Hello, I am Philip Nordfalk

I am an experienced management consultant with a demonstrated history of work within Governance, Risk, Control and Compliance areas. I'm skilled in Enterprise Risk Management, Business Processes, Internal Controls, Information Security and Compliance Management. Strong consulting professional with a Bachelor of Commerce (HD) based on Economics and Business Administration from Copenhagen Business School as well as several certifications in information security and risk management.

I have good experience in identifying and understanding legislation and standards relevant to customer's business and help to get this implemented in practice. Examples are advisory services and implementation support related to SOX, eIDAS and GDPR.

In addition, I have acted as a project manager on many projects, and I’m not afraid of doing “hands-on” detailed work if this is required on an engagement.

I do have good experience in gaining an overall understanding of the business and the environment in which it operates in order to “right-size” efforts that I advise on and assist the customer with. I have helped many companies from overall design of concepts through architecting more detailed procedures and work instructions and then helped the company implement and use these in their day-to-day work.

Skills summary

My skills and experience include the following:

I do have good working knowledge and experience with the following frameworks and legislation:

Frameworks supporting management of Information Security and IT Service Management
  • ISO 27000 – series
  • Cobit (4.1 and 5 versions)
  • ISF (Information Security Forum) – Standard of Good Practice
  • CIS Framework
  • ITIL
  • NSIS - Danish National Standard for Identity Assurance Levels
Framework supporting enterprise
  • COSO – frameworks related to Enterprise Risk Management, Internal Controls and Fraud Prevention. COSO is the preferred framework in supporting Sarbanes-Oxley compliance as well as laying out the basis of Corporate Governance.
  • Danish Banking Law ("Lov om finansiel virksomhed")
  • Danish Privacy Act
  • EU General Data Protection Regulation (GDPR)
  • EU eIDAS Regulation - on Electronic Identification and Trust Services
  • Sarbanes-Oxlye Act of 2002 (SOX)

Personal characteristics


Education and certification


2011-now Self-employed Freelance Senior Consultant working with large customers in various engagements and projects. This included establishing an Information Security Framework (primarily based on ISO 27000), establishing a framework for running an internal Information Security Compliance function, advise on and work in a larger Identity and Access Management System implementation, establishing procedures and performing activities for internal controls that works in practice.
2006-2011 Practice Area Manager, Risk and Security Management Services, Devoteam Consulting A/S
2000-2006 Senior Manager, Enterprise Risk Services, Deloitte
1979-2000 Several positions in Coopers & Lybrand (now PriceWaterhouseCoopers), including Director, Global Risk Management Services and Senior Manager, Computer Assurance Services in Los Angeles, USA.

Selected projects

Nets - Professional advisory and implementation services in several areas related to compliance, including responsibilities for MitID / NemLog-In conformity assessments for EU eIDAS Regulation and coordination of NSIS notifications. Also included design and implementation of compliance related procedures in both development and operational phases and compliance with contractual requirements.
GlobalConnect – Professional advisory and implementation services, related to implementation of GDPR actions and procedures, including implementation of a (GDPR) Governance and Management System (RISMA). Involved coordination and guidance in several European countries.
Vækstfonden – The Danish Growth Fund: Professional advisory and implementation services, primarily related to implementation of GDPR actions and to design, authoring and implementation of policies and procedures for Identity and Access Management. This also included extensive planning, facilitation, analysis and assistance in structuring of access controls and implementation of a supporting IAM system.
Milestone Systems A/S: Assistance in designing and implementing procedures, work instructions and training for Information Security. The work included a governance structure for Information Security in the company, based on standards such as ISO 27000 and Cobit. Member of core team in the company’s GDPR project, especially in coordination between the company’s Information Security activities and other GDPR activities to avoid parallel and redundant efforts. Participated as an advisor and executor on interpreting the regulations and implementing necessary business procedures (IT as well as non-IT). Member of the core team and major participation in the company’s implementation of an Identity and Access Management System, primarily on the business side.
GSV Materieludlejning A/S: Provisioning of advisory services and workshops to reach GDPR compliance. The work included assistance on identifying and mapping relevant business processes, setting up necessary documentation, assistance in creating awareness material and more.
SDC A/S: Engaged as Compliance Officer in a major Danish IT Services Provider company within the financial sector. This engagement included establishing and facilitating cross-functional workshops and other activities to assist in improving and streamlining the compliance efforts of the organization. It also involved mapping of relevant legislation to policies, procedures and practices. Making controls and documentation on the policies and procedures.
VP Securities A/S: Advice and services on revitalization of information security and compliance in a large Danish finance business. The project included Risk Management and Internal Controls disciplines and establishment of a formal security framework and methodology – primarily based on the ISF standards.
SimCorp: Advice and support in designing and implementing an Enterprise Risk Framework in a global company developing software for the financial sector. Deliveries included authoring an Enterprise Risk Management Manifesto / Guide.

Mecom Group plc/Berlingske Media: Group Internal Auditor, included cross border activities, coordination and reporting.
Jeld-Wen Inc.: Project and professional management – process change and implementation project for a US based global manufacturing company as part of the company’s Sarbanes-Oxley (SOX) compliance project. Acted as European IT Project Lead with team and professional responsibility for roll-out in Europe, liaising with and reporting to the PMO in the US.
Danish Courts: Project and professional management – test and quality assurance project and security advice carried out for Denmark’s electronic real property registration system (Elektronisk Tinglysning). Member of the projects’ overall steering group, chaired two subcommittees, managed a team of 7-10 individuals consisting of consultants and customers personnel. Tight coordination with system vendor. Challenging multipart project.

Project and professional management of several audit, consultancy, compliance and implementation projects for a number of big, international companies in relation to implementation of SOX. The projects, which were primarily concerned with setup of information security and with compliance management, included customers like Volvo Car Corporation/Ford Motor Company (Gothenburg, Sweden), Roper Industries and Sauer-Danfoss (Denmark and several European locations). Management of larger project teams and international coordination.
Last update: 5. March 2020