ISO/IEC 38500? Anders Carlstedt, Practice Leader LIS, Ekelöw InfoSecurity AB. ISO: ISO/IEC SC 27 Editor, ISO/IEC 27005 Information Security Risk Management.

Presentation transcript:

1 ISO/IEC 38500?

2 Anders Carlstedt, Practice Leader LIS, Ekelöw InfoSecurity AB
ISO:
– ISO/IEC SC 27 Editor, ISO/IEC 27005 Information Security Risk Management
– ISO/IEC SC 27 Acting Editor, NWIP 2700X Auditor Guidelines on ISMS Controls
– ISO/IEC SC 27 Task Force on Governance
– ISO TC 176 Technical Expert re Risk Based Audit for the revision of ISO
SIS:
– Chair, TK318 AG4 Risk Management
– Vice Chair, AG Auditing of Management Systems (9000, 14000 etc.)
M:
E: first.last[at]ekelow.se

3 Contents / Agenda
– Definitions
– Background, content and structure
– How?
– Results, added value and experience

4 Definitions
– Corporate governance: The system by which organizations are directed and controlled. (Cadbury 1992 and OECD 1999)
– Corporate governance of IT: The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.

5 Background
– ISO/IEC 38500 was prepared by Standards Australia (as AS8015:2005) and adopted via the "fast-track procedure" by ISO/IEC JTC 1, Information technology.
– ISO/IEC 38500 is a high-level, principles-based advisory standard.
– The objective: to provide a framework of principles for directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations.

6 Content and structure
– A framework for effective governance of IT, to assist leadership in understanding and fulfilling their legal, regulatory and ethical obligations in respect of their organizations' use of IT.
– The framework comprises definitions, principles and a model.
– Aligned with the OECD Principles of Corporate Governance.

7 Content and structure
Structure:
1. Scope, Application & Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for the Corporate Governance of IT
(22 pages)

8 "Six Principles for Good Corporate Governance of IT"
– Responsibility
– Strategy
– Acquisition
– Performance
– Conformance
– Human Behaviour

9 ISO/IEC 38500 (model diagram)

10 Benefits…
– This standard establishes principles for the effective, efficient and acceptable use of IT. Ensuring that their organizations follow these principles will assist directors in balancing risks and encouraging opportunities arising from the use of IT.
– This standard establishes a model for the governance of IT. The risk of directors not fulfilling their obligations is mitigated by giving due attention to the model in properly applying the principles.
– The standard establishes a vocabulary for the governance of IT.

11 How? (diagram) Business Strategy; Risk, Conformance & Compliance; IT Strategy; Change; IT Balance Sheet; Operations; 38500

12 IT Governance: Risk, Conformance & Compliance?
– Risk, Conformance & Compliance
– Enterprise Risk Management, Controls & Audit
– COSO, ISO 31000, ISO/IEC 27005, 27001/2, COBIT, PCI etc.

13 Risk treatment in ISO/IEC 27005 (diagram)

14 And then?
– Vision & Policy
– Risk assessment
– Risk treatment
– Risk acceptance
– Guidelines
– Procedures & Regulations

15 Roles & responsibilities: "risk, conformance, compliance" – information security
– The organization's management (cf. COO, CEO, CSO & CFO): strategic decisions, coordinates management/governance
– CISO: overall responsibility for the implementation
– Information security forum/committee: appoints the leading roles in the project
– Project team: responsible for the current activities

16 Roles & responsibilities (cont.)
– Experts
– Consultants
– Head of Internal Audit
– Process owners
– Area managers
– Other identified stakeholders
– HR

17 And the value of investments already made…

18 The PDCA model according to ISO/IEC 27001 (diagram)

19 Some examples of results and added value
– Strategic and tactical/operational control
– Support for compliance, governance and quality
– Trust in the organization among both internal and external stakeholders
– Improved control over investments
– Adequate safeguards
– Measurable results

20 Our experience
– Engage management
– Ensure communication
– Carry out preparatory work
– Run it as a managed project
– Monitor
– Measure
– Improve

21 Three things to remember!
– Business needs are the governing factor!
– Apply and use the PDCA cycle!
– Engage the business!

22 Thank you! More information can be found at: – – –

