Differentiate Your RFP from the Competition with ISO...
Transcript of Differentiate Your RFP from the Competition with ISO...
![Page 1: Differentiate Your RFP from the Competition with ISO ...ilta.personifycloud.com/webfiles/productfiles/914085/RRMPG1.pdfDifferentiate Your RFP from the Competition with ISO Certification](https://reader033.fdocuments.us/reader033/viewer/2022051722/5aa1a6727f8b9ada698be89a/html5/thumbnails/1.jpg)
Differentiate Your RFP from the Competition with ISO Certification
Tom Morrissey – Sr. Director, IT Litigation – Purdue Pharma LP
Paul McKay – Information Security Officer – Bond Pearce LLP
Session # RRMPG1
“The opinions expressed or presented during this session are those of the individual speakers and do not necessarily reflect the official policy or position of any of their respective employers.”
RFPs from the client perspective
About me
• Married for 20 years
• 3…no 4…kids
• Been at Purdue Pharma for 8 years
• In the legal field since 1981…OMG or OLD
• I’ve seen every mistake…at least twice
• Made a few of those myself….
Why do RFPs?
– Good Business Practice
– Allows us (client) to articulate our requirements and allows you (firm/vendor) to understand our basic needs or objectives.
– Can shorten contract timeframe with contractual terms used in RFP and response.
– Devil is in the details (Capabilities, financials)
– Competition is good!
– We can quickly learn who is and is not a ‘player’
What can be expected from a good RFP
– Remember the interview where the person asked you to “Tell me about yourself”?...
  • You should have walked out….Bad Interview AHEAD!!
– Same with the RFP…
  • Expectations should be set from the start
  • Specific questions about assets and capabilities speak volumes about how serious the potential client is.
– Allows for feedback and questions
Types of Requests regarding security/controls
• Completion of the request in an honest and accurate manner is more important than any single control, precaution, or procedure being in place. Not all controls are required; merely the knowledge of what is in place is required.
• Security Policies
  – Please provide copies of Corporate Security Policy and any other policies relating to information security: Acceptable Use Policy, Encryption Policy, Data Retention, Data Classification Policy, Certificate Policy, Audit Policy, Remote Access, etc.
• Security Organization
  – Please provide a general outline of your security organization: number of dedicated full-time security professionals, number of shared resources, and reporting structure.
• Procedures
  – Please provide a list of any documented procedures such as Certification Practice Statement, Standard Operating Procedures, Build Procedures, Incident Response Plan, Disaster Recovery Plan, etc.
Types of Requests regarding security/controls
• Access Control
  – Access Control List
  – Firewall Technology and Rules
  – Authentication Mechanisms
  – Encryption: VPN, SSL, S/MIME
• Physical and Environmental Security
  – How is physical security controlled at your facility? Is this done with a third party? If so, which one?
  – Please list environmental controls including: Air handlers, Fire Suppression and detection systems, and Environmental Alerting systems.
• Asset Classification and Control
  – Data Classifications and handling
  – Data Storage and Co-location
  – Privacy Related Data management
  – Asset Tracking
Types of Requests regarding security/controls
• Business Continuity Management
  – Availability
  – Disaster Recovery
  – Data Retention
• Incident Response and Management
  – Incident response plan
  – Intrusion Detection – Alerts, Monitoring, Configuration, Location
  – Service Level Agreements
• Antivirus
  – Procedures
  – Locations
• General Technology
  – Database
  – Server OS
  – Server Hardware
  – Network Hardware
Types of Requests regarding security/controls
• Compliance, Law, and Investigation
  – ISO Compliance
  – HIPAA
  – 21 CFR Part 11
  – Sarbanes-Oxley
  – GLB
  – SB1316
  – Do you maintain compliance with any of the above? How do you maintain compliance with the standard? Please provide the results of the last audit for this standard.
• Audit and Assessment
  – Please provide any policies or methodologies used in the following audits.
  – Please provide the interval in which you audit the following areas.
  – Please provide the results of your last audits of these types.
  – Do you use an independent 3rd party auditor? If so, who?
    • Privacy
    • Information Security
    • Physical Security
    • BCDR Audit
    • Software Compliance
Why Certify Against ISO?
What does this do for the RFP process?
About me
• Married for 3 years
• Son "Olly" 13 months old
• Been at Bond Pearce for 13 years
• Information Security Officer, looking after ISO 27001
• Information Security 8 years
• CISSP since August 2010
• RFP / tender responses where Information Security and Business Continuity questions are asked.
Introduction
• What is ISO?
• Some Standards
• Benefits
• Certificate Lifecycle
• What this means for RFP
• Q&A
What is ISO?
• ISO (International Organization for Standardization) is the world’s largest developer of voluntary International Standards. International Standards give state of the art specifications for products, services and good practice, helping to make industry more efficient and effective. Developed through global consensus, they help to break down barriers to international trade.
Standards
There are several popular standards which organisations adopt
ISO 9001
• Most established framework – over 1,000,000 organizations in 178 countries worldwide
• Demonstrates consistent high quality work to clients
• Last revised in 2008
ISO 27001
• BS 7799 (1995)
• ISO 17799 – Part 1 (2000 – 2005), then in 2007 became ISO 27002
• Became internationalised to ISO 27001 in 2005, which was BS 7799 Part 2
• 135 Controls, not all have to be applicable
• Risk based framework
ISO 14001
• Effectively reduce, re-use and recycle waste
• ISO 14001 certification is also a proven business winner with most certified organisations qualifying for more tenders and winning more orders!
• Demonstration of legal and regulatory compliance
• Compatible with ISO 9001, and ISO 27001
• Source: http://www.british-assessment.co.uk/iso-14001-certification-services.htm?gclid=CN2C-pvTybECFSsntAodbxsAOw
ISO 22301
• Formerly BS 25999
• Became ISO in May 2012
• Ensures best practice for business continuity planning
• Preventative measures against common disasters, risk based framework
• Testing of plans is key!
Benefits
• Ensure products and services are:
  – Safe
  – Reliable
  – Good quality
• Strategic tools for:
  – Reducing costs
  – Increasing productivity
Benefits
• Allow organisations to:
  – Gain new business
  – Standardise policy
  – Raise awareness internally
Certificate Lifecycle
• Pre-certification
  – Information gathering
  – Working group
  – Scope definition
  – Analyse what is required to meet the standard
Certificate Lifecycle
• Certification process
  – Desktop review of documentation/policies
  – Audit process
    • Speaking to various members of staff
    • Gauging policy adherence
Certificate Lifecycle
• ISO certificates are generally valid for a 3 year term
• Regular continuing assessment visits, depending on size and geographical locations
• Third year re-assessment, just like initial assessments
What does it all mean?
• In most cases it makes RFPs a check box exercise
• Clients are becoming savvier and wiser to their own needs; simply complying with a standard will not be enough in the future
• Certification should be all a client needs rather than needing to ask 10s of questions
• You should be willing to share your scope and high level documentation with the Client if requested
How Many Organisations?
• ISO 9001 – Over 1,000,000*
• ISO 27001 – Over 7800**
• ISO 14001 – Over 223,000***
• ISO 22301 – ??
Sources:
* www.bsigroup.com
** www.iso27001certificates.com
*** http://www.nqa.com/en/atozservices/what-is-iso-14001.asp
Q & A