
The ISMS Compliance in 2009: GRC-ISMS Module for ISO 27001 Certification (10/20/2015)

Presentation transcript:

Slide 1: The ISMS Compliance in 2009 - GRC-ISMS Module for ISO 27001 Certification

Slide 2: ISMS in 2009

Up to now (2009) there are 5314 certified businesses.

The information security management system (ISMS) certification process involves the accreditation of certification bodies. Such accreditation is granted to organisations that have demonstrated that they fully meet the requirements of the international standards ISO/IEC 17021 (Conformity Assessment - Requirements for bodies providing audit and certification of management systems) and ISO/IEC 27006 (Requirements for bodies providing audit and certification of information security management systems).

Source: The International Registrar of ISMS Certificate

Slide 3: The ISMS Compliance Implementation Program - GRC-ISMS-P3M Module for ISO 27001 Certification


Slide 5: Activities

1. Scope
2. Assessment
3. Asset Management
4. Risk Assessment and Management
5. Policies and Procedures Development
6. ISMS Lifecycle Implementation and Auditing
7. Certificate Process

Slide 6: The 4 Program Phases

1. Security Program Assessment
2. ISMS Framework Development
3. ISMS Implementation
4. ISMS Certification Preparation

Slide 7: Security Program Assessment (Phase I)

Profile
Evaluate the current information security program for conformance to ISO 27001 strategic, tactical, and operational requirements. We assess your current infrastructure for "re-usability", so as not to "re-invent the wheel". This assessment serves as a foundation for enhancing corporate governance and establishing a formal Information Security Management System (ISMS).

Deliverables
1. ISO 27001 Assessment
2. Written Gap Analysis Report

Slide 8: ISMS Framework Development (Phase II)

Profile
Establish a defensible, comprehensive framework for the development of repeatable, auditable, and measurable information security practices, as well as a governance model.

Deliverables
1. ISMS Implementation Workshop
2. Master Glossary - Definition of Terms and Information Security Policy Statement
3. Statement of Applicability and Catalog of Controls
4. Defined and documented Program Level Roles and Responsibilities
5. Documented Responsibility Agreements between appropriate risk management functions
6. Information Security Office Mission and Charter
7. Completed ISMS Framework as a Framework Schema reflective of your organization
   Developed, documented and adopted risk assessment methodology
8. Templates and tools to align the risk assessment with controls implementation
9. Analysis, interpretation and documentation of laws and regulations impacting your security program
10. Defined and documented Program Goals which are mapped to the risk management strategies of your business
11. Conformance index for other regulations, if any
12. Re-alignment or development of security standards that address directive, preventive, detective and/or reactive controls
13. Developed or realigned and documented security processes that meet ISO 27001 conformance, including the identification of roles and responsibilities and relevant operational deliverables
14. ISMS Administration and Evaluation Plans

Slide 9: ISMS Implementation (Phase III)

Profile
Understanding the business processes, where information is processed and stored, data types and flows, and span of control is essential to accomplishing a successful implementation. Documenting these specifics is the goal of the Security Domain Definition Process. This sets the stage for implementation of the security processes at the domain level. An operational-level assessment of the selected Security Domain is then performed in a similar fashion to Phase I. The focus of this assessment is to determine the current state of Information Security Service maturity within the selected Security Domain.

Deliverables
1. Domain Definition Template
2. Gap Analysis against requirements developed in Phase II
3. Gap Analysis
4. Written Gap Analysis Summary
5. Domain Risk Treatment and Corrective Action Plans

Slide 10: ISMS Certification Preparation (Phase IV)

Internal Audit
The internal audit will look and feel like an ISMS certification audit and will help prepare you for the actual certification/registration audit. It is important to understand that the closed-loop system for continual improvement, by definition, means that there are always improvement activities being conducted and tracked. For all controls, evidence of conformance to corporate Policy, Standards and Program Strategy must exist, but 100% implementation is not the criterion upon which a certification is awarded.

Option 1: Oversight of an existing Internal Audit capability
For those organizations with an existing internal audit program, our IRCA-registered ISO 27001 auditors will act in a Lead Auditor capacity to establish a long-term ISO 27001-conformant audit plan, as well as lead and mentor client auditors in the execution of an internal audit in preparation for certification.

Option 2: Contract Internal Audit
For those organizations without an existing internal audit program, our IRCA-registered ISO 27001 auditors will establish a long-term ISO 27001-conformant audit plan, as well as execute the internal audit in preparation for certification. This audit plan may serve as the basis for future contract audit RFPs.

Certification Advisory Services
Our staff may be present during the certification audit; however, it is your staff that must be the primary participants. Advisory services provide onsite expertise from consultants who have been through the certification audit process and can ensure a successful audit experience.

Deliverables
Audit report with findings such as potential Major/Minor Non-Conformities, observations and areas for improvement in preparation for the certification audit

Slide 11: Questions?

I hope not ... !!! ??? But please let me know when to sign a contract !!! That will be a quicker reply ...

