If you’re considering buying information security consulting services for your business, you need to know what to look for in a security consultant.
Sooner or later, many managers and directors will have to consider buying such services for their company. There are always a large number of firms and individuals to choose from, and it can be hard to assess their relative merits, especially if you have had little experience with information security. But a few general pointers can help.
Firstly, find out whether the services are backed by membership of relevant professional bodies and by appropriate certifications. For example, in the UK an information security consultant might be a member of CLAS (the CESG Listed Advisor Scheme), which is run by a government body, CESG (the Communications-Electronics Security Group), the UK Government’s technical authority on information security.
CLAS membership implies that the security consulting services provided are approved for data that is protectively marked up to and including SECRET. It also indicates a level of expertise that non-government organisations can draw on, even though their data is not protectively marked. In the latter case, however, CLAS membership should not be specified as a requirement in any tender documents, as doing so could leave the tender open to challenge by non-CLAS security consultants.
Other memberships and certifications to check for are the following:
For penetration testers: either CREST (the Council of Registered Ethical Security Testers) or the Tiger Scheme. Alternatively, a British company offering information security consulting services to government departments might be a member of CHECK (a UK Government scheme for IT “Health Checks”).
For security consulting services that focus on audit and compliance: CISA (Certified Information Systems Auditor), together with membership of ISACA (the Information Systems Audit and Control Association). Alternatively, chartered membership of an organisation such as the BCS (formerly the British Computer Society) may also indicate appropriate experience.
An information security consultant might also hold the CISM (Certified Information Security Manager) qualification from ISACA, or the newer CGEIT certification (Certified in the Governance of Enterprise IT) from the same body. Another ISACA qualification is CRISC (Certified in Risk and Information Systems Control). Each of these certificates corresponds to a different emphasis within information security consulting services.
The CISSP (Certified Information Systems Security Professional) qualification is widely regarded as a “gold standard” for senior professionals in the field, and is awarded by (ISC)², the International Information Systems Security Certification Consortium. It indicates not only competence but also several years of experience in information security.
However, memberships and certifications are by no means the whole story. If you are considering buying information security consulting services, you will also need to look at the consultant’s track record and at testimonials from past clients. The security consultant’s website may also be useful, though obviously any failings will not be made obvious there.
To find out about a consultancy’s financial standing, it can help to check with the company information service Dun & Bradstreet, or with Companies House (in the UK). But after carrying out all these checks, there is no substitute for a face-to-face meeting and your own educated business instincts. In the end, only you can decide whether you would be happy to work with the people who are offering you their security advice and services.