implementing a sustainable compliance framework
Implementing a Sustainable Compliance Framework v01r1 draft
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
• Agility
• Governance
• Risk Management
• Verify & Validate
• Innovation
• Conclusion
a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.
b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.
c) Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.
d) The return of Internal Audit to its primary role, that of providing an independent assessment of management’s business risk mitigation activities, from being the primary collector of evidence to support management’s assessment of control effectiveness.
e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.
• Reduce risks and threats to the Confidentiality, Integrity and Availability of Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.
• Improve the effectiveness and efficiency of Security and Privacy Management by implementing a world-class best practice and framework for consistent, concise security administration.
• Improve the effectiveness and efficiency of existing security and privacy mechanisms by formalizing new practices to monitor compliance and maintain awareness of sensitive data.
• Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure the Executive Management Team that the organization’s Information Assets and System Resources are secure.
• Reduce the likelihood that an accidental security incident or breach of personal information caused by staff could have an adverse effect on the organization’s reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security education and awareness program.
a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.
Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing.
b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.
c) Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.
Similarly, Service Level Agreements could be established between the business unit or line of business seeking ISO 27001 Registration/Certification and external parties such as Cloud Computing Services, Vendors and Suppliers.
A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.
Risks associated with strategic planning, credit, market and finance that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the columns, a 1 – 5 impact scale and a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.
Risks associated with compliance to statutes, regulations and contractual obligations that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the columns, a 1 – 5 impact scale and a threshold can be added for clarity.
Risks associated with operations are the most common risks that external parties can positively or negatively impact. Those that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the columns, a 1 – 5 impact scale and a threshold can be added for clarity.
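The three Risk Registry slides above describe the same record layout for strategic/financial, compliance and operational risks: an open-versus-mitigated status, a 1 – 5 impact scale, a threshold column, and a distinction between entries kept for internal reporting and entries that may be reviewed with an external party. The following Python is an added example written for this page, not the deck author's own tool; it assumes that the threshold is an impact level at or above which an open risk is flagged for escalation, that likelihood uses the same 1 – 5 scale so a simple likelihood × impact score can be derived, and that strategic/financial risks are internal-only, as the first slide suggests. The sample entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    # The three risk groupings the deck walks through; strategic and financial
    # risks are grouped together because the deck treats them as one slide.
    STRATEGIC_FINANCIAL = "strategic/financial"
    COMPLIANCE = "compliance"
    OPERATIONAL = "operational"


class Status(Enum):
    OPEN = "open and ongoing"
    MITIGATED = "mitigated and closed"


# Assumption: strategic/financial risks stay internal and are never in the
# view prepared for an external party (vendor, supplier, cloud provider).
INTERNAL_ONLY = {Category.STRATEGIC_FINANCIAL}


@dataclass
class Risk:
    risk_id: str
    description: str
    category: Category
    likelihood: int  # 1 - 5 scale (assumed to mirror the impact scale)
    impact: int      # 1 - 5 scale, as on the deck's registry columns
    status: Status = Status.OPEN

    def __post_init__(self) -> None:
        # Reject values outside the 1 - 5 scale so the registry stays consistent.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    def score(self) -> int:
        # Simple likelihood x impact rating used for ordering entries.
        return self.likelihood * self.impact


@dataclass
class RiskRegistry:
    # Assumption: an open risk whose impact meets or exceeds this value is flagged.
    impact_threshold: int = 4
    risks: list = field(default_factory=list)

    def add(self, risk: Risk) -> None:
        if any(r.risk_id == risk.risk_id for r in self.risks):
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks.append(risk)

    def open_risks(self) -> list:
        return [r for r in self.risks if r.status is Status.OPEN]

    def above_threshold(self) -> list:
        # Only open risks are escalated; mitigated/closed ones are kept for history.
        flagged = [r for r in self.open_risks() if r.impact >= self.impact_threshold]
        return sorted(flagged, key=lambda r: r.score(), reverse=True)

    def external_view(self) -> list:
        # The subset that could be reviewed with an external party: open entries
        # outside the internal-only categories.
        return [r for r in self.open_risks() if r.category not in INTERNAL_ONLY]

    def summary(self) -> dict:
        # Per-category count of open vs mitigated entries for internal reporting.
        counts = {c: {"open": 0, "mitigated": 0} for c in Category}
        for r in self.risks:
            key = "open" if r.status is Status.OPEN else "mitigated"
            counts[r.category][key] += 1
        return counts


def build_sample_registry() -> RiskRegistry:
    # Constructed sample entries; ids and descriptions are illustrative only.
    reg = RiskRegistry(impact_threshold=4)
    reg.add(Risk("R1", "Revenue concentration in one market", Category.STRATEGIC_FINANCIAL, 3, 5))
    reg.add(Risk("R2", "Breach-notification clause not yet met", Category.COMPLIANCE, 2, 4))
    reg.add(Risk("R3", "Vendor SLA lacks incident-reporting time", Category.OPERATIONAL, 4, 2))
    reg.add(Risk("R4", "Backups untested (now remediated)", Category.OPERATIONAL, 1, 5, Status.MITIGATED))
    reg.add(Risk("R5", "Retention schedule not documented", Category.COMPLIANCE, 2, 3))
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    print("Escalate:", [r.risk_id for r in registry.above_threshold()])
    print("Share externally:", [r.risk_id for r in registry.external_view()])
    for category, counts in registry.summary().items():
        print(f"{category.value}: {counts}")
```

Running the module prints the escalation list, the entries that could be reviewed with an external party, and the per-category open/mitigated counts; the mitigated backup entry stays in the registry for history but is excluded from both escalation and the external view.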
d) The return of Internal Audit to its primary role, that of providing an independent assessment of management’s business risk mitigation activities, from being the primary collector of evidence to support management’s assessment of control effectiveness.
The Statement of Applicability (SoA) is created following a risk assessment against organizational assets that are in scope for protection from threats and vulnerabilities leading to loss of confidentiality, integrity and availability. Internal and external audits are facilitated against the SoA.

The flexibility of the ISMS allows additional security control decks, such as SANS CSC 20, to be added if they can be justified. The framework also streamlines any overlapping controls, minimizing or eliminating costly overlaps while improving the effectiveness and efficiency of the ISMS.
Traceability Matrix
e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.
Control Design
Sustainable compliance is achievable and within the grasp of every organization, regardless of size, with the integration of internationally accepted quality management standards like ISO/IEC 27001:2013. This approach enforces governance and risk management while establishing an agile program that seeks out innovation and quality.
For more information contact Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure LinkedIn: http://ca.linkedin.com/in/markesbernard