Zygma’s Services

Zygma has provided its services in over twenty countries, to governments, commercial organisations in many sectors, standards bodies, technical specialists and forensic IT specialists.

We cover a wide range of information security topics and have the right understanding and contacts to effectively undertake assignments in our specialist domain.

We address the management, policy, procedural and technical areas of information security, and when necessary work with an international network of partners and associates with whom we can build a team with the requisite competences to fulfil our clients’ requirements.

We work with our clients, not just for them, making sure we understand the client’s context and real needs, rather than ‘drop-forging’ their problem into our solution.

We list below the principal areas in which we are active, but if what you want doesn’t appear here, get in touch with us and we’ll be pleased to respond in terms of your specific requirements.

Information Security Management Systems

An ISMS is built around the requirements of the de facto IT security standard ISO/IEC 27001 “Information security management systems – Requirements“, supported by the Code of practice given in ISO/IEC 27002.

Zygma specializes in the provision of ISMS-related services.

We can:

  • help you build your ISO/IEC 27001-conformant ISMS;
  • give your own staff training and awareness of the 27000-series standards and practical issues concerning implementation and internal audit;
  • develop your policies and procedures;
  • provide a fast-track development tool (AIMS) to help you quickly establish your ISMS and move towards certification;
  • apply an appropriate risk assessment methodology;
  • undertake independent audits of your ISMS; and
  • help ensure your ISMS provides you with compliance with specific regulation and/or other standards, e.g. FISMA, GLB, HIPAA, ISO 9001, SOX, CA SB 1386, FIPS 201, SP 800-53 and others such as data protection.

You can find out more about ISMSs and the applicable standards by reviewing Zygma’s ‘Questions You Should Ask’.


Information Technology Service Management Systems

An IT Service Management System is built around the requirements of the standard ISO/IEC 20000-1 “Information technology – Service management – Part 1: Service management system requirements”, supported by the guidance given in ISO/IEC 20000-2.

Zygma can:

  • help you build your ISO/IEC 20000-1 conformant ITSM system;
  • give your own staff training and awareness of the 20000-series standards and practical issues about implementation and internal audit;
  • develop your policies and procedures;
  • provide a fast-track development tool to help you quickly establish your ITSM system and move towards certification;
  • apply an appropriate risk assessment methodology;
  • undertake independent audits of your ITSM system; and
  • help ensure your ITSM system provides you with compliance with specific regulation and/or other standards, e.g. FFIEC IT Examination Handbook criteria and others such as data protection.

Trust / Assurance frameworks

By this term we mean organizational frameworks within which electronic services operate according to defined (usually openly-published) regulations and/or performance and operational criteria, and thereby are trusted by others within the scope of the framework.

Zygma has a well-proven track record in setting up assurance frameworks and understands how to design the processes and procedures necessary to make them operationally effective, not just technically well-specified.

Most significant of these is Zygma’s role in the development of the Kantara Initiative’s Identity Assurance Framework. The IAF is built upon compliance criteria and supporting processes which respond to the needs of end-users (identity credential holders), relying parties, and identity and credential service providers.

Zygma played a significant role in the development of assessment criteria and operational procedures for the US Federal government’s E-Authentication Initiative and with the government / industry group, the Electronic Authentication Partnership.

Zygma also developed the basic criteria for the International Identity-proofing and Verification Framework (I-IPVF) for the Trans-Atlantic Secure Collaboration Program and was instrumental in setting-up the UK’s independent industry-led voluntary approval scheme for trust services, tScheme.

In the context of the European Directive on electronic signatures, Zygma has given support and guidance to the UK government’s Department of Trade and Industry over many years, and also to the governments of Greece and Turkey.


Standardization

We have extensive experience in the development of standards, and can assist standards bodies and other agencies and organizations wanting to develop standards documents.

Zygma is a voting member of the InterNational Committee for Information Technology Standards (INCITS) Technical Committee on Cyber Security, CS1. CS1 is the US national body which advises ISO (the international standards development organization) on international information security and other cyber security standards, acting as the US Technical Advisory Group to ISO/IEC JTC 1/SC 27.

We developed FIPS 201 assessment criteria on behalf of the Federal Identity Credentialing Committee, to help the owners and operators of PIV systems determine their compliance with the FIPS 201 requirements.

Zygma has also been contracted to the European Electronic Signature Standardization Initiative (EESSI), providing expert contribution and editorship over the period 2001 – 2006.


Independent auditor / Expert reviewer

Zygma can provide an independent perspective on plans, specifications, security systems etc. We can do this by applying formal auditing techniques against a specific standard or audit plan – our specialisms in this regard are in the context of ISO/IEC 20000-1 and 27001.

We can also act as an expert witness, e.g. in cases where due diligence is at issue in information technology disputes between parties. As an example, Zygma has acted in this capacity to investigate disputed stock transfers between a major US financial institution and La Bourse (the French stock exchange), for independent projects and on behalf of the European Commission.


General consultancy

We can fulfil needs not readily categorized in the specific areas discussed above. Client needs which we have fulfilled in the past include assessments of applicable technical standards for a specific development, assessment of applicable regulation across multiple states in a specific sector, creating and operating a product validation program for businesses wanting to procure or develop in specific directions, and performing a general ‘health check’ on an organization’s information

We’re sure that if you have needs in the information security area we can respond to them. And if we can’t, we’ll tell you straight and help you find someone who can, first of all (and with your agreement) by discussing your needs with our Partners.