Governance, risk management and compliance (GRC) activities are the set of policies, guidelines, and procedures that form the basis for a strong information and cybersecurity practice. They are designed according to international information security standards and local laws; their absence results in administrative and technical problems.
One such internationally accepted standard that guides organizations to successfully implement GRC activities is the ISO 27000-series standards.
ISO 27001 provides a process framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with security policies, directives, and standards. ISO 27001 requires a company to establish, implement and maintain a continuous improvement approach to managing its information security management system (ISMS).
ISO 27032 addresses “cybersecurity” or “the cyberspace security”, defined as the “preservation of confidentiality, integrity and availability of information in the cyberspace”.
ISO 27035 provides procedures on cyber incident response. To manage these incidents effectively, organizations need to implement effective controls (detective and corrective controls) designed to recognize and respond to events and incidents, minimise adverse impacts, gather forensic evidence (where applicable) and in due course ‘learn the lessons’ in terms of prompting improvements to the ISMS, typically by improving the preventive controls or other risk treatments.
CyberHawk offers consultancy services to define and implement GRC frameworks, the ISO 27000 family of standards (27001, 27032, 27035), NIST, and others.