Information Risk Management

The risk from information systems can be managed by adopting globally accepted controls frameworks such as ISO 27001, ITIL, or CoBIT. Implementing any of these frameworks requires a systematic approach: analyzing the key risk areas, identifying and documenting the controls, and then monitoring and measuring compliance. Information Risk Management (IRM) can be extended to designing a Business Continuity Strategy and developing and testing business continuity plans. We offer the following services as part of the Information Risk Management service suite.

ISO 27001 (BS 7799)

We provide ISO 27001 compliance and pre-certification audit services. The ISO 27001 standard provides a structured framework for the implementation of an Information Security Management System (ISMS) within your organization.

Our team consists of experienced ISO 27001-certified lead auditors and implementation experts, with the right blend of technical and business process know-how, which provides a balanced approach to the entire exercise. Our focus is always on the triad of People, Processes, and Technology.

PCI DSS - Payment Card Industry Data Security Standard

We provide consulting services to comply with and audit against the PCI DSS standard. PCI DSS was jointly released by the credit card companies and is aimed at protecting cardholder data. The standard requires members, merchants, and service providers using credit card facilities to carry out regular PCI Scans and PCI Security Audits after achieving compliance. PCI DSS version 1.2 comprises six control objectives, which in turn contain twelve specific controls. NII helps organizations meet all the requirements with the help of its robust consulting methodology.

PA DSS - Payment Application Data Security Standard

In addition to consulting services for PCI DSS, we provide services for bringing payment applications into compliance with PA DSS - Payment Application Data Security Standard (previously known as PABP - Payment Application Best Practices).

NII helps organizations meet all the requirements of PA DSS given its background in application security audits and PCI DSS implementations.

Banking and Financial Services Security and Compliance

In addition to generic information security best practices, each industry requires a nuanced approach to addressing domain-specific information security risks. For the Banking and Financial Services Industry (BFSI), we help with compliance with a wide array of regulations and frameworks. Be it your Internet Banking infrastructure, your Anti-Phishing Controls, or your Records Retention Program, our domain experts can help provide the assurance that information security and regulatory risks are being properly managed. This consulting service also extends to service providers of BFSI companies. The frameworks that we can help your organization comply with are:

Healthcare and Insurance (HIPAA and FDA Regulations)

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996.

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA is known as the Administrative Simplification (AS) provisions. The Administrative Simplification provisions also address the security and privacy of health data. Per the requirements of Title II, the HHS (Department of Health and Human Services) has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.

  • Readiness Assessment
    The objective of the HIPAA Readiness Assessment is to identify the scope of compliance and the specific vulnerabilities that a company may need to remediate in order to successfully complete a HIPAA audit. During this exercise, we analyze both the design of the controls and the effectiveness of their implementation, in line with the Administrative Simplification (AS) requirements of HIPAA.
  • HIPAA Audit Report Preparation
    We can help a client increase its assurance level with regard to HIPAA compliance by conducting a pre-assessment internal audit. This gives the company's management a clear picture of its level of compliance with HIPAA.
  • FDA Regulations
    • Title 21 Code of Federal Regulations (CFR) Part 11, dated March 20, 1997 ("Part 11")
    • ICH Harmonised Tripartite Guidelines for Good Clinical Practice ("ICH GCP")
    • FDA, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, dated January 11, 2002

SAS 70 Consultancy and Readiness Assessment

The Statement on Auditing Standards No. 70, Service Organizations, is a widely recognized auditing standard issued by the American Institute of Certified Public Accountants (AICPA) in April 1992. Regulatory pressure, especially the introduction of the Sarbanes-Oxley Act in 2002, has led organizations to require their vendors to also comply with controls that keep risks to the business at an acceptable level. An audit carried out under this Statement, commonly called a SAS 70 audit, demonstrates that a service organization has been through an in-depth audit of its control activities. There are two types of SAS 70 reports: Type I and Type II. Getting audited under SAS 70 can, however, be a daunting task that involves significant effort.

IT Service Management - ITIL and ISO/IEC 20000

IT Service Management best practices are being increasingly adopted by companies to improve the quality of their services and reduce their operational costs. NII Consulting can help organisations successfully adopt best business practices and standards and thus maximise the value of their IT investments.

CoBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. NII helps draft, review, and implement policies and procedures to put IT controls in place for your organization. We help organizations increase the value attained from IT.

Business Continuity Management

Our Business Continuity Management services are based on BS 25999. We help you evaluate your information assets and their criticality levels in order to determine strategies that minimize loss of productivity through optimum utilization of resources.

The objectives of the Business Continuity Management service are:

  • Minimize disruptions of business functions and external entities
  • Provide roadmap for disaster recovery operations
  • Ensure resumption of normal business at the earliest possible time
  • Limit impact of disruption on company's mission and reputation
  • Limit financial losses

ISO 27004 - Information Security Metrics

Compliance with the ISO 27001 standard and its associated controls helps an organization understand its information security risks and develop an information security management system (ISMS) to address the risks identified. The ISO 27001 implementation process aims to provide management with an intuitive understanding of information security.

Security Awareness

Over the years, we have evolved a comprehensive offering on security awareness. The main benefits of this program are:

  • Helps you enhance user resilience to new-age threats such as Advanced Persistent Threats (APTs), threats arising from BYOD policy implementation, and social engineering attacks
  • Ensures that the IT and security teams are aware of the latest developments in information security
  • Provides easy-to-understand content that engages different stakeholder groups in unique and interesting ways

Information Security Risk Assessment

NII provides Information Security Risk Management consulting services for managing and mitigating the risks to the organization.

IT Strategy

Policies & Procedures