Learn more about the importance of ISO 27001 and its role in GRC, the advantages of starting with ISO 27001, and the importance of its structure.
Main points covered:
• Definition and goals of GRC (Governance, Risk and Compliance)
• How the structure of ISO/IEC 27001 implements GRC
• Advantages of starting with ISO/IEC 27001
Presenter:
This webinar was presented by Jorge Lozano. He is a senior manager at the Cybersecurity & Privacy practice of PwC Mexico. He has over 17 years of experience in information security and holds the CISSP, CISM, CEH, and ISO27001LI certifications. He is an instructor of PECB for the ISO27001 Introduction, Foundation and Lead Implementer courses.
Link of the recorded session published on YouTube: https://youtu.be/sLfAarQ8cf0
2. Jorge Lozano
Senior Manager
+52 (55) 5018 1084 jlozano@jeracum.com.mx
4. What is GRC?
• These three elements are the enablers for an organization to assure it meets its objectives.
[Diagram: Governance, Risk Management and Compliance surrounding the organization's Objectives]
5. What is GRC?
Governance
• The overall management approach employed by senior executives to direct and control the whole organization.
6. What is GRC?
Risk Management
• The mechanisms to effectively and cost-efficiently give treatment to risks that can hinder an organization's operations or its ability to remain competitive in its market.
7. What is GRC?
Compliance
• The management processes to achieve conformance with stated requirements.
8. What is GRC?
Goals
• Provide relevant, reliable, and timely information to appropriate stakeholders.
• Achieve objectives while optimizing risk profile and protecting value.
• Understand and prioritize stakeholder expectations.
• Set business objectives that are congruent with values and risks.
• Operate within legal, contractual, internal, social, and ethical boundaries.
• Enable the measurement of performance and effectiveness.
Source: OCEG (Open Compliance & Ethics Group) – GRC Capability Model, Red Book, 2.0
9. The structure of ISO27001
Goals
• ISO27001 “provides the requirements to establish, implement, maintain and continually improve an Information Security Management System (ISMS).”
• “The ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.”
• “It is important that the ISMS is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls.”
11. Using ISO27001 for GRC
GRC goals
Clause 4.2 Understanding the needs and expectations of interested parties
“The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.”
GRC goal addressed: Understand and prioritize stakeholder expectations.
12. Using ISO27001 for GRC
GRC goals
Clause 6.1.1 General
“When planning for the information security management system, the organization shall consider the issues referred to in 4.1 (Understanding the organization and its context) and the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed.”
GRC goal addressed: Set business objectives that are congruent with values and risks.
13. Using ISO27001 for GRC
GRC goals
Clause 8.1 Operational planning and control
“The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1 (Actions to address risks and opportunities). The organization shall also implement plans to achieve information security objectives determined in 6.2 (Information security objectives and planning to achieve them).”
GRC goal addressed: Achieve objectives while optimizing risk profile and protecting value.
14. Using ISO27001 for GRC
GRC goals
Clause 4.2 Understanding the needs and expectations of interested parties
“The organization shall determine: …
… b) the requirements of these interested parties relevant to information security.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.”
Clause A.18.1 Compliance with legal and contractual requirements
“Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.”
GRC goal addressed: Operate within legal, contractual, internal, social, and ethical boundaries.
15. Using ISO27001 for GRC
GRC goals
Clause 9.3 Management review
“Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
… d) feedback from interested parties; …
… The organization shall retain documented information as evidence of the results of management reviews.”
GRC goal addressed: Provide relevant, reliable, and timely information to appropriate stakeholders.
16. Using ISO27001 for GRC
GRC goals
Clause 9.1 Monitoring, measurement, analysis and evaluation
“The organization shall evaluate the information security performance and the effectiveness of the information security management system. …
… The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.”
GRC goal addressed: Enable the measurement of performance and effectiveness.
17. Using ISO27001 for GRC
Projecting from ISO27001
• The adopted information security management practices can facilitate the implementation of other risk and compliance cases such as:
• Business Continuity
• Health & Safety
• Supply Chain
• Environmental Sustainability
• Quality Management
• IT Governance & Assurance
• Operational Risk
• Project and Programme Risk
• Corporate Social Responsibility
18. Conclusions
• The structure of ISO27001 aligns with GRC practices:
• It establishes information security governance aligned with the enterprise governance.
• It preserves the security of information by applying a risk management process.
• It establishes a set of controls that enables the organization to comply with the requirements to protect its information.
• The clauses of ISO27001 guarantee that the establishment, implementation, maintenance and continual improvement of information security management are achieved.
• The ISMS makes the implementation of other risk and compliance cases more natural.