The need for an independent cyber audit and review

The National Cyber Security Centre (NCSC) Certified Cyber Security Consultancy gives customers independent, expert cyber security advice from a pool of certified professional service providers. Certified consultancies have proved that the services they deliver meet the NCSC’s standard for high quality, tailored cyber security advice.

The increased risk of a cyber attack

The National Cyber Strategy 2016–2021 highlights that the public sector is at increasingly high risk of cyber attacks. The WannaCry ransomware attack in early 2017, which spread through the EternalBlue exploit, caused chaos for the NHS and many local councils’ IT services. Although Microsoft had released patches that closed the vulnerability the exploit relied on, many public-sector organisations hadn’t applied them, demonstrating their inability to adapt to new and emerging threats.

The need to defend against and block attacks has been amplified by the introduction of the EU Directive on security of network and information systems (NIS Directive) and the EU General Data Protection Regulation (GDPR), which focus on CNI and the processing of EU residents’ data respectively. With fines of up to 4% of global turnover or €20 million – whichever is greater – it is essential that public-sector organisations take proactive measures to defend themselves from cyber attacks.

How to protect your organisation

To protect your organisation, you must plan and enact a cyber strategy. At a minimum, you should enforce strict cyber security practices documented within policies and defined in clear working procedures that are built upon best practice. These must be distributed among all employees and, where relevant, third parties. You should document critical assets and introduce controls proportionate to the risk posed to those assets. Such an approach is followed when implementing standards such as ISO 27001.

To build upon these minimum recommendations, public-sector organisations should align themselves with recognised cyber security standards, schemes and guidance such as Cyber Essentials, 10 Steps to Cyber Security, ISO 27001, NIST or SOC 2. These follow a procedural approach to cyber security, with controls introduced to mitigate identified risks and enable the organisation to respond to cyber security incidents. External validation through certification audits provides third-party approval of your controls.

Once your chosen standard or framework has been implemented and policies and procedures have been written and rolled out, the next step is to carry out an independent audit, which will verify and assure you that everything is working as it should.

How we can help

IT Governance has been certified by the NCSC to deliver its Cyber Security Audit and Review consultancy service to government, wider public sector and critical national infrastructure (CNI) organisations, and to private organisations that have partnerships and ongoing contractual obligations with the public sector.

The consultancy service offers a comprehensive and detailed audit and review of an organisation’s cyber security posture in relation to its compliance with UK government, NCSC and wider public-sector standards, policies and frameworks.

Our Cyber Security Audit and Review service focuses on:

  • Verifying that information processes meet the security criteria, requirements or policy, standards and procedures;
  • Defining and implementing processes and techniques to ensure ongoing conformance to security policies, standards, and legal and regulatory requirements;
  • Carrying out security compliance audits in accordance with an appropriate methodology, standard or framework;
  • Providing impartial assessment and audit reports covering security compliance audits, investigations and information risk management;
  • Providing an independent opinion on whether your organisation is meeting information assurance control objectives;
  • Developing audit plans and audit regimes that match your organisation’s business needs and risk appetite;
  • Identifying your organisation’s systemic trends and weaknesses in security;
  • Recommending responses to audit findings and appropriate corrective actions;
  • Recommending appropriate security controls;
  • Assessing the management of information risk across the organisation or business unit;
  • Recommending efficiencies and cost-effective options to address non-compliance issues and information assurance gaps identified during the audit process; and
  • Objectively assessing the maturity of an existing information auditing function using cross-government benchmark standards.

We also offer consultancy services in other cyber security areas. These include carrying out an independent assessment of your current risks and threats, recommendation of controls to mitigate these identified risks, and conducting PSN readiness assessments, Cloud security compliance assessments and technical assurance audits.

IT Governance is one of only a handful of organisations certified by the NCSC to provide an Audit and Review service to public-sector organisations. Our extensive experience helping organisations achieve compliance with best-practice cyber frameworks and standards is backed by deep technical cyber security expertise. Our implementation approach is pragmatic, proven and straightforward and has been honed over 15+ years. We have helped more than 600 companies implement and certify to ISO 27001. We can help organisations of all sizes, in any sector, in any location.

To find out more about how we can help you get cyber secure, speak to an expert today.