This document discusses the development of ISO/IEC 38500, a new international standard on corporate governance of ICT. It provides definitions of ICT governance, outlines the work of the study group developing the standard, including liaison with itSMF, and summarizes the interim report. The interim report recommends that the standard have a scope applicable to all organizations and include objectives, six principles, and a model in which directors evaluate, direct and monitor the use of ICT by establishing responsibilities, planning, acquiring for valid reasons, and ensuring performance and conformance. Future work is needed on lifecycles and on the interrelations between the principles.
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
Just a few days ago NIST published a complete refresh of SP800-53, which provides a catalog of security and privacy controls to protect an organization against a variety of risks and threats.
How might NIST guidance fit into an information security management system such as ISO/IEC 27001 and its privacy extension ISO/IEC 27701?
In this session, we will take a quick walk through the standards and best practices, compare them, and find out how they map to and differ from one another.
The webinar will cover:
• A quick recap of the topics covered in ISO27001/ISO27701
• Discovering the NIST guidelines for Information & Cyber Security (the SP800 and SP1800 series)
• Main differences and mappings between NIST guidance and ISO27001
• About the latest publication (Sep 2020) of NIST SP800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations)
• Implementing information & cyber-security best practices
Date: October 14, 2020
YouTube presentation: https://youtu.be/zfsxSaaErqg
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Here are some small steps to achieve ISO 27001 implementation.
I believe ISO 27001/2 is key to establishing security in organizations and helps companies keep the whole ISMS programme running, aligned with continuous improvement.
ISO 27001 has been identified by the ICO and recognized by GCHQ/NCSC in the past as the key standard to support GDPR.
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
In this session, we will go through ISO/IEC 27701 and ISO/IEC 27001 key practical implementation steps and how they can help you to be compliant with the GDPR.
Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance.
In addition, we will match the ISO/IEC 27001 and ISO/IEC 27701 requirements to the GDPR obligations as completely as possible, starting from executive management and privacy policies, through handling notifications, setting up awareness programmes, controlling user access requests and vendor management, to incident management (data breaches) and continuous updates.
The webinar will cover:
• Quick recap on general ISO components and approach
• Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance
• Do's and don’ts for implementation and audit
• The importance of evidence in the audit
• Managing audit expectations and the never-ending audit cycle
Recorded webinar: https://youtu.be/HL-VUiCj4Ew
Due to the dramatic increase in threats worldwide, companies need to find ways to strengthen their information security. One solution is to implement ISO/IEC 27001 in order to protect information both internally and externally.
Main points that will be covered are:
• The scope of ISO 27001 and references to associated standards
• Information Security and ISIM Terminologies
• ISIM auditing principles
• Managing audit program & audit activities
Presenter:
Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence' through ‘Business Process Re-engineering' with over 20 years of experience.
Link of the recorded session published on YouTube: https://youtu.be/rTxA8PVULUs
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
By embracing the importance of GDPR and leveraging ISO/IEC 27701, you can enhance your data protection practices, achieve compliance, and minimize the risk of penalties.
Amongst others, the webinar covers:
Importance of Data Protection
Understanding Data Collection and Challenges
Introduction to GDPR
Key Principles of GDPR
Who does GDPR Apply to and Its Global Implications
Introduction to ISO/IEC 27701
Implementing ISO/IEC 27701
Privacy by Design
Dealing with IT on a Daily Basis
Building Awareness and Training
Audit, Data Discovery, and Risk Assessments
Presenters:
Mike Boutwell
Mike Boutwell is a Senior Information Security Specialist with over 15 years of experience in security and 10 years of risk management experience, primarily focused on financial services. He excels in collaborating with CISOs and other executive leadership to build and implement security frameworks aligned with business objectives and developing enterprise-wide security requirements. Mike has a strong track record of securing assets worth over $1 quadrillion and delivering $100M+ projects.
Mike is a certified CISSP, CISA, CGEIT, ISO 27001 Senior Lead Implementer, ISO 27001 Senior Lead Auditor, ISO 38500 Senior Lead IT Governance Manager, ISO 27032 Senior Lead Cyber Security Manager, and Certified Non-Executive Director.
Lisa Goldsmith
Lisa Goldsmith is the founder of LJ Digital and Data Consultancy. Lisa has over 23 years' experience of supporting leadership teams in membership, charity, and wider not-for-profit organisations to simplify their IT and digital strategy, allowing them to sleep soundly at night knowing that their systems and processes are fit for purpose, GDPR compliant and secure, and that they deliver value to staff, members, and stakeholders.
Prior to starting her own consultancy, Lisa gained extensive experience working for membership organisations and has knowledge and expertise at all levels of operations from working within careers and qualifications teams, as Membership Manager, as Head of Digital & IT for delivering large-scale digital, IT and GDPR compliance projects and serving on several Senior Leadership Teams. Lisa is also currently a Trustee of the BCLA and Groundwork East.
Date: June 27, 2023
YouTube video: https://youtu.be/lfJrSLaGDtc
Website: https://bit.ly/437GOnG
ISO 27001 is an international information security standard that specifies the requirements for an effective Information Security Management System (ISMS) built on risk management, and it can support compliance with regulations such as GDPR. SOC 2 is an attestation framework developed by the AICPA, based on its Trust Services Criteria, for service organizations (typically cloud and technology companies) that store or process customer data. Both aim to put security controls, policies, and procedures in place to protect valuable assets, but ISO 27001 provides a more comprehensive management-system framework, while a SOC 2 report verifies that an organization's data protection controls are designed and operating as described. Implementing one or both can strengthen security posture, simplify compliance, and improve customer confidence.
ISMS awareness training on ISO 27001 delivered by industry experts, customized for you and connected to your industry, products, services and processes.
Information Security between Best Practices and ISO Standards
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr. Gohar has more than 10 years of experience in ISM/ITSM training and consultation. He is one of the expert reviewers of the CISA Review Manual, 26th edition (2016), and ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
Trusted Integration, Inc. is an Alexandria-based cybersecurity company founded in 2001 that focuses on creating adaptive and cost-effective governance, risk, and compliance solutions. The company received Golden Bridge awards in 2013 for its government compliance and governance, risk, and compliance solutions. The document then provides an overview of the NIST Cybersecurity Framework, including its goals to improve cybersecurity risk management, be flexible and repeatable, and focus on outcomes. It describes the framework's core, profiles, and implementation tiers and maps the framework to other standards such as ISO 27001.
As a follow-up to the previous session (4th of December), we run through the GDPR part of the ISO/IEC 27701 standard, which was published in August 2019.
We'll take it from another angle and use ISO/IEC 27701 as a guide to complete the checklist for the GDPR implementation.
Also, with the help of the (new) PECB ISO/IEC 27701 Lead Auditor course, we'll take an auditor's look at ISO certification and compliance. It's important to see how it works, to make sure your GDPR implementation can withstand the increasing demand for maturity from customers, data subjects and data protection authorities who are starting to exercise their rights.
ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
- The GDPR view of ISO/IEC 27701
- Mapping the GDPR to-do list and the ISO/IEC 27701 to-do list
- The ISO/IEC 27701 auditor mindset
- Compliance AND/OR/XOR solid data protection?
- Status of GDPR certification
Date: December 04, 2019
Recorded Webinar: https://www.youtube.com/watch?v=P80So3ryvJ8&feature=youtu.be
Just created a slideshare presentation giving a basic introduction to ISO27001 and its Scope, Implementation & Application. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
This document discusses Cobit 2019 and typical pain points organizations experience with enterprise governance of IT. It outlines 11 design factors to consider when implementing Cobit 2019, such as understanding the enterprise goals, risk profile, current IT issues, threat landscape, compliance requirements, role of IT, sourcing model for IT, and technology adoption strategy. The document provides comparisons between Cobit 5 and Cobit 2019 and lists various Cobit 2019 focus areas.
This presentation, hosted by Alan Calder, CEO and founder of Vigilant Software and an acknowledged information security risk assessment and management thought leader, explains and discusses: What is information security? What is an information security management system (ISMS)? What is ISO 27001? Why should I and my organisation care about ISO 27001?
ISO 27001:2013 is the international standard that provides a framework for Information Security Management Systems (ISMS) to provide continued confidentiality, integrity and availability of information as well as legal compliance.
ISO 27001 certification is essential for protecting your most vital assets like employee and client information, brand image and other private information. The ISO standard includes a process-based approach to initiating, implementing, operating and maintaining your ISMS.
This implementation guide will help you run through the benefits, PDCA Cycle and Annex SL structure in detail for implementing ISO 27001.
Find out more or get a quote for certification here – https://www.nqa.com/en-gb/certification/standards/iso-27001
This document provides an overview of ISO 27001, the international standard for information security management systems (ISMS). It discusses why information security is important for businesses, as information is a valuable asset. ISO 27001 provides a framework to establish, implement, maintain and improve an ISMS. The standard (in the 2005 edition the document describes) contains 11 control areas, 39 control objectives and 134 controls to help organizations manage information security risks. Implementing ISO 27001 can provide benefits such as increased profits, more reliable systems, cost savings, and compliance with legal requirements.
ISO 38500 provides guidance on IT governance for organizations. The document claims that effective IT governance can increase profits by 20% compared to competitors. The standard outlines six principles for IT governance: responsibility, strategy, acquisition, performance, conformance, and human behaviour. It is intended to help boards of directors ensure proper governance of IT and to give auditors a basis for evaluating an organization's IT governance.
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
This document discusses how COBIT 5 and ISO 38500 can be aligned for effective IT governance. It provides an overview of COBIT 5 including its product family, principles, processes, and implementation guidance. It also summarizes ISO 38500 and its six principles for corporate governance of IT. The document emphasizes that both frameworks take a holistic approach to IT governance covering the entire enterprise and can be used together to establish effective IT governance.
Re-Architect Your Legacy Environment To Enable An Agile, Future-Ready Enterprise
It’s time to re-architect your legacy environment in order to lay the foundation for an adaptive enterprise. In this session, you'll learn how to increase your business and technical agility using a fit-to-purpose .NET or Java architecture, while deploying your apps intelligently in the cloud and integrating with your complex IT environment, customers and partners.
The document discusses IT governance and provides an overview of key frameworks for IT governance, including ISO 38500 and COBIT. It begins by defining governance and describing how governance applies to IT. It then discusses why IT governance is important for organizations, noting benefits like ensuring strategic alignment between IT and business goals. The document also provides a detailed overview of the ISO 38500 standard for IT governance, describing its scope, framework and principles. It explains the standard's six principles of IT governance and provides examples. Overall, the document serves to introduce the topic of IT governance and some of the most relevant frameworks.
One of the most challenging assignments within an organization is establishing a maturity model structure in order to optimize enterprise effectiveness. The contents of this paper concern such an assignment. The objective of this mission entailed the establishment of an application governance model and the corresponding documentation.
This document provides a mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013. It includes tables that map the ISMS requirements and Annex A controls between the two versions, noting new, unchanged, deleted and reverse requirements. The purpose is to provide guidance on the changes between the standards.
An approach to adopting cloud services securely. Since security is a major concern for many organisations adopting cloud services, this is a way of starting a cloud adoption security strategy in a cost-effective way, essentially by leveraging existing standards and approaches.
This document presents a guide to implementing corporate governance of information technology (IT) in an organization. It introduces several related frameworks and standards, such as COSO, the Balanced Scorecard, ISO 38500 and ISO 27000, and describes their objective and scope. It also explains the proposed methodology, which includes phases for developing the corporate IT governance project in accordance with these frameworks.
Pivotal Digital Transformation Forum: Requirements to Become a Data-Driven En...
To become a data-driven enterprise, companies must move from inflexible legacy data infrastructure that cannot scale to agile data architectures based on scaled-up, open-source systems that can handle any type or source of data. This involves storing both structured and unstructured high-volume, high-velocity data and then analyzing it through machine learning, predictive analytics, and real-time analytics to develop advanced analytical applications and globally scaled, data-driven applications. Achieving this requires expertise in agile development, DevOps, hybrid cloud, and continuous delivery to innovate with closed-loop applications.
This document discusses aligning an organization's risk appetite and risk exposure through strategic execution. It argues that successful strategy execution in the post-credit crisis world requires balancing risk appetite and exposure within the context of clear strategic objectives. The document provides a roadmap for organizations to determine strategic objectives, define risk appetite, identify key risks, review risk appetite in light of key risks, conduct risk assessments, and map risk exposure to risk appetite using a risk appetite and exposure matrix. Following this process allows organizations to integrate risk management into strategic decision making.
This document provides information about an ISO 27001 awareness training course held by K2A Training Academy. The one-day course aims to help participants understand how to safeguard organizational data and information from both external and internal threats. It covers topics such as information security background, risks and controls, and the ISO 27001 certification process. Breaks are scheduled during the day for tea and lunch. Attendees are not permitted to smoke or use their mobile devices during the sessions.
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard (PECB)
In this session, we have looked into the ISO/IEC 27701 standard that has been published in August 2019. This standard glues together the ISO/IEC 27001, ISO/IEC 27002, ISO 29100 and their sub-standards with the GDPR.
For certification and compliance, it's important to understand these standards and regulations, as the GDPR and other legislation have heated the discussion about certification. The ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
• Walkthrough of the ISO/IEC 27701
• Links with ISO/IEC 2700x series standards, ISO 29100 series...
• ISO/IEC 2700x and GDPR mapping
• Audit & certification
Presenter:
Our presenter for this webinar, Peter Geelen, is director and managing consultant at CyberMinute and owner of Quest For Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security and architecture and identity and access management, as well as privacy, information and data protection, and cyber and cloud security. In recent years his focus has been on ISO/IEC 27001 and other ISO certification mechanisms.
Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified Sr. Lead Cybersecurity Manager, ISO/IEC 27001 Master, ISO/IEC 27002 Lead Manager, ISO/IEC 27701 Lead Implementer, CDPO, Risk Management, Lead Incident Manager, Disaster Recovery, and many more.
Date: December 04, 2019
The recorded webinar: https://www.youtube.com/watch?v=ilw4UmMSlU4&feature=emb_logo
This document is a presentation on information security and business continuity. It covers topics such as ISO 27001 on information security, risk management, laws relating to information security in Qatar, and examples of product recalls due to incidents. The presentation provides an overview of ISO 27001, including its structure following the PDCA model and the roles of internal and external interested parties. It also discusses why information needs protection due to threats and vulnerabilities, and the principles of information security management systems.
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
Just a few days ago NIST published a complete refresh of the SP800-53, which provides a catalog of security measure to protect an organization against a variety of risks and threats.
How might NIST guidance fit in an information security management system like ISO/IEC 27001 and its privacy extension ISO/IEC 27701?
In this session, we will make a quick walk-through the standards and best practices, compare them, and find out how they map and differ from one another.
The webinar will cover:
• A quick recap of the topics covered in ISO27001/ISO27701
• Discovering the NIST guidelines for Information & cyber Security (SP800-SP1800)
• Main differences and mappings between NIST guidance and ISO27001
• About the latest publication (sep/2020) on NIST SP800-53 (Security and Privacy Controls for Information Systems and Organizations)
• Implementing information & cyber-security best practices
Date: October 14, 2020
YouTube presentation: https://youtu.be/zfsxSaaErqg
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Here are some small steps to achieve ISO 27001 implementation.
I believe ISO 27001/2 is a key to establish security in the organizations and help the companies to keep the whole ISMS program running aligned with continues improvement.
As ISO 27001 has been identified by ICO and recognized by GCHQ/NCSC in the past as the key standard to support GDPR.
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementationPECB
In this session, we will go through ISO/IEC 27701 and ISO/IEC 27001 key practical implementation steps and how they can help you to be compliant with the GDPR.
Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance.
In addition, we will match the ISO/IEC 27(7)01 requirements to complete the GDPR obligations as far as possible.
Starting from executive management to privacy policies, handling notifications, setting up awareness programs, controlling user access requests, over vendor management to incident management (data breaches) and continuous updates.
The webinar will cover:
• Quick recap on general ISO components and approach
• Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance
• Do's and don’ts for implementation and audit
• The importance of evidence in the audit
• Managing audit expectations and the never ending audit cycle
Recorded webinar: https://youtu.be/HL-VUiCj4Ew
Due to the dramatic increase of threats worldwide, there is a need for the companies to find ways how to increase the information security. Therefore, one solution is to implement the ISO/IEC 27001 in order to protect information both internally and externally.
Main points that will be covered are:
• The scope of ISO 27001 & associated other standards references
• Information Security and ISIM Terminologies
• ISIM auditing principles
• Managing audit program & audit activities
Presenter:
Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence' through ‘Business Process Re-engineering' with over 20 years of experience.
Link of the recorded session published on YouTube: https://youtu.be/rTxA8PVULUs
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
By embracing the importance of GDPR and leveraging ISO/IEC 27701, you can enhance your data protection practices, achieve compliance, and minimize the risk of penalties.
Amongst others, the webinar covers:
Importance of Data Protection
Understanding Data Collection and Challenges
Introduction to GDPR
Key Principles of GDPR
Who does GDPR Apply to and Its Global Implications
Introduction to ISO/IEC 27701
Implementing ISO/IEC 27701
Privacy by Design
Dealing with IT on a Daily Basis
Building Awareness and Training
Audit, Data Discovery, and Risk Assessments
Presenters:
Mike Boutwell
Mike Boutwell is a Senior Information Security Specialist with over 15 years of experience in security and 10 years of risk management experience, primarily focused on financial services. He excels in collaborating with CISOs and other executive leadership to build and implement security frameworks aligned with business objectives and developing enterprise-wide security requirements. Mike has a strong track record of securing assets worth over $1 quadrillion and delivering $100M+ projects.
Mike is a certified CISSP, CISA, CGEIT, ISO 27001 Senior Lead Implementer, ISO 27001 Senior Lead Auditor, ISO 38500 Senior Lead IT Governance Manager, ISO 27032 Senior Lead Cyber Security Manager, and Certified Non-Executive Director.
Lisa Goldsmith
Lisa Goldsmith is the founder of LJ Digital and Data Consultancy. Lisa has over 23 years’ experience of supporting leadership teams in membership, charity, and wider not-for-profit organisations to simplify their IT and digital strategy that allows them to sleep soundly at night, knowing their systems and processes are fit for purpose, GDPR compliant, secure and that they deliver value to staff, members, and stakeholders.
Prior to starting her own consultancy, Lisa gained extensive experience working for membership organisations and has knowledge and expertise at all levels of operations from working within careers and qualifications teams, as Membership Manager, as Head of Digital & IT for delivering large-scale digital, IT and GDPR compliance projects and serving on several Senior Leadership Teams. Lisa is also currently a Trustee of the BCLA and Groundwork East.
Date: June 27, 2023
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/lfJrSLaGDtc
Website: https://bit.ly/437GOnG
ISO 27001 is an international information security standard that provides specifications for implementing an effective Information Security Management System (ISMS) through risk management and compliance with regulations like GDPR. SOC 2 is an assessment for technology companies developed by AICPA to protect customer data stored in the cloud and apply to any company using cloud storage. Both standards aim to implement security controls, policies, and procedures to protect valuable assets, but ISO 27001 provides a more comprehensive framework while SOC 2 focuses on verifying data protection controls. Implementing one or both can strengthen security posture, simplify compliance, and improve customer confidence.
ISO 27001 Training | ISMS Awareness Traininghimalya sharma
ISMS Awareness Taining on ISO 27001 done by Industry Experts,customized for you & connected with relevance to your Industry, products,services & Processes
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
Trusted Integration, Inc. is an Alexandria-based cybersecurity company founded in 2001 that focuses on creating adaptive and cost-effective governance, risk, and compliance solutions. The company received Golden Bridge awards in 2013 for its government compliance and governance, risk, and compliance solutions. The document then provides an overview of the NIST Cybersecurity Framework, including its goals to improve cybersecurity risk management, be flexible and repeatable, and focus on outcomes. It describes the framework's core, profiles, and implementation tiers and maps the framework to other standards like ISO 27001. [END SUMMARY]
As a follow-up on the previous session (4th of December), we run through the GDPR part of the ISO/IEC 27701 standard which has been published in August 2019.
We'll take it from another angle and use the ISO/IEC 27701 as a guide to complete the checklist for the GDPR implementation.
Also, with the help of the (new) PECB ISO/IEC 27701 lead auditor course, we'll have an auditor's look at the ISO certification and compliance. It's important to see how it works, to make sure your GDPR implementation can withstand the increasing demand for maturity from customers, subjects and data protection authorities that start to exercise their rights.
ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
- The GDPR view of the ISO/IEC 27701
- Mapping the GDPR to-do and the ISO/IEC 27701 to-do list.
- The ISO/IEC 27701 auditor mindset
- Compliance AND/OR/XOR solid data protection?
- Status of GDPR certification
Date: December 04, 2019
Recorded Webinar: https://www.youtube.com/watch?v=P80So3ryvJ8&feature=youtu.be
Just created a slideshare presentation giving a basic introduction to ISO27001 and its Scope, Implementation & Application. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
This document discusses Cobit 2019 and typical pain points organizations experience with enterprise governance of IT. It outlines 11 design factors to consider when implementing Cobit 2019, such as understanding the enterprise goals, risk profile, current IT issues, threat landscape, compliance requirements, role of IT, sourcing model for IT, and technology adoption strategy. The document provides comparisons between Cobit 5 and Cobit 2019 and lists various Cobit 2019 focus areas.
Hosted by Alan Calder, CEO and founder of Vigilant Software and acknowledged information security risk assessment and management thought leader, this session explains and discusses: What is information security? What is an information security management system (ISMS)? What is ISO 27001? Why should I and my organisation care about ISO 27001?
ISO 27001:2013 is the international standard that provides a framework for Information Security Management Systems (ISMS) to provide continued confidentiality, integrity and availability of information as well as legal compliance.
ISO 27001 certification is essential for protecting your most vital assets like employee and client information, brand image and other private information. The ISO standard includes a process-based approach to initiating, implementing, operating and maintaining your ISMS.
This implementation guide will help you run through the benefits, PDCA Cycle and Annex SL structure in detail for implementing ISO 27001.
Find out more or get a quote for certification here – https://www.nqa.com/en-gb/certification/standards/iso-27001
This document provides an overview of ISO 27001, which is an international standard for information security management systems (ISMS). It discusses why information security is important for businesses, as information is a valuable asset. ISO 27001 provides a framework to establish, implement, maintain and improve an ISMS. The standard contains 11 control areas, 39 control objectives and 134 controls to help organizations manage information security risks. Implementing ISO 27001 can provide benefits like increased profits, more reliable systems, cost savings, and compliance with legal requirements.
ISO 38500 provides guidance on IT governance for organizations. Effective IT governance can increase profits by 20% compared to competitors. The standard outlines 6 principles for IT governance: responsibility, strategy, acquisition, performance, conformance, and human behavior. It is intended to help boards of directors ensure proper governance of IT and provide auditors a basis for evaluating an organization's IT governance.
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500 (PECB)
This document discusses how COBIT 5 and ISO 38500 can be aligned for effective IT governance. It provides an overview of COBIT 5 including its product family, principles, processes, and implementation guidance. It also summarizes ISO 38500 and its six principles for corporate governance of IT. The document emphasizes that both frameworks take a holistic approach to IT governance covering the entire enterprise and can be used together to establish effective IT governance.
Re-Architect Your Legacy Environment To Enable An Agile, Future-Ready Enterprise (Dell World)
It’s time to re-architect your legacy environment in order to lay the foundation for an adaptive enterprise. In this session, you'll learn how to increase your business and technical agility using a fit-to-purpose .NET or Java architecture, while deploying your apps intelligently in the cloud and integrating with your complex IT environment, customers and partners.
The document discusses IT governance and provides an overview of key frameworks for IT governance, including ISO 38500 and COBIT. It begins by defining governance and describing how governance applies to IT. It then discusses why IT governance is important for organizations, noting benefits like ensuring strategic alignment between IT and business goals. The document also provides a detailed overview of the ISO 38500 standard for IT governance, describing its scope, framework and principles. It explains the standard's six principles of IT governance and provides examples. Overall, the document serves to introduce the topic of IT governance and some of the most relevant frameworks.
One of the most challenging assignments within an organization is establishing a maturity model structure in order to optimize enterprise effectiveness. The contents of this paper concern such an assignment. The objective of this mission entailed the establishment of an application governance model and the corresponding documentation.
This document provides a mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013. It includes tables that map the ISMS requirements and Annex A controls between the two versions, noting new, unchanged, deleted and reverse requirements. The purpose is to provide guidance on the changes between the standards.
An approach to adopting cloud services securely. As security is a major concern for many organisations adopting cloud services, this is a cost-effective way of starting a cloud adoption security strategy, essentially by leveraging existing standards and approaches.
This document presents a guide to implementing corporate governance of information technology (IT) in an organization. It introduces several related frameworks and standards, such as COSO, the Balanced Scorecard, ISO 38500 and ISO 27000, and describes their objective and scope. It also explains the proposed methodology, which includes phases for developing the corporate IT governance project in accordance with these frameworks.
Pivotal Digital Transformation Forum: Requirements to Become a Data-Driven En... (VMware Tanzu)
To become a data-driven enterprise, companies must move from inflexible legacy data infrastructure that cannot scale to agile data architectures based on scaled-up, open-source systems that can handle any type or source of data. This involves storing both structured and unstructured high-volume, high-velocity data and then analyzing it through machine learning, predictive analytics, and real-time analytics to develop advanced analytical applications and globally scaled, data-driven applications. Achieving this requires expertise in agile development, DevOps, hybrid cloud, and continuous delivery to innovate with closed-loop applications.
Manigent Aligning Risk Appetite And Exposure (Andrew Smart)
This document discusses aligning an organization's risk appetite and risk exposure through strategic execution. It argues that successful strategy execution in the post-credit crisis world requires balancing risk appetite and exposure within the context of clear strategic objectives. The document provides a roadmap for organizations to determine strategic objectives, define risk appetite, identify key risks, review risk appetite in light of key risks, conduct risk assessments, and map risk exposure to risk appetite using a risk appetite and exposure matrix. Following this process allows organizations to integrate risk management into strategic decision making.
Shaping Your Culture via Risk Appetite (Andrew Smart)
This document discusses the importance of risk appetite and embedding risk culture at organizations. It begins by defining risk appetite as the amount and type of risk an entity is willing to accept over a set period of time to achieve its objectives. The document then notes that weaknesses in risk appetite governance contributed to the financial crisis and that properly establishing and monitoring risk appetite is a board responsibility. It stresses that risk appetite should be integrated into strategic planning and outlines how organizations can set, execute, and monitor their risk appetite.
Governance, Culture & Incentives - Fundamentals of Operational Risk (Andrew Smart)
Governance, Culture & Incentives: Fundamentals of Operational Risk. This presentation provides some practical tools to answer three key questions and create alignment.
This document discusses roles and responsibilities (RACI) matrices for service management. It defines key service management roles like service manager, service team, and product owner. It explains that a RACI matrix maps roles to tasks to indicate who is responsible, accountable, consulted, and informed for each task. The document provides examples of RACI matrices and recommends that every task have a responsible and accountable party, and that stakeholders are involved in discussing and agreeing to the matrix. It includes an exercise for workshop participants to create their own RACI matrix.
Initiating IT Governance Strategy to Identify Business Needs (PECB)
Implementation of IT Governance, or indeed any IT best practice, should be consistent with the organization's management style and the way the organization deals with risk management and delivery of IT value. The biggest risk and concern to top management today is failing to align IT to real business needs; therefore, implementing IT Governance based on best practices is needed.
Main points that have been covered are:
• Introducing IT Governance
• Business needs for Governance of IT
• Identifying the business performance and conformance needs
Presenter:
Rohit Banerjee has 14+ years of overall experience, including 10+ years of hands-on, progressive IT experience across programme, project and team management, leading the full SDLC for complex, cross-functional, multi-site initiatives. He is an ISO/IEC 38500 Lead IT Governance Manager.
Link of the recorded session published on YouTube: https://youtu.be/rB_BP-9ns4A
This whitepaper provides some meaningful examples on metrics along with purposes of metrics (targets).
The whitepaper focuses on metrics relating to the status of the ISMS and its output. These outputs also feed into management reporting.
Strategic Planning Society Webinar - Integrating Strategy and Risk Management (Andrew Smart)
• The credit crunch and its subsequent fall-out has rewritten the rules on strategy execution and risk management.
• The balanced scorecard and risk management approaches have evolved as silo processes over approximately 20 years – an approach that integrates both is a natural evolution.
• To effectively streamline management and regulatory reporting, organisations need to adopt an integrated framework, which covers strategy execution, risk management & compliance.
A world without standards is a road to chaos, and IT processes are no exception. This presentation gives a friendly introduction to the IT standards ISO 27001, ISO 20000, COBIT and ISO 38500.
Integrating Enterprise Risk Management (ERM) with Organizational Strategy (henrytk2)
An ERM program must be integrated with an organization's overall strategy to provide a complete approach to risk management. The key is to align ERM with strategic objectives in each of the four perspectives of the balanced scorecard - financial, customer, internal processes, and learning and growth. This ensures ERM considers risks that could impact any part of the organization and guides efforts to achieve goals. By including ERM-related objectives in the strategy map, individuals understand how risk management relates to their roles in executing strategy. Properly integrating ERM allows an organization to manage risks and seize opportunities to improve performance, customer satisfaction, and shareholder value.
This document provides an overview of COBIT 5 for Information Security from ISACA. It begins with background on Robert Stroud, the author and Vice President of Strategy & Innovation at ISACA. It then discusses key industry trends related to information security. The document provides an overview of COBIT 5 and its product family as it relates to information security. It explains the components and contents of COBIT 5 for Information Security, including drivers, benefits, definitions, and guidance on using the enablers to implement information security. Appendices provide more detailed guidance on specific COBIT 5 processes from an information security perspective, including EDM03 Ensure Risk Optimization, APO13 Manage Security, and BAI06 Manage Change
The document discusses a presentation given at the itSMF-NL Spring 2008 Conference on ISO/IEC 29382, the new international standard for ICT Governance. The presentation covered definitions of ICT Governance, the involvement of the itSMF in the ISO study group developing the standard, and key topics addressed in the interim report and future scope beyond the initial standard. It provided an overview of the work underway to develop a comprehensive international standard on ICT Governance.
ISO/IEC 38500 provides a framework of principles for corporate governance of information technology, while ISO/IEC 27000 standards address information security management. ISO/IEC 38500 covers responsibilities, planning, acquisition, performance, conformity, and human factors of IT use. ISO/IEC 27000 overlaps with areas like risk management, legal compliance, performance, and management responsibility. A new IT governance standard should account for similarities to prevent inconsistencies, especially for combined auditing against governance and information security standards.
This document discusses IT governance and provides an overview of key concepts. It defines IT governance as consisting of leadership, structures, and processes to ensure IT supports business strategies and objectives. The document outlines five areas of focus for IT governance: strategic alignment, value delivery, resource management, risk management, and performance measurement. It also discusses why IT governance is important, who benefits, common frameworks that can be used, as well as advantages and disadvantages.
The document discusses IT governance challenges at Chisholm Institute and strategies for improvement. It summarizes frameworks like COBIT, ITIL and PRINCE2 that can help with governance. It then details how Chisholm restructured its IT department and implemented an ICT Governance Committee aligned with the AS8015 standard to better link IT with organizational strategy and priorities.
Directors are responsible for governing the use of information and communication technology (ICT) in organizations according to the Australian Standard AS-8015. The standard provides 6 principles for ICT governance: 1) establish responsibilities for ICT, 2) plan ICT to support organizational objectives, 3) acquire ICT validly, 4) ensure ICT performs as needed, 5) ensure ICT complies with rules, and 6) ensure ICT respects human factors. Directors evaluate ICT, direct ICT plans and policies, and monitor ICT performance to implement these principles. The standard provides a framework to help directors effectively oversee and get value from an organization's ICT.
This document discusses security models, frameworks, standards, and methodologies. It defines models as abstract conceptual constructs, while frameworks are more directly linked to implementation and set assumptions and practices. Standards are published documents containing technical specifications or criteria, and help make processes more reliable and effective. Methodologies are codified sets of recommended practices and procedures. The document then outlines some specific topics that will be covered, including ISO 27001, COBIT, SSE-CMM, and security assessment and evaluation methodologies.
The document provides an overview of integrated management systems (IMS) and their benefits for controlling organizational objectives. Key points include:
- An IMS combines all internal management practices into a single, coherent system rather than separate components. Linkages between processes allow for seamless integration.
- Common standards that can be integrated include ISO 9001 (quality), ISO 22301 (business continuity), ISO 14001 (environment), OHSAS 18001 (health and safety), ISO/IEC 27001 (information security), and others.
- Benefits of an IMS include consistency, improved communication, reduced duplication and costs, lower risk, and identification of conflicting objectives. Considerations for successful integration include organizational culture, competence levels
IT Governance Vs IT Management Presentation V0.1 (Richard Willis)
IT governance involves establishing responsibility and accountability for major IT decisions and ensuring IT strategy alignment with business strategy. Effective IT governance increases profitability and shareholder returns. Frameworks like COBIT, ITIL, and ISO/IEC 38500 provide best practices for IT governance and management. IT governance is concerned with strategic decision making while IT management focuses on operational excellence. Organizations can assess their IT governance maturity to continually improve practices over time.
The document provides an overview of the ISO 30401 standard for knowledge management systems. Some key points:
- ISO 30401 is intended to provide requirements for establishing, implementing, maintaining and improving a knowledge management system.
- It follows the standard format for ISO management system standards, covering topics like leadership, planning, support, operations, evaluation and improvement.
- The standard is still in development. It defines terms, outlines the components of a KM system, and provides requirements for various aspects of managing knowledge in an organization.
- While not prescribing how organizations must implement KM, the standard is meant to bring more consistency and help avoid past issues, and can be used for self-assessment or showing
Info-Tech Research Group provides a 4-day workshop to help organizations optimize their IT governance structure and processes. The workshop guides participants through activities to assess their current IT governance, design an improved future state, develop governance processes, and create an implementation plan. The primary deliverables include an IT Governance Reference Book, Structure Selection Tool, Communication Plan Template, and Action Plan.
Info-Tech Research Group provides IT research and advice to organizations. It offers workshops to help optimize IT governance structures and processes. The four-day IT Governance workshop guides participants through assessing their current IT governance, designing an improved structure with effective committees and decision-making processes, and developing a communication plan to implement the changes. The primary deliverables are objectives and metrics, governance roles and responsibilities, decision-making processes, and an implementation plan.
This document provides terminology definitions and overviews of models, frameworks, methodologies, standards, and security concepts. It defines the differences between models and frameworks. It also describes methodology components like the PDCA approach and COBIT principles. Security standards, policies, and models like ISO 27001, SSE-CMM, and IAM/IEM are summarized. The document is intended to provide a comprehensive reference of key information security terms and concepts.
Harley Davidson recognized the need to align IT with its business strategy for continued growth. It implemented an IT governance framework to unite management, IT, and audit functions while preserving company culture. The framework aligned IT decision making with business objectives, managed risks, and ensured IT resources supported business goals. This allowed Harley Davidson to sustain record growth for 20 consecutive years while effectively governing its increasing IT usage and investments.
COBIT 5 is a framework for governance and management of enterprise IT that incorporates current techniques. It provides principles, practices, tools and models to increase trust and value from information systems. The framework has two domains - Governance and Management. It describes seven enablers including principles, processes, organizational structures, culture and people. COBIT 5 training from Syzygal helps professionals implement the framework and become certified assessors to improve IT governance.
I HOPE IT IS HELPFUL FOR YOU, BUT PLS I WANT CREDITS, OR ADD ME AND MESSAGE ME. THANKS
THERE IS A NOTE FOR PRESENTERS VIEW
HAVE A GOOD DAY
KEEP CALM AND DRINK ON
NAME: Ellen Magalona
GNDR: FML
BRTHDY: FEB. 1998
@ellenmaaee
IT Governance, or corporate governance of information technology, is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT Governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.
This document provides an overview of COBIT 5, a framework for the governance and management of enterprise IT. COBIT 5 helps enterprises create optimal value from IT by balancing benefits realization with risk optimization and resource use. The framework is designed to be a single integrated governance framework that covers the entire enterprise from end to end. It separates governance, which evaluates options and sets direction, from management, which implements activities. COBIT 5 aims to help enterprises maintain high quality information, generate value from IT, achieve operational excellence, manage IT risks, optimize costs, and ensure compliance.
This document provides an overview of a presentation on building an internal control framework for IT governance. It discusses key benefits to the audience, the current state of IT governance standards and challenges, areas not adequately covered by existing standards, and recommendations for the framework.
The presentation will compare leading IT governance standards, highlight similarities and differences, and gaps not addressed. It will also recommend internal controls focusing on strategic alignment, financial performance, risk management, growth, and service delivery. An internal control framework is proposed that takes a holistic view encompassing governance, management, use of IT, and the relationship between corporate strategy, digital business models, and organization structures.
Similar to Christophe feltus introduction to iso 38500 v1 0 (20)
Multi-Agent System (MAS) monitoring solutions are designed for a plethora of usage topics. Existing approaches mostly use cloned back-end architectures, while the front-end monitoring interface tends to constitute the real specificity of the solution. These interfaces are recurrently structured around three dimensions: access to informed knowledge, agents' behavioural rules, and restitution of the real-time state of a specific system sector. In this paper, we propose prototyping a sector-agnostic MAS platform (Smart-X) which gathers, in an integrated and independent platform, all the functionalities required to monitor and govern a wide range of sector-specific environments. For illustration and validation purposes, the use of Smart-X is introduced and explained with a smart-mobility case study.
This document provides an agenda and overview for a joint workshop on security modeling hosted by the ArchiMate Forum and Security Forum. The workshop aims to identify opportunities to improve the conceptual and visual modeling of enterprise information security using TOGAF and ArchiMate. The agenda includes introductions, a research spotlight on strengthening role-based access control with responsibility modeling, an open discussion on complementing TOGAF and ArchiMate with enhanced security modeling, and identifying next steps. The workshop purpose is to enable better security architecture decisions and drive usage of TOGAF and ArchiMate for security architecture.
Aligning business operations with the appropriate IT infrastructure is a challenging and critical activity. Without efficient business/IT alignment, companies face the risk of being unable to deliver their business services satisfactorily and of having their image seriously damaged. Among the many challenges of business/IT alignment is access rights management, which should be conducted considering rising governance needs, such as taking into account the business actors' responsibility. Unfortunately, in this domain, we have observed that no solution, model or method yet fully considers and integrates these new needs. Therefore, the paper proposes firstly to define an expressive Responsibility metamodel, named ReMMo, which allows the existing responsibilities at the business layer to be represented and, thereby, the access rights required to perform these responsibilities to be engineered at the application layer. Secondly, the Responsibility metamodel has been integrated with ArchiMate® to enhance its usability and benefit from the enterprise architecture formalism. Finally, a method has been proposed to define the access rights more accurately, considering the alignment of ReMMo and RBAC. The research followed a design science and action design research method, and the results have been evaluated through an extended case study at the Hospital Center in Luxembourg.
This document proposes an innovative systemic approach to risk management across interconnected sectors. It suggests using enterprise architecture models to manage cross-sector risks in Luxembourg's complex ICT ecosystem. The approach would provide regulators an overview of all players and systems, as well as models of different sectors to analyze collected data and risks at a national level, fostering accurate and reactive risk mitigation across economic domains.
This document proposes extending the HL7 standard with a responsibility perspective to better manage access rights to patient health records. It presents the ReMMo responsibility metamodel, which defines actors' responsibilities and associated access rights. The paper aims to align ReMMo with the HL7-based eSanté healthcare platform model in Luxembourg to semantically enhance access controls based on users' real responsibilities rather than just roles. It will first map concepts between the two models, then evaluate the alignment through a prototype applying inference rules.
This document presents a study that aims to develop and validate a responsibility model to improve IT governance. It analyzes concepts of responsibility from literature and frameworks like COBIT. The researchers developed a responsibility model with key concepts like obligation, accountability, right, and commitment. They then compare this model to COBIT's representation of responsibility to identify areas for potential enhancement, like adding concepts that COBIT lacks. The document illustrates how the responsibility model could be used to refine COBIT's process for identifying system owners and their responsibilities.
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to align access management policies more closely with business objectives. It does this in two ways:
1) By focusing the policy engineering process on business goals and responsibilities defined in processes, using concepts from the ISO/IEC 15504 standard. This links capabilities and accountabilities to process outcomes and work products.
2) By defining a multi-agent system architecture to automate the deployment of policies across heterogeneous IT components and devices. The agents provide autonomy and ability to adapt rapidly according to context.
The approach was prototyped using open source components and aims to improve how access rights are defined according to business needs and deployed across an organization.
This document proposes a methodological approach for specifying services and analyzing service compliance considering the responsibility dimension of stakeholders. The approach includes a product model and process model. The product model has three layers: an informational layer describing service context and concepts, an organizational layer describing business rules and roles, and a responsibility dimension layer linking the two. The process model outlines steps for service architects to identify context, define concepts and rules, specify services, and analyze compliance. The approach is illustrated with an example of managing access rights for sensitive healthcare data exchange between organizations.
This document discusses integrating responsibility aspects into service engineering for e-government. It proposes a multi-layered approach including an ontological layer defining legal concepts, an organizational layer describing roles and stakeholders, an informational layer representing data structures and integrity constraints, and a technical layer representing IT components. A responsibility meta-model is also introduced to align responsibilities across these layers and facilitate interoperability between services that share data. The approach aims to ensure service compliance and manage risks associated with e-government services.
1) The document proposes a dynamic approach for assigning functions and responsibilities to agents in a multi-agent system for critical infrastructure management.
1. Introducing ISO/IEC 38500:
Corporate Governance in ICT
Christophe Feltus
Member of the ISO JTC1/SC7/WG1A on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg
christophe.feltus@tudor.lu
2. Outline
• ICT Governance definitions
• SG on ICT Governance
– itSMF involvement
– Interim Report
– Beyond ISO 38500
• Scope
• Application
• Objectives
• 6 principles
• Model for Corporate Governance of ICT
• Conclusions
4. Some definitions
• AS 8015 – Australian National Standards
Corporate Governance of ICT is the system by which the current and future use
of ICT is directed and controlled. It involves evaluating and directing the plans for
the use of ICT to support the organization and monitoring this use to achieve
plans. It includes the strategy and policies for using ICT within an organization.
(Corporate Governance of Information and Communication Technology; January
2005).
• OECD Corporate Governance
Corporate governance involves a set of relationships between a company’s
management, its board, its shareholders and other stakeholders. Corporate
governance also provides the structure through which the objectives of the
company are set, and the means of attaining those objectives and monitoring
performance are determined. Good corporate governance should provide proper
incentives for the board and management to pursue objectives that are in the
interests of the company and its shareholders and should facilitate effective
monitoring. (OECD Code on Corporate Governance)
5. Some definitions
• ITGI (IT Governance Institute)
IT Governance is the responsibility of the board of directors and executive
management. It is an integral part of enterprise governance and consists of the
leadership and organisational structures and processes that ensure that the
organisation’s IT sustains and extends the organisation’s strategies and
objectives. (Board Briefing, 2nd edition; 2003).
• World Bank Definition of Corporate Governance
Corporate governance refers to the structures and processes for the direction
and control of companies. Corporate governance concerns the relationships
among the management, the Board of Directors, the controlling shareholders
and other stakeholders. Good corporate governance contributes to sustainable
economic development by enhancing the performance of companies and
increasing their access to outside capital.
6. Some definitions
• MIT Sloan Center for Information Systems Research:
IT Governance is specifying the decision rights and accountability framework to
encourage desirable behaviour in the use of IT. (MIT CISR Working Paper No. 326;
April 2002).
• University of Tasmania
The survey of the literature by academics from the University of Tasmania
(Webb, Phyl, Pollard, Carol, and Ridley, Gail (2006), Attempting to Define IT
Governance: Wisdom or Folly?, Proceedings of the 39th Hawaii International
Conference on Systems Sciences) brings out the ‘elements’ that are common to a
range of suggested definitions. The elements are: strategic alignment, delivery
of business values, performance management, risk management, policies and
procedures, and control and accountability. Their resultant definition is : IT
Governance is the strategic alignment of IT with the business such that
maximum business value is achieved through the development and
maintenance of effective IT control and accountability, performance
management and risk management.
8. Study Group in ISO
• JTC1: Information Technology Standards
• JTC1/SC7: Software and System Engineering
• JTC1/SC7/WG25: IT Operations (service management)
• Basically: Study Group in WG25
Study Group Chair: Alison Holt (New Zealand)
Co-Chair: Ed Lewis (Australia)
Members:
– Alwyn Smit, South Africa
– Yoshiyuki Hirano, Japan
– Melanie Cheong, South Africa
– K.T. Hwang, Korea
– Jyrki Lahnalahti, Finland
– Bill Powell, United States
– Craig Pattison, itSMFI/New Zealand
– Dennis Ravenelle, itSMFI
– Darcie Destito, United States
– Hella Shrader, United Kingdom
– Gargi Keeni, India
– Mark Toomey, Australia
– Sushil Chatterji, ISACA/ITGI
– Mikhail Pototsky, Russian Federation/itSMFI
– Brian Cusack, New Zealand
– Max Shanahan, ISACA/ITGI
– Christophe Feltus, Luxembourg
– Luis Rosa, Spain
– Jenny Dugmore, UK
9. Study Group in ISO
• In Seoul (2006):
Reduce – if not remove – the confusion in the professional and the
academic literature about the topic
Resolutions:
– New SG
– 1st report
– Fast Track
• In Moscow (May 2007):
Preparation of 1st report
Definition of ICT Governance
What is ICT Governance?
10. Study Group in ISO
• Montreal (November 2007)
Fast Track on the Australian Standard on ICT Governance (AS 8015)
– Accepted in July
– Resolution of comments on Fast Track: 149 in total
– Canada: 2
– Spain: 1
– France: 5
– Italy: 10
– Japan: 10
– Korea: 1
– Luxembourg: 46
– New Zealand: 6
– UK: 4
– Sweden: 9
– USA: 15
– South Africa: 40
– 1st report
– NWI (New Work Item)
14. Advisory Board Paper
The formal description it offers is:
“Governance is the collective set of procedures, policies, roles and
responsibilities, and organizational structures required to support an
effective decision-making process”.
15. Advisory Board Paper
Benefits of Governance (key words):
– Achieving business objectives by ensuring that each element of the mission and strategy is
assigned and managed within a clearly understood and transparent decision rights and
accountability framework.
– Defining and encouraging desirable behaviour in the use of IT and in the execution of IT
outsourcing arrangements.
– Implementing and integrating the desired business processes into the organization.
– Providing stability and overcoming the limitations of organizational structure.
– Improving customer, business and internal relationships and satisfaction, and reducing internal
territorial strife by formally integrating the customers, business units and external IT providers
into a holistic IT governance framework.
– Enabling effective and strategically aligned decision making for the IT Principles that define the
role of IT, IT Architecture, IT Infrastructure, Application Portfolio and Frameworks, Service
Portfolio, Information and Competency Portfolios, and IT Investment & Prioritization.
17. Interim Report
• A review of national governance activities
• The identification of a set of guiding principles for the development of an ICT
Governance standard to meet market requirements
• The identification of the ICT governance needs to be addressed in the standard
• An assessment of where ICT governance sits within JTC1
• A review of elements of ICT governance in existing SC7 standards
• Analysis to determine the level of standard required to sit above existing
frameworks and methodologies without replacing or displacing existing material.
Identification of the sort of “standard” required - TR, code of practice or guidelines
• Analysis of what would need to be added to AS 8015 to meet these needs
• Analysis of whether a maturity framework could be included from the outset
• Liaison Relationships: Contributions requested from existing bodies of knowledge
• Call to action dependent on the AS 8015 fast track result (which is now known)
18. Governance around the world
Written and oral reports were presented to the ICT Study Group reviewing
the state of different ICT Standards environments within the different
jurisdictions.
A general movement towards compliance frameworks was reported in
terms of legislation, Standards adoption and control framework adoption
(eg. CobiT, ITIL, and so on).
Several reports noted that regulatory requirements were pending and that
there is considerable momentum gathering for comprehensive directives
(both explicit and implicit). The importance of ICT Governance and the
current opportune moment in time for ICT Governance advancement was
reported in each case.
19. What is ICT Governance ?
• The Working Group should establish a Glossary of governance terms. The Glossary
especially should include definitions that help to establish the difference between
Governance and Management. The definitions must be compatible with those in existing
ISO Standards
Director
Member of the most senior governing body of an organization. Includes owners, board
members, partners, senior executives or similar, and officers authorized by legislation or
regulation.
Management
Management is the process of controlling the activities required to achieve the strategic
objectives set by the organisation's governing body. Management is subject to the policy
guidance and monitoring set through corporate governance.
20. What is ICT Governance ?
• The objective of governance is to determine and cause the desired behavior and
results to achieve the strategic impact of IT.
– The system in which directors monitor, evaluate and direct IT management to ensure
effectiveness, accountability and compliance of IT
• The active distribution of decision-making rights and accountabilities among
different stakeholders in an organization and the rules and procedures for
making and monitoring those decisions to determine and achieve desired
behaviors and results .
– who makes directing, controlling and executing decisions
– how the decisions will be made
– what information is required to make the decisions
– what decision-making mechanisms should be required
– how exceptions will be handled
– how the governance results should be reviewed and improved
22. Scope
The objective of this Standard is to provide a framework of principles for Directors
to use when evaluating, directing and monitoring the use of information
technology (IT) in their organizations.
23. Scope
Governance is distinct from management, and for the avoidance of confusion, the two
concepts are clearly defined in the standard.
…the members of the governing body may also occupy the key roles in management.
It provides guidance to those advising, informing, or assisting directors. They include:
• Senior managers.
• Members of groups monitoring the resources within the organization.
• External business or technical specialists, such as legal or accounting
specialists, retail associations, or professional bodies.
• Vendors of hardware, software, communications and other IT products.
• Internal and external service providers (including consultants).
• IT auditors.
The standard is applicable to all organizations, from the smallest to the largest, regardless of purpose,
design and ownership structure.
25. Application
This standard is applicable to all organizations, including public and private
companies, government entities, and not-for-profit organizations.
The standard is applicable to organizations of all sizes from the smallest to the
largest, regardless of the extent of their use of IT.
27. Objectives
The purpose of this Standard is to promote effective, efficient, and acceptable use of
IT in all organizations by:
• assuring stakeholders (including consumers, shareholders, and employees) that,
if the standard is followed, they can have confidence in the organization’s
corporate governance of IT;
• informing and guiding directors in governing the use of IT in their organization;
and
• providing a basis for objective evaluation of the corporate governance of IT.
29. 6 principles
Principle 1: Establish clearly understood responsibilities for IT
Principle 2: Plan IT to best support the organization
Principle 3: Acquire IT validly
Principle 4: Ensure that IT performs well, whenever required
Principle 5: Ensure IT conforms with formal rules
Principle 6: Ensure IT use respects human factors
31. Model for Corporate Governance of ICT
Directors should govern ICT through three main tasks:
(a) Evaluate the use of ICT.
(b) Direct preparation and implementation of plans and policies.
(c) Monitor conformance to policies, and performance against the plans.
32. Evaluate
• Directors should examine and make judgement on the current and future use of IT,
including strategies, proposals and supply arrangements (whether internal,
external, or both).
• In evaluating the use of IT, directors should consider the pressures acting upon the
business, such as technological change, economic and social trends, and political
influences.
• Directors should also take account of both current and future business needs —
the current and future organizational objectives that they must achieve, such as
maintaining competitive advantage, as well as the specific objectives of the
strategies and proposals they are evaluating.
33. Direct
• Directors should assign responsibility for, and direct preparation and
implementation of plans and policies. Plans should set the direction for
investments in IT projects and IT operations. Policies should establish sound
behaviour in the use of IT.
• Directors should ensure that the transition of projects to operational status is
properly planned and managed, taking into account impacts on business and
operational practices and existing IT systems and infrastructure.
• Directors should encourage a culture of good governance of IT in their organization
by requiring managers to provide timely information, to comply with direction and
to conform with the six principles of good governance.
34. Monitor
• To complete the cycle, directors should monitor, through appropriate
measurement systems, the performance of IT use. They should reassure
themselves that performance is in accordance with plans, particularly with regard
to business objectives.
• They should also make sure that the use of IT conforms with external obligations
(regulatory, legislation, common law, contractual) and internal work practices. If
necessary, directors should direct the submission of proposals for approval to
address identified needs.
36. Conclusions and Future Work
Review the use of the Plan, Do, Check, Act (PDCA) lifecycle versus Evaluate, Direct, Monitor
(EDM). Show the mapping of EDM onto PDCA.
Incorporate human behavioural aspects into the chosen lifecycle.
Produce a diagram demonstrating the inter-relation of the principles.
Develop derivative material to cover:
· Clarification of the risks of poor governance and decision making;
· Analysis of the benefits of governance across the IT lifecycle; and
· The explanation of each principle.
Development of a TR2 for CIOs and executives to assist them in explaining the rationale
and implications (risks and benefits) of the principles.
Development of a TR2 giving guidelines for the use of the standard by public sector
organizations.
37. Conclusions and Future Work
Determine market requirements and then determine the coverage of future
standards, for example IT Projects, IT Operations, IT Use or some other frameworks:
3 SGs (study groups):
· Digital Forensics
· Governance of IT operations
· Schedule of Products
3 NWIs (new work items):
· Guides for the Implementation of 38500
· Standard for the Governance of Business Change involving IT investment
· Standard for the Corporate Governance of business projects involving IT
investment