Apastron Lab will carry out the project based on the following main stages:

• Project Planning & Preparation – Aimed at obtaining a fuller understanding, through discussion with the relevant business and technical staff in an open forum. This could include, among others, defining key personnel, deliverable requirements, interview questionnaire formulation, key technologies involved and timeframes.
• Information Gathering – Aimed at gaining an in-depth understanding of the organization’s current information security environment, infrastructure and processes.
• Information Analysis – The information analysis is aimed at evaluating. The gap between the organization’s current information security status and the ISO 27001 requirements.
• Deliverables Development – Involves developing the ISO 27001 gap analysis report. The report will clarify the organization’s current state of security, and set a recommended action plan to help it reach its goals.

The gap analysis findings will define the required activities for closing the gap and complying with the required security standards. The report will cite effective recommendations for addressing these weaknesses and enhancing organization’s information security.

• Defining the scope of the ISMS (information security management system).
• Building an asset mapping registry which includes inventory, ownership, acceptable use and returning of assets.
• Performing a risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability (CIA) of information within the scope
• Formulate an information security risk treatment mitigation plan based on the risk assessment.
• Execute a risk mitigation program to determine the controls that are necessary to mitigate the relevant information security risk.
• Formulate a set of required policies and procedures to support the ISMS.
• Produce an SOA (Statement of Applicability), a registry of all controls stating the level of compliance to each control in the ISO27001 standard and in any other set of controls.
• Assistance in final audit and certification.

• Our CISO as a Service offering provides you with the right person for your needs. The function can be built to match the organization’s requirements in terms of time dedicated (ranging from 2 days a month to 5 days a week) and activities required.
• In addition to a dedicated resource, we provide the flexibility to access the full Apastron Lab resource pool enabling delivery of a diverse range of services and knowledge, which typically cannot be provided by an individual CISO.
• Depending on the nature of your organization and its needs, we can provide a CISO with technical hands-on experience, specialization in legal requirements, regulation (such as GDPR, Domestic Privacy Protection Regulations, SOX, etc.), and security standards (such as ISO 2700x, NIST, COBIT, etc.), or specialization in secure software development life cycle (SSDLC).
• The CISO activities may include:
1. Information Security Leadership and Guidance
2. Steering Committee Leadership or Participation
3. Security Compliance Management
4. Security Policy, Process, and Procedure Development
5. Security Training and Awareness
6. Incidents – Identify, Report and Control
7. Managing the Information Security Budget
8. Security Testing
9. Identification and Access Management
10. Monitoring Threats and Taking Preventive Measures
11. Establishing a Disaster Recovery Plan and a Business Continuity Plan
12. Conducting Third-Party Vendor Security Assessments
13. Risk Management

• We will work closely with you to simplify the Security Product Market noise, and help you identify organizational efficiencies & gaps, across your existing security technologies.
• Our Technology Stack Audit & Optimization Workshop has been designed as a consultative experience. This is not an assessment service, but a hands-on, discovery exercise that:
1. Prioritizes cyber hygiene
2. Optimizes existing technology investment
3. Identifies security/product specific gaps