
28 Aug 2021

Demystifying ISO27001 (ISMS) and Red Teaming

Privasec Stand: B23

The Privasec team conducted an online workshop last week and saw more than 85 attendees join us on Teams with their questions.

As a recap, in the workshop our GRC consultant Shepherd Gonera shared the top 10 actionable tips to guide organisations that are looking to embark on their ISO 27001 certification journey. Our RED practice lead Riley Kidd and Asia Head Quan Heng Lim also introduced Red Teaming exercises according to CORIE/AASE requirements.

In case you missed any portion of the workshop or would like to review some of the talking points, here is the link to the recording. We have also included the Q&A (below) that was addressed during the session. For those who are interested in finding out more, check out our website on ISO 27001 and Red Teaming, including a detailed methodology of a red team attack simulation.

We are always a call or email away, so do reach out to us if you would like to have a further chat or have any questions.

You can also follow us on Linkedin to keep updated about our upcoming events.

If you attended the workshop and need to claim a CPE point, do contact us so that we can ensure you are on our attendance list, which we also keep for audit purposes.


Questions and Answers


ISO 27001 (ISMS)

How long does the ISMS take to implement?

ISO 27001 certification is a journey, and the implementation varies for every organisation. Factors such as organisation size and the information-gathering effort differ for every client. For Privasec, a typical implementation ranges between 3 and 6 months.

We are a small start-up company looking to build our ISMS. How should I go about weighing the different factors for implementing an ISMS, in terms of cost, implementation effort and time?

At Privasec, we offer a few options around our services depending on the organisation's needs.

Many companies that are more constrained in time and resources prefer to outsource the entire ISMS; Privasec can provide a turn-key solution for the entire ISMS implementation. Conversely, some smaller companies with a limited budget may prefer to implement the ISMS themselves, in which case Privasec provides guidance and workshops along the way.

The cost depends on the organisation's work structure and the implementation effort involved; there are ways to work around a budget and tailor a solution and offering to meet your organisation's needs.

How would the ISMS work for companies operating in multiple countries, e.g. Singapore, Australia, New Zealand, etc., with similar systems (e.g. cloud) in place across all regions?

The ISMS can span multiple countries or locations under one single certification. There are no limitations. In fact, you can gain some efficiencies across multiple locations. Usually, organisations start from one location and grow the scope of certification. However, this depends on the organisation, its business model and its structure.

Based on your experience, which business unit(s) will be in the best position to lead the ISMS implementation/ transformation?

Typically, the security team leads such an implementation, but this depends on the organisation's size, nature and structure. Not every organisation has a dedicated cyber security team; in general the work falls on the IT or Security team, but having an internal audit or compliance team lead it will help.

For bigger organisations, having representatives from individual teams or business units drive the risk behaviour is crucial for a successful outcome. In all scenarios, we drive those activities and make sure the stakeholders involved understand the risk language.

ISO 27001 is for a company, but does the process help to validate the product that the company develops also?

Having your company certified to ISO 27001 gives assurance to your clients and stakeholders: it shows that your company is taking a risk-based approach to its systems. It also gives your clients confidence that the product comes from a company that is secure and alert to risks.

ISO 27001 is a governance standard. It does not secure your product.

ISO 27001 also includes penetration testing for the company. Is there an option to perform a penetration test on the product we develop?

Whilst a penetration test is not mandatory, it will most likely be a check your organisation needs to perform. Yes, Privasec can perform a penetration test of the product. The details of tailoring the penetration test scope need to be discussed further.

RED TEAMING

Red Teaming is a new concept for many, especially for those who are not in the critical infrastructure industry. How does an organisation tell if they are ready for the Red Team exercise, in terms of the maturity of their security function?

It’s a case-by-case basis, depending on the outcome the organisation is looking for.

Red Teaming could be suitable for the following reasons:

  1. For people who are trying to justify security problems they have identified: a Red Team exercise can demonstrate the impact of the security problem on the organisation's critical assets. This can be effective for an executive to justify the budget required to protect critical assets.
  2. Due to regulatory requirements, some organisations might require a Red Teaming report to demonstrate their security posture.
  3. Proactive checks on security systems and infrastructure to holistically understand the security posture. With Red Teaming exercises, an organisation can identify unknown vulnerabilities and harden its security with the findings.


Compared to ISO 27001, where the timeline is driven by the organisation, what is the timeline/timeframe for the implementation of CORIE or AASE?

For CORIE engagements, depending on the tier of your organisation, the CORIE document specifies the number of scenarios an organisation needs to perform, which correlates with the time needed to perform the engagement.

For bespoke Red Teaming, where the organisation can select the components for Red Teaming, the cost has a direct correlation to the time. In general, some components can take one to two weeks; some can take 1 month or longer.

However, do keep in mind that for a proper Red Team engagement to be conducted, some preparation time for the attacks will be required, for example the creation of malware or the setting up of a phishing website as an initial attack vector.

Depending on the approach and scenario, the attacks need to be spread out and timed wisely to simulate real-world threats. This is where the engagement can range from 3 to 6 months.


The CORIE and AASE frameworks are new for organisations. Will Privasec be in a good position to help an organisation determine the components needed for compliance?

For CORIE, this is not up to the organisation: the components required for compliance are dictated by the regulating body. For case-by-case testing, it is something we can help an organisation understand by looking at its needs. However, most of the time companies do know what their crown jewels are, that these critical assets need to be protected, and that there are known threat actors that could be targeting them. Privasec can then come in to help guide these companies to comply with these regulations.

For AASE, compliance depends on the organisation's objectives, as it is meant to be a guideline. It does describe how deep the attacks can go, and it has a table of objectives that the blue team can pursue as well as an assessment of the organisation's defence capability. Based on that, an organisation can perform any of the exercises, from a simple penetration test, to a cyber range, to automated attack simulation, to advanced adversary attack simulation.

Will there be fines or penalties for non-compliance with CORIE or AASE?

For CORIE, the framework is still in a pilot phase, so there are no penalties or fines for non-compliance.

Similarly, AASE is more of a due-diligence exercise for companies: if your organisation's risk is assessed internally to be at a critical level, then the organisation should look to conduct Red Teaming for compliance.

Also, in the case of a licence review or regulatory review, the typical risk-level assessment will deem it reasonable to conduct Red Teaming.

With COVID regulations in place, do we have to go on site to do this test, or can we do it remotely?

Testing can be done remotely, but being onsite can help simulate greater-than-normal risks. If we go onsite, we can be with the white team to share information about the process and execution of the attacks. Even if we are not onsite, we are always open to transparently sharing information about the engagement as and when required.
