“Finding the right consultant was an important part of the project. Changing culture within an organisation and encouraging staff to embrace that culture can be difficult. Sapphire’s consultant worked with us to make this change. He knew the subject matter and was always helpful when we had any queries, or a change of focus. Sapphire’s process worked for us.”
Tim Loughlin, Chief Finance Officer, Esteem
How can Sapphire help your organisation?
Sapphire offers a modular, stage-wise programme of consultancy services designed to assure the confidentiality, integrity and availability (CIA) of an organisation's information assets. The organisation decides Sapphire's degree of involvement. Sapphire's methodology is based on ISO/IEC 27002 (formerly ISO 17799:2005) 'Information Security Management' and will assist in the development of a robust information security management system (ISMS).
For further information on how Sapphire can help your organisation, please download The Hannigan Report.
Sapphire's stage-wise programme consists of the following phases:
Phase 0: Initial Scoping Meeting
Phase 1: Gap Analysis/Risk Assessment/Development of a Security Improvement Plan
Phase 2: Implement Security Improvements (Plan)
Phase 3: Information Security Education and Training
Phase 4: Implementation Review and Compliance Checks
Phase 5: Final Mock Certification
Phase 0: Initial Scoping Meeting
This phase clearly defines the scope of the ISMS. This is an organisational decision: an organisation can decide to have a very narrow scope (e.g. initially just the IT department), a medium scope (e.g. the head office) or a much wider scope (e.g. organisation-wide). A SCOPE STATEMENT is produced at this stage which details which departments and business units are covered by the ISMS.
It is important to agree which parts of the organisation are to come under the control of the ISMS and the 'dotted-line' relationships with the other support functions. The scope statement tells external certification assessors which areas of the business to audit and to which areas a certification is awarded.
Phase 1: Gap Analysis/Risk Assessment/Development of a Security Improvement Plan
It is proposed that a staged project lifecycle is implemented to ensure that each stage has verified checkpoints and actions. This process forms the key milestones in the route-map to ISO 27001 compliance.
Stage 1: Gap Analysis
Stage 2: Development of a Risk Assessment/Management Approach
Stage 3: Development of Security Improvement Plan
Stage 1: Gap Analysis
The organisation is characterised to see how it compares with sector standards and best practice. The Gap Analysis compares its current capability with the requirements of ISO 27001, and best practice already in place across the organisation is identified.
The main output of this Stage is a Current State Analysis, which is then used in Stage 3 to develop the Security Improvement Plan for Phase 2 and to identify the next steps in the compliance programme.
Stage 2: Development of a Risk Assessment/Management Approach
This Stage deploys a Risk Assessment and Risk Management methodology covering the organisation's information assets. Risk Assessments are conducted to identify threats to your information assets and the vulnerabilities those threats could exploit. The findings of these Risk Assessments, together with the results of the Current State Analysis, are used to develop the Security Improvement Plan and may also be used, if required, to develop a Business Continuity Plan. The main outputs are a Risk Assessment Sheet and a Risk Register.
Stage 3: Development of Security Improvement Plan
At the end of Stage 2 a meeting with management is held to present the results of this Phase and the roll-out plans for Phases 2 and 3. Based on the results of the gap analysis and the risk assessment exercise, a formal Security Improvement Plan is devised to steer the project forward.
Phase 2: Implement Security Improvements (Plan)
The Security Improvement Plan is translated into an Information Security Management System, typically comprising the Policy, Manual and Procedures that set out the rules and guidelines, identified from the Current State Analysis and Risk Assessment, needed to protect information assets and prevent security breaches.
A high level Security Policy would be written and signed by Executive management to demonstrate top level commitment for the ISMS.
This phase would ensure that all mandatory processes and documentation, which must be operated continually in order to gain formal certification and subsequently maintain it, are generated.
Typically, Sapphire would generate the core procedures (Security Incident Reporting etc), and advise Departmental 'sponsors' how to write theirs.
This stage would also establish an Internal Audit function covering all security policies, procedures and controls, and would produce and maintain a document known as the Statement of Applicability (SoA), which records the selection or exclusion of each security control.
Phase 3: Information Security Education and Training
Sapphire provides specific information security awareness training for specified groups, e.g. Senior Management (including HR and Legal); technical training; and general staff training delivered to selected 'IS co-ordinators' (skills transfer), to develop an effective Information Security culture based upon 'shared responsibility'. A recent addition in this area is what Sapphire calls 'Forensics Readiness' training, which equips organisations to meet the minimum requirements for handling incidents where evidence must be preserved and dealt with appropriately.
As well as ISO 27001:2005 training, Sapphire can provide general information security awareness training and internal auditor specific training, drawing on experience of a wide-ranging security practice across technical and systems disciplines.
Phase 4: Implementation Review and Compliance Checks
The operation of the key governance elements will be checked to ensure that they are functioning, that the new culture of information security is in place and that all staff are conscious of a more 'security-focussed' way of working. The elements of the Information Security Management System are subjected to a cycle of compliance audits to objectively ensure that information handling and processing activities are in accordance with the relevant controls.
Phase 5: Final Mock Certification
This is an optional final 'business as usual' full mock audit to ensure the organisation is in a strong position to gain certification at the first attempt. This Phase will include a discussion of the organisation's next steps, i.e. certification.
Please download the 360CRM Case Study to learn how Sapphire helped 360CRM work towards ISO 27001 certification.
Sapphire’s Business Consultants
Sapphire’s Business Consultants are all ISO 27001:2005 Information Security Management experts and help at each stage of a project lifecycle, from the embryonic ideas for a potential business solution through to reviewing the effectiveness of a final system.
All members of the Business Assurance team are security cleared and complement each other's strengths with a varied range of skill sets, including ISO 27001:2005 IRCA-recognised Lead Auditors, CLAS Consultants and ISACA-recognised CISM Professional Trainers, with each also holding senior positions on professional bodies including the BCS, the ISACA Security Management Committee, CIPFA, IRCA and the CESG CLAS Listed Advisor Scheme.
They are currently guiding many clients through the ISO 27001:2005 Certification process. Sapphire has a 100% success rate and, having itself successfully gained Certification to the new ISO/IEC 27001:2005, is particularly well placed to guide others toward this internationally recognised Standard.
Please download the Esteem Case Study for further information on how Sapphire helped Esteem achieve ISO 27001 compliance.