Title: Corporate Governance and Information Security Business views and opinions regarding COSO-ERM and ISO 27001
Slide 1: Corporate Governance and Information Security
Business views and opinions regarding COSO-ERM and ISO 27001
Part I: COSO-ERM
By Mounir Messaoud
Slide 2: Foreword
- This slideshow presents the main conclusions of the thesis related to COSO-ERM. The thesis was performed by Mounir Messaoud, a student at the Department of Computer and Systems Sciences (DSV) at the Royal Institute of Technology (KTH).
- The thesis was performed in collaboration between DSV, SIG Security and IDC.
- The thesis is available for download.
Slide 3: COSO-ERM: Conclusions of the study
- Still limited experience in Sweden.
- Found to be a robust framework.
- Enhances corporate governance.
- COSO-ERM fulfills the needs.
- A framework with limited drawbacks.
- Automated software tools supporting implementations of the framework will be needed.
Slide 4: COSO-ERM: Limited experience
- Recently released framework (September 2004).
- Few organizations have started using the framework to fulfill SOX requirements.
- Swedish statutory requirements have indirectly (through preparatory work) pushed organizations towards the use of the COSO-ERM framework.
- Few organizations have implemented the framework, but the number will be increasing.
- According to the survey, 27 of the respondents were familiar with the framework, while only 11 of the respondents' organizations have implemented it.
Slide 5: COSO-ERM: Robust framework
- A well-built and well-thought-through framework with a top-down approach that encompasses the entire organization.
- Integrates leading management with other staff.
- Creates a common language of risk.
- Opinions about the framework are predominantly positive. In the survey, only the options "good" and "very good" were chosen.
Slide 6: COSO-ERM: Enhancing corporate governance
- COSO-ERM drives risk management to become a natural part of daily work and procedures.
- Risk management has a higher priority, and it is then easier to communicate risks to senior management.
- Risk management reaches a higher level of efficiency.
- COSO-ERM is mainly chosen as a part of the business strategy.
Slide 7: COSO-ERM: Fulfills the needs
- The COSO-ERM framework is a good facilitator for fulfilling an organization's needs in terms of risk management.
- COSO-ERM is the framework to follow to enhance corporate governance and to meet legal requirements.
- The framework is recommended, among others, in the Swedish preparatory work to statutory 2007603.
Survey question (chart): Do you find that the COSO-ERM framework has fulfilled/will fulfill your needs?
Slide 8: COSO-ERM: Limited drawbacks
- COSO-ERM is found to be more suitable for bigger organizations with a full-time risk manager.
- In Sweden it is mainly organizations of bigger size that are implementing the framework. According to the survey, 50 of the organizations have more than 5000 employees.
- The framework is felt to be left on an academic level.
Slide 9: COSO-ERM: Tool support for implementation
- Tool support for the implementation of the framework is not a subject of importance at the moment.
- Organizations mainly use classic tools such as office suites.
- However, the need for tools will be increasing in the near future, especially since 37 of the survey respondents find the issue interesting and another 36 find it important.
Survey question (chart): Do you find it necessary to automate the processes with a software tool to facilitate the implementation of the COSO-ERM framework?