Professional services
What we do

Governance

Governance involves strategic management activities such as strategy formulation and implementation, organizational structure and control, and assurance.

Leading organizations are:

  • Drawing up business-focused GRC strategies that align with, complement and support other business strategies concerning IT, products and markets, HR, finances etc.;
  • Establishing professional GRC functions to take the lead on risk management, compliance management, information security management and assurance/audit;
  • Developing and implementing a suite of GRC-related policies;
  • Planning and executing GRC improvements sensibly and systematically throughout the organization.

Risk management

Taking risks is of course a natural part of corporate management. Risk management essentially involves differentiating risks that can be accepted from those that need to be mitigated in some way, and monitoring residual risks in order to avoid nasty surprises.

Leading organizations are:

  • Dynamically identifying and ranking risks in business terms;
  • Distinguishing and characterizing potential threats, vulnerabilities and impacts, and proactively looking for changes or trends of note;
  • Exploiting opportunities and taking calculated risks, where appropriate;
  • Reducing or avoiding unacceptable risks, largely through suitable controls;
  • Emphasizing incident detection, incident management and business continuity arrangements for when (not if) risks eventuate.

Compliance

While ‘compliance’ is generally taken to refer to laws and regulations, in fact it concerns fulfilling obligations under a far broader set of rules including corporate policies, contracts, standards and codes of ethics.

Leading organizations are:

  • Dynamically identifying compliance obligations from all sources;
  • Aligning and consolidating requirements and, where possible, implementing broad-based systems, processes and controls that simultaneously address multiple requirements (more cost-effective and comprehensive than point solutions);
  • Actively managing compliance risks, for example using management oversight, reviews and internal audits to identify and deal with trouble spots in order to avoid serious incidents, but consciously accepting minor compliance risks to save money;
  • Going beyond mere compliance where it makes good business sense to do so;
  • Using carrot and stick - encouraging and rewarding compliance as much as penalizing noncompliance.

IsecT’s core competencies

Our primary areas of interest and expertise are:

  1. Information risk and security management - including information security strategy, policy and business case development, interim management and mentoring, bridging (linking business and technology), identifying, assessing, ranking and treating risks, security process maturity assessment (benchmarking) and business continuity management (resilience, recovery and contingency).
  2. Information security awareness programs - we supply creative security awareness materials on an industry-leading range of topics through NoticeBored, a unique subscription service. Instead of slaving away researching, drafting and polishing your content from scratch, invest your time in social interaction with employees as a means to grow the security culture.
  3. Security metrics - designing and implementing a suite of metrics to manage information security systematically, effectively and efficiently, using PRAGMATIC security metrics: we literally wrote the book on it.
  4. ISO27k - we are keen to help you understand and adopt the good practices outlined in the ISO/IEC 27000 standards. We have used, contributed to and promoted the ISO27k standards since the 1980s.
  5. IT auditing - read all about what this involves in our IT audit FAQ. We particularly enjoy auditing data centers and software development projects, but we can turn our hand to any form of IT audit, giving you the benefit of an independent perspective, a competent review, and a no-holds-barred audit report with sensible, pragmatic recommendations.

Training courses

We provide training in information security and related areas through ALC. Please contact ALC for more information on courses, schedules, locations and pricing. As well as a wide range of public courses (CISM, CISA, Prince2, TOGAF, ITIL, SABSA and many more), ALC offers very cost-effective in-house training for organizations with more than a handful of students, plus bespoke courses and consultancy tailored to your specific requirements.

Bespoke consulting services

The brief descriptions above are simply a starting point. If you are looking for advice or assistance in our domain, please contact us to discuss your requirements in more detail. It is important, both for you and for us, to clarify exactly what you need and determine whether and how we might assist before we make a start. Come to us for straight-talking advice, further information on any of our services and to check our availability.

By the way, don’t let the fact that we are a small New Zealand company put you off. We offer cost-effective online “virtual consulting” alternatives to the traditional on-site approach, and we have access to a global network of trusted professional peers, colleagues and partners. If we can’t help you ourselves, we may know someone who can.

Copyright © 2015 IsecT Ltd.