Information Security Reviews
We conduct information security reviews to help organisations understand the effectiveness of their security controls. We conduct reviews against a range of industry standards, including ISO 27001 and 27002, NIST CSF, APRA CPS 230 and 234, PCI DSS and the Australian Government’s ISM.
ISO 27002
The ISO 27002 International Standard provides additional guidance about the security controls in Annex A of ISO 27001. It describes a list of best practice information security controls (e.g. antivirus, firewalls, passwords, backups, etc.) that are applicable to most organisations. The standard is commonly used as a review checklist to determine whether an organisation has overlooked any information security controls.
Some organisations request ISO 27002 compliance reports from their business partners. These reports help them determine whether their business partners have implemented appropriate information security controls, and whether those partners should be allowed access to information and IT systems. Questions related to the ISO 27002 controls also appear in tender requests.
NIST CSF
The National Institute of Standards and Technology (NIST) is a US Government agency. It publishes a range of standards and frameworks, many of which relate to cybersecurity. The NIST Cybersecurity Framework (CSF) provides guidance for organisations to manage and reduce cybersecurity risk. It is widely used both inside and outside of the US.
APRA CPS 234 and 230
The Australian Prudential Regulation Authority (APRA) is a statutory authority of the Australian Government and the prudential regulator of the Australian financial services industry. It produces a range of prudential standards, such as CPS 230 – Operational Risk Management (including business continuity management and service provider risk management) and CPS 234 – Information Security.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is developed by a consortium of payment card companies including Visa, MasterCard and American Express. It defines minimum requirements for information security that must be adopted by organisations storing, processing or transmitting payment card numbers.
ISM
The Australian Government’s Information Security Manual (ISM) details security controls that government agencies can use to protect their information and systems. It is developed by the Australian Signals Directorate. Compliance with the controls in the ISM is often mandated for companies providing services to government agencies. We conduct IRAP assessments against the controls in the ISM.