SlideShare une entreprise Scribd logo

G12: Implementation to Business Value

H
HyTrust
Technologie
1  sur  38
Télécharger pour lire hors ligne
G12: Implementation to Business Value An ISO 27001 Journey at McKesson
Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 2
Who is McKesson? ►Largest healthcare services company in the world – Fortune 15 – $112 billion in revenues (FY11) – More than 36,000 employees dedicated to healthcare ▼ ►Oldest U.S. healthcare company – Established 1833 – 178 years driving innovation in healthcare ►Only company offering solutions at every point of care ►Deep clinical, IT and process expertise 3
Who is McKesson? A Diverse Business • Creating Value at Every Point of Care Manufacturers 400 Pharmaceutical Healthcare Providers 2,000 Medical-Surgical 200,000 Physicians 950 Consumer Product 10,000 Long-Term Care Facilities 5,000 Hospitals (including VA and DoD) 750 Home Care Agencies Health Plans Consumers 600 Payor Organizations (Public and Private) 25 Million Covered Lives 4
Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 5
Building the Business Case External ISO Drivers 6
Building the Business Case Internal ISO Drivers This profession is about more than technology solutions (widgets) for security ‘problems’… …it is about is understanding technology risks in business context. Certifications should be chosen to manage business risk. 7
Building the Business Case Describing What is ISO/IEC 27001? • International Standardization Organization (ISO)/ International Electro technical Commission (IEC) – Created ISO 9000 standard : quality manufacturing • ISO 27001 standard: Minimum baseline for an Information Security Program and supporting Controls 8
Building the Business Case Articulating Benefits Benefits Challenges ► Market differentiator ► Formalizes processes, documentation and external audit ► Supports ongoing customer audit activities requests ► Demonstrates information security ► Requires investments discipline ► Maintain and improve continuously ► Is a risk-based approach to … ongoing compliance ► Matures security programs Once you have it – you need to keep it! Certified Once … Accepted Globally 9
Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 10
Strategy and Framework Scoping – the Key to Success SECURE BUSINESS UNIT Business Unit Governance:  Application Management  BU Specific Change Management  Software Development Life Cycle  Operating Systems Management  Back Up and Recovery  Disaster Recovery and Business Continuity Planning  Asset Management FOUNDATION ESTABLISHED ACROSS THE COMPANY  Database Management Corporate Governance: BSI ISO 27001 Certification  Human Resources  Legal  Security Policies FOUNDATION ESTABLISHED ACROSS THE COMPANY  IT Risk Management Program IT Services: BSI ISO 27001 Certification  Security Incident Management and Response Vulnerability Management Security Operations  Physical Security / Environmental Controls 11
Strategy and Framework ISMS - Documented Components Key documents of an Information Security Management System (ISMS) include the following: ISMS Policy ISMS Manual ISMS Scope Statement ISMS Leadership ISMS Terms and Conditions Statement of Applicability (SOA) Risk Assessment Methodology Risk Assessment Report Internal Audit Report 12
Strategy and Framework ISMS - Documented Components ISMS Policy • Summarizes the overall goals and objectives of the ISMS and it’s purpose within the organization ISMS Manual • Refers to or consists of organizational policies, procedures, standards, and guidelines, which at minimum, include the following: • Document and records control • Management responsibility • Internal Audit • Management review of the ISMS • Metrics and success criteria • ISMS Improvement • Identification of Legislation 13
Strategy and Framework ISMS - Documented Components ISMS Scope Statement • Details the scope of the ISMS or in other words, “What is being certified” • Collaborate with senior leadership and applicable system, data, and process owners • Specify out of scope areas • If applicable, point to other ISO 27001 certifications • Length of the overall readiness process depends on the size of the scope ISMS Leadership • Defines the roles and responsibilities of the leadership team that will own and manage the ISMS ISMS Terms and Definitions • Provides definitions on Company or ISMS specific terminology or acronyms 14
Strategy and Framework ISMS - Documented Components Risk Assessment Methodology • Structured approach to risk management. Key areas should include the following: • Risk assessment planning and scoping • Threat and vulnerability assessment • Evaluating business risk (impact, likelihood, residual risk, etc.) • Risk prioritization • Risk mitigation Statement of Applicability (SOA) • The SOA lists the 133 ISO 27001 control standards • These should be reviewed by appropriate parties to determine applicability • Control activities/references should be documented for all “included” standards • The control owner and areas affected should be documented for each control 15
Strategy and Framework ISMS - Documented Components Risk Assessment Report • Based on the guidelines and procedures specified within the methodology document • Scope based on what was stated in the ISMS Scope Statement document • Residual risk calculation: • Note any gaps identified and the associated risk treatment plan Internal Audit • Performed by independent body (internal or external) • Perform test of design procedures • Leverage work performed by other risk management or compliance initiatives • Final product includes an audit report with associated gaps and risk treatment plans • Testing results and evidence inputted in a GRC tool 16
Strategy and Framework Communication • Send communication to provide awareness and understanding of the ISMS components Communication • ISMS should be managed over time through steering committee meetings or equivalent 17
Strategy and Framework Stage 1 Expectations Stage 1 Audit • High-level in nature • Focus is to ensure that there are no glaring gaps in the ISMS • ISO 27001 auditor primarily focuses on the ISMS documents • Operational areas may be sampled and reviewed at a high level • Ensure version control and dates are documented • Management review should be performed prior to the audit • Internal audit review should be performed prior to the audit • Identified gaps will not appear on the final report if managed 18
Strategy and Framework Stage 2 Expectations Stage 2 Audit • Verifies that all ISMS requirements have been satisfied • Detailed review of the ISMS documentation • Interviews are conducted with system, data, and/or process owners • Test evidence will be requested for a sample of controls • May include a sample of 1 control instance or multiple instances • Status meeting is held at the end of each day to discuss findings • Major non-conformities require a re-audit prior to certification • Ensure that all participants and related teams are aware of the ISMS 19
Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 20
Tools and Maintenance GRC Tool Benefits • Improve transparency and consistency – Effective management and reporting on IT risk management and compliance efforts • Streamline our work – Leverage integrated content including PCI DSS, ISO 27001, HIPAA, NIST, SOX etc. – Identify processes across multiple business units – Test centrally to satisfy many regulatory requirements – Automation – improved workflow, task management & reporting 21
Tools and Maintenance GRC Tool Benefits (Contd.) • Maintain a centralized repository of controls – Test controls and upload evidence • Process for tracking findings and remediation efforts • Report compliance at the process as well as policy level • Sample GRC Vendors - Archer, SAP, Trustwave, Control Path, Compliance 360, Symantec 22
Tools and Maintenance Overview of Compliance Management Assets Applications and Products and Systems Services Business Processes Control Control Standards Activities (Policies) Design Test Authoritative Sources (ISO 27001) Findings Remediation Plans 23
Tools and Maintenance ISO Controls Testing  Work with  Link controls to  Validate findings resource(s) to ISO authoritative with process owners, create processes source senior management and controls in  Link controls to  Track Remediation Archer policies Plans to completion Create Finalize Identify Processes Link to Auth. Findings Rationalize Perform Resource(s) and Controls Source and and Controls Testing in BU in Archer Policies Remediation Plans  Identify  Rationalize ISO dedicated  Test controls and controls with resource(s) in BU attach evidence existing controls  Train resource(s) (PCI, SOX, etc) in Archer 24 24
Tools and Maintenance Demo – Control Activity 25
Tools and Maintenance Demo – Control Standard 26
Tools and Maintenance Demo - Finding 27
Tools and Maintenance Demo – Remediation Plan 28
Tools and Maintenance Are we ready??? • Control activities (CAs) created • CAs linked to ISO reqs • Test results and evidence • Report of all open findings with expected remediation date • SOA updated with Archer CA number 29
Tools and Maintenance Obtain Certification CONGRATULATIONS!!! You are now ISO 27001 certified 30
Tools and Maintenance ISO Certification Continuous Maintenance • Automated custom-built notifications for maintenance activities • Determine the testing period in a fiscal year – test all applicable controls in this period – Leverage controls tested for other regulatory requirements (SOX, HIPAA, PCI, etc) – Ensure that all the processes specified in the audit schedule are tested • Track Senior Leadership meetings and maintain minutes in SharePoint/Archer • Findings- Work with dedicated resource(s) in the BU to track open findings 31
Tools and Maintenance Surveillance/Re-Audit Checklist Schedule audit with external auditors – Schedule meetings with process owners Update program level documentation – ISMS Audit Report – ISMS Manual – ISMS Policy – ISMS Scope – Risk Assessment Report – Senior leadership Team – Statement of Applicability – Report of controls testing results 32
Tools and Maintenance Surveillance/Re-Audit Checklist (contd.) Internal Assessment – Test Results – Audit Report Management Approval – Get all the program level documentation including the internal audit results approved by a third party 33
Tools and Maintenance Surveillance/Re-Audit Checklist (contd.)  Schedule post-certification party  Design gifts for teammates 34
Tools and Maintenance Big Wins • A single portal for compliance management – Integration of disparate processes – Compliance of multiple regulations satisfied by single control – Real-time status and results dashboards – Ease of Maintenance – Automated notifications, workflow • Allows for management of multiple certifications in a centralized repository with a repeatable process 35
Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 36
Awareness Campaign Promote the Achievement! • Do a road show!!! – Get statements from sponsors – Identify your business supporters – Present at sponsorship meetings – Get an article on the internal wire – Present at conferences  • No one will promote what you do for you - learn to do it yourself • Be educated in your approach - leverage internal teams like Toastmasters and mentors in the business for feedback on how to present at different levels in order to be the most effective 37
Questions? 38

Recommandé

Iso27001 The Road To Certification
Iso27001 The Road To CertificationIso27001 The Road To Certification
Iso27001 The Road To Certificationtschraider
 
How the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementHow the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementLars Neupart
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicestschraider
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationEbsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationPublicly traded global multi-billion services company
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4Obrina Candra, CISA, ISMS-LA
 

Recommandé

Iso27001 The Road To Certification
Iso27001 The Road To CertificationIso27001 The Road To Certification
Iso27001 The Road To Certificationtschraider
 
How the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementHow the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementLars Neupart
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicestschraider
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationEbsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationPublicly traded global multi-billion services company
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4Obrina Candra, CISA, ISMS-LA
 
ISO 27001:2013 - Changes
ISO 27001:2013 - ChangesISO 27001:2013 - Changes
ISO 27001:2013 - Changesn|u - The Open Security Community
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Popular Pitfalls In Isms Compliance
Popular Pitfalls In Isms CompliancePopular Pitfalls In Isms Compliance
Popular Pitfalls In Isms ComplianceRamkumar Ramachandran
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guideISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guideVerde Ventures Pvt. Ltd.
 
PECB Certified ISO 27001:2013 Lead Implementer by Kinverg
PECB Certified ISO 27001:2013 Lead Implementer by KinvergPECB Certified ISO 27001:2013 Lead Implementer by Kinverg
PECB Certified ISO 27001:2013 Lead Implementer by KinvergKinverg
 
Top management role to implement ISO 27001
Top management role to implement ISO 27001Top management role to implement ISO 27001
Top management role to implement ISO 27001PECB
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Stepsagiliancecommunity
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRobert Kloots
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTGaffri Johnson
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guidemfmurat
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013SAIGlobalAssurance
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security BaselineBarry Caplin
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness governmentHamisi Kibonde
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001powertech
 
Business Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewBusiness Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewAhmed Riad .
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0Maganathin Veeraragaloo
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awarenessÃsħâr Ãâlâm
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxssuser00d6eb
 

Contenu connexe

Tendances

ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
PECB Certified ISO 27001:2013 Lead Implementer by Kinverg
PECB Certified ISO 27001:2013 Lead Implementer by KinvergPECB Certified ISO 27001:2013 Lead Implementer by Kinverg
PECB Certified ISO 27001:2013 Lead Implementer by KinvergKinverg
 
Top management role to implement ISO 27001
Top management role to implement ISO 27001Top management role to implement ISO 27001
Top management role to implement ISO 27001PECB
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRobert Kloots
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTGaffri Johnson
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guidemfmurat
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013SAIGlobalAssurance
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security BaselineBarry Caplin
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness governmentHamisi Kibonde
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001powertech
 
Business Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewBusiness Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewAhmed Riad .
 

Tendances (20)

ISO 27001:2013 - Changes
ISO 27001:2013 - ChangesISO 27001:2013 - Changes
ISO 27001:2013 - Changes
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Popular Pitfalls In Isms Compliance
Popular Pitfalls In Isms CompliancePopular Pitfalls In Isms Compliance
Popular Pitfalls In Isms Compliance
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
 
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guideISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guide
 
PECB Certified ISO 27001:2013 Lead Implementer by Kinverg
PECB Certified ISO 27001:2013 Lead Implementer by KinvergPECB Certified ISO 27001:2013 Lead Implementer by Kinverg
PECB Certified ISO 27001:2013 Lead Implementer by Kinverg
 
Top management role to implement ISO 27001
Top management role to implement ISO 27001Top management role to implement ISO 27001
Top management role to implement ISO 27001
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Steps
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcm
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security Baseline
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness government
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCM
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001
 
Business Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An OverviewBusiness Continuity Management System ISO 22301:2012 An Overview
Business Continuity Management System ISO 22301:2012 An Overview
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 

Similaire à G12: Implementation to Business Value

english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxssuser00d6eb
 
Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013Andrea Porter
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptxISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptxSIS Certifications Pvt Ltd
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Chandan Singh Ghodela
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxNapoleon NV
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingOperational Excellence Consulting
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentationPranay Kumar
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptxSuman Garai
 
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...Tromenz Learning
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCPECB
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowPECB
 
8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lanka8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lankaAnoosha Factocert
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information TechnologyKathirvel Ayyaswamy
 

Similaire à G12: Implementation to Business Value (20)

Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
 
Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptxISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptx
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentation
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
 
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
 
Qsys Profile
Qsys ProfileQsys Profile
Qsys Profile
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRC
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 Compliance
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
 
8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lanka8 requirements to get iso 27001 certification in sri lanka
8 requirements to get iso 27001 certification in sri lanka
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
 

Plus de HyTrust

Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointHyTrust
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...HyTrust
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:HyTrust
 
S24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.veS24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.veHyTrust
 
IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011HyTrust
 
PCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference ArchitecturePCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference ArchitectureHyTrust
 
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...HyTrust
 
Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance MandatesSecure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance MandatesHyTrust
 
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies HyTrust
 
HyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data CenterHyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data CenterHyTrust
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 

Plus de HyTrust (12)

Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
 
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
 
S24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.veS24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.ve
 
IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011
 
PCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference ArchitecturePCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference Architecture
 
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
 
Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance MandatesSecure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
 
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
 
HyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data CenterHyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data Center
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure
 

Dernier

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 

Dernier (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 

G12: Implementation to Business Value

  • 1. G12: Implementation to Business Value An ISO 27001 Journey at McKesson
  • 2. Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 2
  • 3. Who is McKesson? ►Largest healthcare services company in the world – Fortune 15 – $112 billion in revenues (FY11) – More than 36,000 employees dedicated to healthcare ▼ ►Oldest U.S. healthcare company – Established 1833 – 178 years driving innovation in healthcare ►Only company offering solutions at every point of care ►Deep clinical, IT and process expertise 3
  • 4. Who is McKesson? A Diverse Business • Creating Value at Every Point of Care Manufacturers 400 Pharmaceutical Healthcare Providers 2,000 Medical-Surgical 200,000 Physicians 950 Consumer Product 10,000 Long-Term Care Facilities 5,000 Hospitals (including VA and DoD) 750 Home Care Agencies Health Plans Consumers 600 Payor Organizations (Public and Private) 25 Million Covered Lives 4
  • 5. Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 5
  • 6. Building the Business Case External ISO Drivers 6
  • 7. Building the Business Case Internal ISO Drivers This profession is about more than technology solutions (widgets) for security ‘problems’… …it is about is understanding technology risks in business context. Certifications should be chosen to manage business risk. 7
  • 8. Building the Business Case Describing What is ISO/IEC 27001? • International Standardization Organization (ISO)/ International Electro technical Commission (IEC) – Created ISO 9000 standard : quality manufacturing • ISO 27001 standard: Minimum baseline for an Information Security Program and supporting Controls 8
  • 9. Building the Business Case Articulating Benefits Benefits Challenges ► Market differentiator ► Formalizes processes, documentation and external audit ► Supports ongoing customer audit activities requests ► Demonstrates information security ► Requires investments discipline ► Maintain and improve continuously ► Is a risk-based approach to … ongoing compliance ► Matures security programs Once you have it – you need to keep it! Certified Once … Accepted Globally 9
  • 10. Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 10
  • 11. Strategy and Framework Scoping – the Key to Success SECURE BUSINESS UNIT Business Unit Governance:  Application Management  BU Specific Change Management  Software Development Life Cycle  Operating Systems Management  Back Up and Recovery  Disaster Recovery and Business Continuity Planning  Asset Management FOUNDATION ESTABLISHED ACROSS THE COMPANY  Database Management Corporate Governance: BSI ISO 27001 Certification  Human Resources  Legal  Security Policies FOUNDATION ESTABLISHED ACROSS THE COMPANY  IT Risk Management Program IT Services: BSI ISO 27001 Certification  Security Incident Management and Response Vulnerability Management Security Operations  Physical Security / Environmental Controls 11
  • 12. Strategy and Framework ISMS - Documented Components Key documents of an Information Security Management System (ISMS) include the following: ISMS Policy ISMS Manual ISMS Scope Statement ISMS Leadership ISMS Terms and Conditions Statement of Applicability (SOA) Risk Assessment Methodology Risk Assessment Report Internal Audit Report 12
  • 13. Strategy and Framework ISMS - Documented Components ISMS Policy • Summarizes the overall goals and objectives of the ISMS and it’s purpose within the organization ISMS Manual • Refers to or consists of organizational policies, procedures, standards, and guidelines, which at minimum, include the following: • Document and records control • Management responsibility • Internal Audit • Management review of the ISMS • Metrics and success criteria • ISMS Improvement • Identification of Legislation 13
  • 14. Strategy and Framework ISMS - Documented Components ISMS Scope Statement • Details the scope of the ISMS or in other words, “What is being certified” • Collaborate with senior leadership and applicable system, data, and process owners • Specify out of scope areas • If applicable, point to other ISO 27001 certifications • Length of the overall readiness process depends on the size of the scope ISMS Leadership • Defines the roles and responsibilities of the leadership team that will own and manage the ISMS ISMS Terms and Definitions • Provides definitions on Company or ISMS specific terminology or acronyms 14
  • 15. Strategy and Framework ISMS - Documented Components Risk Assessment Methodology • Structured approach to risk management. Key areas should include the following: • Risk assessment planning and scoping • Threat and vulnerability assessment • Evaluating business risk (impact, likelihood, residual risk, etc.) • Risk prioritization • Risk mitigation Statement of Applicability (SOA) • The SOA lists the 133 ISO 27001 control standards • These should be reviewed by appropriate parties to determine applicability • Control activities/references should be documented for all “included” standards • The control owner and areas affected should be documented for each control 15
  • 16. Strategy and Framework ISMS - Documented Components Risk Assessment Report • Based on the guidelines and procedures specified within the methodology document • Scope based on what was stated in the ISMS Scope Statement document • Residual risk calculation: • Note any gaps identified and the associated risk treatment plan Internal Audit • Performed by independent body (internal or external) • Perform test of design procedures • Leverage work performed by other risk management or compliance initiatives • Final product includes an audit report with associated gaps and risk treatment plans • Testing results and evidence inputted in a GRC tool 16
  • 17. Strategy and Framework Communication • Send communication to provide awareness and understanding of the ISMS components Communication • ISMS should be managed over time through steering committee meetings or equivalent 17
  • 18. Strategy and Framework Stage 1 Expectations Stage 1 Audit • High-level in nature • Focus is to ensure that there are no glaring gaps in the ISMS • ISO 27001 auditor primarily focuses on the ISMS documents • Operational areas may be sampled and reviewed at a high level • Ensure version control and dates are documented • Management review should be performed prior to the audit • Internal audit review should be performed prior to the audit • Identified gaps will not appear on the final report if managed 18
  • 19. Strategy and Framework Stage 2 Expectations Stage 2 Audit • Verifies that all ISMS requirements have been satisfied • Detailed review of the ISMS documentation • Interviews are conducted with system, data, and/or process owners • Test evidence will be requested for a sample of controls • May include a sample of 1 control instance or multiple instances • Status meeting is held at the end of each day to discuss findings • Major non-conformities require a re-audit prior to certification • Ensure that all participants and related teams are aware of the ISMS 19
  • 20. Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 20
  • 21. Tools and Maintenance GRC Tool Benefits • Improve transparency and consistency – Effective management and reporting on IT risk management and compliance efforts • Streamline our work – Leverage integrated content including PCI DSS, ISO 27001, HIPAA, NIST, SOX etc. – Identify processes across multiple business units – Test centrally to satisfy many regulatory requirements – Automation – improved workflow, task management & reporting 21
  • 22. Tools and Maintenance GRC Tool Benefits (Contd.) • Maintain a centralized repository of controls – Test controls and upload evidence • Process for tracking findings and remediation efforts • Report compliance at the process as well as policy level • Sample GRC Vendors - Archer, SAP, Trustwave, Control Path, Compliance 360, Symantec 22
  • 23. Tools and Maintenance Overview of Compliance Management Assets Applications and Products and Systems Services Business Processes Control Control Standards Activities (Policies) Design Test Authoritative Sources (ISO 27001) Findings Remediation Plans 23
  • 24. Tools and Maintenance ISO Controls Testing  Work with  Link controls to  Validate findings resource(s) to ISO authoritative with process owners, create processes source senior management and controls in  Link controls to  Track Remediation Archer policies Plans to completion Create Finalize Identify Processes Link to Auth. Findings Rationalize Perform Resource(s) and Controls Source and and Controls Testing in BU in Archer Policies Remediation Plans  Identify  Rationalize ISO dedicated  Test controls and controls with resource(s) in BU attach evidence existing controls  Train resource(s) (PCI, SOX, etc) in Archer 24 24
  • 25. Tools and Maintenance Demo – Control Activity 25
  • 26. Tools and Maintenance Demo – Control Standard 26
  • 28. Tools and Maintenance Demo – Remediation Plan 28
  • 29. Tools and Maintenance Are we ready??? • Control activities (CAs) created • CAs linked to ISO reqs • Test results and evidence • Report of all open findings with expected remediation date • SOA updated with Archer CA number 29
  • 30. Tools and Maintenance Obtain Certification CONGRATULATIONS!!! You are now ISO 27001 certified 30
  • 31. Tools and Maintenance ISO Certification Continuous Maintenance • Automated custom-built notifications for maintenance activities • Determine the testing period in a fiscal year – test all applicable controls in this period – Leverage controls tested for other regulatory requirements (SOX, HIPAA, PCI, etc) – Ensure that all the processes specified in the audit schedule are tested • Track Senior Leadership meetings and maintain minutes in SharePoint/Archer • Findings- Work with dedicated resource(s) in the BU to track open findings 31
  • 32. Tools and Maintenance Surveillance/Re-Audit Checklist Schedule audit with external auditors – Schedule meetings with process owners Update program level documentation – ISMS Audit Report – ISMS Manual – ISMS Policy – ISMS Scope – Risk Assessment Report – Senior leadership Team – Statement of Applicability – Report of controls testing results 32
  • 33. Tools and Maintenance Surveillance/Re-Audit Checklist (contd.) Internal Assessment – Test Results – Audit Report Management Approval – Get all the program level documentation including the internal audit results approved by a third party 33
  • 34. Tools and Maintenance Surveillance/Re-Audit Checklist (contd.)  Schedule post-certification party  Design gifts for teammates 34
  • 35. Tools and Maintenance Big Wins • A single portal for compliance management – Integration of disparate processes – Compliance of multiple regulations satisfied by single control – Real-time status and results dashboards – Ease of Maintenance – Automated notifications, workflow • Allows for management of multiple certifications in a centralized repository with a repeatable process 35
  • 36. Agenda Who is McKesson? Building the Business Case Strategy and Framework Tools and Maintenance Awareness Campaign Questions 36
  • 37. Awareness Campaign Promote the Achievement! • Do a road show!!! – Get statements from sponsors – Identify your business supporters – Present at sponsorship meetings – Get an article on the internal wire – Present at conferences  • No one will promote what you do for you - learn to do it yourself • Be educated in your approach - leverage internal teams like Toastmasters and mentors in the business for feedback on how to present at different levels in order to be the most effective 37