  WILDS INFORMATION SECURITY

COMPLIANCE PROGRAM

Gap Analysis and Hand-Holding Through to Certification

1) Information Security Management System: ISO 27001:2013
We help define the scope, create policies and procedures, perform the gap analysis, identify and classify assets, conduct the risk assessment, prepare the Statement of Applicability, run the ISMS internal audit, track corrective and preventive actions, and support the annual surveillance audit, the external audit, and certification.


2) Payment Card Industry: PCI DSS
We help define the scope, conduct the gap analysis, and uplift from v3.2.1 to the latest version. We also conduct quarterly ASV scans, monthly infrastructure scans, and other assessments.


3) Service Organization Controls: SOC 2
Type 1: a point-in-time opinion on the design of controls and procedures.
Type 2: an opinion, covering a period of time, on the design and operating effectiveness of controls. See our articles on Medium for details.

4) Service Organization Controls: SOC 3
SOC 3 is a lighter-weight report than SOC 2, well suited to marketing purposes. It is only available as a Type 2 report.

5) FedRAMP Moderate Authorization / Continuous Monitoring
We help with the authorization journey from the Preparation stage (gap analysis, readiness assessment report, remediation, working with the PMO, obtaining FedRAMP Ready designation), through the Authorization stage (SSP, attachments, SAP, SAR, POA&M, Inventory Workbook, CIS Workbook), to the Post-Authorization stage (continuous monitoring, incident reporting, vulnerability scanning, Max.gov updates, annual assessment, and more).


6) ISO 27017:2015 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services)
We help define the scope, perform the gap analysis, identify and classify cloud resources, conduct the risk assessment, and support the internal audit, the external audit, and certification.


7) ISO 27018:2019 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
We help define the scope, perform the gap analysis, identify and classify cloud resources, conduct the risk assessment, and support the internal audit, the external audit, and certification.

Information Security Certifications Uplift
We help organizations perform a gap analysis to uplift their compliance posture from an older version of a standard to the current one.
1) ISO 27001:2013 ---TO--- ISO 27001:2022
2) PCI DSS v3.2.1 ---TO--- PCI DSS v4.0
3) FedRAMP Authorization NIST 800-53 Rev4 ---TO--- NIST 800-53 Rev5

Process Improvement
We can help organizations design and establish simple, operational, efficient, and effective processes in several areas, including:
1. Third Party Security Risk Management Program (vendor onboarding, off-boarding, annual assessment of high-risk vendors, information security agreements, and service monitoring)
2. Security Awareness and Training (PowerPoint slides, videos, and third-party content for new hires, annual refresher training, and role-based training)
3. Information Security Policies and Procedures (policy documents organized by domain, procedures with step-by-step instructions, standards, data flow diagrams, whitepapers, and blogs)

Governance Risk Compliance (GRC) Strategy and Tools

Governance: We can help the organization establish its policies, standards, and frameworks.
Risk: We help organizations perform annual and ad hoc qualitative risk assessments and risk treatment. The risk management program provides metrics, KPIs, KRIs, and other dashboards so the board can understand the organization's risk tolerance.
Compliance: We help organizations map different frameworks, conduct gap analyses, perform internal assessments, support external audits, and obtain certifications.

Risk Assessment and Risk Treatment
Third Party Security Risk Management
FedRAMP Authorization
Information Security Management System
ITGC SOX 404 Internal Controls
Change Management
Threat Vulnerability Management
Asset Management
Human Resource Security
Incident Response Plan Testing
ISMS Scope
ISO Statement of Applicability
PCI Responsibility Matrix
GRC Implementation
Policies and Procedures
CIS Controls Top 18
Cloud Security
Access Review
Business Continuity Summary
Disaster Recovery Summary
Security Whitepaper
Atlassian JIRA and Confluence

© COPYRIGHT 2023. ALL RIGHTS RESERVED.