As we approach the new year, the importance of a robust cybersecurity strategy cannot be overstated. Learning on the effective measures to be taken and tools needed to navigate the evolving cybersecurity landscape successfully is essential. Amongst others, the webinar covers: • ISO/IEC 27001 and ISO/IEC 27035 and their key components • Key Components of a Resilient Cybersecurity Strategy • Best practices for building a resilient cybersecurity strategy in 2024 Presenters: Rinske Geerlings Rinske is an internationally known consultant, speaker and certified Business Continuity, Information Security & Risk Management trainer. She was awarded Alumnus of the Year 2012 of Delft University, Australian Business Woman of the Year 2010-13 by BPW, Risk Consultant of the Year 2017 (RMIA/Australasia) and Outstanding Security Consultant 2019 Finalist (OSPAs) Rinske has consulted to the Department of Prime Minister & Cabinet, 15 Central Banks, APEC, BBC, Shell, Fuji Xerox, NIB Health Funds, ASIC, Departments of Defense, Immigration, Health, Industry, Education, Foreign Affairs and 100s of other public and private organizations across 5 continents. She has been changing the way organizations ‘plan for the unexpected’. Her facilitation skills enable organizations to achieve their own results and simplify their processes. She applies a fresh, energetic, fun, practical, easy-to-apply, innovative approach to BCM, Security, and Risk. Her 'alter ego' includes being a lead singer in SophieG Music and contributing to the global charity playing for Change, which provides music education to children in disadvantaged regions. Loris Mansiamina A Senior GRC Professional consultant for Small, Medium and large companies. Over 10 years, Loris has been assisting clients in both public and private sectors about various matters relating to Gouvernance, Risk Management and Compliance (GRC), Digital transformation, cyber security program management, ISO 27k & ISO 20k implementation, COBIT & ITIL implementation, etc. Date: December 19, 2023 Tags: ISO, ISO/IEC 27001, ISO/IEC 27035, Cybersecurity, Information Security ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 ISO/IEC 27035 Information Security Incident Management - EN | PECB Webinars: https://pecb.com/webinars Article: https://pecb.com/article Whitepaper: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION YouTube video: https://youtu.be/yT8gxRZD_4c

2. Agenda
 Speaker introduction:
Loris Mansiamina
Common cyber attacks in 2023
 Speaker introduction:
Rinske Geerlings
Key benefits of ISO compliance
 Process & People aspects of:
ISO 27001: Information Security Management
ISO 27035: Information Security Incident Management
Cyber resilience strategies for 2024
 Technical aspects of:
ISO 27001: Information Security Management
ISO 27035: Information Security Incident Management
Cyber resilience strategies for 2024
 Case studies
 Q&A

3. Background: Rinske Geerlings
• Founder, Principal Consultant and MD of Business As Usual (since 2006)
• 20+ years of consulting experience globally
• ISO 22301 Master – ISO 31000 Lead Risk Manager – ISO 27001 Master –
ISO 22361 Senior Lead Crisis Manager
• CBCP, MBCI, ITIL Master, COBIT, ISO 27032 Fd and ISO 22316 Fd certified
• Consulted to 15 Central Banks and 100s of other Government entities,
SMEs and larger corporates in Australasia, Africa, Europe, Latin America
• Awards:
o Alumnus of the Year 2012 (Delft, the Netherlands)
o Awarded Business Woman of the Year 2010-2013 (BPW, global NGO)
o Awarded Risk Consultant of the Year 2017 (Australasia) by RMIA
o Awarded Outstanding Security Consultant of 2019 (OSPAs Finalist)
o Converged Resilience Champion / 2022 Finalist (Australian Women in
Security Awards)

4. • Secures your information in all forms
• Increase your attack resilience
• Reduce information security costs
• Respond to evolving security threats
• Improve company culture
• Offers organization-wide protection
• Provides a central framework
• Protects confidentiality of data
• Competitive advantage
Key benefits of ISO compliance

5. Background: Loris Mansiamina
• Manager and Head of Advisory Department at Ernst & Young DRC (EY DR
Congo) based in Kinshasa, specializing in technological risks and various
issues related to technological and organizational consulting.
• 10+ years of consulting experience in the region of Central Africa
• Certifications: ISO 27001 Lead Implementer, CSX-F, GRC Professional &
Auditor – ITIL – Sygma (Green Belt, Black Belt, Master Black
Belt, Champion, Deployment Leader)– Agile Coach – KANBAN (Expert
& Manager) – Scrum (Master, Product owner & scaled Scrum expert) –
Devops.
• Sectors : Banks, Telcos, mining, government, NGOs, etc.
• IT Risk management – IT strategy and Management – Governance, Risk
management and Compliance – ISO Implementation on ISO 27001, ISO
27002, ISO 27005, ISO 20000-1 – ISO internal audit aligned with ISO
19011 – Digital transformation – IT Audit – Project Management –
Product management – Business continuity – Etc.

6. 1. Social Engineering
2. Third-Party Exposure
3. Configuration Mistakes
4. Poor Cyber Hygiene
5. Cloud Vulnerabilities
6. Mobile Device Vulnerabilities
7. Internet of Things
8. Ransomware
9. Poor Data Management
10.Inadequate Post-Attack Procedures
Top 10 cybersecurity threats in 2023
Source: EMBROKER

7. Specifications and complementarity:
ISO/IEC 27001 and ISO/IEC 27035
Resilience
ISO/IEC 27001 ISO/IEC 27035

8. Process and People aspects of ISO 27001

9. ISO 27001:2022 Main clauses

10. ISO 27001:2022 Main clauses

11. ISO 27001:2022 Annex – 93 Security Controls

12. ISO 27001:2022 Annex – 93 Security Controls

13. ISO 27001:2022 Annex – 93 Security Controls

14. ISO 27001:2022 Annex – 93 Security Controls

15. ISO 27001:2022 Annex – 93 Security Controls

16. 4 Overview
4.1 Basic concepts
4.2 ​Objectives of incident management
4.3 Benefits of a structured approach
4.4 Adaptability
4.5 Capability
4.6 Communication
4.7 Documentation
5 Process
5.1 Overview
5.2 Plan and prepare
5.3 Detect and report
5.4 ​Assess and decide
5.5 Respond
5.6 Learn lessons
Process and People aspects of ISO 27035

17. Process and People aspects of ISO 27035
Source: IntegraCept (PECB partner)

18. Cultural and knowledge gap between senior
leaders and InfoSec staff

20. • Comprehensive cybersecurity policy, including regular refreshing
• Exec/Board training including use of actual case studies
• Clarity on Risk Appetite and Risk Capacity/Tolerances
• Ensuring staff understand the importance of strong passwords,
MFA and VPNs
• Develop, update, and test incident response plans
• Defined roles, responsibilities and alternates
• Vetting and monitoring of security practices of third-party vendors
and including security requirements in contracts
• Continuous monitoring for insider threat (incl use of red teaming)
• Regular security management audits
Non-technical ways to improve cyber resilience
in 2024

21. Set of some mandatory documents and records :
Technical aspects of ISO 27001
Documents
 Scope of the ISMS (Clause 4.3)
 Information security policy (Clause 5.2)
 Risk assessment and risk treatment process (Clause 6.1.2)
 Statement of Applicability (Clause 6.1.3 d)
 Risk treatment plan (Clause 6.1.3 e, 6.2, and 8.3)
 Information security objectives (Clause 6.2)
 Risk assessment and treatment report (Clauses 8.2 and 8.3 )
 Inventory of assets Control (A.5.9)
 Acceptable use of assets Control (A.5.10)
 Incident response procedure Control (A.5.26)
 Statutory, regulatory, and contractual requirements Control
(A.5.31)
 Security operating procedures for IT management Control
(A.5.37)
 Definition of security roles and responsibilities Controls (A.6.2.
and A.6.6)
 Definition of security configurations Control (A.8.9)
 Secure system engineering principles Control (A.8.27)
Records
• Training, skills, experience, and qualifications (Clause 7.2)
• Monitoring and measurement results (Clause 9.1)
• Internal audit program (Clause 9.2)
• Results of internal audits (Clause 9.2)
• Results of the management review (Clause 9.3)
• Results of corrective actions (Clause 10.2)
• Logs of user activities, exceptions, and security events
(Control A.8.15)

22. Set the relevant document and build the skilled teams:
Technical aspects of ISO 27035
Documents
 Infosec incident management – handling infosec
incidents in consistent way
 Incident handling – detecting / reporting /
assessing / responding / dealing with /
learning from infosec incidents
 Infosec investigation - examinations,
analysis and interpretation to understand of
an Infosec incident
 Incident response – mitigation / resolution
infosec incidents, including to protect and
restore
Teams
 Incident management team (IMT), lead by
Incident Manager, for all infosec incident
management activities throughout the incident
(handling?) lifecycle (-2: manager should be
close to CxOs, might handle SOC area)
 Incident response team (IRT), lead by Incident
Coordinator, for responding to and resolving
incidents in a coordinated way. Can be a few in
a big organization.

23. Technical ways to improve cyber resilience in
2024
ISMS
ISIM
Defines the
requirements
relating to
Provides
guidance that
aim to meet
Documentation (Policies,
processes, roles & responsibilities)
+ Tools & techniques
Incident Management structure

24. Case studies
Engagement Name Cybersecurity Strategy & Portfolio
Management support
Client Issues The client did not have capabilities around
the cyber portfolio, and they were looking to
have a trusted partner to execute the
assessment and development of his program
management.
Value Created  Established and refined procedures,
processes and templates related to
metrics, change management and
communications
 Supported creation of a new 3-year
Cybersecurity awareness and culture
strategy
Engagement Name Cybersecurity Roadmap Transformation -
Cybersecurity Strategy
Client Issues The client wanted to aggregate a set of
various security assessments that had been
performed within the organization (e.g., IAM
assessment, cybersecurity self-assessment,
vulnerability management results, zero trust
assessment, etc.) and then conduct targeted
interviews to help the organization develop a
roadmap to transform their cybersecurity
strategy.
Value Created The client gained a new cybersecurity
strategy that reflects the increased threats
the sector faces. The existing strategy had
not been updated in multiple years and did
not raise the organizations capabilities to the
risk appetite of the enterprise

25. Case studies (continued)
Engagement Name Cybersecurity Strategy assurance
Client Issues The client required assistance for
understanding the IT infrastructure,
governance & operations, smart city and
cybersecurity current state and
recommendations as to how they can
enhance their IT and cyber practices to this
new central business district.
Value Created Setup cutting edge security capabilities,
processes and governance structure to
secure the data of current and future
residents or tenants as well as secure the
services and infrastructure offered to
residents or tenants.
Engagement Name Change Management Cyber Program
Client Issues Establish and develop the program over three
horizons including the definition and
implementation of a target Cyber Security
operating model to establish the capabilities
and capacity to deliver the Cyber Security
vision and strategy.
Value Created Clear roadmap developed to improve the
client’s cyber security capability against
industry standards and enabled a practical,
staged approach to transitioning to the
target operating model

26. THANK YOU
Q&A
Rinske Geerlings
Loris Mansiamina
rinskeg@businessasusual.com.au
Loris.mansiamina@cd.ey.com ;
lorismayifilua@gmail.com