SlideShare uma empresa Scribd logo
1 de 42
Service Management
and Infosec
How do they work together?
Agenda
What is this all about?
Who am I?
Align what?
Now what?
Why?
Can service management and infosec live
happily ever after?
And why bother in the first place?
Who am I?
Interested in info sec, technology and
organisation
Trainer for PECB (ISO27001, 27005, 31000)
Convinced that Infosec is a means to an end, not
a purpose in itself
arthur@itsx.com
And please …
Don’t call Information Security cyber …
Managing expectations
This webinar contains some opinions and
personal views that are meant to trigger your
own questions and considerations.
Service management, infosec and other
domains used to be islands. If you want to serve
your customer by providing best of breed, you
need to build bridges.
ITIL
ITIL (Information Technology Service Library):
a set of practices for IT Service Management
aligns IT services and business needs
Focus on delivering what the business needs
the ‘what’ …
ITIL is copyright of Axelos
ITIL ‘loop’
ISO20000-1
SMS (Service Management System) standard
requirements for a service provider to plan,
establish, implement, operate, monitor, review,
maintain and improve an SMS
Focus on managing service delivery
the ‘how’
Service Management System
Quality
A key factor for proper service delivery is the
quality of the service delivered.
According to ISO 8402-1986 standard, quality is
defined as:
"the totality of features and characteristics of a
product or service that bears its ability to satisfy
stated or implied needs."
Quality
Stated needs are clearly described, i.e. the
things the customers wants.
Implied needs are inferred, often the non-
functional requirements, or requirements that
are taken for granted.
Is infosec stated or implied?
This depends on the scope of the service and
customer!
A managed firewall service has stated security
requirements.
A cloud based service often has implied security
requirements.
Make all infosec requirements clear
First thing that needs to be done is to make all
infosec requirements clear and stated.
Business needs and drivers are leading!
• Business Impact analysis
• Data classification
• Risk assessments
RA and BIA
Infosec requirements
How do you make sure your requirements are
complete?
Use an information security framework!
• COBIT
• ISO27001
• PCI/DSS
• HIPAA
COBIT process model
ISO27001 ISMS
Aligning ISO27001
ISO 27001:2013 consists of two parts:
ISMS requirements (mandatory for certification)
Chapters 4 to 10 from the standard
Control framework, Annex A ( ‘the list’)
14 domains with security controls
Annex A is also available as ISO27002 guideline
http://www.iso27001security.com/ is a good source of information
ISO27001, context
This requires you to understand the context,
environment, needs and expectations of
interested parties and stakeholders.
Infosec must support the business goals and
assure proper service delivery by understanding
needs and expectations.
(Chapter 4)
ISO27001, context
Make sure you understand the context of the
service, the related business goals and
associated security requirements!
Make sure the security requirements are
traceable in the service delivery.
ISO27001, leadership
Top management must demonstrate leadership
and commitment and provide resources.
Organisation must support proper service
delivery on all levels, including fulfilling the
security requirements, and make sufficient
resources available.
(Chapter 5)
ISO27001, leadership
Clear and visible commitment is key for succes.
Information security should be an integral part
and not an add-on or bandaid. This must be
clear throughout the organisation.
ISO27001, planning
Use a process based approach to managing risks
and clarify infosec objectives.
Objective of security requirements must be clear
from service management point of view and
risks must be identified, analyzed and treated in
a planned and organized way.
(Chapter 6)
ISO27001, planning
It is necessary to think and plan ahead. Include
information security from the start in your
service delivery.
Retrofitting security is difficult, ineffective,
costly, will delay your project and does not serve
the customer at the end of the day.
ISO27001, support
Adequate and competent resources must be
used, documentation must be maintained.
Use skilled professionals and tools to fulfill the
security requirements, document the way things
should work.
(Chapter 7)
ISO27001, support
Information security is a specialized field which
requires skills, experience and proper tools. Use
them!
If you only have a hammer, all your problems
look like a nail… (Maslov)
ISO27001, operation
Daily management of risk, changes and
documentation, to maintain and assure required
security levels.
Part of the service operation is assuring its
required security levels.
(Chapter 8)
ISO27001, operation
Security should be part of your service level and
daily operations must be geared towards
maintaining the expected security level.
Most security frameworks provide controls for
security operations (ISO27002)
ISO27001, performance evaluation
Monitor, measure, analyze and evaluate the
performance of the ISMS and controls.
Measure the effectiveness of security in the
service and improve where necessary. KPI and
KRI reports.
(Chapter 9)
ISO27001, performance evaluation
You need to make sure you can ‘measure’ the
security levels in your service. Define KPI’s and
KRI’s (Key Risk Indicators) that can be used in
reports. Define desired security levels in SLA’s.
This gives you a means to improve on security
and increase effectiveness and efficiency.
ISO27001, improvement
Use findings from audits, problem management
and reviews to continuously improve security.
Aim for improving the effectiveness and
efficiency of security within the service, as part
of the whole improvement process.
(Chapter 10)
ISO27001, improvement
ISO27001, summary
These areas are part of the mandatory ISO27001
standard. Their goal is to get in control of
information security, using a plan-do-check-act
approach.
IMHO: this is easy to align with service delivery,
as most of these models are based on PDCA as
well, infosec is ‘just’ an additional quality
aspect.
ISO27002, control domains
To support implementing information security,
the Annex A (or ISO27002) is available.
It is not mandatory but it is a good checklist to
make sure you don’t forget important controls.
14 domains, more than just IT!
ISO27002, control domains
ISO27002, highlights
Chapter 5: policies
Sets the standards, principles and goals
Chapter 6: organisation of information security
Who is responsible, roles and decisionmaking
Chapter 8: Asset management
What do we need to protect
ISO27002, highlights
Chapter 12: operations security
Security in your daily systems management
Chapter 13: communications security
Security in your daily network management
Chapter 14: Systems acquisition
Security requirements in outsourcing and
development
ISO27002, highlights
Chapter 15: supplier relationships
Addressing security requirements with your
suppliers
Chapter 16: incident management
What to do when something goes wrong
Chapter 17: Business continuity
How to guarantee delivery of service
ISO27002, highlights
Chapter 18: compliance
Make sure all laws, regulations and standards are
abided by and adhered to.
Critical successfactors
Delivering quality to customer is central
Work from the business goals and drivers
Commitment across the whole organisation
Finally…
In the end, it is all about people and
communication

Mais conteúdo relacionado

Mais procurados

Cloud computing and migration strategies to cloud
Cloud computing and migration strategies to cloudCloud computing and migration strategies to cloud
Cloud computing and migration strategies to cloudSourabh Saxena
 
Migrate to Microsoft Azure with Confidence
Migrate to Microsoft Azure with ConfidenceMigrate to Microsoft Azure with Confidence
Migrate to Microsoft Azure with ConfidenceDavid J Rosenthal
 
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueThe Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueRapidValue
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale
 
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Chad Lawler
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroGraeme Wood
 
RightScale Webinar: Key Considerations For Cloud Migration and Portability
RightScale Webinar:  Key Considerations For Cloud Migration and PortabilityRightScale Webinar:  Key Considerations For Cloud Migration and Portability
RightScale Webinar: Key Considerations For Cloud Migration and PortabilityRightScale
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsTechcello
 
Cloud Migration Strategy
Cloud Migration StrategyCloud Migration Strategy
Cloud Migration StrategyCipherSpace
 
How to Get Cloud Architecture and Design Right the First Time
How to Get Cloud Architecture and Design Right the First TimeHow to Get Cloud Architecture and Design Right the First Time
How to Get Cloud Architecture and Design Right the First TimeDavid Linthicum
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing StrategyRex Wang
 
Cloud Computing Design Considerations
Cloud Computing Design ConsiderationsCloud Computing Design Considerations
Cloud Computing Design ConsiderationsMike Kavis
 
(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...
(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...
(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...Amazon Web Services
 
Innovating with AWS: How Microservices on AWS Can Transform Your Business
Innovating with AWS: How Microservices on AWS Can Transform Your BusinessInnovating with AWS: How Microservices on AWS Can Transform Your Business
Innovating with AWS: How Microservices on AWS Can Transform Your BusinessAmazon Web Services
 
Cloud security design considerations
Cloud security design considerationsCloud security design considerations
Cloud security design considerationsMike Kavis
 

Mais procurados (20)

Multi Cloud Architecture Approach
Multi Cloud Architecture ApproachMulti Cloud Architecture Approach
Multi Cloud Architecture Approach
 
Cloud computing and migration strategies to cloud
Cloud computing and migration strategies to cloudCloud computing and migration strategies to cloud
Cloud computing and migration strategies to cloud
 
Migrate to Microsoft Azure with Confidence
Migrate to Microsoft Azure with ConfidenceMigrate to Microsoft Azure with Confidence
Migrate to Microsoft Azure with Confidence
 
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueThe Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
Azure Hybid
Azure HybidAzure Hybid
Azure Hybid
 
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend Micro
 
Cloud Oracle
Cloud Oracle Cloud Oracle
Cloud Oracle
 
RightScale Webinar: Key Considerations For Cloud Migration and Portability
RightScale Webinar:  Key Considerations For Cloud Migration and PortabilityRightScale Webinar:  Key Considerations For Cloud Migration and Portability
RightScale Webinar: Key Considerations For Cloud Migration and Portability
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
 
Cloud Migration Strategy
Cloud Migration StrategyCloud Migration Strategy
Cloud Migration Strategy
 
How to Get Cloud Architecture and Design Right the First Time
How to Get Cloud Architecture and Design Right the First TimeHow to Get Cloud Architecture and Design Right the First Time
How to Get Cloud Architecture and Design Right the First Time
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing Strategy
 
Cloud Computing Design Considerations
Cloud Computing Design ConsiderationsCloud Computing Design Considerations
Cloud Computing Design Considerations
 
(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...
(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...
(BAC302) Using AWS to Create a Low Cost, Secure Backup Environment for Your O...
 
Innovating with AWS: How Microservices on AWS Can Transform Your Business
Innovating with AWS: How Microservices on AWS Can Transform Your BusinessInnovating with AWS: How Microservices on AWS Can Transform Your Business
Innovating with AWS: How Microservices on AWS Can Transform Your Business
 
Cloud security design considerations
Cloud security design considerationsCloud security design considerations
Cloud security design considerations
 
Seven Seas Technology
Seven Seas TechnologySeven Seas Technology
Seven Seas Technology
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 

Destaque

Royal Cyber Inc. IBM DevOps® Expertise
Royal Cyber Inc. IBM DevOps® ExpertiseRoyal Cyber Inc. IBM DevOps® Expertise
Royal Cyber Inc. IBM DevOps® ExpertiseNoman Butt
 
Data Breach: Hot Topics in Information Security Trends Webinar Recording
Data Breach: Hot Topics in Information Security Trends Webinar RecordingData Breach: Hot Topics in Information Security Trends Webinar Recording
Data Breach: Hot Topics in Information Security Trends Webinar RecordingBradley Arant Boult Cummings LLP
 
ISO 27001:2013 Mandatory documents and records
ISO 27001:2013 Mandatory documents and recordsISO 27001:2013 Mandatory documents and records
ISO 27001:2013 Mandatory documents and recordsManoj Vakekattil
 
Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...
Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...
Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...CA Technologies
 
Evolution of the DevOps Quality Management Office
Evolution of the DevOps Quality Management OfficeEvolution of the DevOps Quality Management Office
Evolution of the DevOps Quality Management OfficeCapgemini
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013Ramiro Cid
 
What and why of process excellence models
What and why of process  excellence modelsWhat and why of process  excellence models
What and why of process excellence modelsLN Mishra CBAP
 
Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002pgpmikey
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps IntroductionRobert Sell
 
DevOps Patterns - Team Topologies
DevOps Patterns -  Team TopologiesDevOps Patterns -  Team Topologies
DevOps Patterns - Team TopologiesMatthew Skelton
 
DevOps: A Culture Transformation, More than Technology
DevOps: A Culture Transformation, More than TechnologyDevOps: A Culture Transformation, More than Technology
DevOps: A Culture Transformation, More than TechnologyCA Technologies
 

Destaque (14)

Word formation
Word formationWord formation
Word formation
 
Royal Cyber Inc. IBM DevOps® Expertise
Royal Cyber Inc. IBM DevOps® ExpertiseRoyal Cyber Inc. IBM DevOps® Expertise
Royal Cyber Inc. IBM DevOps® Expertise
 
Data Breach: Hot Topics in Information Security Trends Webinar Recording
Data Breach: Hot Topics in Information Security Trends Webinar RecordingData Breach: Hot Topics in Information Security Trends Webinar Recording
Data Breach: Hot Topics in Information Security Trends Webinar Recording
 
ISO 27001:2013 Mandatory documents and records
ISO 27001:2013 Mandatory documents and recordsISO 27001:2013 Mandatory documents and records
ISO 27001:2013 Mandatory documents and records
 
Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...
Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...
Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery ...
 
Evolution of the DevOps Quality Management Office
Evolution of the DevOps Quality Management OfficeEvolution of the DevOps Quality Management Office
Evolution of the DevOps Quality Management Office
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
 
What and why of process excellence models
What and why of process  excellence modelsWhat and why of process  excellence models
What and why of process excellence models
 
Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps Introduction
 
NTC ISO/IEC 27001
NTC ISO/IEC 27001 NTC ISO/IEC 27001
NTC ISO/IEC 27001
 
DevOps Patterns - Team Topologies
DevOps Patterns -  Team TopologiesDevOps Patterns -  Team Topologies
DevOps Patterns - Team Topologies
 
Word formation FCE
Word formation FCEWord formation FCE
Word formation FCE
 
DevOps: A Culture Transformation, More than Technology
DevOps: A Culture Transformation, More than TechnologyDevOps: A Culture Transformation, More than Technology
DevOps: A Culture Transformation, More than Technology
 

Semelhante a PECB Webinar: The alignment of Information Security in Service Management

Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaFahmi Albaheth
 
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...ITIL Indonesia
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and ismsSeptafiansyah P
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxssuser00d6eb
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certificationramya119
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationNetwork Intelligence India
 
201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT Frameworks201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT FrameworksFrancisco Calzado
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and ismsSeptafiansyah P
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowPECB
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...
C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...
C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...acinfotec
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)samsontamwaiho
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)samsontamwaiho
 
ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018Wervyan Shalannanda
 

Semelhante a PECB Webinar: The alignment of Information Security in Service Management (20)

Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan Mustafa
 
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and isms
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certification
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics Implementation
 
201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT Frameworks201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT Frameworks
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and isms
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...
C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...
C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_...
 
Cyber Security Management
Cyber Security ManagementCyber Security Management
Cyber Security Management
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
 
ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018
 
New ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation StepsNew ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation Steps
 

Mais de PECB

Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?PECB
 
ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?
ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?
ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?PECB
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...PECB
 

Mais de PECB (20)

Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?
 
ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?
ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?
ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
 

Último

How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...CaraSkikne1
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxDr. Santhosh Kumar. N
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 

Último (20)

How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 

PECB Webinar: The alignment of Information Security in Service Management

  • 1. Service Management and Infosec How do they work together?
  • 2. Agenda What is this all about? Who am I? Align what? Now what?
  • 3. Why? Can service management and infosec live happily ever after? And why bother in the first place?
  • 4. Who am I? Interested in info sec, technology and organisation Trainer for PECB (ISO27001, 27005, 31000) Convinced that Infosec is a means to an end, not a purpose in itself arthur@itsx.com
  • 5. And please … Don’t call Information Security cyber …
  • 6. Managing expectations This webinar contains some opinions and personal views that are meant to trigger your own questions and considerations. Service management, infosec and other domains used to be islands. If you want to serve your customer by providing best of breed, you need to build bridges.
  • 7. ITIL ITIL (Information Technology Service Library): a set of practices for IT Service Management aligns IT services and business needs Focus on delivering what the business needs the ‘what’ … ITIL is copyright of Axelos
  • 9. ISO20000-1 SMS (Service Management System) standard requirements for a service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS Focus on managing service delivery the ‘how’
  • 11. Quality A key factor for proper service delivery is the quality of the service delivered. According to ISO 8402-1986 standard, quality is defined as: "the totality of features and characteristics of a product or service that bears its ability to satisfy stated or implied needs."
  • 12. Quality Stated needs are clearly described, i.e. the things the customers wants. Implied needs are inferred, often the non- functional requirements, or requirements that are taken for granted.
  • 13. Is infosec stated or implied? This depends on the scope of the service and customer! A managed firewall service has stated security requirements. A cloud based service often has implied security requirements.
  • 14. Make all infosec requirements clear First thing that needs to be done is to make all infosec requirements clear and stated. Business needs and drivers are leading! • Business Impact analysis • Data classification • Risk assessments
  • 16. Infosec requirements How do you make sure your requirements are complete? Use an information security framework! • COBIT • ISO27001 • PCI/DSS • HIPAA
  • 19. Aligning ISO27001 ISO 27001:2013 consists of two parts: ISMS requirements (mandatory for certification) Chapters 4 to 10 from the standard Control framework, Annex A ( ‘the list’) 14 domains with security controls Annex A is also available as ISO27002 guideline http://www.iso27001security.com/ is a good source of information
  • 20. ISO27001, context This requires you to understand the context, environment, needs and expectations of interested parties and stakeholders. Infosec must support the business goals and assure proper service delivery by understanding needs and expectations. (Chapter 4)
  • 21. ISO27001, context Make sure you understand the context of the service, the related business goals and associated security requirements! Make sure the security requirements are traceable in the service delivery.
  • 22. ISO27001, leadership Top management must demonstrate leadership and commitment and provide resources. Organisation must support proper service delivery on all levels, including fulfilling the security requirements, and make sufficient resources available. (Chapter 5)
  • 23. ISO27001, leadership Clear and visible commitment is key for succes. Information security should be an integral part and not an add-on or bandaid. This must be clear throughout the organisation.
  • 24. ISO27001, planning Use a process based approach to managing risks and clarify infosec objectives. Objective of security requirements must be clear from service management point of view and risks must be identified, analyzed and treated in a planned and organized way. (Chapter 6)
  • 25. ISO27001, planning It is necessary to think and plan ahead. Include information security from the start in your service delivery. Retrofitting security is difficult, ineffective, costly, will delay your project and does not serve the customer at the end of the day.
  • 26. ISO27001, support Adequate and competent resources must be used, documentation must be maintained. Use skilled professionals and tools to fulfill the security requirements, document the way things should work. (Chapter 7)
  • 27. ISO27001, support Information security is a specialized field which requires skills, experience and proper tools. Use them! If you only have a hammer, all your problems look like a nail… (Maslov)
  • 28. ISO27001, operation Daily management of risk, changes and documentation, to maintain and assure required security levels. Part of the service operation is assuring its required security levels. (Chapter 8)
  • 29. ISO27001, operation Security should be part of your service level and daily operations must be geared towards maintaining the expected security level. Most security frameworks provide controls for security operations (ISO27002)
  • 30. ISO27001, performance evaluation Monitor, measure, analyze and evaluate the performance of the ISMS and controls. Measure the effectiveness of security in the service and improve where necessary. KPI and KRI reports. (Chapter 9)
  • 31. ISO27001, performance evaluation You need to make sure you can ‘measure’ the security levels in your service. Define KPI’s and KRI’s (Key Risk Indicators) that can be used in reports. Define desired security levels in SLA’s. This gives you a means to improve on security and increase effectiveness and efficiency.
  • 32. ISO27001, improvement Use findings from audits, problem management and reviews to continuously improve security. Aim for improving the effectiveness and efficiency of security within the service, as part of the whole improvement process. (Chapter 10)
  • 34. ISO27001, summary These areas are part of the mandatory ISO27001 standard. Their goal is to get in control of information security, using a plan-do-check-act approach. IMHO: this is easy to align with service delivery, as most of these models are based on PDCA as well, infosec is ‘just’ an additional quality aspect.
  • 35. ISO27002, control domains To support implementing information security, the Annex A (or ISO27002) is available. It is not mandatory but it is a good checklist to make sure you don’t forget important controls. 14 domains, more than just IT!
  • 37. ISO27002, highlights Chapter 5: policies Sets the standards, principles and goals Chapter 6: organisation of information security Who is responsible, roles and decisionmaking Chapter 8: Asset management What do we need to protect
  • 38. ISO27002, highlights Chapter 12: operations security Security in your daily systems management Chapter 13: communications security Security in your daily network management Chapter 14: Systems acquisition Security requirements in outsourcing and development
  • 39. ISO27002, highlights Chapter 15: supplier relationships Addressing security requirements with your suppliers Chapter 16: incident management What to do when something goes wrong Chapter 17: Business continuity How to guarantee delivery of service
  • 40. ISO27002, highlights Chapter 18: compliance Make sure all laws, regulations and standards are abided by and adhered to.
  • 41. Critical successfactors Delivering quality to customer is central Work from the business goals and drivers Commitment across the whole organisation
  • 42. Finally… In the end, it is all about people and communication