Corporate Governance and Information Security Business views and opinions regarding COSO-ERM and ISO 27001

Slides: 10
Provided by: mounirm

Transcript and Presenter's Notes


1
Corporate Governance and Information Security
Business views and opinions regarding COSO-ERM
and ISO 27001
  • Part I COSO-ERM
  • By Mounir Messaoud

2
Foreword
  • This slideshow presents the main conclusions of
    the thesis related to COSO-ERM. The thesis was
    carried out by Mounir Messaoud, a student at the
    Department of Computer and Systems Sciences, DSV
    at the Royal Institute of Technology, KTH.
  • The thesis was carried out in collaboration between
    DSV, SIG Security and IDC.
  • The thesis is available for download.

3
COSO-ERM - Conclusions of the study
  • Still limited experiences in Sweden.
  • Found to be a robust framework.
  • Enhances corporate governance.
  • COSO-ERM fulfills the needs.
  • A framework with limited drawbacks.
  • Software tools that automate and support the
    implementation of the framework will be needed.

4
COSO-ERM - Limited experiences
  • Recently released framework (September 2004).
  • Few organizations have started using the framework to
    fulfill SOX requirements.
  • Swedish statutory requirements have indirectly
    (through preparatory work) pushed organizations
    towards the use of the COSO-ERM framework.
  • Few organizations have implemented the framework,
    but the number will be increasing.
  • According to the survey 27 of the respondents
    were familiar with the framework while only 11
    of the respondents' organizations have
    implemented the framework.

5
COSO-ERM - Robust framework
  • A well-built and well-thought-through framework
    with a top-down approach that encompasses the
    entire organization.
  • Integrates leading management with other staff.
  • Creates a common language of risk.
  • The opinions about the framework are foremost
    positive. In the survey, only the options
    "good" and "very good" were chosen.

6
COSO-ERM - Enhancing Corporate Governance
  • COSO-ERM drives risk management to become a
    natural part of the daily work and procedures.
  • Risk management has a higher priority and it is
    then easier to communicate risks to senior
    management.
  • Risk management reaches a higher level of
    efficiency.
  • COSO-ERM is mainly chosen as a part of the
    business strategy.

7
COSO-ERM - Fulfills the needs
  • The COSO-ERM framework is a good facilitator to
    fulfill the needs of an organization in terms of
    risk management.
  • COSO-ERM is the framework to follow to enhance
    corporate governance and to meet legal
    requirements.
  • The framework is recommended among others in the
    Swedish preparatory work to statutory 2007603.

Do you find that the COSO-ERM framework has
fulfilled/will fulfill your needs?
8
COSO-ERM - Limited drawbacks
  • COSO-ERM is found to be more suitable for bigger
    organizations with a full-time risk manager.
  • In Sweden it is mainly organizations of bigger
    size that are implementing the framework.
    According to the survey 50 of the
    organizations have more than 5000 employees.
  • The framework is felt to be left on an academic
    level.

9
COSO-ERM - Tool support for implementation
  • Tool support for the implementation of the
    framework is not a subject of importance at the
    moment.
  • Organizations mainly use classic tools such as
    office suites.
  • However, the need for tools will be increasing in
    the near future, especially since 37 of the survey
    respondents find the issue interesting and
    another 36 find it important.

Do you find it necessary to automate the
processes with a software tool to facilitate the
implementation of the COSO-ERM framework?