Essential ingredients for ISMS implementation success



Target Audience: Information Security Professionals
CIOs, CISOs, IT Managers, Security Officers, Security Architects and Engineers, all from the end-customer side, who are interested in IT security.

From consultancies and resellers/integrators, only technical staff are allowed to take part. Vendors and people in a sales/marketing role are not authorized as participants.

CPE Credits: Earn 4.25 CPE (Continuing Professional Education) credits for attending this SIGS Afterwork Event. Please request a confirmation.
Location: Radisson Blu Hotel, 8058 Zürich-Flughafen

Date of Event: 7 November 2017
Language: English if non-German-speaking people attend, otherwise German
Schedule: see agenda below
Participation Costs: Fr. 55.— per participant
Organization, presentations, beverages and aperitif included


2:00 – 2:30 Registration & Coffee
2:30 – 2:30 Welcome & Introduction by the moderator
2:30 – 3:00 Kim Haverblad, Senior GRC Consultant at RSA Security Sweden

Information Security Program – the Risk Management Approach
How does an organisation find its acceptable level of security? By assessing the current risk, and by assessing the level of risk the organisation is willing to accept. At the end of the day, information risk management is about the trade-off the organisation is willing to accept; that trade-off is the input to the decisions on how to handle each risk so that the control objectives are met.

Organisations that focus on a compliance-driven security approach often fail at assessment, because the exercise is treated as a check-list activity rather than an effort to actually understand the risks and threats the organisation faces.

3:00 – 3:30 David Doret, GRC Consulting Practice Lead at Kudelski Security

ISMS2: How to manage a complex ISMS program with a GRC platform
Setting up and maintaining an ISO 27001 ISMS is a challenge. But complex organizations (e.g. large multinational groups and the public sector) face the daunting task of running an ISMS program spanning multiple ISMSes with varying maturities, constraints, cultures and degrees of integration with the group.

Experience shows that the complexity of such a program is more than the sum of its ISMSes, hence the concept of ISMS2. This level of complexity leads to inefficiencies (at best) and ineffectiveness (at worst). Through hard-won field experience and lessons learned, we gained insights into what works and what doesn’t.

Come and listen to how a GRC platform may help you address the scaling challenge of ISMS2.

3:30 – 4:00 Pascal Reiniger, Chief Information Security Officer at Canton of Basel-Stadt

A practical approach to implement a risk based ISMS
By law, organizations are required to have adequate organizational and technical controls in place to ensure the security of their ICT infrastructure. While every organization needs to develop its own ISMS, the basics are more or less the same. In the end, the security controls must cover the risks an organization is facing.

This presentation shows a possible approach to aligning risk management with the different tools and processes, and how to implement such an ISMS.

4:00 – 4:45 Break
4:45 – 5:30 HR Ing Martin EBNER, BSc MSc, Head of Cyber Security Operations in the (new) Service Support & Cyber Defence Command of the Austrian Armed Forces

Risk Management within 11 Layers
Risk management has matured over the last 15 years in organisations and companies. It has increasingly become a topic, and a market, for IT professionals, companies and studies in the field of risk management. Because most of the people who deal with this topic have a technical background, the understanding of threats to information in cyberspace is often limited to those within the OSI 7-layer model. That model describes the theoretical foundation on which a space for information exchange between "trusted" users is constructed. The flow and secrecy of information is then described by the "need to know" principle and the Bell-LaPadula security model. However, these principles are not discriminating enough to handle the flow of information within an organisation and its processes in a feasible, secure way.

After the basic security homework has been done, the next questions must be answered: are there reasons for an attack, and who could be the actors?

Even when we implement a well-aligned security standard, we have to deal with a situation where attackers are easily informed about our problems and failures. They are willing to exploit them, insofar as they have a motivation to do so.
Attackers are driven by monetary, personal-hatred, social, political, cultural and religious reasons, which we can define as additional layers. That is not really new, but who deals with threats from those layers, and do we have a chance to get better foresight into concrete threats by having sensors out there? Can we create sensors within those layers, and what could they look like?
The answer is yes, we can. Observing the cultural, religious and political spheres, social networks and persons in forums, and not least their mind-set, gives us a chance to find threat actors before they become active.
Describing these new layers and permanently observing the topics in them can provide foresight of threats emerging in and through the cyber domain. Such analyses can easily be adapted to the different views of politics, markets, culture and religion.

5:30 – 6:00 Prof. Dr. Hannes P. Lubich, University of Applied Sciences and Arts Northwestern Switzerland

Interoperability between ISMS and IT Service Management – Lessons Learned and Potential Stumbling Blocks
At first sight, IT System / Service Management and Information Security Management appear to be closely related, in particular because of the methodological similarity of the predominant standards ISO 20000 and ISO 27000. In reality, however, significant integration and interoperability issues exist between the world of IT Service Management and Information Security requirements.

This presentation will discuss some of these difficulties, as well as potential solution approaches.

6:00 – 6:30 Panel Discussion (moderated)
6:30 – open end Apéro Riche & Networking
The speakers will be onsite for Q&A



This is a ‘must attend’ event for all security professionals! We are confident that the relationships you develop here will prove to be crucial to your continuing success.

So don't wait: register here if you have a XING account. If you do not have a XING account, or prefer not to create one, just send us an email.

By registering for this event you accept that SIGS may use the data entered for its own purposes and may share it with the event partners and event sponsors of this specific platform.
