Shane York, CISA, CRISC, CISSP, ISO-ISMS LI LA, Senior Associate, Schellman & Company & Ryan Mackie, ISO Certification Services Practice Director, Schellman & Company

In the wake of the modern epidemic of high-profile information security breaches, the need for organizations to implement sound information security controls is greater than ever. Although often overshadowed by the latest network security appliances and software suites, information security controls are the foundation of the information security management system (ISMS) and of the governance program built around it. Unfortunately, many breaches can be traced directly to an information security control that was ineffective, or that was never implemented at all. Such circumstances raise several questions: how does an entity identify, implement, and verify the effectiveness of information security controls? What limit, if any, is placed on the selection of controls to implement? And how can an organization ensure that the controls it implements reduce the risks the business actually faces? In this presentation we address the role of the information security control within the ISMS, the need to tailor controls to the business processes they protect, and the best methods for verifying the effectiveness of those controls.