ISO 27001 Assignment (02 Nov 2022)


ASSIGNMENT

Principles and Practices of ISO/IEC 27001 Standards

Team Members
ABC
Contents

Abstract
Introduction
Requirements for ISO 27001
  1 Scope
  2 Normative References
  3 Terms and Definitions
  4 Context of the Organization
    4.1 Internal and External Issues of the Organization
    4.2 Needs and Expectations of the Interested Parties
  5 Leadership
    5.1 Leadership Commitment
    5.2 ISMS Policy
    5.3 Roles and Responsibilities
  6 Planning
    6.1 Information Security Risk Assessment and Control Measures
      6.1.1 Identification of Business Process
      6.1.2 Business Impact Analysis Initiation
      6.1.3 Performing Asset Valuation
      6.1.4 Determining Risks
      6.1.5 Performing Risk Assessment
      6.1.6 Risk Treatment
      6.1.7 Follow-up
    6.2 ISMS Objectives Development and Planning
  7 Support
    7.1 ISMS Resources Provision
    7.2 ISMS Competence
    7.3 ISMS Awareness
    7.4 ISMS Communication
    7.5 ISMS Documentation
      7.5.1 Levels of Documents
      7.5.2 Document Coding Scheme
      7.5.3 Document Preparation, Review and Approval
      7.5.4 Access and Disposal of Obsolete Documents and Retained Records
  8 Operation
    8.1 ISMS Operational Planning and Controls
  9 Performance Evaluation
    9.1 ISMS Monitoring and Measurement
    9.2 ISMS Audits
    9.3 ISMS Management Review
  10 Improvement
    10.1 ISMS Non-Conformity and Corrective Action
Benefits of Implementing ISO/IEC 27001
Case Study 01
Case Study 02
Case Study 03
Recommendation
Conclusion
References
Appendix

Page 1 of 40
Abstract

In this document, the mandatory requirements of the ISO/IEC 27001 information security management system (ISMS) have been summarized and briefly discussed. The Annex SL structure of ISO/IEC 27001 makes it easier to integrate with other management system standards. The ten clauses of ISO/IEC 27001, including scope, normative references, terms and definitions, context of the organization, planning, support, performance evaluation, and improvement, are also part of this document. Furthermore, recommendations and a case study related to Fredrickson are also part of this document.

Introduction

Businesses are increasingly reliant on information and communication technology (ICT) to run their operations, arrange production, provide services, and connect internally and with clients [1]. The development of information technology and its integrated applications in different sectors, including health care, banking, manufacturing and services, has raised concerns about information technology security [2]. Similarly, emerging information technologies and Industry 4.0 applications have a number of access points through which any IT network could be compromised [3]. In recent years, the European Union has established a Cybersecurity Program, as well as many Directives and Regulations on connected problems. These expressly emphasize the importance of certifications and guidelines in assisting businesses in ensuring conformity with information security requirements [4]. To address the progressively more complex challenges of information system security (ISS), holistic approaches are necessary. Significant managerial effort is required to balance trade-off judgments between security and legal compliance in addition to cost and operations [5].

In the midst of increasing economic and legal challenges, businesses must increasingly take adequate measures to secure their data assets and include this issue in their strategic management [6]. The information security management system (ISMS) protects information assets and offers a systematic method for risk management. As a result, it assists businesses in meeting their own data security objectives in addition to those of their customers, as well as in complying with legal data security obligations. As an international standard for this type of ISMS, ISO/IEC 27001 "has been developed to specify requirements for developing, operating, maintaining, and steadily improving an information security management system" (ISO/IEC 27001:2013). ISO/IEC 27001 is widely regarded as the most important global standard for the management of information security [3]. With 36,362 valid certifications at 68,930 sites, ISO/IEC 27001 ranks third globally among the most often used management system standards, trailing ISO 9001 for quality management (ranked first with over 900,000 valid certificates) and ISO 14001 for environmental management [7]. Given the increasing importance of information security, these statistics show that dissemination is still slow despite the high ranking. Sector statistics from the ISO survey of certified firms worldwide show that ISO/IEC 27001 is largely used by businesses in the ICT sector [7].

Requirements for ISO 27001

The ISO 27001 standard is based on the Plan-Do-Check-Act (PDCA) principle. An organization needs to define its scope of work, and based on that scope the documentation and implementation of the information security management system (ISMS) are developed. ISO 27001 has a total of 10 clauses which need to be considered when implementing it in any organization [8]. A schematic illustration of these clauses is given in Fig. 1.

Fig. 1. ISO 27001 Standard Implementation Requirements (figure: the ten clauses Scope, Normative References, Terms and Definitions, Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement)

1 Scope

The scope defines the boundaries of the ISMS implementation. Any organization that is going to implement ISO 27001 needs to define the boundaries of its ISMS. The boundaries include all organizational sections and sub-sections which are inter-related with each other. Similarly, where an organization has more than one operational site, these operational sites should also be defined in the scope of work. As in Fig. 2, the Information Security Management System scope of the IT organization has been illustrated with Sites A, B, and C. The scope of the organization also covers the context of the organization, interested parties, assets, etc.

Fig. 2. Organization Scope based on Operational Sites (figure: IT Organization with Site A, Site B, Site C and Site D)

2 Normative References

ISO/IEC 27001 draws many of its sections from other literature and previously published standards. Therefore, references to the previously published work or standards are cited in the standard. These references are given to provide more clarification or guidance regarding the different points or sections of the standard. The references include:

- ISO/IEC 27002 Information Technology – Security Techniques – Code of Practice

3 Terms and Definitions

In the standard, the meanings of some English words differ from their dictionary meanings; in particular, these words carry meaning with reference to the context of their usage. For example, the word 'shall' represents a mandatory requirement. Similarly, wording that is specific to an organization is also defined here. For example:

- Audit
- Risk Assessment and Control Measures
- Corrective Actions
- Information Security Controls
- Process
- Services and Products
- Access Control
- Authority, Accountability, Responsibility

4 Context of the Organization

Context is the set of circumstances which defines the nature of the organization's work. In the latest version, ISO/IEC 27001:2013, the structure of the standard has been changed to Annex SL. In the revised Annex SL structure, the organizational context needs to be defined [8].

4.1 Internal and External Issues of the Organization

The context is defined considering internal and external issues. These internal and external issues include:

- Organization Strengths
- Weaknesses
- Opportunities
- Threats
- Political Issues
- Economic Issues
- Social Issues
- Technological Issues
- Legal / Regulatory Issues

All of these issues need to be addressed or considered in the context of the organization.

4.2 Needs and Expectations of the Interested Parties

In the context of the organization, the needs and expectations of the interested parties also need to be covered. These needs and expectations include:

- Service or Product Quality
- Service Level Agreements
- Timelines

Finally, the organization needs to determine the scope of the information security management system: the areas or parts of the organization in which the ISMS will be implemented, as described in Section 1 of this document [8]. While defining the scope of work, the following requirements need to be considered:

- Internal and External Issues
- Needs and Expectations of the Interested Parties
- Any other requirements which the organization's management considers important

Finally, the information security management system should be developed, implemented, maintained, and continually improved.

5 Leadership

5.1 Leadership Commitment

Improvement flows from the top down in any organization. It is the commitment of top management which makes the management system more progressive and brings improvement within the organization [8]. In ISMS implementation, the commitment of the organization's top management is the utmost requirement for true implementation of the system within the organization. To show commitment towards ISMS implementation, the organization should define and enforce the following:

- ISMS Policy
- ISMS Objectives derived from the ISMS Policy
- ISMS implementation direction
- Provision of resources for implementation

5.2 ISMS Policy

The overall intention and direction of top management related to the ISMS should be defined by the top management of the organization [8]. The ISMS policy should be:

- Based on the context of the organization
- A commitment to legal and other applicable requirements
- A commitment to continual improvement
- A framework for the ISMS objectives

The ISMS policy should be available and communicated to all interested parties. A sample ISMS operation policy is given below:

Company XYZ is dedicated to providing operational security at its facility and operations by ensuring the following:

- Protection from malware or any other unwanted software shall be provided by installing firewalls
- Physical security of IT and utility resources shall be ensured by monitoring and applying security protocols
- Backups of critical as well as non-critical data shall be taken and stored at separate locations
- Security testing shall be done at defined intervals in order to identify vulnerabilities
- All breaches and potential susceptibilities found shall be resolved; otherwise the use of the affected service shall be discontinued
- Operational audits shall be performed at defined intervals to check the level of implementation

5.3 Roles and Responsibilities

For better implementation of any management system within an organization, proper roles and responsibilities need to be defined. The roles and responsibilities of personnel should be defined based on the nature of their work [8]. These roles and responsibilities are shared with the relevant personnel of the organization.

Roles and responsibilities cover:

- Responsibilities
- Authorities
- Accountabilities

6 Planning

6.1 Information Security Risk Assessment and Control Measures

Risk is defined as the preventive approach for any vulnerability within the organization. ISMS-related risk is identified by applying risk management techniques [9]. Risk management also follows the Plan-Do-Check-Act (PDCA) cycle, as shown in Fig. 3.

Fig 3. ISMS Risk Cycle (figure: Risk Identification, Risk Categorization, Risk Control Measures, Risk Treatment)


Risk Identification:

ISMS-related risks are identified based on the organization's scope and context. For this, all processes of the organization are covered.

Risk Categorization:

ISMS-related risks are categorized using a risk matrix, mostly in the form of high, medium and low risks.

Risk Control Measures:

ISMS-related risk control measures are recommended and implemented to reduce the risk to an acceptable level.

Fig. 4. Risk Flow Diagram

Figure 4 shows a sample process flow diagram for ISMS risk assessment, which is briefly described below:

6.1.1 Identification of Business Process

Business Impact Analysis is performed against all the processes running in the organization. For this purpose, a Risk Management sheet is developed, identifying all departments and the processes related to them.

6.1.2 Business Impact Analysis Initiation

Initiate the business impact analysis following contractual obligations and client requirements and needs. Determine the maximum allowable downtime to recover the process or service, choosing the most appropriate downtime limit based on the business or client requirements of the process.

6.1.3 Performing Asset Valuation

Asset valuation is prioritized for assets involved in Critical and Important processes. Choose the process (priority is given to processes deemed Critical, then Important, and lastly Normal) and assess its assets.

6.1.4 Determining Risks

Risk assessment is performed for assets valued Critical and Important. Identify the asset type, determine the threat and record it under the specified column using Annexure A. A threat is an act, event or thing which may exploit the corresponding vulnerability to create risk(s) to business processes and assets.

Determine the vulnerability of the assigned asset which might be exploited by the selected threat. Vulnerabilities are weaknesses of an asset which might be exploited by a threat and create risks in a business environment [9].

Describe the risks under Risk Description which may affect the business process and the asset being assessed. Each risk must be created from the combination of the threat and vulnerability chosen; one combination of threat and vulnerability might lead to more than one risk.

6.1.5 Performing Risk Assessment

Risk treatment is decided on the basis of the risk rating, while making sure that the residual risk is reduced to Minor by the treatment measures adopted.

6.1.6 Risk Treatment

Risks are accepted for assets valued Normal. Risks rated Minor are accepted. Using the same Risk Assessment sheet, choose the suggested controls:

- Choose a control listed in the drop-down menu
- Choose a custom control if the listed controls do not include the required risk treatment measure
- Select No Control Required if the risk rating is already Minor (no risk treatment is required)

6.1.7 Follow-up

Based on the assigned Target Date, follow up with the Risk Owners and concerned persons to determine the status of risk treatment under the appropriate column:

- Completed: treatment was completed on time
- Pending: status is unknown and the Target Date is close
- Delayed: treatment is overdue past the Target Date
- Reassigned: treatment was unsuccessful

The output of the Business Impact Analysis, Asset Valuation, Risk Assessment and Risk Treatment activities is reviewed annually. Designated Risk Owners ensure that risk treatments are implemented by the fixed target dates.
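As an added example (not part of the assignment or its Risk Management sheet), the following Python sketch models the rules of sections 6.1.3 to 6.1.7: assessment only for Critical and Important assets, acceptance of Normal-asset and Minor-rated risks, the requirement that residual risk comes down to Minor, and the four follow-up statuses. The 3x3 likelihood-by-impact matrix with its band thresholds and the sample register rows are assumptions constructed for illustration.

```python
# Added example (not from the assignment): risk register applying sections 6.1.3-6.1.7.
# Assumed 3x3 likelihood x impact matrix and thresholds; sample rows are constructed data.
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

class AssetValue(Enum):
    CRITICAL = "Critical"
    IMPORTANT = "Important"
    NORMAL = "Normal"

class Rating(Enum):
    MINOR = "Minor"    # the "low" band of the risk matrix
    MEDIUM = "Medium"
    HIGH = "High"

def rate_risk(likelihood: int, impact: int) -> Rating:
    """Assumed risk matrix: likelihood and impact are each scored 1..3."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be in 1..3")
    score = likelihood * impact
    if score <= 2:
        return Rating.MINOR
    if score <= 4:
        return Rating.MEDIUM
    return Rating.HIGH

@dataclass
class Risk:
    asset: str
    asset_value: AssetValue
    threat: str
    vulnerability: str
    description: str
    likelihood: int
    impact: int
    control: Optional[str] = None            # listed or custom control chosen
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    target_date: Optional[date] = None
    completed_on: Optional[date] = None
    treatment_failed: bool = False

    @property
    def rating(self) -> Rating:
        return rate_risk(self.likelihood, self.impact)

def needs_assessment(risk: Risk) -> bool:
    """6.1.4: risk assessment is performed for Critical and Important assets only."""
    return risk.asset_value in (AssetValue.CRITICAL, AssetValue.IMPORTANT)

def treatment_decision(risk: Risk) -> str:
    """6.1.6: accept Normal-asset and Minor-rated risks; otherwise a control is needed."""
    if risk.asset_value is AssetValue.NORMAL:
        return "Accepted (asset valued Normal)"
    if risk.rating is Rating.MINOR:
        return "No Control Required"
    if risk.control is None:
        return "Control Required (choose a listed or custom control)"
    return "Treat: " + risk.control

def residual_is_minor(risk: Risk) -> bool:
    """6.1.5: the residual risk after treatment must come down to Minor."""
    if risk.residual_likelihood is None or risk.residual_impact is None:
        return False
    return rate_risk(risk.residual_likelihood, risk.residual_impact) is Rating.MINOR

def follow_up_status(risk: Risk, today: date) -> str:
    """6.1.7 statuses: Completed, Reassigned, Delayed, otherwise Pending."""
    if risk.completed_on is not None:
        return "Completed"
    if risk.treatment_failed:
        return "Reassigned"
    if risk.target_date is not None and today > risk.target_date:
        return "Delayed"
    return "Pending"   # not yet overdue and status still unknown

def summarize(register: List[Risk]) -> Dict[str, int]:
    """Risk categorization: count the assessed risks in each matrix band."""
    counts = {band.value: 0 for band in Rating}
    for risk in register:
        if needs_assessment(risk):
            counts[risk.rating.value] += 1
    return counts

def sample_register() -> List[Risk]:
    """Constructed sample rows, not real data."""
    return [
        Risk("Customer database server", AssetValue.CRITICAL, "Malware",
             "Unpatched operating system", "Data theft via ransomware", 3, 3,
             control="Patch management procedure", residual_likelihood=1,
             residual_impact=2, target_date=date(2023, 6, 30)),
        Risk("HR file share", AssetValue.IMPORTANT, "Unauthorized access",
             "Weak folder permissions", "Leak of personnel records", 2, 3,
             target_date=date(2023, 6, 30)),
        Risk("Lobby display", AssetValue.NORMAL, "Vandalism", "Public location",
             "Display screen damaged", 2, 2),
    ]
```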

6.2 ISMS Objectives Development and Planning

ISMS objectives are derived from the ISMS policy defined by the organization. The policy acts as a benchmark for the objectives, which should be specific, measurable, realistic, and time-bound (SMART) [9].

Fig. 5. Objectives Features (figure: SMART Objectives: Specific, Measurable, Realistic, Timely Bounded)

These are some sample objectives related to the ISMS:

- "To get the XYZ facility certified to ISO/IEC 27001 by Dec 2023 by a third-party internationally accredited certification body"
- "To provide at least 15 hours of Information Security Management System related training to the core IT and network team by Dec 2023"

7 Support

7.1 ISMS Resources Provision

In order to implement an information security management system, resources in terms of finance, personnel, assets, etc. are required. These resources are provided by management for proper implementation of the ISMS [8].

7.2 ISMS Competence

Competent personnel are also an asset of the organization and play an important role in the implementation of an ISO/IEC 27001 ISMS. Personnel competence is increased through training, supervised work, and similar means. Competence is the combination of the following:

Fig. 6. Competence Chart (figure: Education, Qualification, Training and Experience combine into Competence)

7.3 ISMS Awareness

The awareness cycle starts with a training needs assessment related to the information security management system (ISMS). The awareness of newly hired and existing employees is increased through training, physical demonstrations, etc. The training needs assessment of these employees is done by their immediate in-charge. Based on the training needs assessment, a training plan is developed. According to the training plan, trainings are conducted and proper records of the trainings are maintained. Finally, evaluation of the personnel based on the trainings is conducted [8].
Fig. 7. Training Cycle (figure: Training Needs Assessment, Training Plan, Training Execution, Training Evaluation)

7.4 ISMS Communication

The ISO/IEC 27001 requirements and the company's policies and procedures need to be communicated to the relevant interested parties. For this purpose, the communication plan in Table 1 could be a viable solution [8].

Table 1. Communication Plan

Sr. No. | What               | When                               | Whom to   | How                                              | Who
1       | Quality policy     | After release/review               | Employees | Bulletin board, displays                         | Designation
2       | Quality objectives | After release/review               | Employees | Controlled hard copies are shared, meetings      | Designation
3       | CSR                | After receipt from customer/review | Employees | Controlled hard copies are shared, shared folder | Designation

7.5 ISMS Documentation

Document and record control is the most important part of ISO/IEC 27001 implementation. Documents and records contain confidential or public information, all of which needs to be handled properly [8]. Some organizations categorize documents as confidential or public. Documentation starts from the document level and then has the following further parts:

7.5.1 Levels of Documents

The documents of the ISMS are categorized into four levels according to their nature.

Level I: Organizational Chart, Policies & Manual

Level II: System Procedures, Operational Procedures

Level III: JDs, Work Instructions,

Level IV: Forms & Formats

Fig. 8. Hierarchy of Documents

7.5.2 Document Coding Scheme

The organization defines the document coding scheme based on the importance or level of the documents.

7.5.3 Document Preparation, Review and Approval

Management needs to define which type of document will be approved by whom. For this, a matrix table as given in Table 2 can be used.

Table 2. Document Preparation, Review, and Approval

Level | DOC Type         | Prepared By | Reviewed By | Approved By
I     | ORG, POL         |             |             |
II    | System Procedure |             |             |
III   | SOP, WIs, JDs    |             |             |
IV    | FRM              |             |             |

7.5.4 Access and Disposal of Obsolete Documents and Retained Records

Finally, document disposal is the part which needs to be handled properly. When the retention period of records expires, the validity and usefulness of the records are verified. Then the documents are destroyed and the records shredded in the presence of the responsible person or his appointee [9].

8 Operation

8.1 ISMS Operational Planning and Controls

The organization's scope of work under the domain of the ISMS should be documented, planned, and maintained. These operational controls are updated on a periodic basis. All operations should address the ISMS-related and other operational risks.

It starts with operational planning for risk control and continuously rotates in a cycle of planning, controlling, and execution [9].

9 Performance Evaluation

9.1 ISMS Monitoring and Measurement

The performance of the implemented ISMS is evaluated by applying different techniques, including internal and external audits [9]. Performance is also evaluated on an ongoing basis.

9.2 ISMS Audits

An audit is a documented activity for cross-verification of the implementation against the defined policies and procedures. An audit has different stages, including the following:

- Auditors' selection
- Audit frequency and planning
- Audit execution
- Audit reporting
- Corrective actions against audit findings
- Follow-up of the findings

9.3 ISMS Management Review

Management conducts reviews to evaluate the performance of the ISMS. The management review is a planned activity with a pre-defined agenda which covers:

- Organization internal and external issues
- Audit results
- Resources
- Risks and opportunities

10 Improvement

10.1 ISMS Non-Conformity and Corrective Action

Improvement is a never-ending process which is carried out based on the Check phase, whenever a non-conformity is highlighted. For improvement, different organizations have a number of strategies, but the most widely adopted is to fill in a corrective action plan (CAP) in which a proper root cause analysis is done. A sample corrective action plan is given in Appendix B. The CAP covers [9]:

- Problem statement
- Root cause analysis
- Proposed corrective action
- Status of the corrective action

Finally, the CAP is closed after verification of the corrective action status.

Benefits of Implementing ISO/IEC 27001

ISO/IEC 27001 has many direct and indirect benefits for organizations that adopt it and become certified. Some of them are given below:

Reduction in Vulnerability Risks:

Implementation of ISO/IEC 27001 reduces vulnerability risk because of the extensive ISMS risk assessment, which is a mandatory part of ISO/IEC 27001 certification. Furthermore, the control measures suggested by ISO/IEC 27002 also reduce ISMS risks [8].

Systematic Way of IT Operations:

ISO/IEC 27001 certification requires all policies and procedures to be defined and documented, which ultimately makes IT operations systematic.

Customer Market Expansion:

ISO/IEC 27001 certification increases the organization's worth: if any customer does business with the organization, their information will be secured. Further, to deal with organizations of good repute, it is one of the mandatory requirements that a service provider should have a management system [8].

Reliability and Customer Trust:

ISO/IEC 27001 increases the trust of customers because the integrity of the ISO/IEC 27001 implementation is verified by a third party at pre-planned and periodic intervals; therefore the robustness and security of customer data is not compromised.

Organizational Cultural Change:

ISO/IEC 27001 significantly improves the organizational culture, as the roles, responsibilities, and accountabilities of each person are defined. Furthermore, there are written policies and procedures and a systematic way of doing any operation within the organization.

Case Study 01

Canva Pty Ltd is a leading graphic design and publishing platform based in Australia. Canva provides a graphic design tool that is easy to use and comes with an abundance of pre-built designs and templates to facilitate the design process [10].

Privasec, who had already worked with several tech giants, was no stranger to the Canva way of working and understood well its values, culture and the importance of implementing a solution which preserved them. Beyond its proven track record of implementing ISMSs certified to ISO 27001, Canva chose to work with Privasec because of its cultural fit, flexibility, and the shared ideology of achieving security and risk management outcomes without hindering business growth [10].

- Canva implemented an ISMS specifically designed to best meet its ways of working and its ever-changing organisation;
- Canva achieved certification to ISO 27001. Privasec acted on behalf of Canva through the certification process;
- Canva successfully set up a team of security champions across the different group functions, ensuring all key business stakeholders are involved and are having conversations about security.

ISO 27001 Clauses 4 to 10 prescribe the minimum requirements of the ISO 27001 standard for the establishment of an Information Security Management System (ISMS). It follows the continuous improvement cycle, Plan-Do-Check-Act (PDCA), which an organisation must establish in order to go through certification [8].

Plan – Identify risks to the Confidentiality, Integrity and Availability (CIA) of assets

Do – Put relevant controls in place

Check – Audit the implementation for efficiency and effectiveness

Act – Improve ineffective or inefficient controls

To design the best possible system, Privasec begins by understanding the business environment, business objectives, constraints, values and culture. Privasec then conducts an initial information risk assessment to identify the actions and priorities for managing information security risks. This highlights major gaps and areas for improvement, which allows Privasec to create an associated and tailored risk treatment plan. Lastly, Privasec helps its clients to remediate their gaps and executes an internal audit program to report on security control effectiveness and the progress of risk remediation, and provides assurance back to the business for review and action [10].

Case Study 02:

Fredrickson is the leading liability collection organization which save its repute by implementing

and certifying the ISO/IEC 27001. Its customers have the following objectives to do business

with the Fredrickson: [11]

 Independent assessment of the efficacy of information security procedures and policies

 Client and regulatory oversight of information security measures has been reduced

 To get more businesses by passing more pre-qualification

 Increase the credibility and trust of the client

ISO/IEC 27001 certification has brought Fredrickson consistent growth, both organically and through new customer acquisition. A central government department, numerous well-known UK financial institutions, and several FTSE 100 corporations are among Fredrickson's clients because of its ISO/IEC 27001 certification. [11]

This is because clients and the public at large can now have complete trust in Fredrickson's information security measures and its management of their private details. Fredrickson has also noticed that the duration of third-party audits of its security procedures has been significantly shortened. [11]

Case Study 03

R.S. Software Ltd. is a global leader in the electronic payments industry. RS's key driver for seeking ISO 27001 registration was that, in addition to key clients requiring and expecting RS to demonstrate that it had a robust Information Security Management System in place, the company wanted to ensure that all risks and vulnerabilities had been properly addressed. [12]

Before RS implemented ISO 27001, its security controls addressed only certain aspects of IT or data security, leaving non-IT information assets less protected. After a gap analysis to help identify, manage, and minimize the range of threats to which information is regularly subjected, RS successfully implemented 132 of the 133 controls required by ISO 27001. [12]

RS identified a range of measures to ensure the confidentiality, integrity and availability of the information it needs to hold to carry out its business effectively. It was determined that these measures should be pragmatic, business-focused, risk-based, holistic, systematic, cost-effective and directed by the client's own standards. With this in mind, the company sought certification to the information security standard ISO/IEC 27001, which offers a comprehensive approach to information security. [12]

With ISO/IEC 27001, R.S. Software Ltd. can improve security for itself and its clients:

• 'Badge on the wall' proof of best practice to potential and existing clients
• Increased security awareness and buy-in among management and staff
• Enhanced security documentation and reporting

Recommendation

COVID-19 has changed the paradigm of office-based working within organizations: staff now prefer to work off-site instead of on-site, which has raised new information security issues. Off-site working also helps reduce an organization's overhead expenses, but at the cost of needing new policies such as remote-working data security. These policies and procedures are addressed by ISO/IEC 27001, but at present they are not properly implemented in practice. Therefore, further work is needed in these under-addressed areas in order to protect IT-related information. [8]

For any organization that wants to manage information security, it is recommended that it obtain ISO/IEC 27001 certification. This will not only help it win more market share and good customers but also give confidence to the organization's internal interested parties that a proper management system exists within the organization. [9]

Conclusion

ISO/IEC 27001 is the third most widely known and applied standard of the International Organization for Standardization (ISO). ISO/IEC 27001 covers the organizational context, planning, resources, personnel, and operations of any organization, together with the Plan-Do-Check-Act cycle. There is no doubt that ISO/IEC 27001 is a proven standard with ISMS risk management and ISMS controls which, if an organization truly implements them, reduce the chance of vulnerability significantly. [8]

ISO/IEC 27001 provides quality assurance of an organization's information security related services by targeting both physical and software-based resources. Therefore, for any organization that wants to secure its information and is willing to do business in a safer manner, ISO/IEC 27001 is a possible solution.

References

[1] Eurostat, "Digital economy and society statistics - enterprises." [Online]. Available: https://ec.europa.eu/eurostat/statisticsexplained/index.php?title=Digital_economy_and_society_statistics_-_enterprises#Access_and_use_of_the_internet

[2] A. Tanović and I. S. Marjanovic, "Development of a new improved model of ISO 20000 standard based on recommendations from ISO 27001 standard," in 2019 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 20-24 May 2019, pp. 1503-1508, doi: 10.23919/MIPRO.2019.8756843.

[3] G. Culot, G. Nassimbeni, M. Podrecca, and M. Sartor, "The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda," The TQM Journal, vol. 33, no. 7, pp. 76-105, 2021, doi: 10.1108/TQM-09-2020-0202.

[4] European Union. [Online]. Available: https://www.eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf

[5] A. Vance, M. T. Siponen, and D. W. Straub, "Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures," Information & Management, vol. 57, no. 4, p. 103212, 2020, doi: 10.1016/j.im.2019.103212.

[6] R. Saint-Germain, "Information security management best practice based on ISO/IEC 17799," Information Management Journal, vol. 39, no. 4, pp. 60-66, 2005. [Online]. Available: https://www.scopus.com/inward/record.uri?eid=2-s2.0-47549101192&partnerID=40&md5=9160e032b9666f21d125fd05d2a79513

[7] ISO, "The ISO Survey of Management System Standard Certifications 2019." [Online]. Available: https://www.iso.org/the-iso-survey.html

[8] ISO/IEC 27001:2018, Information Security Management System Standard.

[9] ISO/IEC 27002:2018, Information security controls.

[10] Privasec, ISO 27001 case study. [Online]. Available: https://privasec.com/wp-content/uploads/2021/08/ISO-27001-case-study.pdf

[11] BSI, ISO/IEC 27001 case study: Fredrickson International. [Online]. Available: https://www.bsigroup.com/globalassets/localfiles/en-hk/pdf/bsi-iso-iec-27001-case-study-fredrickson-international-en-uk.pdf

[12] Intertek, Ensuring information security with ISO 27001. [Online]. Available: https://www.intertek.com/business-assurance/ensuring-info-security-iso-27001/

Appendix

A. Risk Assessment Sheet

Risk Description | Threat Description | Vulnerability | Existing Control (ISO 27001) | Risk Rating | Risk Treatment Status | Controls Suggested

(Blank rows to be filled in during the assessment.)

B. Corrective Action Plan

CPA No. (to be filled by HOD): ___________

CPA Initiated by (Name): _________________________ CPA Initiated on (Date): __________

CPA Initiated due to (please tick the appropriate box below):

[ ] Non-Conformance  [ ] Complaint  [ ] Suggestion
[ ] Internal Audit   [ ] Any Other _________________________________

A. Description (to be filled by Initiator)

Signatures

[ ] Accepted  Marked to: ________________ Date: _______________

[ ] Rejected  MR: __________________

* If accepted, the ISO Coordinator marks it to the concerned department for analysis.

B. Root Cause Analysis

C. Proposed Corrective Action    Target Date: _______________

Name & Signatures
(Person who carried out Root Cause Analysis and Proposed Corrective & Preventive Action)

D. Verification by the ISO Coordinator/HOD for Implementation Effectiveness

Is Proposed Action Implemented: [ ] YES  [ ] NO    Is it Effective: [ ] YES  [ ] NO

Comments (if any):

CPA closing date: _______________    ISO Coordinator / HOD Sign: _____________________
