Certified ISO 27001 Lead Auditor training in Montreal on 27-31 May

You are invited to join us in Montreal, QC, Canada for the ISO 27001 ISMS Lead Auditor training and certification on 27-31 May.

ISO/IEC 27001 Lead Auditor training enables you to develop the necessary expertise to perform an Information Security Management System (ISMS) audit by applying widely recognized audit principles, procedures and techniques.

During this training course, you will acquire the knowledge and skills needed to plan and carry out internal and external audits in compliance with ISO 19011 and the ISO/IEC 17021-1 certification process.

Exam and certification fees are included in the training price.


Your team, your location, your date. Contact us if you have a group of 5 participants or more to organize an in-house training session in your facilities.


Foreign Corrupt Practices Act ≠ ISO 37001. Here’s why!

This piece appeared in the FCPA blog on 13 June 2018

The conventional wisdom among many of those responsible for managing organizational FCPA risks is that the existence of a reasonably good program equates to having an ISO 37001 Anti-Bribery Management System “covered.”

The Foreign Corrupt Practices Act of 1977 (FCPA) is a United States federal law that prohibits bribery of foreign officials and addresses accounting transparency requirements under the Securities Exchange Act of 1934.

The implicit suggestion is that the requirements of the FCPA legal standard are virtually the same as the ISO 37001 business standard, or that, at a minimum, not many program changes would be required to obtain ISO 37001 certification.

I respectfully disagree; it is the rare program in my experience that requires only tweaks to bring it to ISO 37001 certification readiness.

Why are these distinctions important?

In the ISO 37001 certification audit process, a major non-conformity (e.g. a requirement is found not to exist or is totally ineffective) prevents certification until correction. Programs may have undocumented practices or “unwritten rules” that are beneficial, and that support a given Anti-Bribery Management System (ABMS) component, but these will be problematic in the certification process.

An ABMS necessarily incorporates applicable legal standards, but it also has its own unique requirements (subject always to “reasonable and proportionate” considerations (4.3)).

As an initial ABMS evaluation exercise, FCPA Risk Managers (whether in legal, compliance, internal audit and/or operations) may thus want to test their organization’s program (and its particular facts and circumstances) by asking ISO 37001-based questions in several basic areas:


If the proverbial three most important words in real estate are location, location and location, then the ISO 37001 equivalents are documentation, documentation, and documentation.

The standard requires that certain specifically identified information shall be documented (7.5.1 a), such as the Anti-Bribery policy (5.2) and training procedures, content and instances (7.3).

But does your company also document those other Management System aspects that are more conceptual, but that are nevertheless explicitly tied to documentation? For example: information necessary for the effectiveness of the Management System (7.5.1 b); the Management System's scope, including external and internal contextual issues, the needs and expectations of stakeholders, and bribery risk assessment results (4.3); and, with respect to operational planning and control, information to the extent necessary to have confidence that the processes have been carried out as planned (8.1 c).


ISO Management Systems standards (see also ISO 9001 Quality Management, ISO 14001 Environmental Management System, and ISO 27001 Information Security) have a process bias; the word process appears twelve times in ISO 37001’s definitions alone (3). A primary theme of the overall standard is that Anti-Bribery controls are most effective when placed within company operations – preferably embedded within the process that presents the identified bribery risk.

On this theme:

  • Does your company’s top management demonstrate leadership and commitment by ensuring the integration of ISO 37001 requirements into organizational processes? (5.1.2 b);
  • Is the bribery risk assessment reviewed (and any changes reflected in the ABMS, including its scope) when there are significant changes to the company’s structure or operations (4.5.3 b); and,
  • Per the documentation discussion above, what are the processes involved and what documentation exists to evidence their operations?


FCPA programs have historically focused on bribery risk reduction through employee training, tone at the top emphasis and hot line access.

As noted in an earlier post for the FCPA Blog, DOJ’s revised FCPA Policy is consistent with ISO 37001 in its prioritization of organizational culture, but the business standard is more granular.

In the hiring or promotion of employees to positions with more than a low bribery risk, for example, does your organization apply due diligence procedures, and do its incentive-based compensation arrangements contain reasonable safeguards that do not act to encourage bribery? ( a)

Also, as part of your organization's ABMS planning process (6), have ABMS objectives (that are communicated, monitored and, if practicable, measured) been set at all relevant functions and levels, including within sales, contract management and other situations presenting more than a low bribery risk? (6.2)


ISO 37001 certifications are about to become more commonplace in the US. Early this summer, a premier business-standards accreditation body, UKAS (United Kingdom Accreditation Service), is expected to accredit certain respected global certification bodies (CBs) to conduct ISO 37001 certifications.

Various U.S.-based Fortune 500 companies are waiting for these accreditation events to select a CB and begin the ISO 37001 certification process.

It may be an opportune time to challenge the (misplaced) conventional wisdom concerning FCPA programs “covering” ISO 37001, and dig into ABMS details – as the ISO 37001 certification becomes an accepted and widely-used bribery and Supply Chain Risk Management tool.

Security and Business Continuity top IT spending plans for 2018

Security is the top initiative companies plan to pursue in the next 24 months with investments in virus and malware protection, patch management, and intrusion detection and prevention.

Posted on BetaNews | By Ian Barker

According to a new State of Resilience report by big data company Syncsort, 49 percent plan to spend on these areas, with 47 percent planning to spend on business continuity and high availability.

The report also finds that while almost two-thirds of companies perform security audits on their systems, the most common schedule is annual (39 percent). Another 10 percent conduct audits only every two years or more, which, given an ever-changing IT environment, could mean significant exposure to risk.

Top security challenges are seen as the cloud, with 43 percent identifying it as their top security challenge for the coming year, followed by sophistication of attacks (37 percent) and ransomware (35 percent).


Read entire article Security and business continuity top IT spending plans for 2018 | BetaNews

Planning for the worst: Crisis communications 101

How you plan for and respond to a crisis could make a world of difference. Are you prepared?

Every company, tech-focused or not, will eventually face a crisis: an unhappy and outspoken customer, an egregious misstep by an employee, a product malfunction. Yet half of U.S. companies don't have a crisis communication plan. Rather than a nice-to-have, you need to think of this as a must-have insurance policy against something that could, at best, be an annoyance and, at worst, sink your business.

Here are the basic elements of a solid crisis communications plan, to help you get started in case you ever need one.

What could go wrong?

Some crises can’t be predicted, but many can. Begin by doing a “vulnerability audit” on your company. Talk with everyone from your entry-level developers to your CTO, and ask them what could possibly go wrong. Once you have a list of seven to 10 potential events, think through how these scenarios could play out. Prepare general talking points around each topic that can be used regardless of the situational details.

For example, every cloud-based app company should know how to talk about their commitment to user security and privacy. This will form the building blocks for your response in the event of a data breach.

When to act?

When formulating your plan, consider a checklist-based, protocol format so your team has a clear set of steps to follow. The goal is to act quickly by following a logical order of tasks and responses during what could be a very emotional time.

The first order of business will be contacting your stakeholders. Depending on how contained the crisis is, the media could be knocking at your door within a matter of minutes. However, before making any public statements, you must inform those who are most affected by the situation. In the case of a true emergency, law enforcement and regulatory bodies should be contacted immediately. Establishing a dynamic communication channel will ensure that you can route updated information to employees as it becomes available.


Who will speak?

When a crisis hits, the last thing you want is to be scrambling over who should talk to the media. Dealing with the press and addressing the public requires skill and practice, so choose a spokesperson early and wisely.

All other staff, board and committee members should be helpful to the media by connecting them with the spokesperson for further information.

How to respond?

Once you have your spokesperson lined up, how exactly should they respond to the media?

Do’s: It all starts with messaging. Expand on your situational talking points by crafting a well-prepared elevator speech that describes what you do well, incorporating your company values, beliefs, commitments and mission.

It’s also important to remain honest and also to have a talking point or two about what the company will learn from the situation at-hand.

Don'ts: Never speculate. Stick to facts. Don't be afraid to respectfully redirect a question. For example, if a reporter says, "I understand this may have been an inside job," don't fall for it. Simply restate the facts and your key messages: "We know that some 100,000 records were compromised. Our investigation is underway and we are fully cooperating with the FBI."

“No comment” is never acceptable. It looks like you have something to hide. If the question cannot be answered due to a corporate policy (such as sharing personnel information) let the inquirer know that.

RELATED: Brand safety: how poor word choice can hurt

Why bother?

What are the consequences of a botched crisis response? I think Samsung has shown us what can be lost in the fallout of an extreme crisis situation, but the importance of positive media relations, both in crisis mode and everyday communications, cannot be overstated.

If your crisis management plan is your insurance, then consider friendly media relationships another form of reputational currency. Believe me: when all hell breaks loose, you will be thankful to have some good karma in the bank.

Source: CIO

Read entire post

How Coca-Cola Hellenic and Credit Suisse are optimising internal audit using data analytics

The impact of data analytics on businesses across multiple sectors continues to grow, as innovative technology and workforce skills develop to ensure organisations are making the most of the information they hold.

Internal audit is no exception, and professionals are increasingly expected to leverage the latest advanced analytics techniques to deliver greater efficiency and effectiveness at lower costs.

Data analytics and internal audit in 2017

The latest PwC State of the Internal Audit Profession report, published in March, showed that 44% of businesses in which internal audit’s role is crucial to anticipating disruption have increased investment in analytics.

Meanwhile, a new report from the Chartered Institute of Internal Auditors (IIA) has identified Coca Cola Hellenic and Credit Suisse as leading the charge in the battle to strengthen auditing performance through data analytics platforms.

Let’s take a closer look at how these industry giants are utilising advanced analytics.

Coca-Cola Hellenic reaps the benefits of ERP

Coca-Cola Hellenic is the primary bottler for the Coca-Cola brand, producing 50 billion servings across operations in 28 countries worldwide. The organisation has a sophisticated enterprise resource planning (ERP) system with massive quantities of data flowing through it.

Richard Brasher, corporate audit director at Coca-Cola Hellenic, said data analytics are incorporated from the very beginning of the auditing process, from planning through to completion. “The use of data analytics helps external auditors to rely on the work already done by internal audit and hence reduces duplication of time and effort,” he explained.

The company can now test 100% of the population rather than a sample, thus strengthening its assurance processes. To ensure auditors are well versed in the technical aspects of the role, the organisation encourages staff to spend six months on secondment with the data analytics team.

Analytics team takes Credit for Suisse audit success

Global private bank Credit Suisse considers itself at the advanced end of the data analytics maturity path, with the organisation incorporating the technology organically over the years alongside other innovations.

“Data analytics is helping the organisation to identify business areas with high-control risks due to anomalous, non-conforming events, and is facilitating the continuous monitoring of the risks,” said chief auditor of regulatory and people risks Mark Starbuck.

Credit Suisse is also focusing more effort on continuous risk monitoring in 2017, with increased emphasis on planning, fieldwork and reporting.

Mr Starbuck noted that the data analytics team has been successful due to sponsorship and buy-in from internal audit leaders. There continues to be strong advocates for data-driven methodologies, with training and awareness programmes helping to deliver the necessary skills to perform analytics and use core applications.

“The ideal data analytics auditor has a blend of core analytics skillsets, business functional experience and a good understanding of risk,” he explained.


Finding the right talent

The IIA case studies show the benefits of data analytics within the internal audit function. These include:

  • Increased efficiency via the re-use of scripts for periodic audits
  • Improved effectiveness through whole-population testing
  • Enhanced assurance
  • Time and cost savings
  • Greater focus on strategic risks
  • Broadened audit coverage

Nevertheless, finding people with the right mix of skills remains a challenge for many businesses hoping to maximize data analytics use across the audit function. With organisations placing more importance on data analytics within internal audit, we expect this trend to continue for the rest of 2017 and into the years beyond.

Source: barclaysimpson

Read entire post

Google reiterates commitment to EU’s General Data Protection Regulation

All G Suite and Google Cloud Platform services will be in full compliance with the privacy requirements of the GDPR when it goes into effect next May, the company says.

When the European Union’s General Data Protection Regulation (GDPR) formally goes into effect next year, Google will be ready for it.

That’s according to Suzanne Frey, Google’s director of security, trust and privacy, and Marc Crandall, director of compliance at the company.

In a blog this week, the two Google executives reiterated the company’s commitment to ensuring that its services will fully comply with the privacy and security requirements of the GDPR. “Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform service when the GDPR takes effect on May 25, 2018,” Frey and Crandall said.

RELATED: One year to go: The countdown to GDPR begins

In their blog this week, Frey and Crandall noted that Google has evolved its data processing terms and conditions in recent years to more clearly articulate the company’s privacy commitments. The terms will be further updated to bring them in line with GDPR requirements, the two Google directors noted.


Google also provides several third-party audits and certifications for its cloud platform and G Suite, including ISO/IEC 27001 security audits, ISO/IEC 27017 certification (cloud-specific security controls) and ISO/IEC 27018 certification (protection of personally identifiable information in public clouds), they said.

In addition, Google's Cloud Platform and G Suite services have been certified under Privacy Shield, the EU-U.S. framework under which companies self-certify their privacy commitments in order to receive personal data transferred from the EU. EU data protection authorities have also already signed off on the so-called model contract clauses that Google uses to cover the transfer of EU customer data to the United States, the two Google executives said. What that means is that Google's customers in the EU already have the legal cover they need to transfer EU customer data to Google without fear of running afoul of GDPR requirements.

Other changes that Google has made to bring its privacy policies in line with the GDPR include new data portability commitments as well as updated incident and breach notification clauses.

Source: eweek

Read entire post  Related Training

Supply chain: Theft in distribution centers is a growing threat

Theft in distribution is a growing threat in the US, security expert Barry Brandman of Danbee Investigations said during a very interesting presentation last week at the annual Warehouse Education and Research Council (WERC) conference in Ft. Worth.

One recent change fueling the increase: the internet, which now provides a global marketplace where pilfered goods can be sold virtually anonymously, especially on auction sites, Brandman says, whereas in the past stolen merchandise mostly had to be sold locally.

That also means that once goods make it outside the DC, the chances of recovering them, or even tracking the source, are very low, Brandman said. There are a number of different theft scenarios, Brandman said, including individual employees stealing goods on their own, the very common scenario of employees working inside a DC colluding with drivers to steal, and drivers stealing from customers during deliveries.

Brandman cited a recent survey that found 40% of delivery drivers said they had been propositioned about joining in some kind of theft activity, a high number, and certainly some of them said yes.

Relative to collusion, Brandman cited a recent example in which a second-shift supervisor conspired with order pickers to select extra cases that were then loaded on a truck, with a driver also part of the scheme. The DC employees sent text messages to the driver describing which extra cases were on the vehicle.


He offered other interesting examples. In one case, a driver was caught on film in a major city exchanging the stolen goods from the truck on to another vehicle right in the open, even as police drove right by. Brandman said this exchange was performed on the driver’s route, just a few blocks from his last delivery, so that nothing would look amiss from GPS tracking and so-called geo-fencing systems.

Another driver sold some $200,000 of merchandise over a period of time, at a heavy discount to their retail value, so that the value of the goods was probably around $800,000, Brandman said. That is pretty big time.

What can companies do?

There are no easy answers, Brandman said. A detailed security audit is a good place to start, and these need to involve more than the simple checklists that are often used. The audits should include a true analysis of processes, Brandman said.

RELATED: Become a certified ISO 28000 SCMS Lead Auditor

Companies should also employ unannounced audits, Brandman said, and the results should be included in the performance reviews of DC managers.

Brandman said it is critical to have some kind of hotline where employees can privately and anonymously report illegal activity. That anonymity is key to getting many employees to call about the theft. There are third-party service companies that can maintain such hot lines for a company, Brandman said, and having the service managed by an outside company might be viewed as less risky to employees, increasing the number of tips.

Source: Supply Chain Digest

Read entire post  Related Training

Taking auditing to new level with International Standard under revision

ISO’s popular standard for auditing management systems is under revision and has just reached the first voting stage, a crucial step in its development.

Organizations are increasingly turning to management systems, in a quest to be more effective and save time and money. Many companies have several different management systems, each focusing on different areas, such as IT, information security, quality and environmental management. ISO 19011, Guidelines for auditing management systems, will help with the effective audit of those management systems to ensure continuous improvement, allowing harmonization across systems and a uniform approach of the auditing process where there are multiple systems in place.

The standard is currently being revised to reflect the growing number of management system standards (MSS) and the recent revisions of some of the most widely used, such as ISO 9001 for quality and ISO 14001 for the environment. It has just reached Committee Draft (CD) stage, meaning those countries involved in its revision have an opportunity to make comments on the draft.

Denise Robitaille, Chair of ISO/PC 302, the ISO project committee responsible for the revision, said that when the standard was last published in 2011 there were 11 management system standards, but that number has since grown significantly to 39, with 12 more in development.

“As organizations see the benefit and need for management systems, there has been an increase in the number of sector-specific standards to respond to the mandate.