Information Security review process
We regularly review the information security of organisations. The goal is to give independent confirmation of whether the organisation is doing the right things and to help the organisation improve. Below are the six main steps of such a security review.
When to conduct a review
We can conduct a review of any organisation that has a security team and has started creating an information security policy. Our review is well suited to organisations that are implementing an information security management system based on the ISO 27001 standard, but it can also be used by organisations that follow a more lightweight standard such as Security Verified. The review is most often requested by the management of the organisation. It can also be requested by a stakeholder such as a customer or potential investor. In each case we try to understand what the goals of the information security team are and which standard they are using, so that we use the right standard as the basis for the review.
The review can be conducted when the information security team already has a few years of experience, as a longer-term check-up. It can also be conducted after a few months, when the information security team believes the basics are in place. It is not very useful to conduct a review when the team has only just started: in those cases an informal training session or workshop is more useful.
Security review process
- Intake: A meeting between the management or information security team of the organisation and a senior reviewer to determine the goals, scope, approach and timeline for the review.
- Preparation: The information security team collects the information security policy documents and process descriptions and sends them securely to the review team. The review team analyses the documents and prepares questions.
- Site visit: The review team (consisting of two information security experts) visits the organisation on site, interviews the information security team, inspects additional documents and evidence, and asks control questions of management or staff during an office inspection.
- Issue resolution: The review team shares the initial findings and suggested improvements with the information security team. The information security team has to handle each finding within two weeks and report back how each issue has been handled. Ways of handling an issue are to take immediate action, plan an action, modify a policy, or add the issue to a backlog so that it is resolved within a reasonable time via an already existing improvement process.
- Report creation: The review team prepares the final review report. Each expert in the review fills in the checklist of criteria objectively, based on their own observations. If all criteria are met, they can conclude that the organisation qualifies for a certificate.
- Final results and possibly certification: The organisation receives the final review report. If the organisation qualifies according to the review report, a 'Security Verified' certificate can also be issued.
The total duration of the review is typically 2-3 weeks, depending on the availability of the people in the information security team and on the speed of step 4 (issue resolution).