ISO 27001 Gap Analysis

DELL SECUREWORKS CONSULTING SERVICES AGREEMENT
STATEMENT OF WORK NUMBER #____
This STATEMENT OF WORK (“SOW”), effective as of Insert Date is made pursuant to the [Master Services
Agreement], [Consulting Services Agreement] [Consulting Services Addendum] dated Insert Date by and between
Dell Corporation Limited trading as Dell SecureWorks with its registered office address at Dell House, Cain Road,
Bracknell, Berkshire RG12 1LF (“Dell SecureWorks”) and Insert Company Name with its principal place of
business located at Insert Company Location (“Client”).
1.0 Scope
Geographic Locations
There are elements of this project that will be delivered remotely at Dell SecureWorks facilities and on-site at the following location:
● CUSTOMER ADDRESS
ISO 27001 Gap Analysis
The scope of the service delivery outlined in the following sections is for the provision of consultancy services to complete an ISO 27001 gap assessment. The gap assessment will be a study comparing existing information security management practices and controls against those recommended by the ISO 27001 standard.
Future steps
Once the gap assessment has been completed, a number of further steps are required as part of the process towards ISO 27001 certification. The approach to these activities will need to be fully defined once the gap assessment is complete and any remediation activities have been undertaken; however, an overview of the requirements has been included within this Statement of Work for information purposes.
Out of Scope
Locations, devices or personnel not specifically listed as in scope are out of scope.
Note: If any IP addresses, hosts, facilities or web applications within scope are owned or hosted by a service provider or other third party, you must obtain permission from that party, in writing or through email, before Dell SecureWorks will perform testing. Alternatively, you may provide a suitable alternate testing environment.
2.0 Statement of Work
Dell SecureWorks utilises a three-phase methodology for delivering ISO 27001 projects:
1) Gap Analysis
2) Remediation and Compliance Progression
3) Pre-Audit
Starting with a Gap Analysis as the foundation for the project, the information gathered from this phase is then used as a driver for the Remediation and Compliance Progression phase, which tends to be the largest of the phases. This phase utilises the Dell SecureWorks experts to help drive forward the compliance programme and assist in building an Information Security Management System. The final phase is a Pre-Audit, in which our consultants deliver a mock ISO 27001 audit to assess, and provide feedback on, the customer’s environment prior to a real, third-party assessment.
1 of 8
This project requires phases 1 and 2 only.
2.1 Phase 1 - Gap Analysis
Dell SecureWorks has been asked to deliver a gap analysis of existing policies and procedures against the standard.
Dell SecureWorks will provide the consultants from our information assurance team, all of whom have extensive
experience delivering similar projects across a wide range of environments. It is this team of consultants, their
experience, and our proven methodology which will ensure the success of this project in the most straightforward
and resource-effective manner.
The methodology that we are proposing to utilise has been developed specifically for use within organisations looking to certify with ISO 27001 across business functions, as opposed to those looking to focus exclusively on Information Technology. Whilst adhering to ISO 27001 in pursuit of alignment, our approach ensures that we deliver practical and achievable advice, support and guidance to effectively assist clients in achieving business buy-in and maintaining an acceptable information security process.
Developments within the field of ISO certification, in particular the focus now placed upon risk management and measurement, have instigated the on-going development of our methodology to utilise elements of COBIT4 within a 5-point Capability Maturity Model. Our experience in delivering these projects for other customers has ensured that this methodology provides support for the organisation during the initial stages of the project and during the certification process.
Despite our innovative approach, however, we are committed to delivering and adhering to the specific requirements of ISO 27001 which, by definition, require progression through standard, auditable phases.
The phases in the gap analysis are:
Scoping
This is a short exercise; however it is essential for the development of a well-defined project across all facets of the
business. Dell SecureWorks understands the expectation is to include all business processes. The scoping exercise
will identify the physical scoped environment, confirm the interdependencies with third parties, and define and
document the scope and boundaries of the Information Security Management System. This process will also define
the approach to the establishment and implementation of the ISMS.
Information gathering and analysis
Dell SecureWorks will collect and review the existing information security policy and the policies, baselines and procedures which support the information security policy and the business functions. Using the information gathered in the scoping phase, a gap analysis against the requirements of ISO 27001 will be undertaken. The gap analysis exercise is designed to identify variances between current information security management practices (encompassing policies, standards and procedures) and those suggested by the ISO 27001 standard for Information Security Management Systems and the ISO 27002 code of practice. The gap analysis can be a rather intrusive exercise and may require consultation with business area heads in addition to support staff (e.g. from IT, HR, Facilities, Compliance/Legal).
Dell SecureWorks will conduct a survey of the security management practices in the following control categories:
● Standards/Security policy – provides management direction and support for information security
● Organization of assets and resources – helps manage information security within the organization
● Asset classification and control – helps identify assets and appropriately protect them
● Personnel security – reduces the risks of human error, theft, fraud or misuse of facilities
● Physical and environmental security – prevents unauthorized access, damage and interference to business premises and information
● Communications and operations management – ensures the correct and secure operation of information processing facilities
● Access control – controls access to information
● Systems development and maintenance – ensures that security is built into information systems
● Business continuity management – counteracts interruptions to business activities and protects critical business processes from the effects of major failures or disasters
● Compliance – avoids breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement
● Business Process Controls – controls corresponding to selected relevant SAS 70 control objectives for key processes
● Technical Controls
  o System access
  o Network Architecture
  o Network Access
  o Control Zones
  o Encryption and Protocols
  o System secure state (vulnerability scans)
To conduct this gap analysis, the following methods may be used:
● Collect documentation (policies, plans, standards, procedures, guidelines, drawings, etc.)
● Develop questionnaires for measuring control areas
● Conduct interviews to elicit conformance with best practices
● Conduct technical tests of controls (vulnerability scanning, host audits, etc.)
● Elicitation sessions to establish adherence to formal company policies and procedures
● Conduct interviews to elicit conformance to regulatory controls and guidance
● Selectively validate configurations, procedures, and processes
Deliverables
The output from the gap analysis will be a detailed report and completed ISO 27001 statement of applicability on the
compliance of the customer’s information security management processes and controls against the ISO 27001
standard. This will include the results from assessment against the capability maturity model in order to assess the
maturity of the customer in each of the 12 focus areas of ISO 27001 (the Information Security Management System
plus the 11 sections of Annex A).
2.2 Phase 2 - Remediation and compliance progression
Once the current status of a customer is known with regard to ISO27001 compliance, Dell SecureWorks can assist
further in driving the compliance progression forward through remediation advice and guidance. This phase of an
ISO27001 project is generally the most effort intensive and consists of the following stages.
Establish Management Commitment and Organisational ISMS Structure
Preparation of a one page high-level management commitment statement will commence. This will serve as an
advertisement to all employees that senior management are committing to company wide information risk and
information security management. The statement will set out the aims and expectations of the approach and will
state that the customer is committed to aligning with the ISO 27001 framework in order to achieve the stated
goals. The statement will also seek to gain the buy-in of all staff by setting out Senior Management’s expectations
of participation, support and contribution of all staff to the development and operation of information security
management practices.
This stage also helps to identify the appropriate forum for the discussion of information security and oversight of the
information security management project.
Plan for and Establish ISMS Risk Assessment Methodology
A high-level assessment of information risks to customer key business processes as a result of failure or compromise
of information confidentiality, integrity or availability will be carried out across the agreed business divisions within
the customer’s organisation.
The first stage of the risk assessment process is a business impact analysis. A short workshop will be conducted with senior management to define what ISO 27001 is and how it may assist in delivering information risk management. This workshop will also complete a business impact analysis to uncover what department heads see as the most relevant information risks and help establish the business impacts that may result as a consequence of any information risk occurring. The business impact analysis output will be used to feed into existing impact definitions.
The risk assessment will utilise the business impact analysis output as a starting point and use the defined impact
levels and risk appetite to analyse and assess the identified risks. The risk assessment exercise will allow for
meaningful prioritisation of the recommendations from the gap analysis report, allow for documentation of a
prioritised risk treatment plan and provide focus for the development of the Information Security Management
System.
ISMS Implementation
Now that the foundations of the security improvement programme are in place and the initial basic requirements of
ISO 27001 have been met, the next stage is to implement the risk management plan.
The output from the preceding risk assessment and gap analysis will form the basis for developing an on-going information security risk management strategy. Utilising either the existing corporate risk management processes or introducing new processes, this stage will result in the development of the IS risk register/risk management plan, a risk manual, and the agreement of an organisational framework to facilitate high-level visibility of the organisation’s information security risk footprint.
Where risk management is a new concept, the elapsed time for this phase may be extended pending decisions upon the approach to be adopted.
The risk management plan is the basis of this phase. The management forum established in the previous phase must
agree the risk treatment decisions and support the agreed actions. The Dell SecureWorks consultant will assist
where required with the specification and definition of controls and actions to mitigate identified risks.
In addition, during this phase, the Information Security Policy, supporting policies, procedures and work instructions shall be created as required. These items may exist in paper form, electronically, or delivered via an Intranet; however, they should remain subject to version and publication control. Certification-specific documentation may also be prepared at this stage, such as the Statement of Applicability, Compliance Programme, Security Framework and metrics. The ISMS will include the security controls in ISO 27002.
This phase will also require the completion of information security awareness education and training to ensure that
all staff are aware of their information security obligations and, where appropriate, are trained in the procedures
necessary to ensure the security of information.
The ISMS implementation is the longest phase in an ISO 27001 project - weighted at the beginning with
consultancy support from Dell SecureWorks, with an increased level of activity near the end of this phase.
2.3 Phase 3 - Pre-Audit
This phase focuses on audits of the newly developed ISMS and its successful implementation within the customer’s organisation.
ISMS audits are required for any organisation seeking certification. However, a compliance programme, utilising audits as the main tool of investigation, should also be implemented even where certification is not the ultimate goal. ISMS audits are a useful tool to assess the effectiveness of the ISMS and the controls implemented to mitigate risks. Through a scheduled compliance programme of audits covering all requirements of ISO 27001 as well as all applicable control objectives from ISO 27002, weaknesses and non-compliances can be identified and improvements made to the ISMS.
It is expected that by the time this phase is reached, most customers will have achieved such a level of maturity in operating the ISMS that the Dell SecureWorks consultant will carry out the audits and provide reports to the management forum, who will take forward actions to address any concerns or non-compliances raised.
This project will be delivered using the Dell SecureWorks project management methodology, templates and
processes.
3.0 Deliverables
The output from the gap analysis will be a detailed report and completed ISO 27001 statement of applicability on the
compliance of the customer’s information security management processes and controls against the ISO 27001
standard. This will include the results from assessment against the capability maturity model in order to assess the
maturity of the customer in each of the 12 focus areas of ISO 27001 (the Information Security Management System
plus the 11 sections of Annex A).
4.0 Draft and final report
Dell SecureWorks will provide preliminary draft findings to the technical point of contact for review and clarification. The final report will be issued after review and discussion are complete. Presentation of the findings and exact deliverables are custom tailored to the type of work performed, and to customer needs. Final reporting and deliverables will be defined during the project, as well as interim or ad-hoc reporting. Dell SecureWorks deliverables typically follow a standard format with two sections.
The first section is targeted toward a non-technical audience - Senior Management, Auditors, Board of Directors and other concerned parties:
● Executive summary – A jargon and buzz-word free true executive-level summary.
● Summary of findings and recommendations – The report describes the environment and high-level findings and root causes. We make recommendations based on risk to your organisation.
● Compliance status – This section describes the compliance status measured against the ISO Standard.
The second section is targeted to technical staff and provides more granular detail:
● Summary of methods – This section contains details specific to the engagement methodology.
● Detailed findings and recommendations – This section documents the details of any findings as well as recommendations for remediation. Evidence of controls and information sufficient to replicate the findings is included. Recommendations are based on these root causes and prioritised for a risk-based remediation with an estimation of relative work effort. Where strong controls in place have been identified they are described, as well as their impact to the security of the organisation.
● Attachments – Details and specific examples are provided, including screen shots, technical details, code excerpts and other relevant observations. This section also contains documents or data which are relevant but do not fit in other categories.
4.1 Report Timing
Within three weeks of concluding the work described above, we will issue a draft formal report to your point of
contact. The three weeks following delivery of this draft report are your opportunity to provide comments
concerning the nature and scope of the engagement to be included in the report. If there are no comments in the
three-week comment period, we will finalise the report for distribution. If no changes are required, we encourage
you to accept the formal report prior to the three week waiting period to expedite final delivery.
5.0 Timing and Fees
5.1 Fees
The work shall be delivered as a fixed price engagement and limited to a maximum of <insert> days.
The cost of this engagement excluding expenses is £ZZZ
Including expenses, client's total payments under this SOW shall be limited to a maximum of £ZZZZ excluding
VAT.
Terms for this engagement:
● X% billed at point Y
The work is estimated as requiring <insert> days. This SOW is a Time & Materials engagement with an estimated
cost of £ZZZZ excluding VAT based on a daily billing rate of £XXXXX. The final amount shall be determined on
the basis of the actual amount of time spent on the work. The Parties shall agree any increase of the cost limit in
advance, in writing. Client will be invoiced monthly for work activity conducted against this SOW.
The price for the engagement is based on the target environment as discussed with Dell SecureWorks. If the
assumptions, client responsibilities and parameters within the scope of work used to develop this proposal are found
to be incorrect, or to have changed, the parties agree to pursue resolution through change management.
If any of the assumptions used in developing this proposal (including time on tasks, locations and service consumption) and relied upon by Dell SecureWorks vary by +/- five percent (5%), Dell SecureWorks reserves the right to adjust the pricing to reflect such changes.
Any additional work required beyond our current estimate will be added to our invoices at the daily billing rate
given above.
The following conditions apply to this SOW:
● The fees outlined in our scope of services include all incidental out-of-pocket expenses including report preparation and reproduction, faxes, copying, etc.
● The fees outlined in our scope of services do NOT include out-of-pocket travel expenses, including reasonable transportation, meals and lodging expenses incurred to perform any of the services outlined hereunder. Such reasonable out-of-pocket expenses will be added at cost to Client’s invoice.
● Terms for payments are net 30.
● VAT, at the prevailing rate, will be added to all applicable charges.
5.2 Timing
Dell SecureWorks will make commercially reasonable efforts to meet Client’s requests for dates and times for the
contracted work to be performed. The fees do not include weekend or after hours work. Such work can only be
scheduled by mutual agreement, in advance. After hours and weekend work will be conducted at 1.5 times our
quoted rate. Email confirmation of an agreed upon schedule, sent by Dell SecureWorks, confirmed by email by the
Client, shall constitute formal acceptance of such schedule. Once scheduling of any work has been mutually agreed
upon, and the schedule is formally accepted by the Client, changes by the Client within 2 weeks of the project
initiation will incur a one day rate re-scheduling fee for each instance.
Dell SecureWorks has made the following assumptions in creating this SOW:
● Client resources are scheduled and available to Dell SecureWorks;
● Client has provided suitable workspace for Dell SecureWorks’ staff and equipment;
● Client’s computer systems and network for testing, building access, etc. are made available to Dell SecureWorks; and
● Client replies to all document requests and other information in a timely manner.
5.3 Term
The term of this SOW and the Services hereunder shall commence on the date this SOW is executed by both parties
and terminate on the date which is one (1) year thereafter.
6.0 Disclaimers
Applicable to Security Services: Should a Statement of Work include security scanning, testing, assessment,
forensics, or remediation Services (“Security Services”), Client understands that Dell SecureWorks may use various
methods and software tools to probe network resources for security-related information and to detect actual or
potential security flaws and vulnerabilities. Client authorises Dell SecureWorks to perform such Security Services
(and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Security Services or
otherwise approved by Client from time to time) on network resources with the IP Addresses identified by Client.
Client represents that, if Client does not own such network resources, it will have obtained consent and authorisation
from the applicable third party, in form and substance satisfactory to Dell SecureWorks, to permit Dell SecureWorks
to provide the Security Services. Dell SecureWorks shall perform Security Services during a timeframe mutually agreed upon with Client. The Security Services, such as penetration testing or vulnerability assessments, may also entail buffer overflows, fat pings, operating system specific exploits, and attacks specific to custom coded applications but will exclude intentional and deliberate Denial of Service Attacks. Furthermore, Client acknowledges that the Security Services described herein could possibly result in service interruptions or degradation regarding the Client’s systems and accepts those risks and consequences. Client hereby consents and authorises Consultant to provide any or all the Security Services with respect to the Client’s systems. Client further acknowledges it is the Client’s responsibility to restore network computer systems to a secure configuration after Consultant testing.
Applicable to Compliance Services: Should a Statement of Work include compliance testing or assessment or other similar compliance advisory Services (“Compliance Services”), Client understands that, although Dell SecureWorks' Compliance Services may discuss or relate to legal issues, Dell SecureWorks does not provide legal advice or services, none of such Services shall be deemed, construed as or constitute legal advice, and Client is ultimately responsible for retaining its own legal counsel to provide legal advice. Furthermore, any written summaries or reports provided by Dell SecureWorks in connection with any Compliance Services shall not be deemed to be legal opinions and may not and should not be relied upon as proof, evidence or any guarantee or assurance as to Client’s legal or regulatory compliance.
Applicable to PCI Compliance Services: Should a Statement of Work include PCI compliance auditing, testing or
assessment or other similar PCI compliance advisory Consulting Services (“PCI Compliance Services”), Client
understands that Dell SecureWorks' PCI Compliance Services do not constitute any guarantee or assurance that
security of Client’s systems, networks and assets cannot be breached or are not at risk. These Services are an
assessment, as of a particular date, of whether Client’s systems, networks and assets, and any compensating controls
meet the applicable PCI standards. Mere compliance with PCI standards may not be sufficient to eliminate all risks
of a security breach of Client’s systems, networks and assets. Furthermore, Dell SecureWorks is not responsible for
updating its reports and assessments, or enquiring as to the occurrence or absence of such, in light of subsequent
changes to Client’s systems, networks and assets after the date of Dell SecureWorks’ final report, absent a signed
Statement of Work expressly requiring the same.
Purchase Orders: This Statement of Work is agreed to by the parties. Any terms and conditions attached to, or
described within any purchase order outside of this Statement of Work by Client in connection with this Statement
of Work are null and void.
Applicable to Onsite Services: Notwithstanding employees’ placement at the Client location, Dell SecureWorks
retains the right to control the work of the employee. For international travel, Onsite Services may require additional
documentation, such as Visas, visitor invitations, etc. which may affect timing and out of pocket costs.
DELL CORPORATION LIMITED                    Insert Company Name
By: _________________________               By: _____________________________
Title: _______________________              Title: ___________________________
Date: _____________________________         Date: ________________________________