Dr Andrea C. Simmons MA, GDPR/P, CISSP, CISM, ISO27001 Lead Auditor, FBCS CITP, M.Inst.ISP, Senior Member ISSA, DHP (NC)

Andrea is an experienced information security, assurance and governance, risk and compliance (GRC) evangelist with expertise in several disciplines of the information security industry, working across the public and private sectors to implement compliance programmes and information security management systems (ISMS). These have spanned Data Protection, including the General Data Protection Regulation [GDPR], Privacy and Data Handling, PCI DSS, Freedom of Information, Records & Information Management, ISO 27001 and related standards, Government Secure Codes of Connection, HMG SPF, etc. Andrea has always allowed time for volunteer involvement in various professional bodies: previously spending a number of years as a member of the BCS Chartered Institute for IT Security Community of Expertise, previously a Director of the Institute of Information Security Professionals, and currently a Senior Member of the ISSA, a long-standing platinum level ISACA member, a volunteer delivering Safe and Secure Online programs to UK schools for ISC2, and for many years a member of the management committee of the Information Assurance Advisory Council (IAAC). The endeavour has always been to shape the information security landscape and develop the Information Assurance profession for the future.

Andrea spent some time as Chief Information Security Officer (CISO) for HP Enterprise Services, a global outsourcing firm with thousands of worldwide clients. Alongside this demanding role, Andrea had been undertaking a PhD in Information Assurance, the results of which are i3GRC™. Andrea returned to independent consultancy in 2015.

In November 2008, Andrea wrote a 50,000 word report on achieving best practice in information security, which highlighted the need to focus on the umbrella view of information governance, under which sit information assurance, information security, Data Protection, Freedom of Information, and all the compliance, legislative and regulatory frameworks. This was published in December 2008 (Achieving Best Practice in Public Sector Information Security, Ark Group Publishing, ISBN 978-1-906355-39-5). A second book, Once more unto the Breach – Managing Information Security in an Uncertain World (ISBN 978-1-849283885), was published in summer 2012; based on experience gained “at the coal face”, it was updated in December 2014 for reprint in Spring 2015.

“All employees have some responsibility for internal control as part of their accountability for achieving objectives. They, collectively, should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces.” Turnbull, 2000