Control Effectiveness Review

This service provides you with a fine-grained approach to assessing the efficacy of information security controls, either as a standalone review and report or as part of a formal review of an ISMS.

Do you have a mature security function with an effective information security management system (ISMS), well-formed policies, mature standards, a well-staffed InfoSec team, strong management commitment and a current risk management (RM) framework in place? As with any management system, it can often be difficult to get a clear picture of how effective an ISMS of this nature actually is in operation: are the controls effectively reducing risk? Are they being applied correctly? Is monitoring effective, and are metrics being reported correctly?

We use the CMMI model (Capability Maturity Model Integration) to provide a consistent and repeatable measure of the maturity of the controls that have been implemented. The assessment can focus on a specific area of an organisation, such as vulnerability or patch management, access control, or logging and security event reporting, or it can span the entire organisation. For these engagements we work within your control framework and your Risk Management and Risk Treatment methodologies.

  • Outcome

    The outcome of this service is to identify and report on the effectiveness of information security controls. It will facilitate improvements in the way you use your controls and in your ability to report on their effectiveness against defined outcomes.

    We work closely with your business owners and security teams (where present) to ensure full agreement on the selection of relevant controls and that any exclusions are fully justified. We provide the expertise and outside perspective that internal teams can often overlook.

  • Service Features

    The effectiveness of the control framework and its application will be analysed using evidence-based assessment:

    • Is the Statement of Applicability comprehensive, are there any gaps, and have exclusions been sufficiently justified?
    • Which controls have been applied?
    • Have success criteria been clearly defined?
    • What metric and measurement framework has been implemented to report on control efficacy against the defined success criteria?
    • Have the specific risk exposures been reduced or mitigated in line with the Risk Management and Risk Treatment Plan frameworks?
    • What artefacts are available to demonstrate effective implementation?
    • Have the defined outcomes been achieved, and how is this reported and signed off?