Using ISO 27001 to Create Actionable TPRM KPIs & KRIs
Description
ISO 27001 is an internationally recognized information security standard used in more than 100 countries. When it comes to third-party risk management, it provides a clear framework for identifying and managing supplier risk. However, how do you know if you’re applying it correctly?
In this interactive webinar, join compliance experts Sophie Pothecary and Thomas Humphreys as they discuss how ISO 27001 applies to managing third-party risk and strategies to use the framework to measure your TPRM program’s success.
Join Sophie and Thomas as they:
- Introduce the ISO 27001 standard
- Define how to map TPRM practices to the Information Security Management System (ISMS) and ISO controls
- Identify which key controls are the most impactful
- Examine ways to translate these controls into actionable key performance indicators (KPIs) and key risk indicators (KRIs)
- …and more!
The ISO 27001 framework is a valuable tool in your compliance arsenal. Register now to learn how to apply it to your TPRM program – and gain instant access to The ISO Third-Party Compliance Checklist!
Speakers
Thomas Humphrey
Compliance Expert
Sophie Pothecary
Compliance Expert
Transcript
Ash: Let’s give everyone a minute to get situated with their drinks and their snacks. In the meantime, I’m going to go ahead and launch our first poll. We’re just curious to see what’s bringing you to today’s webinar. Is it educational? Are you in the beginning stages of your TPRM journey? Do you love hearing British accents? Either way, no judgment from me here. I love them, too. With that said, let’s go ahead and get some introductions rolling. My name is Ash. I work in business development over here at Prevalent, and we are joined by some very special aforementioned guests. First up, our project manager Thomas Humphreys. How’s it going, Thomas?
Thomas: Yep. Good. All good here.
Ash: Our solutions engineer Sophie Pothecary. How’s it going, Sophie?
Sophie: I’m all good, thank you Ashby. Hope you are too.
Ash: Thanks. And last but certainly not least in my book, our very own VP of product marketing, Scott Lang. How’s it going, Scott?
Scott: Great, Ashley. Hope everybody is doing well today.
Ash: Just a quick reminder, this webinar is being recorded and we will be sending out a copy along with the presentation slides shortly after the webinar. I have you all muted, but I love questions. Sophie loves questions. Thomas loves questions. So please, please, please drop them in the Q&A box and they’ll go over them at the end of the webinar. Today Thomas and Sophie will be discussing how to use the ISO framework to measure your TPRM program success. So, I’ll go ahead and pitch things over to you.
Thomas: Fantastic. Thank you very much, Ashley. And yes, good morning, good afternoon, good evening, ladies and gentlemen. My name is Thomas Humphreys, and welcome to this webinar, where we’re focusing on ISO 27001 and its link with TPRM, with a special focus on how we can draw out the controls and requirements when looking at KPIs, KRIs and other measurements to ensure a successful outcome. I’m joined by Sophie. Sophie, if you’d like to introduce yourself.
Sophie: Yes, thank you very much, Thomas. Happy to be here today. Good morning, good afternoon and good evening. I’m one of the solutions engineers here at Prevalent, working closely with Thomas and the wider team to further develop TPRM programs and success across ISO 27001 and others. Thanks, Thomas.
Thomas: Thank you very much. And myself, to summarise: I’ve been with Prevalent for 5 years. I was previously an ISO auditor for the best part of 10 years, working across many standards, not least 27001, on a local and global level, in certification bodies both in the UK and in Singapore. Just a very brief bit of housekeeping. As Ashley’s mentioned, as usual with these webinars we like to save some time at the end for a Q&A, but throughout today, where appropriate, we’ll answer some questions as well. So any questions that come to mind, please post them into the Q&A chat box or window, and as we go through we’ll try and answer as many as we can. So, let’s kick off looking at what we’re going to be covering today. I’ll give an overview of 27001, paying particular attention to some of the newer elements since the standard was re-released, before looking at how we can map standard TPRM practices across to 27001 and an information security management system. I’ll take a look at some of the key controls and how we can derive and identify key controls, particularly if you’re just starting out on that journey of using 27001 for the first time. I’ll then touch on performance and risk indicators and what that can look like for your TPRM journey, as well as around the 27001 standard itself, before finishing with some next steps and where we can go from here, and how you can take some of this information forward when you’re either beginning your journey, or if you’re already partly through or ongoing on a TPRM process. So, starting with an introduction to ISO 27001. For anyone who’s unfamiliar, 27001 is ISO’s principal standard on information security. It’s one of their older standards and also one of their most widely adopted standards.
The overall structure and approach of 27001 is to provide a structured framework for an organization to identify and set some governance in place in terms of identifying information security risk, and then managing that risk through a series of activities, controls, policies and processes as well. So it’s built around a very strong core of governance in terms of how you manage the life cycle of information security management, as well as risk and good risk practices and risk best practices. As I say, it’s internationally recognized, it’s one of the most widely adopted frameworks, and not too dissimilar to many of the other ISO standards. One of the reasons it’s so widely adopted is its universal approach. So regardless of the size and complexity of organizations, regardless of industries, sectors and even geographies, there’s always a use case to be had for how you can build best practice around 27001, whether it’s from a certification standpoint or purely using the standard to drive that best practice and understanding of a good security posture. Just briefly to note that there are many other standards. We’ll be briefly touching on 27002, because there’s a close relationship between 27001, which is the certifiable standard, and 27002, which provides those implementation guidelines on how we can apply and develop and build upon those security controls and what those controls look like in practice. It’s always important to note that although we’re focusing on 27001 and 27002 specifically, as is common with ISO, they build what they call a family of wider standards, which can sometimes be used to address sector- or technology-specific applications on how 27001 could be best used.
So for example, how it can be used for a cloud environment and cloud provider, or how 27001 could be applied, say, in the healthcare sector or in the legal sector. And so there’s quite a wide variety of frameworks out there, but nevertheless we’ll be dealing very much with 27001 and 27002. So, a very brief background. In 2022 the standard was re-released. Roughly every 5 years ISO make the decision to formally review all their standards, and the decision was made that 27001 needed to be updated. They seek to make updates based on new and emerging technologies, where there are changes in the way standards are used and the way standards are managed as well. And two of the biggest outputs of this was a restructuring of the clauses. So for those who are perhaps less familiar, 27001 is split across two main sections. One is the governance, leadership and management section of what they call the ISMS, and then the second part is what they used to call Annex A, which is where all the technical controls and organizational controls are identified, and the selection of which controls meet the organization’s use case and business cases. So there’s a restructuring of these clauses, and they split them across what are called four control areas: organizational, people, physical and technological based controls. So from an organizational perspective, areas in terms of access, business continuity and incident management and response; people, in terms of background checks, personnel training and onboarding; obviously physical controls, in terms of physical protection of information systems; and then technological controls, particularly from a data security perspective, so backup and encryption, addressing malware, addressing vulnerability and threat management.
Secondly, and perhaps more interesting, it developed these three areas it calls operational capabilities, control types and cyber security concepts, and these are areas that I think are quite relevant, particularly with regards to some of the areas we’re covering today around identifying key controls, and how we can use the standard from a KPI/KRI perspective. But broadly speaking, these have been identified and are useful in helping an organization plan for and implement the controls to address the security risks that they’ve identified through the risk management process. And these are attributes that have been developed throughout the framework and are developed in more depth in 27002. But as we’ll see as we go along later today, they can provide some useful indicators of trending and trend analysis, and where critical controls can be identified and derived as well.
Sophie: And Thomas, that’s really interesting in terms of that restructure. Would you say that that kind of split across the four control areas, as opposed to the two, does that make it more applicable to some of these organizations? You said, you know, it’s widely adopted. Does that make it easier for an organization to adhere to these standards, with that split now being across control areas?
Thomas: It can do in many ways, yes. I mean, as I said, regardless of whether you’re a large, say, software house, or you’re a small advertising agency, or you’re in the manufacturing industry, or a completely different industry. The fact that there’s now a restructuring, it’s important to note that roughly 90 to 95% of the controls have still remained from the older 27001 framework. But yes, the fact that they’ve now been reorganized, and particularly with the use of things like these operational capabilities, it can make it easier for companies to say, well, what’s important to us? And when we’re thinking about the risks you’ve identified, how can we look at the most appropriate set of controls, whether it’s from an organizational governance perspective or a technical perspective, for example.
Sophie: Yeah, absolutely. Thank you.
Thomas: Just want to touch on this section. This is an area that has now increased slightly, particularly from a 27002 perspective. So there’s always been a case in previous iterations of 27001, and even the original standards as well, around managing third parties, managing suppliers and supply chain, and it’s worth noting that even now it provides those same requirements for managing information security across the supply chain, whether it’s dealing with how we identify information security risks across our third party base, or how we address those security risks through the application of controls, particularly in terms of supplier agreements and supplier contracts, and what we want to capture in terms of what our third parties are delivering to us. Thinking about the wider supply chain: so where there are, say, fourth, fifth or even further down the supply chain a series of organizations, the consideration that goes into how, through our third party agreements for example, we can enforce or at least inquire about pertinent security controls that are important to us. And then of course monitoring, reviewing and change management when there are changed supplier activities and services, and monitoring the performance through performance reviews, audits, on-site and remote audits and so forth as well. What’s quite interesting here, and one of the changes when you’re looking at particularly numbers one and two, is the expansion of the description through 27002, not too dissimilar to other standards such as NIST 800-161, for anyone who knows about that framework. So the cyber security supply chain risk management framework touches on the wider A to Z of how you manage your supply chain and your third party base, so from identification of third parties all the way through to exit agreements and establishing supplier agreements and contracts.
And this can be quite key, particularly when looking back at some of those operational capabilities, control types and cyber security concepts as well, because we’re thinking as well about how we can apply 27001 when we’re building those third party relationships and that third party life cycle model. This provides a core driver in thinking, well, how do we get from the risks that we’ve identified through to what we need to consider from an agreement perspective, whether it’s data breach notification and incident response and continuity, or more technical applications around access control, for example, based on how a third party may handle and access data or information or related systems as well. This is very much staying in place from the previous version, but there’s a lot more emphasis placed on the application of supply chain, and this has extended to new controls around consideration for cloud services, given cloud is becoming so much more commonplace amongst many organizations and entities.
Sophie: Thomas, just a quick one as we progress into this slide, and it touches on a question in the Q&A which I think is quite relevant to what you were just talking about there. It’s more prominent in cloud and we’ve got more remote workers. We’ve got a lot more control requirements in terms of access management. One of the questions that’s been raised is how applicable are the physical controls in this era of remote working? How much control does an organization really have when staff are working remotely?
Thomas: It’s a very good, very timely question, and yes, you’re absolutely right. You have to look at the last, what, two to three years in terms of this explosion of remote working, even to the level of companies still debating the relevance of a physical office space. So what’s interesting about the new standard is they have, even down to the level of terminology, expanded on some of the terms and use cases of end user devices and end user device management, for example. It’s a greater consideration about using controls to protect organizational assets, but as well as BYOD based devices, as well as the concept of remote working and work from home. It’s always important to note that, particularly with ISO standards, they’ll never get to a stage where they specifically mention technologies or applications, because it is universal regardless of, let’s say, geography, country and industry. But there is a wider acceptance in the framework around how you manage from a staffing perspective, how you manage from a mobile device perspective, particularly, as you say, given that there’s so much more remote working and we have got our own sort of systems and assets as well. There still is physical security within the assessment that touches on some of the common areas. How do you protect sensitive assets? How do you protect sensitive working areas, if you have them? I guess what’s then more pertinent here is how you can take some of those existing controls and put them in a home environment. So though maybe traditionally it’ll be talking about server rooms in an office space, not so applicable obviously if you’re working from home. So it’s looking at how we can apply the same concepts to a work from home solution. So are there controls that organizations can ask employees to put in place around how they secure their assets?
You know, are they working from areas where there may be exposure from a public perspective? Are they working in areas that have locked doors, locked areas? As well as the technological aspects of the laptops and phones and tablets that they’re working through as well.
Sophie: Yeah.
Thomas: Okay.
Sophie: Thank you.
Thomas: Let’s move on to mapping those TPRM practices to an ISMS. Now, in quite a broad sense, you know, we’ve got a few different areas to consider. So obviously thinking right from the top in terms of how do we identify our third parties? How do we identify from a profiling and tiering perspective? How do we sort them into relevant buckets, from high, medium, low criticality or tier one, tier two, tier three, and understand what the risks are when we’re dealing with our third parties? And this is where different aspects of 27001 come in quite nicely. So we can see clauses 5.1, 6.1, 6.2 and 6.3, and this is what ISO deems the high level structure of its ISMS, and these are areas that focus around top management for an organization, planning and identifying resource and resource allocation, roles and responsibilities, as well as a very well-defined risk approach in terms of the identification and management of risk, in terms of reviews, assessments, documentation, ownership, all the way through to the treatment of risk. And on top of that, control 5.19, which is one of the security controls we briefly touched on earlier, information security in supplier relationships. Combined, these areas can help that process of saying, how do we identify what our third parties are doing? Do we have the necessary resource in the organization to help engage with third parties and to start identifying the level of service they’re providing to us? But then, down to applying that ISO 27001 interpretation of risk management, to start thinking about, if we already know what third parties are providing to us in terms of product and service and the level of sensitive data on information systems, can we start to work out from clauses 6.1, 6.1.2 and 6.1.3 the level of impact a loss of confidentiality, integrity and availability, so a loss of those areas of information, could apply to us or could cause us.
So there’s a blend of high level structure requirements as well as, let’s call them, Annex A controls that can already help to start mapping those activities of identifying third parties and understanding what our risk is.
Thomas: Then we think about, well, how do you then address the security in those third party agreements, again paying attention to the supply chain, and again 5.19, 5.20 and 5.21, as we looked at in the previous slide, are all focused around those considerations in supplier agreements. And what 27002 does quite nicely is it already starts to offer suggestions in terms of areas you should consider. So do we need to think about data management, data breach notification? Do we need to think about incident and business continuity control? Do we need to think about areas around access and acceptable use of assets, for example, as well as physical security where appropriate? And so again, through these three technical controls, we can already start to build a picture of what we might want to look at when we’re building a third party agreement or contract. Then we’ve got to the stage where we’ve put the third parties into, say, multiple tiers. We know the type of risks that we need to focus on, or that the business is concerned about, or the industry is concerned about, thinking about the wider industry take on third party risk. We need to think about how we are now going to assess these third parties. And this is where these Annex A controls, from organizational through to technical, can come in, whether it’s all-encompassing or whether it’s only a subset of controls based on those risks, based on the third party agreements and what we’re trying to aim for. So you can take 27001, regardless of whether you’re being certified or just using it as a best practice framework, to then build an assessment with which to assess or audit or review your suppliers against. And obviously the aim here is that, through that risk management approach, that should help in the identification of which controls are most critical to us.
And again, that’s an area we’ll come on to in terms of how we can identify key controls. What are perhaps some of the more impactful key controls that we should be considering, generally, or more specifically about what third parties are providing to us?
Thomas: And then finally, we’ve got to the stage where we’ve identified our third parties. We’ve got formal agreements. We’ve assessed them. We’re going through assessments on a six monthly, quarterly, annual basis. That final stage is how do you then look at that continual monitoring, continual review of those third parties. And then again, control 5.22 goes through the specifics around, well, how can we and how should we be monitoring our third parties and our wider supply chain as well. So we can see a blend of both high level structure controls in 27001 as well as the more Annex A technical controls around third party and supply chain management, or supply chain risk management, as well. Just briefly touching on these three areas in a bit more depth, particularly around these new concepts. So when we’re looking at the leadership aspect of the high level structure, generally speaking it asks organizations to define security policies, set objectives and particularly ensure resource is managed and planned and roles are clearly established, both in terms of managing security activities but also a reporting line back to top management, senior management and any other critical interested party, using that governance approach, in this case clause 5.1 of the standard.
And again, looking at that 5.19 control, these two combined can start to help build that supply chain process and that case study in terms of how we’re going to monitor and manage our suppliers, and thinking about, although it’s focusing on security policy, the wider supply chain risk policy. And using clause 6.1 to build that risk management life cycle can then help to establish, you know, how we can understand and identify what those third party risks are, whether they’re technical risks, whether they’re risks based on, as I say, industry and sector concerns, or other areas as well. And as mentioned, one of the strengths of 27001 is the fact that it does go into a lot of detail around thinking about setting that risk criteria and those processes for identifying, analyzing, evaluating and treating security risks.
Thomas: Particularly using very well-known approaches such as likelihood and impact to give some level of risk scoring and risk rating, but as well as thinking about the detail around how we treat those risks, and based on those overall risk scores and the most critical risks, what do we want to mitigate versus avoiding, accepting or going through another avenue of risk treatment and risk remediation as well. Addressing security in third party agreements. As we’ve mentioned, 27001 goes into quite a lot of depth in terms of considerations, what we need to think about in terms of third party agreements. So once risks have been identified, those third parties and services are known, we can now start to think about what’s giving us the most cause for concern. It could be based on what the third parties are doing, the type of data that’s being accessed, the levels of classification or sensitivity of that data that they’re using, are they holding our own, or are we procuring some sort of ICT information systems and information infrastructure that may be holding that type of sensitive data, and if so, is this a critical risk to us? Personnel requirements, based on how many people and what people, and particularly if there are contractors as well as full-time employees. Are there any requirements we need to consider and incorporate into contracts around screening and background checks of staff, levels of training and types of training that’s being delivered? Is there more, be it around more common threats that we’re seeing over the last two to three years around phishing and ransomware based attacks and how employees can respond to that, for example, as well as acceptable use of data assets and information assets as well?
And so by identifying those bigger concerns, we can then start to piece together, based on those four control areas of organizational, people, physical and technological, what’s more important to us and how we can distill from the 93 or 94 controls that are captured in those four control areas.
Thomas: Do we want to cover everything? Which in some cases may be relevant, particularly given the more complex organizations and more complex third parties, maybe based on the tiering and based on the nature of what they’re providing. There may be a genuine need to look at an all-encompassing view of information security, capturing those four control areas. It may be, based on the level of tiering that’s been applied to the third party or the nature of what they’re providing as a product or service, that there are areas that are less critical. Physical control, for example: if an organization doesn’t have access to sensitive information and data, are we so concerned about some of the physical controls that organization may have? Particularly if they still have a level of office space, or if they’re renting office space, for example, how important are those physical controls in getting us to understand a good security posture for that organization? It may be that there are some controls that will always be mandatory given the nature of what that third party is providing to us as well. So starting to join the pieces of what those risks are, the level of visibility of what the third parties are providing to us and the type of services they’re providing, and then starting to piece together: how many of those controls are we really concerned about and do we want to assess our third parties against?
Sophie: Thomas, just in terms of that assessing the third party piece you just talked about, and obviously, dependent on, you know, the criticality and types of services etc., that would naturally determine the level of assessment or types of assessment. One question that’s been asked, which is quite interesting here: what’s the approach of the ISO restructuring towards business continuity and disaster recovery? What key controls are mapped to TPRM?
Thomas: Yes, that’s an interesting one. So continuity still exists in the framework, around the organizational controls. I believe I’ve touched on one later in the rating assessments. We’ll have a look at that one in more depth. But yes, when we look at particularly 27002, there is more of a push to say, particularly in terms of recovery activities, there does need to be a link, obviously based on supplier activities and the services they’re providing. But there needs to be consideration around what level of continuity effort and relationship you have with your supplier, particularly in terms of those agreements and sort of mandating some of those control areas. So there are topics around consideration for information security considerations in business continuity, developing continuity and disaster recovery programs, and testing those programs as well. And again, it’s the testing where there is a bit more emphasis: when you’re testing, you don’t just test in isolation, but you’re testing with your suppliers if necessary, where appropriate and where necessary. So bringing in critical suppliers to make sure that if your systems fail over, or if there’s an issue, there’s a level of interlink between what suppliers need to be doing for yourself as well. So it comes in two areas. One from your own organizational aspect of managing continuity, but also ask suppliers specifically, what are your recovery efforts as well?
Sophie: Yeah.
Thomas: And how can you demonstrate that to us as well? So through testing programs, through key communication points, for example, key roles and responsibilities. I mean, one of the interesting areas that again is becoming more common, and I may have mentioned earlier, when it comes to the contracts, is breach and breach notification. 27002 lists it quite prominently, and that’s a good example, so that if we have that unfortunate scenario where a vendor does suffer a data breach, have we captured, from the agreement and through the way we assess our vendor, how they’re responding to us about the nature of the breach and what they’ve done to recover and get back to BAU? Because obviously if that’s not captured in there, and if I’m missing that link, then as we know that risk can increase greatly, particularly when it starts to involve regulators and law enforcement as well.
Sophie: Of course.
Thomas: Finally, monitoring, review and re-evaluate. So sending out the third party assessment, of course, is only the beginning. What should we be doing? Obviously, when the results come back, and this is worth touching on, these three aspects of operational capabilities, control types and cyber security concepts: for anyone who’s familiar with NIST particularly, the cyber security concepts will be very familiar, because these follow on based on NIST and the NIST CSF cyber security framework. So these five areas around identify, protect, detect, respond and recover based controls, basically controls that can help organize your cyber security activities. We’re thinking about operational capabilities. These are attributes, and this is where we find a greater volume of attributes, around operational capability, and one of the key purposes here is to help assessors and practitioners of the framework when planning and delivering a management system. And then control types: so how controls can help modify risks, particularly where information security incidents occur, and these split across preventive, detective and corrective based controls. So that is to say, controls that should be in place to help prevent the occurrence of a security incident; controls that are used to help detect vulnerabilities and weaknesses, and when a security incident may occur; and then there’s corrective controls, what is being put in place and what controls do we need to put in place post incident to get back to usual. So again, thinking about some of the controls from a continuity perspective. And so we can see on the screen three examples. So from an operational capability perspective, let’s look at information protection. And so looking at the 93 or 94 controls set out across the standard, there are several that are labeled with this concept of information protection.
And we can see a few examples here: protection against malware, classifying information, labeling information, protecting records, privacy and protection of personal information, and endpoint devices. And so, because this is meant to be an aid to help assessors and practitioners, where it can be most useful is certainly at that end of the process where we’re receiving risks back from our third parties. Let’s say we’re receiving 30, 40, 50, 60 risks back and we’re now at the stage of saying, well, what do we do with these? How do we manage these? We may have our risk scores of critical, high, medium and low, or another similar process. But if we’re already identifying capabilities that are relevant to us, for example data security, information protection, we can then obviously group risks as well to say, well, how many risks are associated with information protection and protection-based controls? Can we start to see some trending here based on the type of controls, the risks we’re receiving from third parties based on their 27001 assessment, or the way they’ve carried out the assessment? In a similar vein, by categorizing controls based on, say, preventive, detective or corrective controls, and as you can see here, corrective controls: incident management planning, incident response, readiness for continuity, disciplinary process where there’s been a breach of corporate policy and security policy, and information backup. And again, if we can start to see there’s a larger volume of risks around these particular controls, that may help to shape our view of how we approach these, not necessarily in isolation but together, particularly if you’re seeing there’s a trend between multiple organizations or third parties and risks in similar areas.
And then in terms of cyber security concepts, so controls used in identifying good practice: identifying security requirements for the supplier-based aspects, threat intelligence and engaging with threat intelligence-based organizations, and how we inventory our information and other assets. So it can be used at the tail end in terms of how we manage and bucket our risks, if you will. It’s also worth thinking about when we’re looking at identifying key controls as well. If we know that there are capabilities that we’re quite concerned about, that are important to us based on our risks, whether it may be threat and vulnerability management or data security or the protection of information or other areas, this can then help make it easier to say which controls are important to us and, thinking about those 94, which ones we already know are applicable to these types of third parties. And this can then make it so much easier when we’re starting to plan: do we need to give all 94 controls to this third party, this tier 1 or tier 2 organization, or can we give a subset based on capabilities important to us as a business and based on some of the security concepts that, maybe over time, we’re seeing are more of a concern? If we feel, for example, that there are third parties where we’re more concerned about recovery and recovery efforts, let’s look at those controls under the banner of Recover in terms of cyber concepts, and perhaps we can use them as focused assessments and focused audits when engaging with our third parties. So it gives a lot more capability and really opens up the framework to give a lot more thought around which are the controls that are right for us at this time, and then, when risks occur and when risks are apparent to us through the assessment and assessment results.
How can we categorize these, and, as I say, are there any trends that are coming up that perhaps a lot of us have not been aware of, that are new to us, that we can pay attention to, particularly when engaging with the third parties or at least explaining from an executive and top management perspective as well? So, impactful key controls. As indicated, with 94 controls there are many controls that will see multiple risk scenarios and considerations for risk treatment. And so, thinking about those cyber security concepts, if we can start to align the risks to controls that will help protect those assets, detect threats and vulnerabilities, or provide a level of response and recovery, all this can help determine what for us is key, particularly when we’re looking at how we monitor and analyze the effectiveness of control requirements. Now, generally speaking, as stated from the beginning, this is a standard that’s open to any organization in the world regardless of industry and sector. So it can sometimes be quite difficult to work out: are there always controls that any organization, regardless of size and complexity, will need to adhere to, or that are recommended? In general, yes, there can always be some controls that we find almost all organizations, or 99% of organizations, should have in their back pocket. So, whether it’s areas concerning good access management and access controls, anything to do with managing a critical information system or critical data, naturally you want to be concerned about whether they have good practices in how they manage privileged access rights and access reviews and assigning and revoking access. Data backup and data recovery: again, anything to do with proprietary information, intellectual property, personal information, having clear processes to back up and recover should the unfortunate happen.
Again, these are also controls that we’d find most companies will be dealing with. And of course, we’ve briefly touched on it today around continuity as well. Regardless of whether you are a one-person band, a mom-and-pop shop, or a 10,000-employee multinational organization, there will always be a need to have a level of continuity, of recovery and incident response as well. Obviously, it will look very different depending on the type of organization, but it gives you an idea that there will always be some controls in standards like 27001 that we can apply across the board.
Thomas: Having said that, it’s still important to recognize the fact that a lot of this comes down to how we develop and understand our risk and the risk of our third parties and our vendors, and understanding, particularly through those operational capabilities, for example, which are the ones that are most important to us. And obviously, the tighter we can get that and the more depth that we can bring to risk management activities, really working out what’s concerning for us, what keeps us awake at night, can really help to start to tighten what controls we need to focus on, whether it’s in the short term over the next 12 months or in the long term, because we know these are long-term risks and risks that may never go away, rather than some that perhaps are more reactionary as well. Okay, so in terms of what are the most impactful key controls, key controls to think about in terms of whether our third parties are delivering best practice, it’s a double-edged sword: there are some, but it very much depends on what the third parties are doing for you. But as I say, general areas around access management, access control, data backup, data security, continuity and incident response and recovery, and of course supply chain as well. So those four controls we covered, from 5.19 to 5.22, around managing supply chain and supply chain security, I would always recommend that those are good controls to always start with, particularly, as stated, with the supply chain control part. It helps set the scene in really getting to grips with what we are asking third parties to do for us: what do we need them to satisfy and to demonstrate to us that they’ve got good practice in place based on the product and service they’re supplying?
Thomas: Go ahead.
Scott: I think these are relevant in terms of, and I know you’re looking at those kinds of key controls and I guess how that applies in terms of what’s deemed critical depending on the service. And I think a lot of our listeners on the call today will probably resonate with this in terms of some of those larger organizations, the Googles, the Microsofts, the AWSs of the world, that typically could have kind of readiness evidence to support those key control mappings and monitoring. Is there an expectation that those major suppliers provide readiness evidence so that each of their customers does not have to test continuously? Or is that a case of the standard not necessarily being directed at some of those specific organizations, and it’s a standard for any organization to adopt?
Thomas: So, firstly, yes, it’s a standard for anyone to adopt. Interestingly, when you look at areas like, let’s take Amazon and Microsoft for example, particularly around their data centers and their cloud operations. Microsoft in particular is a good example; they’ve been certified for multiple ISO certifications for years, and I believe Microsoft is even part of some of the committees developing the frameworks as well. So there is a lot of recognition from those very large organizations of the importance of these standards, and you are quite right: when we see these companies, often they’ll have four, five, six ISO frameworks, they’ll have SOC 2 assessments, they’ll have PCI DSS, they may have other different frameworks based on the nature of what the organization is doing. And so it is very common for them to push out, “this is our default pack of cyber security controls and data privacy controls” as well. That’s very common. One of the reasons for that, I think, is because they have so many audits globally anyway, through regulators, through customers, through other agencies, that to respond to every individual business, they’ll just say no, we can’t do that. So that is common practice. There are certain things you can always do to make sure that they are applying some good practices anyway. Certainly, having visibility of the most up-to-date certifications is one level of comfort. The difficulty, I think, with certifications sometimes, and standards, is that you can receive a copy of an ISO certificate, for example, and other certificates, and that will tell you the locations and the scope of what’s being applied.
And so you can have a level of comfort knowing that if they’ve been certified by an independent organization, there’ll always be some controls, as I mentioned earlier, around access, data security, continuity, for example, that should be in place, because these are controls that nine times out of 10 will never be excluded from any business. And so, if a major incident were to occur in an Amazon data center, for example, as part of its cloud setup, you would fully expect them to have a very well executed continuity and recovery activity, or transfer between systems. So yes, in large organizations it can be a challenge sometimes, particularly obtaining information, particularly if you’re trying to do an assessment on them. But it is common that, yes, many of them will have default statements around security concepts and privacy concepts as well, both publicly available as well as on request. But yes, again, it sort of represents how universal ISO standards in particular are, in the complexity of organizations using them.
Scott: Yeah, absolutely. One quick question: does ISO 27k facilitate in any way a risk management integration with other risk families? So, you know, financial, reputational, etc.
Thomas: So outside of 27001 there are other frameworks; the most recognized, perhaps, is a standard called ISO 31000, which is a risk management standard not too dissimilar to the NIST Risk Management Framework as well. It’s universal in the sense that it doesn’t focus on privacy or security or other particular, you know, business and strategic risks as well. And so they do have standards that can be used across the board, particularly if you’re trying to integrate as well, which is important. And when you look at some of the language used, say, in 27001 versus ISO 31000, there’s a lot of similarity there. In fact, 27001 makes reference to 31000 in that regard. So they do have some universal risk management frameworks that you can apply from, say, a business strategic perspective or financial or environmental or other avenues of risk as well.
Scott: Perfect. Thank you.
Thomas: So with the volume of controls available throughout the 27000 standard, which ones are more critical? As I say, it can be difficult to put a finger on them. We’ve got a few examples here. So if we’re thinking about sensitive or critical data being accessed and handled, this is where we can think about, well, what protection and protect-based controls can we leverage from the framework? So controls around access and authentication, data protection, which touches on encryption and DLP, methods for remote working and securing remote working environments and endpoint devices, and protection against malware. So 27001 has a few technical controls that touch on all of these concepts where, if we know that we’re concerned about sensitive and critical data that third parties are accessing, we can already start to build the program based on how protect-based controls are grouped together in the framework. And that can help make it easier in determining where we need visibility and validation that these types of controls are in place. Similarly, if you’re looking at the security of critical information systems and the nature of what’s on these systems, we want some protection-based controls. You also want a level of recovery-based controls as well. So, how is this equipment being sited and protected? Again, even more pertinent now, as we discussed earlier, in terms of this concept of more working from home, a remote working lifestyle. How are those systems that may be accessing highly sensitive information protected from a physical space perspective? Capacity management of those systems and how capacity management forecasting and planning and thresholds are being established; backup of information; and redundancy: if those critical information systems fall over, what level of redundancy is in place?
Are we looking at perhaps more traditional areas where there might still be server rooms and data centers and backup data centers, or is this something else in terms of the level of redundancy?
Thomas: Naturally, there will always be crossover between different controls, and there will be controls, when we’re thinking about critical information systems, that we could take from concerns around sensitive or critical data and data management as well. But it starts to give you an indication of where we could start to draw on these concepts, these topics. So Identify and Protect-based controls, information protection-based controls, that can start to form what we want to drive as key controls, mandatory controls that we expect third parties to implement. So then we move on to, well, we’ve got a program, we’ve got established criteria for assessments, we’re launching assessments to our third parties. What else do we need to think about? Obviously, when thinking about KRIs, key risk indicators, we need to think about our wider risk landscape. So, in this case, it may be concerning third-party management and the level of risk that carries. It’s important to make sure we’re developing indicators based on those types of risks and risk areas the organization has decided are important and imperative to monitor, whether that’s areas around, say, malware detection, data breach and breach response, supply chain threats, ransomware, phishing, and other critical areas as well. So for those critical areas concerning, say, data loss, wider supply chain susceptibility to ransomware, other targeted attacks, of course developing an assessment using a standard like 27001 can help frame those best practice controls to get that level of assurance that third parties are maintaining the good security posture that, for example, handling of sensitive critical data and information systems requires.
So, when thinking about what risks are critical to us and what we deem are the highest or most concerning risks, thinking about how we apply different ISO controls to help gain that validity and validation and visibility from third parties that they’re applying best practice is obviously one step to being able to have that statement and start to make those decision points.
Thomas: So, thinking about event logging, protection against malware, security awareness and awareness training, security during disruptions and information security incidents, levels of cryptography applied, supply chain information security control points, and there are many other controls that could help treat and respond to those risks and address those potential risks. Obviously, managing vendor risks over 6, 12, 18 months or longer time frames, the key risks that we’ve identified may change, whether it’s new and emerging risks or where there are trends amongst vendors, particularly in terms of failing to adopt good security practice or good security hygiene. So viewing those ongoing improvements, how risks are reducing, or in some cases not going away, with third parties on a year-on-year basis can help to provide that assurance or visibility, particularly to senior management, to make sure those risks are being managed in a timely manner. So, starting to look at, well, how do we apply indicators based on what our biggest risks and our biggest risk areas are, and how those risks are either increasing over time or, through the application of assessments, of assurance, of audit and security controls, are we demonstrating that those risk areas are starting to reduce, or that we’ve got more confidence that should a risk occur, there’s sufficient control to protect, to detect, to respond and recover, for example. Secondly, when thinking about key performance indicators and use of that 27001 standard to drive down vendor risk, starting to identify those key controls that will best address those third-party risks. And so maybe looking, at a higher level, at overall vendor security ratings. So we’ve identified the vendors and put them in various tiers and buckets, and we know where our most critical risks are.
So which ones can we get to a stage where we can identify our highest risk vendors, monitoring those overall vendor risk ratings over time and the level of time it’s taking to respond to and resolve risks?
Thomas: So if we can see those security ratings starting to come down, security is starting to mature in the organization, that can be a good indication, again, back up to senior management and executives, that those higher risk vendors are being managed correctly, being managed efficiently, and where risk is being presented it is being resolved in a suitable fashion. But also thinking about other areas. So once you’ve identified the high risk vendors, what is their level of security preparedness? So can we look at, or engage in visibility of, what are the percentages of completed awareness and training? What levels of threat detection and response to vulnerabilities are being captured by the third parties, based on what product or service they’re supplying to us? Quality of testing for continuity and incident response. You know, we’re asking through the contracts and agreements that the third parties tell us where there’s a data breach, and data breach notification. Do we have visibility that they have continuity plans that are managed and reviewed every 6 months, every 12 months, that they’re tested regularly, so that should the worst-case scenario happen, ransomware or a similar targeted attack for example, do they have processes already in place, and have they prepared and identified what the most appropriate controls are to help secure those services and secure those products and systems and operations? So thinking about that, and thinking about some of the key targets, we might need to consider how we identify and apply key controls, all the way tied back to information security risk management. So what can we do now? On the one side, obviously, we need to start thinking about how we can use 27001, particularly the governance, the high-level structure and the risk framework, to enhance or develop that third-party process.
Thomas: So, using that structure and process, we can work out what are the most critical risks that we need to be concerned about when engaging with our third parties, identifying those risk and control requirements, and obviously using those operational capabilities and those cyber security concepts to help frame the assessment content that we need to engage our third parties on; they’ll help determine the level and the complexity of those assessments, again using that ISO 27001 control annex as the driver. And obviously, once completing that section, then publishing those security assessments, and then going through that continual process of monitoring and reviewing: are the targets we’re identifying improving? Are we getting to a stage where security preparedness across our third parties or vendors is improving? Are those risk ratings being driven down? So those perhaps traditionally very high risk or high concern vendors are actually maturing their security posture, and it’s giving us a great deal more comfort in terms of good best practice from a security perspective. Okay. Before we end, I’ll briefly hand it over to Scott.
Scott: Hey, thanks so much, Thomas. I appreciate that. If you could stop sharing your screen so I could share mine, that would be good. I just have one slide to share with everyone before we open it up to Q&A. I don’t want to keep anybody too long today. All right. So, terrific. All right. So, real quick, you know, I’m not going to go into the overview of Prevalent today because we just don’t have the time for that after that really rich webinar. But I do want to remind everybody that we have resources available at your disposal to help you maximize the use of the ISO framework in your organizations as it applies to third-party risk. We’ve developed a very comprehensive guide that maps common ISO controls to certain KPIs and KRIs and metrics in the organization that you’re going to want to apply, and then helps to demystify some of the complexities in ISO and clarify some of these risk mappings as well. So, if you’re looking for a quick guide, and yes, 30 pages as a quick guide.
Scott: If you’re looking for a quick guide to apply ISO to your TPRM program, we’ve developed a checklist for you to enable that. So, no cap. That’s all I wanted to share with you guys today. I’m going to pass it back to Ashley and she’ll open it up for questions.
Ash: Yes. Thanks, Scott. And please go check out the ISO checklist. We have a ton of phenomenal resources on our website. We just have one in the chat and it’s actually for you, Scott. It says, “How does the Prevalent platform support the rollout of these TPRM practices and/or, sorry, linkage to ISO or NIST frameworks?”
Scott: Yeah, great question. So, we have a series of questionnaires that Thomas and his team have built and have uploaded into the Prevalent platform. We’ve got more than 600 questionnaire templates in the platform, and several of those are dedicated to the individual sections within ISO. So, we have specific risks based on answers and thresholds that are applied, and then evidence that’s uploaded to, you know, address those particular controls and questions. And then with the risk mappings, you get, in effect, a risk score that tells you the areas that you need to really focus on with that vendor or supplier as per those controls. So, it’s all kind of a framework in the system, and then the reporting helps to define what to do next with it.
Ash: Excellent. Well, thank you so much Thomas, Sophie, and Scott, and everyone for all of your questions. They all gave us some fantastic information to take in today. So, hope to see all of you either in your inbox or at a future Prevalent webinar. Cheers everyone, and have a great rest of your week.
Scott: Bye everyone.
©2026 Mitratech, Inc. All rights reserved.