
Risk management and validation of security controls

Sopra Steria’s Security Governance and Assurance team offers highly experienced consultants to support or fulfil a range of roles, including CISO/Security Lead, with the option of additional support from suitably qualified security specialists including, but not limited to, Security Architects and Technical Assurance consultants. The team offers a range of capabilities in the governance, risk and compliance space, which can be delivered as a standalone activity or as part of a programme of work; the key decider is what meets the customer’s requirements and provides the best value and deliverables.

The Governance and Assurance team acts as subject matter experts, called in as required to strengthen a customer’s security posture through focused, point-in-time engagements. If a client requires a more embedded role that takes ownership of a wider scope of security responsibilities, we can offer Operational Security Managers and/or Advisors as a service.

Benefits

  • Wide Range and Depth of Expertise - Knowledge and experience across many industry sectors and a successful track record of delivering information security and compliance programmes to global organisations.
  • Strong Relationship Management - Expertise in building and maintaining trusted relationships with stakeholders, allowing open dialogue and collaboration and ensuring that security activities and controls are aligned with business strategy and appropriate for identified risks.
  • Risk Understanding - Identify business risks relevant to the current threat landscape, with the expertise to articulate them and obtain business sponsorship to prioritise risks and drive remediation effort. A pragmatic approach based on an understanding of business requirements versus identified risks.
  • Regulatory & Legal Enablement - Support for compliance activities, including GDPR/Data Protection Act requirements and PCI DSS, to reduce the risk of reputational damage, fines and other enforcement action.
  • Use of Industry Recognised Standards and Certifications - Consultants are experienced in and certified against ISO 27001 (Lead Auditor and Implementer), ISC2 Cloud Security Professional, GDPR/DPA and ITIL, amongst many other standards and frameworks.

Our Approach

Sopra Steria’s Cyber Governance and Assurance team consists of highly experienced security professionals covering a wide range of specialisms, enabling them to capture, understand and advise on risk. This allows us to support our customers with skilled resources aligned to specific industry sectors, business requirements and role demands.

During an engagement, the initial activity is to capture and understand the customer’s requirements. This enables the assignment of the right consultant to deliver the required outcome. Once the deliverables have been established, a plan to reach them is determined and detailed to the customer for approval and acceptance.

The Governance and Assurance team understands the importance of meeting customer needs and expectations. Time is taken to capture and understand the requirements and then tailor an engagement that delivers an outcome of value and strengthens our customers’ security posture, whether over a short-term or long-term period. The following are examples of specific capabilities that we can offer:

  • Security Management; supporting or fulfilling CISO/Security Lead.
  • Risk Management and Assurance.
  • Security Maturity Assessments.
  • Supply Chain Security.
  • Information Assurance.
  • Data Protection.
  • ISMS (ISO 27001) Implementation and Audit.
  • Operational Security Management in a BAU environment.
  • Security Strategy and Direction Definition.
  • Security Policy Development and/or Review.
  • Security Process Development, Implementation and/or Review.
  • Incident Management Guidance.
  • Security Risk Assessment.

Security Assessments

Sopra Steria’s Security Assessment service is based on the use of questionnaires, interviews and workshops with relevant customer teams and third-party providers. We recommend that the assessment be evidence based. The depth of analysis can range from a light-touch audit, in which anecdotal statements are backed up by visibility of supporting documentation, to a deep dive into processes and implemented controls in workshops, combined with penetration testing and vulnerability scans, which are available from Sopra Steria as additional services.

Sopra Steria are experienced in the use of assessment tooling such as the Information Security Forum (ISF) Healthcheck tool, assessing against the ISF Standard of Good Practice, which is aligned with the NIST Cybersecurity Framework, Center for Internet Security (CIS) Top 20 Critical Security Controls V7.1, ISO/IEC 27002:2013, Payment Card Industry Data Security Standard (PCI DSS) and COBIT 5 for Information Security.

The assessment can be tailored to include control questions across a range of security categories, for example the organisational, people, physical and technological control clauses from ISO/IEC 27001:2023.

We deliver this service through engagement with senior management, business stakeholders, and technical and service owners, with a view to supporting the following outcomes:

  • Determine the maturity of security programmes, processes and capabilities in place.
  • Identify areas of strength and opportunities for improvement within these areas.
  • Make recommendations to align security posture against industry best practice and business objectives.
  • Initiate improvement based upon threat intelligence, current capabilities and engagement of key stakeholders.

A Security Lead will be allocated to each engagement to provide a point of contact and an escalation path for any questions or issues that arise during the service. They will be responsible for overseeing the entire engagement and for delivering the final report, executive presentations and high-level solution recommendations.

Each assessment would typically include the following activities:

  • Agree the scope of the assessment, including IT systems, services, locations, business units, standards to measure against and security controls to assess.
  • Identify available documentation and the customer stakeholders relevant to the security controls being assessed, and confirm attendee availability for workshops.
  • Review policies and procedures relating to the assessment subject (e.g. Asset Management) prior to workshops. Documentation will need to be made available to Sopra Steria in advance.
  • Meet with stakeholders (face to face or online) to discuss the assessment subject through a process walkthrough and follow-up questioning.
  • Review evidence onsite and/or offsite to support information gathered during workshops and provide assurance that controls have been appropriately implemented.
  • Analyse assessment findings offsite and create a report including recommendations for improvement. Report results can be presented in a variety of forms, including graphical charts such as the example below showing scores against ISF Standard of Good Practice categories.
  • Meet to discuss findings, recommendations and next steps.

Example chart: scores against ISF Standard of Good Practice categories; Security Assurance 2.0, Business Continuity 2.6, Local Environment 1.6, Threat and Incident 2.6, Technical Security 3.0, Supply Chain 1.9, Networks and System Management 2.9, System Access 3, Business Application 2.5, System Development 2, Physical Asset 0.5, Information 2, People Management 1.5, Security Management 3.4, Information Risk 1.5, Security Governance 3.1.

Certifications and skills

  • CISSP - Certified Information Systems Security Professional
  • CCSP - Certified Cloud Security Professional
  • NCSC Certified Cyber Professional Risk Management
  • ISO27001 Lead Auditor
  • ISO27001 Lead Implementer
  • CISMP - Certificate in Information Security Management Principles
  • CISM - Certified Information Security Manager
  • Certified EU GDPR Practitioner
  • PCI Professional (PCIP)

Practice Lead