ISMS (ISO 27001), S-SDLC, DevSecOps, built-in security & privacy (GDPR), GRC

Our main consulting service encompasses all aspects of cyber security and security governance. These services help you gain control over your information security requirements and risk.

Information Security Management Systems (ISMS)

An Information Security Management System (ISMS) based on ISO/IEC 27001 is one of the main deliveries of a Chief Information Security Officer (CISO) or a Security Governance function. It is typically a document structure that communicates a company’s security requirements to itself as an organization and to its partners and customers, or that ensures the products it makes follow the necessary security and privacy requirements.

Requirements are often selected based on the company’s risk appetite, the company’s strategy, tone-at-the-top, its regulatory requirements, its contractual obligations, customer expectations and the standards expected in the market. Therefore, cyber security governance, risk and compliance (GRC) is key. A well-built ISMS can both comply with requirements and simplify those requirements for the employees who rely on it. An integral part of an ISMS is therefore the employee security training program.

Our philosophy is that the security function does the “heavy lifting”, so the ISMS is as stress-free as possible for the organization.

Our goal is to make an ISMS that is both compliant, but also helps the company be future-ready and supports the company’s strategy without being overwhelming.

How? We do this by getting to know your company’s strategy, its risk appetite, regulatory requirements and company culture to make a good fit for your needs and budget. Based on this and our own experience building such programs in practice, we help you build a program that works for you.

Example key deliveries:

  • ISMS
  • Security Governance
  • Risk assessments
  • Threat updates
  • Security training

Secure Software Development LifeCycle (S-SDLC) and DevSecOps

Companies producing products and services based on development and source code need to have built-in security & privacy. This is essential both from a regulatory point of view and to keep their customers’ trust. The main drivers here are the requirements set by national privacy laws, together with GDPR requirements. The challenge for companies, developers, team leaders and Chief Technology Officers (CTOs) is creating a living process that follows best practices. All the while, you need to ensure that your software and services are ready to detect and handle cyber-attacks and to handle information security incidents.

Our philosophy is that we adapt the process to your existing development process, regardless of whether you choose DevSecOps, S-SDLC or have your own process. We enable each development team to implement small but important key activities based on risk assessments, so that a continual improvement loop is up and running for the teams.

Our goal is to make a process that is both compliant and helps the company be future-ready and supports the company’s strategy without being overwhelming. We do this by getting to know your company’s strategy, its risk appetite, regulatory requirements and company culture to make a good fit for your needs and budget.

How? We do this by following best-practice material such as the Norwegian Data Protection Authority’s guide Software Development with Data Protection by Design and by Default, Microsoft’s SDL, and our own experience building such programs in practice.

Example key deliveries:

  • DevSecOps
  • S-SDLC
  • Built-in security and privacy
  • Security incident management
  • Security incident response

Contact CISO Services