ISO/IEC 27001 as a starting point for GRC
APRIL 2016
Jorge Lozano
Senior Manager
Jorge Lozano is a senior manager in the Cybersecurity & Privacy practice of PwC Mexico. He has over 17 years of experience in information security and holds the CISSP, CISM, CEH and ISO27001LI certifications. He is a PECB instructor for the ISO27001 introduction, foundation and lead implementer courses.
+52 (55) 5018 1084 jlozano@jeracum.com.mx
linkedin.com/name.surname
Agenda
What is GRC?
The structure of ISO27001
Using ISO27001 for GRC
What is GRC?
• These three elements are the enablers for an organization to assure it meets its objectives.
[Diagram: Governance, Risk Management and Compliance arranged around Objectives]
What is GRC?
Governance
• The overall management approach employed by senior executives to direct and control the whole organization.
What is GRC?
Risk Management
• The mechanisms to effectively and cost-efficiently treat risks that can hinder an organization's operations or its ability to remain competitive in its market.
What is GRC?
Compliance
• The management processes to achieve conformance with stated requirements.
What is GRC?
Goals
Provide relevant, reliable, and timely information to appropriate stakeholders.
Achieve objectives while optimizing risk profile and protecting value.
Understand and prioritize stakeholder expectations.
Set business objectives that are congruent with values and risks.
Operate within legal, contractual, internal, social, and ethical boundaries.
Enable the measurement of performance and effectiveness.
Source: OCEG (Open Compliance & Ethics Group) – GRC Capability Model, Red Book, 2.0
The structure of ISO27001
Goals
• The ISO27001 “provides the requirements to establish, implement,
maintain and continually improve an Information Security Management
System (ISMS).”
• “The ISMS preserves the confidentiality, integrity and availability of
information by applying a risk management process and gives confidence
to interested parties that risks are adequately managed.”
• “It is important that the ISMS is part of and integrated with the
organization’s processes and overall management structure and that
information security is considered in the design of processes, information
systems, and controls.”
The structure of ISO27001
Clauses
Using ISO27001 for GRC
GRC goals
Clause 4.2 Understanding the needs and expectations of interested parties
“The organization shall determine:
a) interested parties that are relevant to the information security
management system; and
b) the requirements of these interested parties relevant to information
security.”
Understand and prioritize stakeholder expectations.
Using ISO27001 for GRC
GRC goals
Clause 6.1.1 General
“When planning for the information security management system, the
organization shall consider the issues referred in 4.1 (Understanding the
organization and its context) and the requirements referred to in 4.2
(Understanding the needs and expectations of interested parties) and
determine the risks and opportunities that need to be addressed.”
Set business objectives that are congruent with values and risks.
Using ISO27001 for GRC
GRC goals
Clause 8.1 Operational planning and control
“The organization shall plan, implement and control the processes needed to
meet information security requirements, and to implement the actions
determined in 6.1 (Actions to address risks and opportunities). The
organization shall also implement plans to achieve information security
objectives determined in 6.2 (Information security objectives and planning to
achieve them).”
Achieve objectives while optimizing risk profile and protecting value.
Using ISO27001 for GRC
GRC goals
Clause 4.2 Understanding the needs and expectations of interested parties
“The organization shall determine: …
… b) the requirements of these interested parties relevant to information
security.
NOTE The requirements of interested parties may include legal and
regulatory requirements and contractual obligations.”
Clause A.18.1 Compliance with legal and contractual requirements
“Objective: To avoid breaches of legal, statutory, regulatory or contractual
obligations related to information security and of any security requirements.”
Operate within legal, contractual, internal, social, and ethical boundaries.
Using ISO27001 for GRC
GRC goals
Clause 9.3 Management review
“Top management shall review the organization’s information security
management system at planned intervals to ensure its continuing suitability,
adequacy and effectiveness.
The management review shall include consideration of:
… d) feedback from interested parties; …
… The organization shall retain documented information as evidence of the
results of management reviews.”
Provide relevant, reliable, and timely information to appropriate stakeholders.
Using ISO27001 for GRC
GRC goals
Clause 9.1 Monitoring, measurement, analysis and evaluation
“The organization shall evaluate the information security performance and
the effectiveness of the information security management system. …
… The organization shall retain appropriate documented information as
evidence of the monitoring and measurement results.”
Enable the measurement of performance and effectiveness.
Using ISO27001 for GRC
Projecting from ISO27001
• The adopted information security management practices can facilitate the implementation of other risk and compliance cases such as:
• Business Continuity
• Health & Safety
• Supply Chain
• Environmental Sustainability
• Quality Management
• IT Governance & Assurance
• Operational Risk
• Project and Programme Risk
• Corporate Social Responsibility
Conclusions
• The structure of ISO27001 aligns with GRC practices:
• It establishes information security governance aligned with the enterprise governance.
• It preserves the security of information by applying a risk management process.
• It establishes a set of controls that enables the organization to comply with the requirements to protect its information.
• The clauses in ISO27001 guarantee that the establishment, implementation, maintenance and continual improvement of information security management is achieved.
• The ISMS makes the implementation of other risk and compliance cases more natural.
QUESTIONS
THANK YOU

Contenu connexe

Tendances

Fortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptxFortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptx
ArianeSpano
 

Tendances (20)

ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating Model
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Fortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptxFortinet Corporate Overview Deck.pptx
Fortinet Corporate Overview Deck.pptx
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST Certification
 

En vedette

ISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 Foundation
ISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 FoundationISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 Foundation
ISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 Foundation
CompanyWeb
 
ISO/IEC 17025
ISO/IEC 17025 ISO/IEC 17025
ISO/IEC 17025
Akma Ija
 

En vedette (13)

An ISO/IEC 33000-compliant Measurement Framework for Software Process Sustain...
An ISO/IEC 33000-compliant Measurement Framework for Software Process Sustain...An ISO/IEC 33000-compliant Measurement Framework for Software Process Sustain...
An ISO/IEC 33000-compliant Measurement Framework for Software Process Sustain...
 
ISO/IEC 27001:2005
ISO/IEC 27001:2005ISO/IEC 27001:2005
ISO/IEC 27001:2005
 
Iso iec 12207 software life cycle processes
Iso  iec 12207 software life cycle processesIso  iec 12207 software life cycle processes
Iso iec 12207 software life cycle processes
 
ISO/IEC 24570:2016 - What's new?
ISO/IEC 24570:2016 - What's new?ISO/IEC 24570:2016 - What's new?
ISO/IEC 24570:2016 - What's new?
 
ISO IEC 27001 Lead Auditor
ISO IEC 27001 Lead AuditorISO IEC 27001 Lead Auditor
ISO IEC 27001 Lead Auditor
 
Project revisie ISO27001 - ISO 27001
Project revisie ISO27001 - ISO 27001Project revisie ISO27001 - ISO 27001
Project revisie ISO27001 - ISO 27001
 
Digitaal handboek voor ISO, HKZ, PREZO, VCA, BRZO, HACCP en NEN
Digitaal handboek voor ISO, HKZ, PREZO, VCA, BRZO, HACCP en NENDigitaal handboek voor ISO, HKZ, PREZO, VCA, BRZO, HACCP en NEN
Digitaal handboek voor ISO, HKZ, PREZO, VCA, BRZO, HACCP en NEN
 
ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!
 
Transitieplan ISO 9001:2015, transitie plan - implementatie ISO9001 - implem...
Transitieplan  ISO 9001:2015, transitie plan - implementatie ISO9001 - implem...Transitieplan  ISO 9001:2015, transitie plan - implementatie ISO9001 - implem...
Transitieplan ISO 9001:2015, transitie plan - implementatie ISO9001 - implem...
 
Risico management ISO 9001:2015, een voorbeeld - Project revisie ISO9001 - r...
Risico management  ISO 9001:2015, een voorbeeld - Project revisie ISO9001 - r...Risico management  ISO 9001:2015, een voorbeeld - Project revisie ISO9001 - r...
Risico management ISO 9001:2015, een voorbeeld - Project revisie ISO9001 - r...
 
ISO / IEC 17025
ISO / IEC 17025ISO / IEC 17025
ISO / IEC 17025
 
ISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 Foundation
ISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 FoundationISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 Foundation
ISO/IEC 27002 Foundation - Preparatório para Certificação ISO 27002 Foundation
 
ISO/IEC 17025
ISO/IEC 17025 ISO/IEC 17025
ISO/IEC 17025
 

Similaire à ISO/IEC 27001 as a Starting Point for GRC

Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
sdfghj21
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
HyTrust
 

Similaire à ISO/IEC 27001 as a Starting Point for GRC (20)

Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptxISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
 
Achieving integrated mandatory compliance with ISO 31000
Achieving integrated mandatory compliance with ISO 31000Achieving integrated mandatory compliance with ISO 31000
Achieving integrated mandatory compliance with ISO 31000
 
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust Framework
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information Security
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirements
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
 

Plus de PECB

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
PECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
PECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
PECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
PECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
PECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
PECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
PECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 

Plus de PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Dernier

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 

Dernier (20)

Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Holdier Curriculum Vitae (April 2024).pdf

ISO/IEC 27001 as a Starting Point for GRC

  • 9. The structure of ISO27001: Goals
    • ISO27001 "provides the requirements to establish, implement, maintain and continually improve an Information Security Management System (ISMS)."
    • "The ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed."
    • "It is important that the ISMS is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls."
  • 10. The structure of ISO27001: Clauses (the slide's clause diagram is not reproduced in the transcript)
  • 11. Using ISO27001 for GRC: GRC goals
    • GRC goal: Understand and prioritize stakeholder expectations.
    • Clause 4.2, Understanding the needs and expectations of interested parties: "The organization shall determine: a) interested parties that are relevant to the information security management system; and b) the requirements of these interested parties relevant to information security."
  • 12. Using ISO27001 for GRC: GRC goals
    • GRC goal: Set business objectives that are congruent with values and risks.
    • Clause 6.1.1, General: "When planning for the information security management system, the organization shall consider the issues referred to in 4.1 (Understanding the organization and its context) and the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed."
  • 13. Using ISO27001 for GRC: GRC goals
    • GRC goal: Achieve objectives while optimizing risk profile and protecting value.
    • Clause 8.1, Operational planning and control: "The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1 (Actions to address risks and opportunities). The organization shall also implement plans to achieve information security objectives determined in 6.2 (Information security objectives and planning to achieve them)."
  • 14. Using ISO27001 for GRC: GRC goals
    • GRC goal: Operate within legal, contractual, internal, social, and ethical boundaries.
    • Clause 4.2, Understanding the needs and expectations of interested parties: "The organization shall determine: … b) the requirements of these interested parties relevant to information security. NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations."
    • Annex A control objective A.18.1, Compliance with legal and contractual requirements: "Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements." (Numbering as in ISO/IEC 27001:2013, the edition current when this deck was written; ISO/IEC 27001:2022 reorganised Annex A, and this objective corresponds to control 5.31, Legal, statutory, regulatory and contractual requirements.)
  • 15. Using ISO27001 for GRC: GRC goals
    • GRC goal: Provide relevant, reliable, and timely information to appropriate stakeholders.
    • Clause 9.3, Management review: "Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: … d) feedback from interested parties; … The organization shall retain documented information as evidence of the results of management reviews."
  • 16. Using ISO27001 for GRC: GRC goals
    • GRC goal: Enable the measurement of performance and effectiveness.
    • Clause 9.1, Monitoring, measurement, analysis and evaluation: "The organization shall evaluate the information security performance and the effectiveness of the information security management system. … The organization shall retain appropriate documented information as evidence of the monitoring and measurement results."
  • 17. Using ISO27001 for GRC: Projecting from ISO27001
    • The information security management practices adopted for the ISMS can facilitate the implementation of other risk and compliance cases, such as:
      • Business Continuity
      • Health & Safety
      • Supply Chain
      • Environmental Sustainability
      • Quality Management
      • IT Governance & Assurance
      • Operational Risk
      • Project and Programme Risk
      • Corporate Social Responsibility
  • 18. Conclusions
    • The structure of ISO27001 aligns with GRC practices:
      • It establishes information security governance aligned with enterprise governance.
      • It preserves the security of information by applying a risk management process.
      • It establishes a set of controls that enables the organization to comply with the requirements to protect its information.
    • The clauses of ISO27001 require that information security management is established, implemented, maintained and continually improved; conformance to them is what certification audits assess.
    • An ISMS makes the implementation of other risk and compliance cases more natural.
  • 19. Questions? Thank you. +52 (55) 5018 1084 jlozano@jeracum.com.mx linkedin.com/name.surname