About

I'm Tim Blizard and I work with organisations who want to improve their information and cyber security posture. I believe I am a consultant who can guide your organisation through the challenges involved.
I have worked in the Information Technology industry for more than four decades. During this time, I have held ‘deep tech’, consulting and senior leadership roles in diverse industries including banking, utilities, manufacturing and the not-for-profit sector.
For 18 years I operated my own consulting firm delivering services to a diverse client base. Services included:
- Providing solutions architecture, technical advice and guidance to large multi-national enterprises
- Developing bespoke software (incl. architecture and design) for small, medium and large organisations
- Acting as a Managed Service Provider (MSP) for smaller companies seeking to outsource their IT operations and service desk functions.
Ten years ago, I joined a not-for-profit organisation operating in the employment and education sectors. During this time, I helped guide the company as an Enterprise and Solutions Architect and led efforts to achieve certifications for ISO 9001, ISO 27001 and accreditation against the Australian Government’s Right Fit For Risk (RFFR) program.
With the extensive knowledge and experience gained over a long career, and in helping to deliver critical projects, I believe I am a consultant who can guide your organisation through the challenges involved in achieving these certifications and accreditations, and to help realise the business success which comes from compliance with international and Australian security standards.
Empower your business with invaluable insights, data-driven solutions and personalized guidance
"Achieving objectives together"

Services
GRC Management Consulting provides a broad spectrum of services which can be loosely grouped as follows. There are considerable overlaps between these services and between the benefits GRC Management Consulting can help you achieve:
- Governance and Risk: This includes guiding clients through the establishment of a robust governance framework and the development of a sound approach to risk identification, assessment and management. GRC Management Consulting offers executive support to assist in business planning and in meeting legislative, regulatory and standards compliance obligations.
- Certification: Regardless of the certification being sought, risk management is a core element. Success invariably involves the development of a ‘management system’, which includes compliant policies, processes and procedures as well as supporting documentation. Once the document set is developed, ‘concrete’ components (such as registers) must be developed to support the operation, performance monitoring and continuous improvement of the management system. GRC Management Consulting leads clients through the whole journey toward certification, from the development of bespoke, organisationally appropriate and standards-compliant documentation through to, and beyond, the certification audit cycle.
- Management System Operation: Once certification is achieved, organisations must use and maintain the management system. This also involves monitoring the performance of the system and seeking out opportunities for improvement. This can be time consuming, and many organisations employ dedicated resources for this purpose. GRC Management Consulting can assist in this capacity, reducing the need for in-house resources and allowing the client to focus on its core business.
Note: The term ‘certification’ includes accreditation against non-certified standards (such as Right Fit For Risk).
Approach
GRC Management Consulting provides the services necessary to maintain an Information Security Management System (ISMS), including compliance with, and certification against, the ISO 27001, Essential Eight and Right Fit For Risk standards.
Essential Eight and Right Fit For Risk, in particular, are continuously evolving and present challenges in maintaining compliance. Support options are included to address both the day-to-day requirements for operating the ISMS and the needs of management and executive teams in meeting their oversight and compliance responsibilities.
Beyond any legislative or contractual requirement to have an ISMS for compliance, embracing the ISMS will improve information and cyber security posture, helping to protect against a wide array of threats (esp. data breaches).
Standards
There is a complex information security standards landscape in Australia. Aside from the well-recognised international standard, ISO 27001, there are several other uniquely Australian information security programs.
ISO/IEC 27001
An internationally recognised standard, ISO/IEC 27001 is published by the International Organization for Standardization (ISO) in conjunction with the International Electrotechnical Commission (IEC). This standard has a broad focus on the security of information, as opposed to cyber security specifically. The standard takes a risk-based approach and undergoes periodic updates. The current version was released in 2022 with the previous release being in 2013.
In Australia and New Zealand, the standard is also ratified separately, and a national variant is published. While in theory this could introduce regional differences, in practice this does not happen. The latest version of this standard is AS/NZS 27001:2023, which is consistent with ISO/IEC 27001:2022. To maximise international recognition, most organisations certify against the ISO/IEC 27001 standard rather than the Australian and New Zealand variant.
To be certified against the ISO 27001 standard, an organisation must implement a compliant Information Security Management System (ISMS). This is then audited by an independent, qualified and accredited Certification Body in a two-stage process. The Stage 1 audit focuses on documentation and capability, including organisational and topic-specific policies and procedures, while Stage 2 reviews the implementation and use of the ISMS. To maintain certification, further audits must be conducted annually. To be compliant, the ISMS must address the topic-focused requirements of the standard, known as Clauses. These are:
- Clause 4: Context of the organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operations
- Clause 9: Performance evaluation
- Clause 10: Improvement
Note: There are subtle changes to these clauses between the 2013 and 2022 versions of ISO 27001. These clauses are also generally consistent across other well recognised ISO standards, such as ISO 9001 (Quality Management).
In addition to the clauses, the ISMS must consider a set of organisational and technical controls known collectively as Annex A.
In the 2013 version of the standard there were 114 controls grouped into domains of related controls. However, in the 2022 version these have been reorganised and reduced to 93 and are organised based on the intended approach to meeting the control.
While an organisation can choose to exclude controls which do not apply to its products or services (software development related controls being a good example), this generally leads only to a small reduction in the number of controls to be implemented. Examples of these controls include:
- Requirements for policy and procedure, and the roles and responsibilities for information security management
- Dealing with suppliers and the information security requirements of contracts
- Handling of, and recovery from, information security incidents
- Preparedness for continuity during disruptive events
- Information security aspects relating to personnel, incl. prior to and during employment, and after termination
- Physical security of premises and equipment
- Management of information and technical assets
- Technical protections including anti-malware, software vulnerability scanning, and patching
Note: The Annex A controls are a distillation of the controls documented in ISO 27002 where more implementation information is provided.
ASD Information Security Manual (ISM)
The Australian Signals Directorate (ASD), through its Australian Cyber Security Centre (ACSC), is the federal government agency responsible for cyber security. The agency falls under the Department of Defence. The ACSC publishes the Information Security Manual, a set of 913 controls (as at June 2024) that can be loosely categorised as organisational and/or technical.
While ISO 27001 addresses information security in broad terms, the ISM aims to address rapidly emerging threats in the cyber security arena. There is, however, a great deal of overlap between the controls in the ISO 27001 Annex A, and controls in the ISM. Generally, the controls in the ISM can be seen as a more granular representation of ISO 27001 controls. Updates to the Information Security Manual are published quarterly.
The ISM primarily focuses on threats relating to the handling of government information categorised as OFFICIAL or OFFICIAL:Sensitive, or classified as PROTECTED, SECRET or TOP SECRET. However, with the increase in cyber security attacks targeting the private sector, including recent high-profile cases, the ACSC now includes recommendations for control implementation by private enterprise.
The value of the ISM controls in improving an organisation’s cyber security posture cannot be overstated. However, implementing a large number of controls can be an expensive exercise. It is also worth noting that implementation of ISM controls is not a requirement for achieving ISO 27001 certification, though organisations that must achieve Right Fit For Risk (RFFR) accreditation (see below) need to consider many of them.
Unless a client is subject to the government’s Right Fit For Risk (RFFR) program, GRC Management Consulting recommends that clients consider implementing a small subset of ISM controls. Assessing organisational risk and then selecting controls to minimise the most significant risks allows an organisation to cost-effectively improve its cyber security posture.
ASD Essential Eight (E8)
The ACSC has developed a set of prioritised cyber security mitigation strategies. These 37 strategies are designed to assist organisations in focusing their cyber security protection efforts. Of these, the Essential Eight strategies are considered the most important and effective.
The Essential Eight strategies have been designed, primarily, to protect Microsoft Windows-based internet-connected networks though they can be applied to cloud services, enterprise mobility, and other operating environments.
The Essential Eight strategies are:
- Patch applications
- Patch operating systems
- Multi-factor authentication
- Restrict administrative privileges
- Application control
- Restrict Microsoft Office macros
- User application hardening
- Regular backups
To support the efforts of small, medium and large organisations, each strategy details three maturity levels, with increasing levels of cyber security sophistication and protection, though this comes at increasing cost. Generally, it is recommended that small organisations address all strategies at Maturity Level 1.
Over time, the controls in the Information Security Manual have been aligned with the Essential Eight and its Maturity Levels. Significant progress toward implementing a given E8 Maturity Level can be achieved by selecting and implementing the corresponding ISM controls. While not a requirement for achieving ISO 27001 certification, GRC Management Consulting recommends that clients aim to implement at least E8 Maturity Level 1 to provide protection against current and emerging cyber security threats.
Right Fit For Risk (RFFR)
The Australian government has created the Right Fit For Risk program based on the ISO 27001 standard. Achieving government accreditation against this program is increasingly becoming a requirement to obtain, and retain, government contracts. This is already the case for many of the contracts issued by the Department of Social Services (DSS) and the Department of Employment and Workplace Relations (DEWR).
Right Fit For Risk is a complex program consisting of controls taken from ISO 27001 as well as those ISM controls that relate to OFFICIAL:Sensitive information. As noted previously, revisions of the ISM are published quarterly. The June 2024 version of the ISM has 813 relevant controls. When added to the 93 controls of the ISO 27001:2022 standard, this means that organisations must consider, and potentially implement, 906 controls. Additionally, because new versions of the ISM are published quarterly, organisations subject to Right Fit For Risk must assess, plan and implement any new controls as well as consider the implications of changes to existing controls. As with ISO 27001, on which the RFFR accreditation is based, annual audits are required to maintain the accreditation and meet government requirements.
Note: Where previously organisations were required to undertake in-depth, RFFR specific audits, this is no longer the case. Organisations are now only required to undertake ISO 27001 audits. However, the ISM controls must still be assessed and implemented (where applicable) even though an external audit is not required.
This makes managing and maintaining the Right Fit For Risk program, as well as operating the Information Security Management System on which it depends, time consuming and expensive. Experience with information security, ISO 27001 and especially RFFR can help manage costs while ensuring compliance with the requirements of RFFR and the contracts that depend on it. GRC Management Consulting are experts in the RFFR program, having led a number of organisations through the preparation and audit process to successfully achieve RFFR accreditation.
