Implementing a Sustainable Compliance Framework

Posted on 18-Dec-2014

Category: Business

DESCRIPTION

Implementing a Sustainable Compliance Framework v01r1 draft

TRANSCRIPT

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

• Agility

• Governance

• Risk Management

• Verify & Validate

• Innovation

• Conclusion

a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.

b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.

c) Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.

d) The return of Internal Audit to its primary role, that of providing an independent assessment of management’s business risk mitigation activities, from being the primary collector of evidence to support management’s assessment of control effectiveness.

e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.

• Reduce risks and threats to the Confidentiality, Integrity and Availability of Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.

• Improve the effectiveness and efficiency of Security and Privacy Management by implementing a world-class best-practice framework for consistent, concise security administration.

• Improve effectiveness and efficiencies of existing security and privacy mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.

• Improve assurance testing and validation outcomes by Internal Audit and External Auditors, to further assure the Executive Management Team that the organization's Information Assets and System Resources are secure.

• Reduce the likelihood that an accidental security incident or breach of personal information caused by staff could have an adverse effect on the organization's reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security education and awareness program.

a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.

Compliance Management can be broken down into four general categories: statutes, regulations, internal-facing and external-facing.

b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.

c) Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.

Similarly, Service Level Agreements could be established between the business unit or line of business seeking ISO 27001 Registration/Certification and external parties such as Cloud Computing Services, Vendors and Suppliers.

A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.

Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the 1 to 5 impact scale column a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.

Risks associated with compliance to statutes, regulations and contractual obligations that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the 1 to 5 impact scale column a threshold can be added for clarity.

Risks associated with operations are the most common risks that external parties can positively or negatively impact. Those that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the 1 to 5 impact scale column a threshold can be added for clarity.
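The three Risk Registry slides above describe one structure: open versus closed risks per category, a 1 to 5 likelihood and impact scale with a threshold added to the impact column, and a distinction between internal-only categories (strategic, credit, market, financial) and those that may be reviewed with an external party (compliance, operations). The following is an added example, not part of the deck and not the author's tooling, showing that registry in working form. The sample entries, the owners, and the threshold bands (15 for high, 8 for medium) are constructed assumptions.

```python
"""Risk Registry with 1-5 likelihood/impact scales, a reporting threshold and an
external-facing view. Added example: every entry below is constructed for
illustration and is not taken from the deck."""
from dataclasses import dataclass

# Categories named in the deck. Strategic, credit, market and financial risks are
# reported internally only; compliance and operations risks may be reviewed with
# the external party (vendor, supplier, cloud provider).
INTERNAL_ONLY = {"strategic", "credit", "market", "financial"}
CATEGORIES = INTERNAL_ONLY | {"compliance", "operations"}


@dataclass(frozen=True)
class Risk:
    rid: str
    category: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    status: str       # "open" (ongoing) or "closed" (mitigated)
    owner: str        # business process owner, not the compliance team

    def __post_init__(self):
        # Reject entries that fall outside the agreed scales; a registry that
        # silently accepts a 6 cannot be compared across business units.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.rid}: unknown category {self.category!r}")
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.rid}: {name} must be on the 1-5 scale")
        if self.status not in ("open", "closed"):
            raise ValueError(f"{self.rid}: status must be 'open' or 'closed'")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # 1..25


def rating(score: int) -> str:
    """Threshold bands shown beside the numeric score for clarity (assumed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def open_risks(registry, category=None):
    """Open and ongoing risks, optionally restricted to one category."""
    return [r for r in registry
            if r.status == "open" and (category is None or r.category == category)]


def above_threshold(registry, threshold: int):
    """Open risks at or above the reporting threshold, highest score first."""
    hits = [r for r in open_risks(registry) if r.score >= threshold]
    return sorted(hits, key=lambda r: (-r.score, -r.impact, r.rid))


def external_view(registry):
    """The registry as shared with an external party: internal-only categories removed."""
    return [r for r in registry if r.category not in INTERNAL_ONLY]


def report(registry, threshold: int):
    """Rows for the internal report: (id, category, score, rating, status, owner)."""
    return [(r.rid, r.category, r.score, rating(r.score), r.status, r.owner)
            for r in above_threshold(registry, threshold)]


# Constructed sample registry (not real findings).
REGISTRY = [
    Risk("R-01", "strategic", "Entry into new market without ISMS scope review", 2, 4, "open", "CEO"),
    Risk("R-02", "financial", "Unbudgeted remediation cost after audit finding", 3, 3, "closed", "CFO"),
    Risk("R-03", "compliance", "Privacy breach notification deadline missed", 2, 5, "open", "Privacy Officer"),
    Risk("R-04", "compliance", "Contractual encryption-at-rest SLA not evidenced", 3, 4, "open", "Vendor Manager"),
    Risk("R-05", "operations", "Cloud provider outage exceeds recovery time objective", 3, 4, "open", "Ops Lead"),
    Risk("R-06", "operations", "Unpatched hypervisor at hosting vendor", 4, 4, "closed", "Ops Lead"),
]

if __name__ == "__main__":
    for row in report(REGISTRY, threshold=10):
        print(row)
    print("shared externally:", [r.rid for r in external_view(REGISTRY)])
```

Scoring is the plain likelihood times impact product so that the threshold is a single number the business owner can reason about; the `external_view` function is what you would export before a vendor review, since it drops exactly the categories the deck says would not be shared.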

d) The return of Internal Audit to its primary role, that of providing an independent assessment of management's business risk mitigation activities, from being the primary collector of evidence to support management's assessment of control effectiveness.

The Statement of Applicability (SoA) is created following a risk assessment against the organizational assets that are in scope for protection from threats and vulnerabilities leading to loss of confidentiality, integrity and availability. Internal and external audits are conducted against the SoA.

The flexibility of the ISMS allows additional control sets, such as the SANS Critical Security Controls (CSC 20), to be added if they can be justified by the risk assessment. The framework also streamlines overlapping controls, minimizing or eliminating costly duplication while improving the effectiveness and efficiency of the ISMS.
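The SoA and traceability matrix described here are a data structure that an auditor walks: every control in scope traces back to the risk that justified it and forward to the business process owner who holds the evidence. The example below is added and is not the author's or any product's code. It builds an SoA from a constructed set of risk-treatment decisions over a subset of ISO/IEC 27001:2013 Annex A control identifiers, merges a second control set modelled on the SANS/CIS Critical Security Controls, and reports which second-set items overlap controls already in place, which are added because a risk justifies them, and which are rejected. The `CSC-*` identifiers and their cross-walk to Annex A, the treatments and the owners are assumptions made for the example, not a published mapping.

```python
"""Statement of Applicability (SoA) and traceability matrix from a risk assessment,
with a second control set merged and overlaps detected. Added example: the risks,
treatments, second control set and owners below are constructed."""
from collections import defaultdict

# Subset of ISO/IEC 27001:2013 Annex A control identifiers used in this example.
ANNEX_A = {
    "A.9.4.1": "Information access restriction",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.15.1.1": "Information security policy for supplier relationships",
    "A.17.1.2": "Implementing information security continuity",
}

# Constructed risk-treatment decisions: risk id -> controls chosen to treat it.
TREATMENTS = {
    "R-03": ["A.12.4.1"],
    "R-04": ["A.10.1.1", "A.15.1.1"],
    "R-05": ["A.17.1.2", "A.15.1.1"],
    "R-06": ["A.12.6.1", "A.15.1.1"],
}

# Hypothetical second control set: (name, cross-walk to Annex A). The identifiers
# and cross-walk are assumptions for this example; check them against the current
# CIS Controls publication before relying on them.
SECOND_SET = {
    "CSC-4": ("Continuous vulnerability assessment and remediation", ["A.12.6.1"]),
    "CSC-6": ("Audit log maintenance and monitoring", ["A.12.4.1"]),
    "CSC-10": ("Data recovery capability", ["A.12.3.1"]),
    "CSC-20": ("Penetration tests and red team exercises", []),  # no single Annex A equivalent
}

# Constructed evidence owners: business process owners, not a compliance team.
OWNERS = {
    "A.10.1.1": "Vendor Manager", "A.12.4.1": "Ops Lead", "A.12.6.1": "Ops Lead",
    "A.15.1.1": "Vendor Manager", "A.17.1.2": "Ops Lead",
}


def build_soa(catalogue, treatments):
    """Every catalogue control gets an applicability decision plus the risks that justify it.
    Controls no risk points at are excluded with a recorded reason, which auditors ask for."""
    justification = defaultdict(list)
    for risk_id, controls in treatments.items():
        for cid in controls:
            if cid not in catalogue:
                raise KeyError(f"{risk_id} references unknown control {cid}")
            justification[cid].append(risk_id)
    return {
        cid: {"name": name,
              "applicable": cid in justification,
              "justified_by": sorted(justification.get(cid, [])),
              "reason": "" if cid in justification else "no identified risk treated by this control"}
        for cid, name in catalogue.items()
    }


def merge_control_set(soa, second_set, justified_by):
    """Merge a second control set. Items whose cross-walked Annex A control is already
    applicable are overlaps (tracked, not implemented twice). Items with no applicable
    equivalent are added only when a risk justifies them, otherwise rejected.
    Returns (soa, overlaps, added, rejected)."""
    overlaps, added, rejected = [], [], []
    for cid, (name, crosswalk) in second_set.items():
        covered = [a for a in crosswalk if soa.get(a, {}).get("applicable")]
        if covered:
            overlaps.append((cid, covered))
        elif cid in justified_by:
            soa[cid] = {"name": name, "applicable": True,
                        "justified_by": sorted(justified_by[cid]), "reason": ""}
            added.append(cid)
        else:
            rejected.append(cid)
    return soa, overlaps, added, rejected


def traceability_matrix(soa, owners):
    """Rows of (control, risk, evidence owner) for the audit: each applicable control
    traces to the risk it treats and to the process owner holding the evidence."""
    return [(cid, risk, owners.get(cid, "UNASSIGNED"))
            for cid, entry in soa.items() if entry["applicable"]
            for risk in entry["justified_by"]]


def unowned_controls(rows):
    """Controls with no evidence owner: these will fail an audit walk-through."""
    return sorted({cid for cid, _, owner in rows if owner == "UNASSIGNED"})


if __name__ == "__main__":
    soa = build_soa(ANNEX_A, TREATMENTS)
    soa, overlaps, added, rejected = merge_control_set(soa, SECOND_SET, {"CSC-20": ["R-06"]})
    print("overlaps:", overlaps, "added:", added, "rejected:", rejected)
    rows = traceability_matrix(soa, OWNERS)
    for row in rows:
        print(row)
    print("no owner:", unowned_controls(rows))
```

The overlap list is the "streamlined" set from the slide: those items are satisfied by controls the SoA already carries and need a cross-reference, not a second implementation. The unowned list is the check for principle b) above: a control without a named business process owner has no one to produce evidence when Internal Audit comes to assess it.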

Traceability Matrix

e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.

Control Design

Sustainable compliance is achievable and within the grasp of every organization, regardless of size, through the integration of internationally accepted management system standards like ISO/IEC 27001:2013. This approach enforces governance and risk management while establishing an agile program that seeks out innovation and quality.

For more information contact: Skype Mark_E_S_Bernard; Twitter @MESB_TechSecure; LinkedIn http://ca.linkedin.com/in/markesbernard