If you’re considering buying information security consulting services for your organisation, you need to know what to look for in a security consultant.
At some point, many managers or directors will have to consider buying this type of service on behalf of their company. There are a large number of firms and individuals to choose from, and it can be confusing to assess their relative merits, particularly if you’ve had little experience with information security. But there are several general pointers that may help.
Firstly, you should find out whether the services are backed by membership of relevant professional bodies and by appropriate certifications. For instance, in the UK an information security consultant might be a member of CLAS (CESG Listed Advisor Scheme), which is run by a government body, CESG (Communications-Electronics Security Group), the UK Government’s technical authority on information security.
CLAS membership ensures that the security consulting services provided are approved for data that is protectively marked up to and including the level of SECRET. CLAS membership also indicates a degree of expertise that non-Government organisations can draw upon, even when their data is not protectively marked. In the latter case, however, CLAS membership should not be specified in any tender documents, as doing so would leave the tender open to challenge by non-CLAS security consultants.
Other memberships and certifications to check for are the following:
For penetration testers: either CREST (Council of Registered Ethical Security Testers) or the Tiger Scheme. Alternatively, a British company offering information security consulting services to government departments might be a member of CHECK (a UK Government scheme for IT “Health Checks”).
For security consulting services that focus on audit and compliance: CISA (Certified Information Systems Auditor), plus membership of ISACA (Information Security Audit and Compliance Association). Alternatively, chartered membership of an organisation such as the BCS (formerly known as the British Computer Society) can also indicate appropriate experience.
An information security consultant may have obtained the CISM (Certified Information Security Manager) qualification from ISACA, or possibly the newer CGEIT certification (Certified in the Governance of Enterprise IT) from the same body. Another ISACA qualification is CRISC (Certified in Risk and Information Systems Control). All of these certificates relate to different emphases within information security consulting services.
The CISSP (Certified Information Systems Security Professional) qualification is widely regarded as a “gold standard” for senior professionals in the field, and is awarded by (ISC)2, the International Information Systems Security Certification Consortium. It indicates not only competence but also several years of experience in information security.
However, memberships and certifications are by no means the whole story. If you’re considering buying information security consulting services, you will also need to consider track record and testimonials from past clients. Furthermore, the security consultant’s website may be useful, though naturally any failings won’t be made obvious there.
To find out more about a consultancy’s financial standing, it can help to check with the company information service Dun and Bradstreet, or with Companies House (in the UK). But after carrying out all of these checks, there is no substitute for a face-to-face meeting and your own informed business instincts. In the end, only you can decide whether you’d be happy to work with the people who are offering you their security advice and services.