With an Orange Parachute ISMS, you would answer yes to ALL of these questions in as little as 6 months:
- Are you currently able to make risk-based, informed choices before purchasing security products or services?
- Do you suppose your organization would save quite a bit of money if you could make a risk-based, informed choice before you ever purchased any security products or services?
- Do you suppose your organization would save time and money if you could simply add a line item in a standard into your program every time a new compliance requirement came down the pipe?
- Do you meet compliance quickly and easily to PCI, GLBA, HIPAA, SOX, and others?
- Are your Governance, Risk Management and Compliance initiatives addressed simultaneously, or are they separate functions or projects, with separate points of responsibility? In other words, is it all addressed under one system or structure?
- If you could pull ALL of your Governance, Risk, and Compliance initiatives into a cohesive system or program structure, addressing requirements simultaneously, would your organization save time and money, as well as avoid duplicating efforts?
- Are you able to simply map new GRC requirements into your current program, utilizing an existing framework/structure or management system?
- Do you currently have customers that send you questionnaires regarding your security practices, and asking how you protect information?
- Are you able to respond to these questionnaires quickly without having to spend much time or internal resources to do so?
- Combine this with another possible scenario: let's say you have one customer who wants you to be compliant with a standard like ISO 27001 or ISO 27002, another client wants you to have a SAS 70 Type 2, and yet another client wants you to be compliant with an industry-specific standard that you've never heard of before. Do you currently have the structure in place to meet the requirements for all of these different needs immediately?
- Do you currently have a master glossary of terms specific to your information security program? In other words, have you clearly defined the definition of terms like policy, program, service, standards, specifications, etc. and are they clearly communicated throughout your program?
- Do you currently have documented program level roles and responsibilities? In other words, are all of your people doing what you say they are doing?
- Do you currently have documented responsibility agreements between appropriate risk management functions?
- Do you have a documented information security program mission and charter?
- Do you have a completed and documented information security management framework or structure?
- Do you have a documented analysis and interpretation of laws and regulations impacting your information security program? If so, do you have documented buy-in from your legal counsel or compliance officer regarding this?
- Are your current security processes documented, and if so, do they conform to a standard, such as ISO 27001?
- Do you have an information security program administration and evaluation plan?
- Do you have a documented risk assessment methodology?
- Do you have existing templates and tools to align risk with controls?
- Do you use an existing catalog of controls?
- Do you have clearly defined security domains?
- Do you have clearly defined span of control over those security domains?
- Are you currently practicing proactive security management?
- Do you feel comfortable that your organization has time-based assurance?
- Have you clearly defined metrics that matter to your organization?
- Are you addressing legal and regulatory compliance under one program structure or "framework"?
- Do you have a consistent approach to managing third-party governance, risk, and compliance?
- Is your program defensible and is there a documented, visible audit trail?
- Does your security program provide market differentiation for your business as a whole?
- Are your products/services differentiated as it pertains to the security of your product/service?
- If you are SAS 70 Type 2 certified, and your competitors are SAS 70 Type 2 certified, do you currently possess a differentiator for your company as it pertains to how secure your product/service is? Is this differentiator validated objectively by an objective third party? Is it certified?
- Do you currently have an option to avoid having SAS 70 Type 2 audits conducted regarding your security practices?
- If you could change your audit cycle to a few days a year and then one week every 3 years, do you suppose you would save an extensive amount of time and money for your organization?
- Assuming you field multiple calls every week from security tool or product vendors touting the next great thing in security or Governance, Risk, & Compliance, are you able to quickly and easily determine who might have something useful to you?
- Do you have a methodology in place to vet these vendors and make an informed choice?
- Do you have an existing system in place that actually excites auditors for its ease of use, speeding up audits and saving time and money along the way?
Orange Parachute ISMS = YES
1 800 841 9329
Email Orange Parachute