Information security frameworks

We recommend an information-first approach to security. It’s easy to begin with tools and tech – but without a clear understanding of what information matters and why, it’s hard to protect what counts.

Instead, we help organisations take an approach that focuses first on information: the assets you hold, their value, and the potential harms they present if exposed, lost, or misused. This provides a grounded, governed way to protect the right things in the right way – not just today, but as your organisation grows and changes.

If you’re already using a technical or compliance-based model, this may be a way to mature your approach – building consistency, repeatability, and resilience into your information security practice.

Our process

We begin with a light-touch gap analysis and work with you to build an information security framework tailored to your needs. This framework is built on tried and tested principles, and includes:

  • Information registry. A record of your key information assets, the risks they carry, and how they’re currently protected.
  • Technology registry. An overview of devices, systems, and services in use, including security requirements and configurations.
  • Document repository. A collection of relevant policies, procedures, and resources.
  • Priority queue. A practical, ranked list of security activities or projects to address next.

To get there, we’ll guide you through several steps:

  1. Change and communications planning. We help design a change process that brings key staff and stakeholders into the work.
  2. Baseline development. This may include:
    • Reviewing your existing documentation and policies.
    • Running workshops with relevant teams or departments.
    • Interviewing staff with key security responsibilities.
    • Supporting your team to complete templates for the registries.
  3. Gap analysis and reporting. We share our findings in a report and presentation to your senior team or board.
  4. Policy development. We help you develop or update a clear, risk-informed Information Security Policy, grounded in your reality.

What you’ll gain

At the end of this process, your organisation will:

  • Understand where the key gaps in your information security approach are.
  • Have started bridging them through baseline documentation and an agreed policy.
  • Be ready to move from one-off action to ongoing governance.

The priority queue will act as your roadmap – helping you make smart decisions about what to focus on as capacity and resources allow. This might include:

  • Developing procedures for high-risk scenarios.
  • Creating clear staff responsibilities.
  • Documenting policies and checklists.
  • Improving how you configure and maintain key tech tools.

We can support you in delivering these next steps – or simply help you prioritise and plan them.

Open Briefing is a certified social enterprise and a member of the CIVICUS global civil society alliance and the Vuka! coalition.