We are not trying invite the wheel - we are using existing knowledge putted into standards like for IT risk management ISO 27005, for information security management system ISO 27001, for security controls ISO 27002, some special standards for industrial control systems security like IEC 62443 etc.
Best practices
We are not trying to develop what is already proven - we are using for example RiskIT approach introduced by ISACA, we may use list of SANS critical controls if appropriate, we may have to consider baseline security by BSI, UK cyber essentials scheme etc.
Frameworks
We are trying to propose the most suitable frameworks according to the client needs - it may start from security hygiene to employees, proceed with cyber essentials in organizational level, add some extra from regulatory side, improve to baseline level, go ahead with standardized approach and end up with advanced security solutions.
Experience
If something works and creates a value to the client we use it again and improve it - for example we have experiences in certain business sector (i.e. finance, critical infrastructure, public sector) and use this experience for others. And not only for business sectors, the same apply for country level.
Research
We are making close co-operation with researchers and universities to find and create better methods and tools to manage information- and cyber security issues. Some focus areas may be highlighted: secure behaviour, situational awareness, security management metrics, information security economics.
Basic tools
We are using existing tools to build up our assurance services, for example for risk tables we propose use Excel sheets, for information security policy we create Word documents, for business process modelling and IT infrastructure description we are using Visio diagrams, for planning controls we use Project software, etc.
Technical tools
For technical side, we are using experienced partners to use technical cybersecurity tools like vulnerability scanners, forensic analysis, penetration testing, monitoring, traffic analysis etc.
Systems
For more advanced cases, we are working on our own tool called security oversight system (SOS) which will rely on our own information and cyber security assurance concept and may be categorized as a decision support system (DSS) for information- and cyber security. Hope provide some new information soon!