1. First Practice - Information Security Management System Implementation and ISO 27001 Certification

2. Scope NBG Services Evaluation criteria Services and Business processes Evaluation results ISO/IEC 27001:2013 Certification Legal requirements

3. Scope International Payment and Reserve Management Service Georgian Payment and Security Settlement Service Human resources, Public Relations, Chancellery, Logistics, Legal, Accounting, Internal Audit) All Types of Information Assets

4. Approach

5. Goals Ensure compliance Confidentiality, Availability And Integrity needs. Establish controls for protection. Motivate employees Ensure in continuity. Ensure the protection of personal data (privacy). Ensure the availability and reliability of Infrastructure. Comply with - ISO/IEC 27001:2013. Ensure in external service providers compliance. Ensure flexibility and an acceptable level of InfoSec security

6. Acceptable Level

7. Initiation Project Competent Consultancy service Accreditation requirements Tender documentation Service requirements Project Management Practice

8. Policy Context of the National Bank of Georgia Scope (Procedure) policy (Policy) Objectives (Procedure) Roles and Responsibilities (Procedure) Risk management (Procedure) Documented information (Procedure) Internal audit (Procedure) ISMS Policy Manual Employee Guidelines National Bank of Georgia

9. Policy Cont. Business Continuity Plan BCP Procedure (Procedure) Business continuity (policy) Risk treatment plan Statement of Applicability (SoA) Plan to archive Information security objectives Contracting rules and templates Contract template with new employee (Contract template) Internal audit plan Information classification rule (Procedure) Awareness program and training presentation

10. Records, Reports Business impact analysis (Record) BCP Testing and Maintenance Cycles (Record) BCP Testing Report (Report) Assets register (Report) Risk identification and assessment (Report) Risk treatment report (Report) ISMS objectives status report (Report) Evidence of competence (Record) Monitoring and measurement (Record) Internal audit program (Record) Internal Audit report (Report) List of corrective actions with results of effectively analysis (Record) ISMS Management review (Record) ISMS Contacts with authorities and special groups (Record) List of suppliers related to ISMS (Record) Regulation about acceptance of residual risks (Report)

11. Decision Making Maximum 1 Working day Information security management committee and working group Change management committee Business continuity management committee and working group 2 months for 1 Service.

12. Acceptable Level

13. Audit Result No critical nonconformities No nonconformities Several recommendations 8 domains are on fifth level of CMM 6 domains are on fourth level of CMM ISO/IEC 27001:2013 cerficate

14. Thank You