Advisory & Assurance

Advisory & Assurance Services

The Problem We Help You Address:

Some questions that organizations are grappling with today are: ‘Is what we are currently doing to manage the Information Security and Risk Posture of the organization enough? Do we need to do more? Are we missing some pieces? If yes, in what areas? For example, do we need to invest more in technology? Or do we need to focus on implementing robust processes? How does this tie in with our business risks? Are we meeting our compliance requirements?’ We at Arrka help you answer these questions – and more.

Our Solution Approach:

We follow a four-pronged approach to help answer the above questions:

Step 1: Assess

Assessment comprises understanding:
  • Where we are today (As-Is)
  • Where we want to be (To-Be)
  • The gap between the two

1) Understanding Where We Are Today:

Arrka analyses this against the four key pillars (4Ps) that determine an organization’s Information Risk Posture:

  • Policies
  • Processes
  • Products (Technology)
  • People

Methodology Used

Arrka uses a combination of:

  • People Interactions – where we have detailed interviews and sessions with various key people and teams in your organization
  • Arrka Lab Testing – where we run a series of technical tests. The typical parlance for this is conducting a Vulnerability Assessment & Penetration Testing (VAPT)

2) Understanding Where We Want To Be:

Arriving at this understanding can often be complex. It needs to factor in one or more of the following requirements that an organization may have:

Standards and Frameworks
These are standards and frameworks in this domain that your organization may be required to, or may wish to, comply with to meet one or more business objectives. These could include, for example, ISO 27001, PCI DSS, the NIST framework, SOC I, etc.

Regulatory & Legal Requirements
These include laws and regulations that your organization may be required to comply with. For example: The Indian IT Act, EU GDPR, The RBI CyberSecurity Framework, etc.

Industry Best Practices
These may include specific best practices or recommendations that certain sectors or industry verticals have developed.

Maturity Frameworks
While ensuring the above, you may also want to progress through maturity levels over a period of time. This also needs to be factored in.

Arrka helps your organization arrive at this understanding. We do this by understanding your business and business plans, your goals and commitments, your business risks, your compliance requirements, etc., and then arriving at what you need to focus on and adopt, and at what point in time.

3) Identifying the Gaps

Based on our in-depth understanding of your organization’s As-Is and To-Be states, we identify the gaps between the two – so you have a clear understanding of the precise gaps and hence of what needs to be done to address them.

Step 2: Design

The Design stage involves designing the roadmap and the specific solutions along each of the 4P parameters to address the gaps identified in Step 1.

The key in the Design stage is to take into account all the investments that have already gone in – the products and solutions purchased, the policies and processes implemented – and to ensure that the organization builds on them, so that existing investments and efforts are maximised to the extent possible.

Step 3: Implement

We are sure your organization works with multiple security solution vendors, service delivery and integration partners, managed service providers, etc who address different aspects of your privacy program.

Hence, implementing the design involves coordinating multiple parties and stakeholders to ensure that the implementation is carried out successfully.

Here, Arrka helps your organization manage this, keeping in mind its plans, goals and roadmap.

Step 4: Monitor & Manage

Any program is successful only when it is effectively monitored and managed. Hence this stage involves:

  • Identifying the parameters and metrics for managing your Information Risk program on an ongoing, continual and transparent basis
  • Building appropriate dashboards and trackers to track and manage the above
  • Monitoring these on a regular basis so that course corrections can be made in good time


  • We at Arrka understand two realities of today’s world:
  • The business environment is rapidly changing and evolving
  • The threat landscape is changing even more rapidly
  • Hence any plan that does not continually remain updated with current realities is doomed to fail. And therefore, we endeavour to work with and support our clients on this aspect

Our entire approach is supported by the Arrka platform, with the requisite toolkits to enable each of the above.

How does Arrka deliver the above approach to all types of clients?

We at Arrka have always believed that there is no ‘one solution fits all’. The needs and realities of a large enterprise are very different from those of a small or mid-size organization. Moreover, no two large enterprises are alike.

Hence, we have two distinct models, one for each market segment below:

  • Large Enterprises
  • Small and Mid-Size Enterprises (SMEs)

While we employ the ‘traditional’ consulting model for our large enterprise clients, we have a unique model developed specially for our SME clients. Read more about this here – the ArrkaCISO model.

For further details, do contact us.