_edited.png)
POLICIES AND PROCEDURES
01. Strategic framing
This work consists of carrying out an audit to evaluate the organisation's security posture (i.e. an evaluation of the company's assets and weaknesses in relation to the market's expectations of the company, its size, its field of activity, etc.). This audit allows the identification of security projects and their associated priorities and therefore the design of a security strategy for the organisation.​
​
Workload: from 8 days to +20 days (highly variable depending on the organisation).
02. ISSP writing
An Information Systems Security Policy defines the strategic vision of the organisation in terms of information systems security, and frames its implementation. An ISSP is a living document, essential for effective cybersecurity governance.
The objective of an ISSP is to provide the operating framework to ensure the appropriate level of security for the organisation.
​
This service includes:
-
Definition of your assets, your challenges, your needs and objectives (audit);
-
Elaboration and drafting of your ISSP;
-
Evaluation and monitoring of its relevance (coaching);
-
Evolutions/updates (coaching);
-
Drafting of business continuity and disaster recovery plans.
As part of the implementation of an ISSP, an audit should be carried out upstream in order to define the assets, the challenges and the needs of the organisation. Afterwards, coaching and implementation support services are included to assist you in the implementation of these new security practices and procedures.
​​
Workload: from 15 days to 25 days depending on the organisation.
The drafting of an ISSP also includes the drafting of a Business Recovery Plan (BRP), a Business Continuity Plan (BCP) and an Incident Response Plan (IRP), detailed below.
However, these requirements can be formulated separately, and it is quite possible to call upon CyberSecura for the drafting of a BRP, BCP or IRP, without drafting the entire ISSP.
03. Business continuity plan
The success of an organisation depends on the preservation of critical operations and essential functions used to deliver key products and services.
The objective of a BCP is to ensure that the organisation establishes objectives, plans and procedures to reduce and minimise a major disruption to the company's core business. The plan thus organises the continuation of a company's activities in the event of a disruption. It enables companies to avoid being completely paralysed following an incident or natural disaster.
The aim of BCP is to enable a company to continue its activities following the occurrence of an incident, not just a cyber incident. The BCP includes a BRP (detailed below).
Thus, this document includes:
-
A BIA (Business Impact Analysis);
-
The structure and authority for ensuring the resilience of key business processes and systems;
-
Requirements for initiatives to manage a disaster or other disruptive event;
-
Criteria for efficient and effective resumption of normal operations after a disruption;
-
Writing a disaster recovery plan.
​
Workload: from 7 to 10 days
04. Business recovery plan
A Business Recovery Plan is the set of procedures and material, technical and human resources that will enable a company to restore and resume its activity after an incident or natural disaster. It proposes a plan of actions that will facilitate the resumption of activity under normal conditions. The BRP is important for all companies, regardless of size or sector of activity.
The BRP includes:
-
An inventory of the company's challenges and needs;
-
A detailed listing of the company's key activities;
-
Identification of potential security incidents;
-
Prior actions to be taken to limit the impact of these incidents on key activities;
-
A list of key resources (human, technical, technological) that are essential to the performance of the company's key activities;
-
The steps to be taken to restart the activity.
​
Workload: from 5 to 7 days
05. Incident response plan
The incident response plan sets out in detail how the organisation will respond to and manage an information security incident. It is intended to be used at the time an incident occurs. The incident response plan enables organisations to ensure that in the event of a security breach, staff are aware of and follow the appropriate procedures in place to respond to the threat. In addition, it ensures that the organisation is able to respond effectively and appropriately to the threat within a timeframe acceptable to the business.
This document includes.
-
Stakeholders and responsible parties for the implementation and operation of the incident response plan, and their roles and responsibilities;
-
Internal and external communication procedures;
-
Procedures for activating the incident response and mitigation plan.
​
​
Workload: from 5 to 7 days
N.B.: the hourly volumes are indicative only, and may vary according to the size of the organisation, the objectives, and various other factors.