Documented controls such as policies and procedures can be both time-consuming and costly to implement. Our data security consultants have many years' experience auditing and implementing policies and procedures.
Data Compliance Limited ease the pain of documenting controls by delivering a customised security and data protection compliance manual based on your specific business requirements.
There is little value in policies or documented procedures that are not up to date. We can review your existing documentation or provide you with the basics to begin with.
STARTING POINT FOR INFORMATION SECURITY
If you are a small business with limited resources, it may be difficult to know where to start with information security. How do you prioritise your needs with your limited resources?
Following security guidelines like ISO 27001 can be a good start.
Controls considered to be essential to an organisation from a legislative point of view include, depending on applicable legislation:
a) data protection and privacy of personal information (see 15.1.4);
b) protection of organisational records (see 15.1.3);
c) intellectual property rights (see 15.1.2).
Controls considered to be
for information security include:
a) information security policy document (see 5.1.1);
b) allocation of information security responsibilities (see 6.1.3);
c) information security awareness, education, and training (see 8.2.2);
d) correct processing in applications (see 12.2);
e) technical vulnerability management (see 12.6);
f) business continuity management (see 14);
g) management of information security incidents and improvements (see 13.2).
These controls apply to most organisations and in most environments.
It should be noted that although all controls in this standard are important and should be considered, the relevance of any control should be determined in the light of the specific risks an organisation is facing. Hence, although the above approach is considered a good starting point, it does not replace selection of controls based on a risk assessment.