If you are considering buying information security consulting services for your company, you need to know what to look for in a security consultant.
At some point, many managers and directors will have to consider buying such a service for their company. There are a great many firms and individuals to choose from, and it can be hard to assess their relative merits, particularly if you have had little experience with information security. But there are some general pointers that can help.
Firstly, you need to find out whether the services are backed by membership of relevant professional bodies and by appropriate certifications. For example, in the UK, an information security consultant might be a member of CLAS (CESG Listed Advisor Scheme), which is run by a government body, CESG (Communications-Electronics Security Group), the UK Government’s technical authority on information security.
CLAS membership indicates that the security consulting services provided are approved for data that is protectively marked up to and including the level of SECRET. CLAS membership also indicates a level of expertise that non-Government organisations can draw upon, even if their data is not protectively marked. In the latter case, however, CLAS membership should not be specified in any tender documents, as doing so might leave the tender open to challenge by non-CLAS security consultants.
Other memberships and certifications to look for are the following:
For penetration testers: either CREST (Council of Registered Ethical Security Testers) or the Tiger Scheme. Alternatively, a British company offering information security consulting services to government departments might be a member of CHECK (a UK Government scheme for IT “Health Checks”).
For security consulting services that focus on audit and compliance: CISA (Certified Information Systems Auditor), together with membership of ISACA (Information Systems Audit and Control Association). Alternatively, chartered membership of an organisation such as the BCS (formerly known as the British Computer Society) can also indicate appropriate experience.
An information security consultant may have obtained the CISM (Certified Information Security Manager) qualification from ISACA, or perhaps the newer CGEIT certification (Certified in the Governance of Enterprise IT) from the same body. Another ISACA qualification is CRISC (Certified in Risk and Information Systems Control). Each of these certificates relates to a different emphasis within information security consulting services.
The CISSP (Certified Information Systems Security Professional) qualification is widely regarded as a “gold standard” for senior professionals in the field, and is awarded by (ISC)2, the International Information Systems Security Certification Consortium. It indicates not just competence but also several years of experience in information security.
However, memberships and certifications are not the whole story. If you are considering buying information security consulting services, you will also need to consider track record and testimonials from past clients. The security consultant’s website may also be useful, though of course any failings will not be made obvious there.
To learn more about a consultancy’s financial standing, it may help to check with the business information service Dun & Bradstreet, or with Companies House (in the UK). But after carrying out all of these checks, there is no substitute for a face-to-face meeting and your own educated business instincts. Ultimately, only you can decide whether you would be happy to work with the people who are offering you their security advice and services.