This document provides an overview of Business As Usual (BAU), an Australian consulting firm that specializes in business continuity, disaster recovery, risk management, and information security services. BAU works with organizations across multiple industries and geographic regions to help them achieve certifications like ISO 27001. The document introduces BAU's managing director, Rinske Geerlings, and describes some of the training and consulting services offered, like gap assessments, implementation support, and certification preparation. It also advertises upcoming public training courses on standards like ISO 27001.
Business As Usual (BAU) snapshot
• Constantly implementing Business Continuity, Disaster Recovery, Service Continuity, Security and Risk Management with medium & large organisations across industries
• Geographical dispersion: Projects in Australia, New Zealand, Asia, Pacific, East Africa, Latin America and Europe
• ISO 22301 / ISO 27001 / ISO 28000 / ISO 31000 public and in-house training (PECB Gold training partner)
• All work and documentation is done in an easy-to-use and engaging way, whilst in accordance with international standards (incl. ISO, COBIT DSS4, ITIL SCM, APRA SPS/CPS 232, Bank Negara Malaysia, MAS, EAC, SS540 etc.)
Our service offering
• Gap analysis/‘health check’
• Consultancy/implementation
• Executive management briefing
• Process/framework implementation
• Test/exercise facilitation
• Training (in-house/public) incl. ISO examination
Australia wide – Malaysia – Singapore – Philippines – Thailand – East Africa – Europe – Latin America – New Zealand – Papua New Guinea – United Arab Emirates
Who am I?
Rinske Geerlings, Founder, Managing Director & Principal Consultant at BAU
• MSc (Engineering)
• Accredited consultant & trainer (ISO 22301 Master / ISO 31000 Lead Risk Manager / ISO 27001 Master)
• CBCP by Disaster Recovery Institute (DRI) International
• MBCI (Business Continuity Institute) and RMIA member
• ITIL (IT Infrastructure Library) Master and COBIT certified
• Participant in AllFinance in the lead-up to APRA’s BCM standard (2005)
• Presented at 100+ BCM, Risk and Security related seminars/conferences
• 20+ years of consulting experience globally
• Awarded Alumnus of the Year 2012 (Delft, Netherlands)
• Awarded Business Woman of the Year 2010-2013 (BPW, global NGO with UN consultative status)
• Awarded Risk Consultant of the Year 2017 (Australasia) by RMIA
What about you?
Are you in…
• Financial Services (banking, insurance)?
• Local/State/Federal Government, or emergency services?
• (Health) care?
• Technology or utility sectors?
• Retail, manufacturing or transport?
• Media?
• Consultancy?
• Other?
Your answer… be honest!
0 points: “Yikes! We’d struggle...”
1 point: “We’d be in a state of flux, looking for some pieces to the puzzle, but we’ll be fine”
2 points: “We’re sweet! We’ve tested the plan, we know our roles, we’re ready with our media response... Bring it on”
ISO 27001 - Will it break or make you?
• Good outline of Information Security controls
• Easy to use in order to start measuring maturity
• Well integrated with other ISO standards (ISO 22301, ISO 31000)
• A technical topic well explained in “layman’s terms”
• Various options to delve deeper into the technical space (e.g. ISO 27032: Cyber Risk)
• Not just regarding electronic information
ISO 27001: Certification training
Delft University - Netherlands (26-30 Nov 2018): ISO 31000 / ISO 27001 / ISO 22301
Sydney/Melbourne - Australia (March 2019): ISO 31000 / ISO 27001 / ISO 22301
Dubai – UAE (April 2019): ISO 31000 / ISO 27001 / ISO 22301
Tanzania / Kenya / Uganda – East Africa (April 2019): ISO 31000 / ISO 27001 / ISO 22301
Game structure & Flow
• Form teams & team captains and complete basic information
• Facilitator reveals the scenario
• Teams send each other various ‘challenge cards’ (incl. a ‘Joker card’ – available from 2nd round onwards)
• Complete each challenge card & ask sender for acceptance: signature & score
• Dispute? Facilitator to mediate.
• Winner is the team with the highest number of points
• Discussion: Conclusions & wrap-up
Teams & Captains
Team I – Top Health Care’s Senior Management
Team II – Top Health Care’s IT and Security specialists (internal & external)
Team III – Patient’s Association (lobby group)
Team IV – Gov’t Department of Health & Human Services (regulator)
Team V – The Media (journalists, bloggers)
Team Captains: Who knows a little bit about any of the above?
Basic team information
Complete for your team the standard questions (steps 1 and 2) using the sheets provided.
The scenario
Phones have been ringing off the hook since this morning at the 14-hospital and health services group ‘Top Health Care’.
Hundreds of patients have reported receiving improper/suspicious emails from Top Health Care.
Some patients reported receiving fictitious offers for discounted health services from Top Health Care, with the email showing their own personal data.
Others are reporting the receipt of an email with an attachment listing the personal details of thousands of fellow patients, including name, email address, employment information and protected health information.
Let the game begin!
But first: familiarise yourself with the challenge cards. Next:
1. Ask one of the teams around you to give you your first challenge!
Note: this cannot be a Joker card in the first round.
2. Fill in your challenge response in the response form provided.
3. Ask the challenger for acceptance and a score (must be a minimum of 6 to move on).
Note: The challenger must actually have further answers/details in mind in order to be able to reject the response.
4. Dispute? Facilitator to mediate between Team Captains before the next challenge can be requested.
5. Ask another team for your next challenge and keep going around the room.
Note: You must complete at least one challenge from each team around you… but you can still be smart about picking your challengers!
Key differences with traditional approach
• Dynamic BCM framework > prevent ‘collecting dust on the shelf’
• Consequence-based planning > keep it simple
• Caters for fatigue/unavailability of staff
• ‘Top down’ approach based on time-critical processes… we don’t need to continue everything to maintain our reputation
• Strong focus on communication/notification planning, incl. ‘pull communication’
• Colour-coded, matrix style documentation (incl. ‘BCP on a page’)
• Hyperlink/utilise what is already there > don’t duplicate
• Toolkit approach to BCP activation > easy to find what we need ‘on the spot’ (e.g. the 1-minute assessment tool)
• Optimally use agreed manual workarounds to reduce cost
• Overall: Prioritisation focus (being selective to reduce workload)
ISO 27001 | ISO 22301 | ISO 31000 | COBIT 5
Information Security (IS)
Business Continuity Planning (BCP): yes yes
Risk Management (RM)
IT Governance (ITG)
Next ISO Certification Training Courses
Delft University - Netherlands (26-30 Nov 2018): ISO 31000 / ISO 27001 / ISO 22301
Sydney/Melbourne - Australia (March 2019): ISO 31000 / ISO 27001 / ISO 22301
Dubai – UAE (April 2019): ISO 31000 / ISO 27001 / ISO 22301
Tanzania / Kenya / Uganda – East Africa (April 2019): ISO 31000 / ISO 27001 / ISO 22301
Special prize draw for November! Message me on LinkedIn your reason to receive a free pass and you may be the winner!