DNV GL © 2015 11 September 2017 SAFER, SMARTER, GREENER
14 September 2017
WEBINAR: UNRAVELLING THE COMPLEXITY OF INFORMATION SECURITY CERTIFICATIONS TO IMPROVE YOUR RESILIENCY TO SURVIVE DISASTERS
BUSINESS ASSURANCE
DNV GL & Consultant are acting in cooperation to provide this Webinar purely as an informational session to attendees & no relationship should be implied between DNV GL & Consultant. Participation in this Webinar does not constitute a request for auditing or certification services nor imply any relationship between DNV GL & Consultant. DNV GL remains impartial & does not recommend or endorse individual consulting companies or seek to influence clients in deciding whether to use a consulting company or which to select.
DNV GL - Global reach – local competence
300+ offices
100 countries
14,000 employees
150+ years
DNV GL :: Focused on your future
We help you build Sustainable Business Performance through our global certification, verification, assessment & training services.
Tomorrow’s successful companies will create value by meeting the world’s social, economic and environmental needs.
SUSTAINABLE VALUE & STAKEHOLDER TRUST
A Shared Ambition
▪ DNV GL:
– Sustainability in everything we do. Partnering with our customers to build sustainable business performance & stakeholder trust, contributing to a safe & sustainable future.
▪ ISO:
– Their vision is for the ISO standards to contribute to innovation & sustainable development.
“In the longer term, we can expect sustainability to become a fundamental principle for ISO standards in just the same way as market relevance.”
Webinar Leader: Victoria (Vicky) Hailey, CMC
Certified Management Consultant (CMC)
Architect: SuMM/MSTM (Sustainability Maturity Model/Management System), based on ISO 26000 Social Responsibility
Expert Business Reviewer: Sustainable Development Technology Canada (SDTC)
ex-IBMer (Toronto Development Lab: large & mid-sized systems, VM)
ISO Lead Auditor (IRCA) + TPECs-certified (Exemplar Global) ISO-MSS Instructor:
✦ ISO/IEC 27001 (Information Security)
✦ ISO/IEC 27001 / Cloud Security Alliance (CSA)
✦ ISO/IEC 20000-1 (ITIL-Service Management)
✦ ISO 20400 (Sustainable Procurement)
✦ ISO 22301 (Business Continuity)
✦ ISO 44001 (Collaborative Business Relationship Management)
✦ ISO 9001 (Quality)
✦ ISO 31000 (Risk)
✦ ISO/IEC 19770 + 55000 (Asset Management)
✦ ISO/IEC 38500/27014 (IT Governance)
✦ ISO 37001 (Anti-Bribery)
✦ ISO/IEC 15504/3300x (SPICE) Lead Assessor
SPICE Lead Assessor / Instructor:
✦ ISO/IEC 15504 (Software Process Improvement/Capability Determination)
✦ ISO/IEC 33072 (PCAM for Information Security)
✦ ISO/IEC 3300x (Process Assessment & Organizational Maturity Assessment)
✦ ISO/IEC 33071 (Enterprise System Assessment)
CMMI SCE Assessor (SW-CMMI, P-CMM, CMMI-Services)
IEEE Instructor:
✦ Requirements Engineering & Management
✦ Configuration Management IEEE 828
✦ SDLC/12207/15288 Life Cycle Management
✦ Moderated Inspections
✦ Quality Assurance
Standards Council of Canada SMC Chairs:
✦ ISO/PC280 Management Consulting
✦ ISO/PC277 Sustainable Procurement
✦ ISO/PC286 Collaborative Business Relationship Management
ISO / ISO/IEC Memberships:
✦ SC7 - Software & Systems Engineering
✦ SC27 - IT Security Techniques
✦ SC39 - Sustainability for & by Information Technology
✦ SC40 - IT Service Management & IT Governance
✦ SC41 - Internet of Things (IoT)
✦ TCIT - Information Technology
✦ JTAG - COPOLCO Guide 14 Consumer Information
✦ TC260 - Human Resources
✦ TC262 - Risk Management
✦ TC268 - Sustainable Development in Communities - Smart Urban Infrastructure Metrics
✦ TC279 - Innovation
✦ TC290 - Online Reputation
✦ TC292 - Societal Security
✦ TC309 - Organizational Governance
✦ COPOLCO - Ethical Labelling + Vulnerable People
✦ TMB/SR - Social Responsibility
IEEE Chair, SSIT Standards Committee (Social Implications of Technology: ethics, social responsibility, sustainability)
IEEE WG Memberships:
✦ P7000 Ethics in Systems Engineering
✦ Service Oriented Architecture
Some Clients: Consumers Gas, Bell Canada, Canadian Institutes for Health Information, Ontario Government, Hydro One Networks, Cree First Nation, New York Transit Authority, Deloitte, Telus, Sony, IBM, Ontario Hydro, State of California, Greater Toronto Airports Authority
All copyrights & referenced IP, Data, quotations, reports, & other evidence are owned by their respective owners.
What is ISO/IEC 27001?
▪ A management systems framework for identifying, valuing, & safeguarding business information & data assets through the design & integration of appropriate & relevant information security policies & controls into the daily business processes & culture, according to risk-assessed levels of acceptable loss.
▪ A framework for business, information, & risk owners to collaborate in making informed decisions regarding the confidentiality, integrity, & availability (CIA) of their information, which ensures the impacts of loss are understood by making those who take the risk decisions also accountable for them.
▪ The implementation of these CIA non-functional requirements must be balanced according to your organization’s business context and stakeholder needs, and according to their levels of acceptable risk.
ISO/IEC 27001 ISMS Framework: PDCA Improvement Cycle (figure)
Input: interested parties’ information security requirements and expectations (CIA)
Plan: establish the ISMS
Do: implement & operate the ISMS
Check: monitor & review the ISMS
Act: maintain & improve the ISMS
Output: managed information security for interested parties (CIA)
ISO/IEC 27001 Information Security MS Framework - Requirements
ISO/IEC 27001 Annex A Controls
14 security control clauses
35 security categories & objectives
114 controls
ISO 22301 Business Continuity MS Framework - Requirements

PLAN
4 Context of the organization
4.1 Understanding of the organization & its context
4.2 Understanding the needs & expectations of interested parties
4.2.2 Legal & regulatory requirements
4.3 Determining the scope of the business continuity management system
4.4 BCMS
5 Leadership
5.1 Leadership & commitment
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities & authorities
6 Planning
6.1 Actions to address risks & opportunities
6.2 BC objectives & plans
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

DO
8 Operation
8.1 Operational planning & control
8.2 BIA & risk assessment
8.3 BC strategy
8.4 Establish & implement BC procedures
8.4.2 Incident response
8.4.3 Warning & communication
8.4.4 BC plans
8.4.5 Recovery
8.5 Exercise & testing

CHECK
9 Performance evaluation
9.1 Monitoring, measurement, analysis & evaluation
9.2 Internal audit
9.3 Management review

ACT
10 Improvement
10.1 Nonconformity & corrective action
10.2 Continual improvement
What does the ISMS look like?
A Critical 27001 Implementation Success Factor
Regular, frequent, risk-based information security audits as the new cultural norm, once the decision is made to adopt a systematic approach to protecting assets:

Pre-Certification ISMS/BCMS/IMS Audits
Consultant:
• Pre-certification readiness audit (Stage 1 & Stage 2, IMS)
• Pre-implementation benchmarking
• System / Process Capability & Organizational Maturity Assessment
• 2nd Party Audits
• Pre-procurement Audits
• Supplier Audits
• Outsourcing risk audits
• Risk assessments
• Business Impact Analysis
• Internal Audits
• Product / Service Performance Audits
• Customer/Supplier Contract Audit
3rd Party Registrar:
• Gap Analysis Audit
• Pre-Assessment Audit
• Stage 1 & Stage 2 Certification
• IMS Audit (as with ISO/IEC 27001 + 20000-1 + 9001)
• Joint Audit (as with a Regulator)

Post-Certification ISMS/BCMS/IMS Audits
Consultant:
• Post-implementation benchmarking
• System / Process Capability & Organizational Maturity Assessment of improvements
• 2nd Party Audits
• Pre-procurement Audits
• Supplier Audits
• Outsourcing risk audits
• Risk assessments
• Business Impact Analysis
• Internal Audits
• Product / Service Performance Audits
• Customer/Supplier Contract Audit
• IMS Assessments
3rd Party Registrar:
• Stage 1 & Stage 2 Certification
• Surveillance
• Recertification
• IMS Certification
• Joint Audit
Information Security vs Business Continuity (natural disasters)
Information security: planning & intelligence make events more predictable, therefore more controllable.
Natural disasters: relatively unpredictable, therefore less controllable.
Board Prioritization of Risk
Expect 2017’s natural disasters to drive this risk area way up.
Vulnerabilities & Threats
The Top 7 Causes of Information Security Breaches (figure), including:
• Naive end users
• Lack of security awareness training & accountability
Risk Relationships (figure)
• Threats exploit vulnerabilities.
• Threats increase risks.
• Vulnerabilities expose information/assets.
• Vulnerabilities increase risks.
• Information/assets have asset values.
• Asset values increase risks.
• Risks determine security requirements.
• Security requirements are met by controls.
• Controls protect against threats.
• Controls reduce risks.
• Risks: potential impact on business.
ISO Integrated Management System Implementation Strategy
1. SAY WHAT YOU DO - for each unique process in each discipline
2. DO WHAT YOU SAY…
3. WRITE IT DOWN!
4. PROVE IT! - through integrated MS audits addressing common processes only once for all audited management systems
IMS SAVES TIME, $$, EFFORT
ISO/IEC 27001 Global Survey
Only 8% reported that their competitors had already been certified, suggesting that those seeking competitive advantage were doing so on the basis of being first movers in the market.
ISO/IEC 27001 Certifications Worldwide
ISO/IEC 27001 certificates grew 20% year on year, the same annual increase as the previous year, to 33,290 certificates worldwide (https://www.iso.org/the-iso-survey.html).
Status of ISO/IEC 27001 Certifications in North America & by Industry (figure; source: https://www.iso.org/the-iso-survey.html)
Contact Us
Violet Masoud, Director of Sales, MSC, North [email protected]
Vicky Hailey, CMC, Founder of VHG, The Victoria Hailey Group [email protected]
Click on the links below for more information:
Find a Certified Management Consultant or Lead Auditor to assist you:
www.vhg.com