Sign up to save your podcasts
Or
Share Danny Vukobratovich, ISO 27001 as the Engine, NIST CSF 2.0 as the Dashboard, A Practical Operating Model
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Danny Vukobratovich, ISO 27001 as the Engine, NIST CSF 2.0 as the Dashboard, A Practical Operating Model
Many organizations adopt security frameworks but struggle to turn them into day-to-day operations that reduce risk without slowing delivery. This talk presents a practical operating model that pairs ISO/IEC 27001 (as the certifiable management system that runs governance, risk management, internal audit, and continual improvement) with NIST Cybersecurity Framework 2.0 (as the outcome-focused "dashboard" for aligning security priorities to business objectives and communicating posture to leaders). Attendees will see how to translate business goals into CSF 2.0 current and target profiles, convert those profiles into ISO 27001 objectives and control ownership, and design "evidence by default" workflows that reduce audit fire drills. The session will include real-world design patterns (paved roads, tiered decision rights, exception handling with expiry, and control health metrics) and highlight where assurance programs often drift into "control theater." The goal is a repeatable approach that both practitioners and researchers can critique, improve, and apply. About the speaker: Danny Vukobratovich is a Sr. IT Security Analyst at Purdue University, where he manages Purdue IT's ISO program spanning ISO/IEC 27001 (information security), ISO 9001 (quality management), and ISO/IEC 20000-1 (IT service management). He also oversees Purdue IT's business continuity and disaster recovery planning, with an emphasis on building resilient, auditable operating models that support research and administrative missions. Danny's professional focus is translating risk and governance into practical mechanisms, including clear decision rights, "evidence by design," and metrics that measure control health rather than control presence. His background includes security risk assessments, incident response, monitoring and logging, identity and access management, and standards-based audits across diverse environments. Danny holds the CISSP, ISO/IEC 27001:2022 Lead Implementer, and ITIL 4 Strategic Leader certifications, and an M.S. in Cybersecurity Management.
View all episodes
By CERIAS <[email protected]>
4.1
77 ratings
Many organizations adopt security frameworks but struggle to turn them into day-to-day operations that reduce risk without slowing delivery. This talk presents a practical operating model that pairs ISO/IEC 27001 (as the certifiable management system that runs governance, risk management, internal audit, and continual improvement) with NIST Cybersecurity Framework 2.0 (as the outcome-focused "dashboard" for aligning security priorities to business objectives and communicating posture to leaders). Attendees will see how to translate business goals into CSF 2.0 current and target profiles, convert those profiles into ISO 27001 objectives and control ownership, and design "evidence by default" workflows that reduce audit fire drills. The session will include real-world design patterns (paved roads, tiered decision rights, exception handling with expiry, and control health metrics) and highlight where assurance programs often drift into "control theater." The goal is a repeatable approach that both practitioners and researchers can critique, improve, and apply. About the speaker: Danny Vukobratovich is a Sr. IT Security Analyst at Purdue University, where he manages Purdue IT's ISO program spanning ISO/IEC 27001 (information security), ISO 9001 (quality management), and ISO/IEC 20000-1 (IT service management). He also oversees Purdue IT's business continuity and disaster recovery planning, with an emphasis on building resilient, auditable operating models that support research and administrative missions. Danny's professional focus is translating risk and governance into practical mechanisms, including clear decision rights, "evidence by design," and metrics that measure control health rather than control presence. His background includes security risk assessments, incident response, monitoring and logging, identity and access management, and standards-based audits across diverse environments. Danny holds the CISSP, ISO/IEC 27001:2022 Lead Implementer, and ITIL 4 Strategic Leader certifications, and an M.S. in Cybersecurity Management.