Cyber Security Audit & Assurance
Nexor’s cyber security audit and assurance service is designed to assess whether your security processes and technologies are working as intended and providing the protection the business requires.
Nexor specialises in working with organisations that require information to be exchanged between networks in a high assurance environment. Our CyberShield Secure methodology – of which security auditing is one part – is intended to ensure that your organisation’s security requirements effectively protect you from threats without compromising your operational processes.
Your Security Management System
Implementing effective cyber security involves a lot more than just applying the latest technology. You need to enact appropriate supporting policies/processes and ensure your staff are effectively trained to follow them. These factors taken together are what is referred to as a Security Management System.
What does a security assessment involve?
A security assessment is a structured approach to evaluating the security measures that an organisation has in place, using a set of defined criteria. Typically, the criteria will be a security framework such as ISO 27001, the NIST Cybersecurity Framework or Cyber Essentials, or a technology-specific standard such as ETSI EN 319 411 (the policy requirements for trust service providers issuing certificates under eIDAS).
During the assessment, the auditor will look to identify the policies and/or processes that have been defined and determine whether they meet the business needs.
In a formal audit, they then seek evidence that the policy/process is actually being followed. When looking for evidence, the auditor will typically use a sampling approach: rather than examining every record to confirm compliance, they will look at a randomly chosen sample. A clean audit therefore shows that the sampled evidence was compliant, not that every record is.
How can Nexor help with security assessments?
If you are interested in a security audit for your business but are unsure of the best way of going about it, we provide the following services:
- A gap assessment, which is a one-off exercise to assess an organisation against a benchmark or specified standard and then provide advice and guidance on the changes that your business needs to make. We can perform an assessment against the following standards: ISO 27001, Cyber Essentials, 10 Steps to Cyber Security, the NIST Cybersecurity Framework and the NCSC Cyber Assessment Framework.
- A pre-audit health check prior to a formal audit to verify that your security processes and procedures are up to the required standard. This will highlight any potential issues before the formal audit and improve your chances of achieving the certification you want. We can perform pre-audits against ISO 27001 and Cyber Essentials.
- 2nd party audits of your supply chain.
- Arranging a formal 3rd party audit via our business partners.
Types of security audits
Security audits may be carried out through 1st, 2nd or 3rd parties.
A first party audit, often referred to as an internal audit, is where a member of your own staff, usually a CISO or equivalent, looks at the controls you have in place and provides recommendations. These audits should be as comprehensive as possible, as first party audits are a great tool for finding areas in which your business can improve.
A second party audit is where your company audits a key supplier (or a key customer/partner audits you). These typically occur when you are looking to enter into business with someone and information security is a priority. One of the parties involved may audit the other to ensure that their Security Management System is operating at the desired standards.
A third party audit is where a fully independent organisation audits you against a set of criteria, such as ISO 27001. These audits are typically undertaken to achieve certification against the desired standard and have the benefit of being free from the conflicts of interest that may arise in the other two types of audit.
Third-party certification bodies are themselves accredited (for ISO 27001 this is against ISO/IEC 17021-1), and their auditors are expected to follow ISO 19011, the international guidelines for auditing management systems.
For more information on security audits, you can contact our team on 0115 952 0500 or you can email us at: firstname.lastname@example.org.