber Defense and the Payment Card Industry Data Security Standard (PCI DSS) version 3.1. It is intended to help organizations meet their regulatory and compliance requirements, gain agility while ensuring the information risks associated with new business opportunities are managed to acceptable levels, respond to rapidly evolving threats, and update existing internal security policies or develop new ones.
- Risk assessment (IRAM2). This service leverages ISF's Information Risk Assessment Methodology 2 (IRAM2) to perform end-to-end business-focused information risk assessments. Consultants will use IRAM2 to help organizations define a risk appetite and supporting resources, identify their threat profile, assess existing vulnerabilities and develop pragmatic risk treatment plans. The service can include training an organization's staff to perform IRAM2 assessments on their own, performing full risk assessments for the organization, or a combination of approaches.
- Information security assessment, controls assurance and ISO 27011/2 readiness. This service uses the ISF Benchmark, a tool that provides in-depth and/or high-level assessments of an organization's security arrangements, to determine how those arrangements stack up against the Standard, other internationally recognized standards and other leading organizations. Through the service, consultants can help organizations determine their readiness to achieve compliance with ISO 27001, evaluate information security policy by identifying which areas require enhancement or fresh content, assess security performance across a range of different environments and build a plan for improvement.
- CISO as a service. When necessary, the ISF can provide an organization with an interim CISO while the organization is recruiting for a permanent CISO, or when an organization has no CISO or security leadership role but needs immediate advice. The service can also help CISOs present the value of information security to the business at the board level, or provide immediate direction and coordination of activities in the wake of a significant incident.
- Critical asset management and protection. With expertise in disciplines such as information classification and information risk assessment, ISF consultants can help organizations identify their critical information assets, apply the latest information risk assessment techniques to identify the threat profile of those assets, provide the right level of protection to them and maintain a consistent approach that allows for factors that may change over time.
- Supply chain/third-party assessment. The ISF's Supply Chain Risk tool helps organizations identify information risk exposure in their supply chains and then manage that risk according to their risk appetite. Through this service, ISF consultants will apply the ISF's Supply Chain Information Risk Assurance Process and Supply Chain Assurance Framework to help organizations identify instances of information risk exposure in existing supplier and third-party relationships, rank suppliers by the level of information risk identified, identify enhancements to ongoing vendor management processes and implement processes for initial and periodic supplier control assessments.
- The EU General Data Protection Regulation (GDPR). Through this service, ISF consultants will leverage the ISF's expertise in building standards, benchmarking and risk assessments to determine an organization's readiness for GDPR, which takes effect in May 2018. Consultants can help identify likely areas of non-compliance and help organizations develop a roadmap for full GDPR readiness.
"The ethos at the ISF is to get in, do as much as we can as quickly as possible, and get out," Durbin says. "Our model is geared around impact and doing that at a price point that is attractive to the member; in fact, ISF Consultancy Services are subsidized for members."
Generally, he says, engagements will last several weeks to as much as three months and consist of between one and four consultants.