Implementing a sustainable compliance framework

Implementing a Sustainable Compliance Framework v01r1 draft

Published in: Business, Technology
Transcript of "Implementing a sustainable compliance framework"

1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
2. • Agility • Governance • Risk Management • Verify & Validate • Innovation • Conclusion
4. a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations. b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not with a separate compliance or certification team. c) Process documentation, control activities and evidence of operating effectiveness are managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes their reusability for other purposes, including facilitating business and operational changes. d) The return of Internal Audit to its primary role, that of providing an independent assessment of management's business risk mitigation activities, from being the primary collector of evidence to support management's assessment of control effectiveness. e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient ones.
5. • Reduce risks and threats to the Confidentiality, Integrity and Availability of Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats. • Improve the effectiveness and efficiency of Security and Privacy Management by implementing a world-class best practice and framework for consistent, concise security administration. • Improve the effectiveness and efficiency of existing security and privacy mechanisms by formalizing new practices to monitor compliance and maintain sensitive-data awareness. • Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure the Executive Management Team that the organization's Information Assets and System Resources are secure. • Reduce the likelihood that an accidental security incident or breach of personal information caused by staff could have an adverse effect on the organization's reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security education and awareness program.
6. a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.
8. Compliance Management can be broken down into four general categories: statutes, regulations, internal facing and external facing.
9. b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not with a separate compliance or certification team.
13. c) Process documentation, control activities and evidence of operating effectiveness are managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes their reusability for other purposes, including facilitating business and operational changes.
14. Similarly, Service Level Agreements could be established between the business unit or line of business seeking ISO 27001 registration/certification and external parties such as cloud computing services, vendors and suppliers.
15. A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for product or service delivery and the revenue stream.
16. Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the impact columns (scale 1 – 5) a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.
17. Risks associated with compliance to statutes, regulations and contractual obligations that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the impact columns (scale 1 – 5) a threshold can be added for clarity.
18. Risks associated with operations are the most common risks that external parties can positively or negatively impact. Those that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the impact columns (scale 1 – 5) a threshold can be added for clarity.
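The Risk Registry described in slides 16 to 18, as an added Python example that is not part of the original deck: it models the three risk categories, keeps only open/ongoing entries, flags each against a 1 – 5 impact threshold, and produces an external-party view that withholds the internal-only strategic and financial risks. The field names, the sample entries and the default threshold of 3 are assumptions.

```python
"""Risk Registry model (added example; not code from the slide deck)."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    STRATEGIC = "strategic/financial"   # internal reporting only (slide 16)
    COMPLIANCE = "compliance"           # statutes, regulations, contracts
    OPERATIONAL = "operational"         # where external parties have impact


@dataclass
class Risk:
    risk_id: str
    category: Category
    description: str
    impact: int      # 1 (negligible) .. 5 (severe), the slides' scale
    status: str      # "open" (ongoing) or "closed" (mitigated)

    def __post_init__(self):
        if not isinstance(self.impact, int) or not 1 <= self.impact <= 5:
            raise ValueError(f"impact must be an int in 1..5, got {self.impact!r}")
        if self.status not in ("open", "closed"):
            raise ValueError(f"status must be 'open' or 'closed', got {self.status!r}")


def registry_view(risks, threshold=3, external=False):
    """Return the rows that belong in the Risk Registry, highest impact first.

    Only open/ongoing risks are listed. Each row carries an 'above_threshold'
    flag (the threshold column the slides add for clarity). When external=True,
    strategic/financial risks are withheld because the deck keeps them internal.
    """
    rows = []
    for r in risks:
        if r.status != "open":
            continue
        if external and r.category is Category.STRATEGIC:
            continue
        rows.append({"id": r.risk_id, "category": r.category.value,
                     "impact": r.impact, "above_threshold": r.impact >= threshold})
    return sorted(rows, key=lambda row: -row["impact"])


# Constructed sample entries (assumed, not taken from the deck).
SAMPLE_RISKS = [
    Risk("R-01", Category.STRATEGIC, "Credit exposure to a key customer", 4, "open"),
    Risk("R-02", Category.COMPLIANCE, "Contract requires breach notice in 72h", 3, "open"),
    Risk("R-03", Category.OPERATIONAL, "Cloud vendor SLA lacks availability target", 5, "open"),
    Risk("R-04", Category.OPERATIONAL, "Backup restore test overdue", 2, "closed"),
]

if __name__ == "__main__":
    for row in registry_view(SAMPLE_RISKS, external=True):
        print(row)
```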
19. d) The return of Internal Audit to its primary role, that of providing an independent assessment of management's business risk mitigation activities, from being the primary collector of evidence to support management's assessment of control effectiveness.
20. The Statement of Applicability (SoA) is created following a risk assessment against organizational assets that are in scope for protection from threats and vulnerabilities leading to loss of confidentiality, integrity and availability. Internal and external audits are conducted against the SoA. The flexibility of the ISMS allows additional security control sets to be added, such as the SANS CSC 20, if they can be justified. The framework also streamlines overlapping controls, minimizing or eliminating costly duplication while improving the effectiveness and efficiency of the ISMS.
21. Traceability Matrix
22. e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient ones.
23. Control Design
24. Sustainable compliance is achievable and within the grasp of every organization, regardless of size, through the integration of internationally accepted quality management standards such as ISO/IEC 27001:2013. This approach enforces governance and risk management while establishing an agile program that seeks out innovation and quality.
25. For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard