Managing Cyber Risks Across A Global Organization SIGS Technology Conference, 17 May 2017 Rick Rietdijk, Nestlé

Introduction

2015 Objective:

All our local IT organizations to become "ISMS Ready" by end of 2015

Nestlé Headquarters - Vevey, Switzerland

At a glance

The way our company is organized

Geographies*
• AMS
• EMENA
• AOA

*Matching IT organization - "GLOBE"

• 40+ local IT organizations – across the markets
• 6 shared services organizations – across the zones
• 12 global "business solutions" / support teams

Today’s reality

Risk Management … What else?

ISMS … Looking back

2012-2013 – The start

• Build knowledge and skills
• ISO/IEC 27001:2005 standard
• Risk management methodology

• Coaches
• Start training ISO standard

• One ISMS implementation ISO/IEC 27001:2005 certified

2014 – Picking up the pace

• Repeatable implementation approach
• Onsite workshop, risk management methodology

• Existing operations review meetings
• Templates

• Continued training on ISO standard

• Eight (8) new ISO/IEC 27001:2013 certifications

2015 – The challenge

• ….

The challenge

… by end 2015 !

2015 GLOBE Objective:…. Target is set to 40 ….

All local GLOBE and shared services organizations "ISMS ready" …

×

ISO/IEC 27001:2013 certifications

Actions taken to achieve the objective

• Extend the coaching network
• Coaches and head coaches

• Fine tune & industrialize the approach
• Compact timelines for an implementation

• Initial workshop to certification: 12-16 weeks!
• "ISMS Ready Assessment" introduced

• Master planning for all locations
• Manage resources: coaches, local ISMS owner and lead, external auditors
• Set milestone dates: workshop, ISMS ready assessment, certification audit

• Management support
• Progress reported at GLOBE level

GO FOR IT

Key achievements

…The one tool to manage them all…

• Enterprise management
• Risk management
• Policy management
• Incident management
• ISMS

Approach towards Archer implementation

• Configuration workshops – plan without coaches
• Focus on basic functionality – minimum to start managing ISMS through Archer, extend later
• Integrations – add later as required
• Define migration approach

• Around risk assessment
• Combination of data import and manual completion

• Data import templates
• Leverage coaches for tool & process training

• Further screen and workflow simplifications – after pilots and coaches training

Our Archer journey

[Timeline figure, 2015 to 2016, by quarter: Q3, Q4, Q1, Q2, Q3, Q4]

• Migrations to Archer
• Workshops, Configuration
• Tests
• First config to prod, Training materials, Data import templates, Pilot imports
• Training pilots & coaches, Simplifications
• Security Incident Mgmt, Metrics
• Exceptions Mgmt, Global Filter, S&C Accelerator pilot
• Application Inventory, Control Library, Mgmt Dashboard
• Archer training
• Maturity of ISMS and Archer usage
• Evolve the Archer solution

Key success factors

• Management support
• Top down - alignment on objectives
• Bottom up - ISMS implementations by local teams

• Rapid and thorough implementation approach
• Commitment

• Dedicated team
• Sustainable

• Awareness
• One repository

Thank you for your attention!
