DNV GL © 2015 14 September 2017

WEBINAR: UNRAVELLING THE COMPLEXITY OF INFORMATION SECURITY CERTIFICATIONS TO IMPROVE YOUR RESILIENCY TO SURVIVE DISASTERS

BUSINESS ASSURANCE

DNV GL & Consultant are acting in cooperation to provide this Webinar purely as an informational session to attendees & no relationship should be implied between DNV GL & Consultant. Participation in this Webinar does not construe a request for auditing or certification services nor implies any relationship between DNV GL & Consultant. DNV GL remains impartial & does not recommend or endorse individual consulting companies or seek to influence clients in deciding whether to use a consulting company or which to select.



DNV GL

DNV GL - Global reach – local competence

• 300+ offices
• 100 countries
• 14,000 employees
• 150+ years

DNV GL :: Focused on your future

We help you build Sustainable Business Performance through our global certification, verification, assessment & training services.

Tomorrow’s successful companies will create value by meeting the world’s social, economic and environmental needs.

SUSTAINABLE VALUE & STAKEHOLDER TRUST

A Shared Ambition

▪ DNV GL:
– Sustainability in everything we do. Partnering with our customers to build sustainable business performance & stakeholder trust, contributing to a safe & sustainable future.

▪ ISO:
– Their vision is for the ISO standards to contribute to innovation & sustainable development.

“In the longer term, we can expect sustainability to become a fundamental principle for ISO standards in just the same way as market relevance.”

Webinar Leader: Victoria (Vicky) Hailey, CMC

Certified Management Consultant (CMC)

Architect: SuMM/MSTM (Sustainability Maturity Model/Management System) (based on ISO 26000 Social Responsibility)

Expert Business Reviewer: Sustainable Development Technology Canada (SDTC)

ex-IBMer (Toronto Development Lab: large & mid-sized systems, VM)

ISO Lead Auditor (IRCA) + TPECs-certified (Exemplar Global) ISO-MSS Instructor:
✦ ISO/IEC 27001 (Information Security)
✦ ISO/IEC 27001/Cloud Services Alliance (CSA)
✦ ISO/IEC 20000-1 (ITIL-Service Management)
✦ ISO 20400 (Sustainable Procurement)
✦ ISO 22301 (Business Continuity)
✦ ISO 44001 (Collaborative Business Relationship Management)
✦ ISO 9001 (Quality)
✦ ISO 31000 (Risk)
✦ ISO/IEC 19770 + 55000 (Asset Management)
✦ ISO/IEC 38500/27014 (IT Governance)
✦ ISO 37001 (Anti-Bribery)

ISO/IEC 15504/3300x (SPICE) Lead Assessor + SPICE Lead Assessor / Instructor:
✦ ISO/IEC 15504 (Software Process Improvement/Capability Determination)
✦ ISO/IEC 33072 (PCAM for Information Security)
✦ ISO/IEC 3300x (Process Assessment & Organizational Maturity Assessment)
✦ ISO/IEC 33071 (Enterprise System Assessment)

CMMI SCE Assessor (SW-CMMI, P-CMM, CMMI-Services)

IEEE Instructor:
✦ Requirements Engineering & Management
✦ Configuration Management IEEE 828
✦ SDLC/12207/15288 Life Cycle Management
✦ Moderated Inspections
✦ Quality Assurance

Standards Council of Canada SMC Chairs:
✦ ISO/PC280 Management Consulting
✦ ISO/PC277 Sustainable Procurement
✦ ISO/PC286 Collaborative business relationship mgmt

ISO / ISO/IEC Memberships:
✦ SC7 - Software & Systems Engineering
✦ SC27 - IT Security Techniques
✦ SC39 - Sustainability for & by Information Technology
✦ SC40 - IT Service Management & IT Governance
✦ SC41 - Internet of Things (IoT)
✦ TCIT - Information Technology
✦ JTAG - COPOLCO Guide 14 Consumer Information
✦ TC260 - Human Resources
✦ TC262 - Risk Management
✦ TC268 - Sustainable Development in Communities - Smart Urban Infrastructure Metrics
✦ TC279 - Innovation
✦ TC290 - Online Reputation
✦ TC292 - Societal Security
✦ TC309 - Organizational Governance
✦ COPOLCO - Ethical Labelling + Vulnerable People
✦ TMB/SR - Social Responsibility

IEEE Chair, SSIT Standards Committee:
✦ Social Implications of Technology (ethics, social responsibility, sustainability) - Standards Chair

IEEE WG Memberships:
✦ P7000 Ethics in Systems Engineering
✦ Service Oriented Architecture

Some Clients: Consumers Gas, Bell Canada, Canadian Institutes for Health Information, Ontario Government, Hydro One Networks, Cree First Nation, New York Transit Authority, Deloitte, Telus, Sony, IBM, Ontario Hydro, State of California, Greater Toronto Airports Authority

All copyrights & referenced IP, Data, quotations, reports, & other evidence are owned by their respective owners.

What is ISO/IEC 27001?

▪ A management systems framework for identifying, valuating, & safeguarding business information & data assets through the design & integration of appropriate & relevant information security policies & controls into the daily business processes & culture according to risk-assessed levels of acceptable loss.

▪ A framework for business, information, & risk owners to collaborate in making informed decisions regarding the confidentiality, integrity, & availability (CIA) of their information that ensures the impacts of loss are understood by having those making informed risk decisions also be accountable for them.

▪ The implementation of these CIA non-functional requirements must be balanced according to your organization’s business context and stakeholder needs, and according to their levels of acceptable risks.

ISO/IEC 27001 ISMS Framework: PDCA Improvement Cycle

Input from interested parties: information security requirements and expectations (CIA).
Plan – Establish the ISMS
Do – Implement & Operate the ISMS
Check – Monitor & Review the ISMS
Act – Maintain & Improve the ISMS
Output to interested parties: managed information security (CIA).


ISO/IEC 27001 Business Continuity MS FW - Requirements

ISO/IEC 27001 Annex A Controls

14 Security Control Clauses
35 Security Categories & Objectives
114 Controls


ISO 22301 Business Continuity MS Framework - Requirements (PLAN DO CHECK ACT)

4 Context of the organization
  4.1 Understanding of the organization & its context
  4.2 Understanding the needs & expectations of interested parties
  4.2.2 Legal & regulatory requirements
  4.3 Determining the scope of the business continuity management system
  4.4 BCMS
5 Leadership
  5.1 Leadership & commitment
  5.2 Management commitment
  5.3 Policy
  5.4 Organizational roles, responsibilities & authorities
6 Planning
  6.1 Actions to address risk & opportunities
  6.2 BC objectives & plans
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning & control
  8.2 BIA & risk assessment
  8.3 BC strategy
  8.4 Establish & implement BC procedures
  8.4.2 Incident response
  8.4.3 Warning & communication
  8.4.4 BC Plans
  5.4.5 Recovery
  8.5 Exercise & testing
9 Performance Evaluation
  9.1 Monitoring, measurement, analysis & evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Nonconformity & corrective action
  10.2 Continual improvement


What does the ISMS look like?

A Critical 27001 Implementation Success Factor

Regular, frequent, risk-based information security audits as the new cultural norm, once the decision is made to adopt a systematic approach to protecting assets:

Pre-Certification ISMS/BCMS/IMS Audits

Consultant:
• Pre-certification readiness audit — Stage 1 & Stage 2, IMS
• Pre-implementation benchmarking
• System / Process Capability & Organizational Maturity Assessment
• 2nd Party Audits
• Pre-procurement Audits
• Supplier Audits
• Outsourcing risk audits
• Risk assessments
• Business Impact Analysis
• Internal Audits
• Product / Service Performance Audits
• Customer/Supplier Contract Audit

3rd Party Registrar:
• Gap Analysis Audit
• Pre-Assessment Audit
• Stage 1 & Stage 2 Certification
• IMS Audit (as with ISO/IEC 27001 + 20000-1 + 9001)
• Joint Audit (as with a Regulator)

Post-Certification ISMS/BCMS/IMS Audits

Consultant:
• Post-implementation benchmarking
• System / Process Capability & Organizational Maturity Assessment of improvements
• 2nd Party Audits
• Pre-procurement Audits
• Supplier Audits
• Outsourcing risk audits
• Risk assessments
• Business Impact Analysis
• Internal Audits
• Product / Service Performance Audits
• Customer/Supplier Contract Audit
• IMS Assessments

3rd Party Registrar:
• Stage 1 & Stage 2 Certification
• Surveillance
• Recertification
• IMS Certification
• Joint Audit

Information Security vs Business Continuity

NATURAL DISASTERS

PLANNING & INTELLIGENCE MAKE EVENTS MORE PREDICTABLE, THEREFORE MORE CONTROLLABLE

RELATIVELY UNPREDICTABLE, = LESS CONTROLLABLE

Board Prioritization of Risk

Expect 2017’s natural disasters to drive this risk area way up.

Vulnerabilities & Threats: The Top 7 Causes of Information Security Breaches

Naive End Users: Lack of Security Awareness Training & Accountability

Risk Relationships

Threats exploit vulnerabilities and increase risks; controls protect against threats.
Vulnerabilities expose information/assets and increase risks.
Information/assets have asset values, which increase risks.
Risks determine security requirements, which are met by controls; controls reduce risks.
Risks: potential impact on business.

ISO Integrated Management System Implementation Strategy

1. SAY WHAT YOU DO - for each unique process in each discipline
2. DO WHAT YOU SAY…
3. WRITE IT DOWN!
4. PROVE IT! - through integrated MS audits addressing common processes only once for all audited management systems

IMS SAVES TIME, $$, EFFORT


ISO/IEC JTC1/SC27 2700x BoK

ISO/IEC 27001 Global Survey

Only 8% reported that their competitors had already been certified, suggesting that those seeking competitive advantage were doing so on the basis of being first movers in the market.

ISO/IEC 27001 Certifications Worldwide

ISO/IEC 27001 experienced the same 20% annual growth as last year, reaching 33,290 certificates worldwide (https://www.iso.org/the-iso-survey.html).

Status of ISO/IEC 27001 Certifications NA & by Industry

(https://www.iso.org/the-iso-survey.html)

THANK YOU! Questions?

Contact Us

Violet Masoud, Director of Sales, MSC, North [email protected]
Vicky Hailey, CMC, Founder of VHG, The Victoria Hailey Group [email protected]

Find a Certified Management Consultant or Lead Auditor to assist you: www.vhg.com