Project:

Assess IT Security Environment for ISO-17799 Compliance

Client:

Confidential

- CC Pace was prime contractor

Benefit:

Client's executive management received an expert, unbiased assessment of an acquisition target firm's IT information security management programs' status - strengths and weaknesses - and conformance to the ISO-17799 Information Security Management Systems standard. Mr. Rondot was one of the supervising Certified ISO Auditors on the assessment team.

Highlights
  • The target firm's Information Security Management System was patterned after the ISO-17799 standard and was partially implemented. The assessment focused on:

    • The first item examined was the target's management statement regarding which portions of the standard were to be implemented. Implementing every portion and control outlined in the standard is not required as long as management has documented the decision and basis for declining to implement one or more controls.

    • The existing policies, procedures and reporting processes were evaluated against the guidelines presented in the standard for completeness, reasonableness, and actual usage in the enterprise.

    • The prioritized list and schedule for developing and implementing the balance of the controls outlined in the standard were also examined. The acquiring firm's management wanted an opinion of the target's information security decision-making processes, hence the evaluation of the target's basis for prioritizing the work as documented at the time.

© 2008 RondoTech Consulting, Inc.