Hello, I am Philip Nordfalk
I am an experienced management consultant with a demonstrated history of work within Governance, Risk, Control and Compliance areas. I'm skilled in Enterprise Risk Management, Business Processes, Internal Controls, Information Security and Compliance Management. Strong consulting professional with a Bachelor of Commerce (HD) based on Economics and Business Administration from Copenhagen Business School as well as several certifications in information security and risk management.
I have good experience in identifying and understanding the legislation and standards relevant to a customer's business and in helping to get these implemented in practice. Examples are advisory services and implementation support related to SOX, eIDAS and GDPR.
In addition, I have acted as a project manager on many projects, and I’m not afraid of doing “hands-on” detailed work if this is required on an engagement.
I do have good experience in gaining an overall understanding of the business and the environment in which it operates in order to “right-size” efforts that I advise on and assist the customer with. I have helped many companies from overall design of concepts through architecting more detailed procedures and work instructions and then helped the company implement and use these in their day-to-day work.
Skills summary
My skills and experience include the following:
- Business and management consultancy
- Business Analyst
- Business process design and implementation
- Information security, including policies, processes and procedures, and Identity and Access Management
- Operational risk management
- Compliance with laws, legislation, policies, contracts, frameworks, standards ...
- Review and auditing
- Functional testing
- Project management
- Stakeholder management
I do have good working knowledge and experience with the following frameworks and legislation:
Frameworks supporting management of Information Security and IT Service Management
Framework supporting enterprise
Legislation
Personal characteristics
- Goal focused
- Business oriented – focusing on quality and value
- Analytical, good at spotting correlations, not losing overview
- Professional, creative, energetic, challenging, engaged
- Structured and organized
- Extrovert, empathic, good punch, good at creating/maintaining social cohesion and relationships
- Accustomed to communications on all levels within a company
- Good at working in teams as well as independently
- Good at presenting and organizing / facilitating workshops as efficient knowledge sharing tools
- Cheerful, positive and a good sense of humor
Languages
- Danish: Native
- English: Full professional proficiency
- Swedish and Norwegian: Conversational level
Education and certification
- Bachelor of Commerce – Economics and Business Administration (1985)
- CISM – Certified Information Security Manager (2008)
- CRP – Certified Risk Professional (2002)
- CISA – Certified Information Systems Auditor (1990)
Experience
- 2011-now: Self-employed Freelance Senior Consultant working with large customers in various engagements and projects. This has included establishing an Information Security Framework (primarily based on ISO 27000), establishing a framework for running an internal Information Security Compliance function, advising on and working in a larger Identity and Access Management System implementation, and establishing procedures and performing activities for internal controls that work in practice.
- 2006-2011: Practice Area Manager, Risk and Security Management Services, Devoteam Consulting A/S
- 2000-2006: Senior Manager, Enterprise Risk Services, Deloitte
- 1979-2000: Several positions in Coopers & Lybrand (now PriceWaterhouseCoopers), including Director, Global Risk Management Services and Senior Manager, Computer Assurance Services in Los Angeles, USA.
Selected projects
- 2024-: DSV – Advice and support in creating and updating the IT Risk Management Policy and supporting processes. Supporting the flow of risk assessments and risk handling, including coordination with stakeholders.
- 2021-2023: Nets – Professional advisory and implementation services in several areas related to compliance, including responsibility for MitID / NemLog-In conformity assessments under the EU eIDAS Regulation and coordination of NSIS notifications. Also included design and implementation of compliance-related procedures in both development and operational phases, and compliance with contractual requirements.
- 2020-2021: GlobalConnect – Professional advisory and implementation services related to implementation of GDPR actions and procedures, including implementation of a (GDPR) Governance and Management System (RISMA). Involved coordination and guidance in several European countries.
- 2019: Vækstfonden – The Danish Growth Fund: Professional advisory and implementation services, primarily related to implementation of GDPR actions and to the design, authoring and implementation of policies and procedures for Identity and Access Management. This also included extensive planning, facilitation, analysis and assistance in structuring access controls and implementing a supporting IAM system.
- 2017-2019: Milestone Systems A/S – Assistance in designing and implementing procedures, work instructions and training for Information Security. The work included a governance structure for Information Security in the company, based on standards such as ISO 27000 and Cobit. Member of the core team in the company's GDPR project, especially in coordinating the company's Information Security activities with other GDPR activities to avoid parallel and redundant efforts. Participated as an advisor and executor in interpreting the regulations and implementing the necessary business procedures (IT as well as non-IT). Member of the core team, with major participation, in the company's implementation of an Identity and Access Management System, primarily on the business side.
- 2017-: GSV Materieludlejning A/S – Provision of advisory services and workshops to reach GDPR compliance. The work included assistance in identifying and mapping relevant business processes, setting up the necessary documentation, assistance in creating awareness material, and more.
- 2016: SDC A/S – Engaged as Compliance Officer in a major Danish IT services provider within the financial sector. This engagement included establishing and facilitating cross-functional workshops and other activities to assist in improving and streamlining the compliance efforts of the organization. It also involved mapping relevant legislation to policies, procedures and practices, and creating controls and documentation for those policies and procedures.
- 2015-2016: VP Securities A/S – Advice and services on the revitalization of information security and compliance in a large Danish finance business. The project included the Risk Management and Internal Controls disciplines and the establishment of a formal security framework and methodology, primarily based on the ISF standards.
- 2015: SimCorp – Advice and support in designing and implementing an Enterprise Risk Framework in a global company developing software for the financial sector. Deliveries included authoring an Enterprise Risk Management Manifesto / Guide.
- 2013-2015: Mecom Group plc/Berlingske Media – Group Internal Auditor, including cross-border activities, coordination and reporting.
- 2011-2012: Jeld-Wen Inc. – Project and professional management of a process change and implementation project for a US-based global manufacturing company, as part of the company's Sarbanes-Oxley (SOX) compliance project. Acted as European IT Project Lead with team and professional responsibility for the roll-out in Europe, liaising with and reporting to the PMO in the US.
- 2007-2009: Danish Courts – Project and professional management of a test and quality assurance project, and security advice, carried out for Denmark's electronic real property registration system (Elektronisk Tinglysning). Member of the project's overall steering group, chaired two subcommittees, and managed a team of 7-10 individuals consisting of consultants and the customer's personnel. Tight coordination with the system vendor. A challenging multipart project.
- 2003-2006: Project and professional management of several audit, consultancy, compliance and implementation projects for a number of big international companies in relation to the implementation of SOX. The projects, which were primarily concerned with the setup of information security and with compliance management, included customers such as Volvo Car Corporation/Ford Motor Company (Gothenburg, Sweden), Roper Industries and Sauer-Danfoss (Denmark and several European locations). Management of larger project teams and international coordination.