© The British Standards Institution 2010. ISO27001 certification: a growth driver and success story of an Italian SME. LUIGI BRUSAMOLINO, CISM, CRISC, Managing Director Southern EMEA - BSI; NICOLA MASSERONI, Head of GRC - FabbricaDigitale

ISO27001 certification - Home | AIEA · 2015. 3. 7. · • ISO/IEC 27013 - Guidance on the integrated implementation of 20000-1 and 27001 (2012/2013) • ISO/IEC 27014 - Information


Page 1

13 August 2010

© The British Standards Institution 2010

ISO27001 certification: a growth driver and success story of an Italian SME

LUIGI BRUSAMOLINO, CISM, CRISC – Managing Director Southern EMEA - BSI
NICOLA MASSERONI – Head of GRC - FabbricaDigitale

Page 2

Who is BSI? 10 Fast Facts

• Global independent business services organization

• Founded in 1901

• No owners/shareholders: all profit reinvested into the business

• National Standards Body in the UK

• £222.8m revenue in 2009

• >2,500 staff and >50% non-UK

• 52 offices located around the world

• 80,000 clients in 147 countries

• #1 certification body in the UK and USA

• Standards, assessment, testing, certification, training, software

Page 3

What we do

• Set innovative standards that are used throughout the globe

• Provide all the information and training relating to standardization that businesses need to succeed in their competitive markets

• Businesses rely on us to keep improving the way they run with good management processes and enterprise solutions

• Independently test and verify products and services to ensure that they are up to the job in terms of performance specification and safety

“Every day, worldwide, people use and rely on goods and services that have been designed, certified, tested or verified relying on BSI.”

Page 4

Operations in 147 Countries

Page 5

Global Presence

Worldwide Offices: London, Singapore, Washington, Beijing, New Delhi, Mexico City, Sao Paulo, Sydney

52 Offices Worldwide

Monza, Padova, Roma (2012)

Page 6

OUR SERVICES

Page 7

Our portfolio of services

• Assessment and Certification

• Training

• Governance, Risk and Compliance

• Testing services

• Healthcare Services

Page 8

BSI Assessment and Certification: A Global Market Leader

• Leading global certification body with over 69,000 certified locations and clients in over 140 countries

• A leader in the training, assessment and certification of:

Information Security – ISO/IEC 27001

IT Service Management – ISO/IEC 20000

Business Continuity – BS 25999

Quality – ISO 9001

Environmental Management – ISO 14001

Aerospace – AS9100

Health & Safety – OHSAS 18001

Energy Management – BS EN 16001/ISO50001

Page 9

BSI Assessment and Certification: What we do

• Information and guidance

• Assessment and Gap-analysis

• Second and third-party auditing and verification

• Certification

• Continual assessment and strategic reviews

• Business improvement tools, performance benchmarking and software solutions

BSI methodology

Page 10

BSI Training

• We offer various types of training including:

Awareness Training

Implementation Training

Auditor Training

• Our delivery options:

Public training courses

In-house training course

e-learning courses

Customer journey (figure): Awareness Training, Implementation Training, Auditor training

AIEA – BSI Agreement 2011

Page 11

BSI Governance, Risk & Compliance (GRC)

Entropy™ Software

• A turn-key solution that provides the management system framework for fully functional integrated and auditable management systems including:

Environmental Management – ISO 14001

Health & Safety Management – OHSAS 18001

Quality Management – ISO 9001

Information Security Management – ISO/IEC 27001

Supplier Compliance Management (C-TPAT & AEO)

and other management systems standards

Page 12

What is Entropy® Software?


Entropy® Software is a web-delivered solution which builds a fully functional and auditable environment that can integrate effective management with governance, risk and compliance.

Page 13

BSI Testing Services – Products

CE MARKING

• CE marking required to sell or transport many products in Europe

• BSI is a Notified Body for 15 EU Directives

• Not a quality mark but a legal requirement for many products in Europe

KITEMARK® CERTIFICATION

• c. 400 Kitemark schemes in fire, construction, electrical, personal safety, transport and services sectors, including new Energy Reduction Verification

• c. 2,500 Kitemark licence holders

PRODUCT TESTING

• Manufacturers sometimes just want to test their product in the R&D stage, and BSI can test to a manufacturer's specification as well as British, European and International Standards

• Direct Testing results in a highly-valued BSI Test Report, not a certification licence

Page 14

ISO 27001 facts and future trends

Page 15

STRICTLY CONFIDENTIAL

CAGR market: 31%

Last year growth market: 40%

Chart: World Market and BSI share, ISO 27001 (2009 ISO Survey). Years 2004–2009 on the x-axis, number of 27001 certificates (0 to 12000) on the y-axis; series: Total Market, BSI.

BSI Current Share: 59%

Page 16

Other 27000 standards in development

• ISO/IEC 27007 - Guidelines for information security management systems auditing (2011)

• ISO/IEC 27008 - Guidance for auditors on information security management systems controls (2011)

• ISO/IEC 27010 - Information security management for inter-sector and inter-organizational communications (2012)

• ISO/IEC 27013 - Guidance on the integrated implementation of 20000-1 and 27001 (2012/2013)

• ISO/IEC 27014 - Information security governance (ISG) framework (2012/2013)

• ISO/IEC 27015 - Information security management guidelines for financial and insurance services (2012/2013)

• ISO/IEC 27032 - Guidelines for cyber-security (2012/2013)

• ISO/IEC 27033 - Information technology - IT Network security (6 parts) (5 parts to follow 2010-2012)

• ISO/IEC 27034 - Guidelines for application security (2012/2013)

• ISO/IEC 27035 - Information security incident management (2012/2013)

• ISO/IEC 27036 - Guidelines for security of outsourcing (2012/2013)

• ISO/IEC 27037 - Guidelines for identification, collection/acquisition and preservation of digital evidence (2012/2013)

• ISO/IEC 27038 - Specification for Digital Redaction (2013)

Page 17

Future trends in Information Risk / Governance?

• Government move towards ‘shared services’

• Cloud computing (SaaS)

• Greater outsourcing / off-shoring

• Increased use of mobile working

• “Consumerisation”

• Growth in use of social media

• Proliferation of unstructured content (> need for e-discovery)

• Heightened regulatory oversight (new privacy / DP directives)

• Societal response to ‘surveillance state’ (biometrics)

Page 18

Future areas for standardisation

• Cloud Computing (new ISO/IEC Study Group)

ongoing review of current concepts, characteristics, definitions, types and components used in Cloud Computing

comparison of Cloud Computing to related technologies

mapping of existing consortia activity

Report (expected to identify new pieces of work for standardization) due in September 2011

Page 19

BSI/RSM Survey 2011

Page 20