ISO 27001 Assignment (02 Nov 2022)
Team Members
ABC
Contents
Abstract ... 3
Introduction ... 4
Requirements for ISO 27001 ... 6
1 Scope ... 7
2 Normative References ... 8
3 Terms and Definitions ... 8
4 Context of the Organization ... 9
4.1 Internal and External Issues of the Organization ... 9
4.2 Needs and Expectations of Interested Parties ... 9
5 Leadership ... 11
5.1 Leadership Commitment ... 11
5.2 ISMS Policy ... 11
5.3 Roles and Responsibilities ... 12
6 Planning ... 13
6.1 Information Security Risk Assessment and Control Measures ... 13
6.1.1 Identification of Business Process ... 15
6.1.2 Business Impact Analysis Initiation ... 15
6.1.3 Performing Asset Valuation ... 15
6.1.4 Determining Risks ... 15
6.1.5 Performing Risk Assessment ... 16
6.1.6 Risk Treatment ... 16
6.1.7 Follow-up ... 17
6.2 ISMS Objectives Development and Planning ... 17
7 Support ... 19
7.1 ISMS Resources Provision ... 19
7.2 ISMS Competence ... 19
7.3 ISMS Awareness ... 19
7.4 ISMS Communication ... 20
7.5 ISMS Documentation ... 21
7.5.1 Levels of Documents ... 21
7.5.2 Document Coding Scheme ... 21
Page 1 of 40
7.5.3 Document Preparation, Review and Approval ... 22
7.5.4 Access and Disposal of Obsolete Documents and Retained Records ... 22
8 Operation ... 23
8.1 ISMS Operational Planning and Controls ... 23
9 Performance Evaluation ... 24
9.1 ISMS Monitoring and Measurement ... 24
9.2 ISMS Audits ... 24
9.3 ISMS Management Review ... 24
10 Improvement ... 25
10.1 ISMS Non-Conformity and Corrective Action ... 25
Benefits of Implementing ISO/IEC 27001 ... 26
Case Study 01 ... 28
Case Study 02 ... 30
Case Study 03 ... 31
Recommendation ... 32
Conclusion ... 33
References ... 34
Appendix ... 36
Abstract
security management system (ISMS) have been summarized and briefly discussed. The Annexure SL
structure of ISO/IEC 27001 makes it easier to integrate with other management system
standards. The ten clauses of ISO/IEC 27001, including scope, normative references, terms and
improvements are also part of this document. Furthermore, recommendations and case
Introduction
operate, arrange production, provide services, and communicate internally and with
clients [1]. The development of information technology and its integrated applications in
different sectors, including health care, banking, manufacturing and services, has raised
concerns about information technology security issues [2]. Similarly, emerging
information technologies and Industry 4.0 applications have a number of access points through
which any IT network could be compromised [3]. In recent years, the European Union
connected problems. These expressly emphasize the importance of certifications and guidelines
address the progressively complex challenges of information system security (ISS), holistic
judgments between security and legal compliance in addition to cost and operations [5].
In the midst of increasing economic and legal challenges, businesses must increasingly take
adequate measures to secure their data assets and include this issue in their strategic
management [6]. The information security management system (ISMS) protects information
assets and offers a systematic method for risk management. As a result, it assists businesses in
meeting their own data security objectives in addition to those of their customers, as well as in
complying with legal data security obligations. As an international standard for this type of
ISMS, ISO/IEC 27001 "has been developed to specify requirements for developing, operating,
maintaining, and steadily improving an information security management system" (ISO/IEC
27001:2013). ISO/IEC 27001 is widely regarded as the most important global standard for the
management of information security [3]. With 36,362 valid certifications at 68,930 sites,
ISO/IEC 27001 ranks third globally among the most often used management system standards,
trailing ISO 9001 for quality management (ranked first with over 900,000 valid certificates) and
ISO 14001 for environmental management [7]. Given the increasing importance of information
security, these statistics show that dissemination is still slow despite the high ranking.
Sector statistics from the ISO survey of certified firms worldwide show that
Requirements for ISO 27001
The ISO 27001 standard is based on the Plan Do Check Act (PDCA) principle. An organization needs
to define its scope of work, and the documentation and implementation of the information
security management system (ISMS) are then developed based on that scope. ISO 27001 has ten
clauses in total, which need to be considered for its implementation in any organization [8].
A schematic illustration of these clauses is given in Fig. 1.
Fig. 1. The ten clauses of ISO/IEC 27001: Scope; Normative References; Terms and Definitions; Context of the Organization; Leadership; Planning; Support; Operation; Performance Evaluation; Improvement.
1 Scope
Boundaries include all organization sections and sub-sections which are inter-related
with each other. Similarly, where an organization has more than one operational site,
these operational sites should also be defined in the scope of work, as in Fig. 2, which
illustrates Sites A, B, and C. The scope of the organization also covers the context of
Fig. 2. Organization scope with its IT function and Sites A, B, C and D.
2 Normative References
ISO/IEC 27001 draws many sections from different literature or previously published
standards. Therefore, references to the previously published work or standards are
cited in the standard. These references are given to get more clarification or
References include:
3 Terms and Definitions
In the standard's wording, the meanings of English words differ from dictionary
vocabulary. In particular, these words carry meaning with reference to the context of
their usage. For example, the word ‘shall’ represents a mandatory requirement; similarly,
other wording which is specific to any organization is also defined here. For example:
Audit
Corrective Actions
Process
Access Control
4 Context of the Organization
Context is the theme or circumstances which define the nature of the organization's working.
In the latest version, ISO/IEC 27001:2013, the standard structure has been changed to
Annexure SL. In the revised version of Annexure SL, the organizational context needs to be
defined [8].
4.1 Internal and External Issues of the Organization
This context is defined considering internal and external issues. These
Organization Strengths
Weaknesses
Opportunities
Threats
Political Issues
Economic Issues
Social Issues
Technological Issues
All of these issues need to be addressed or considered in the context of the organization.
4.2 Needs and Expectations of Interested Parties
In the context of the organization, the needs and expectations of interested parties also need to be
Services or Product Quality
Timelines
systems. The areas or parts of the organization in which this ISMS will be implemented are
thoroughly defined in section 1 of this document [8]. But while defining the scope of work
aspect
5 Leadership
5.1 Leadership Commitment
Improvement is driven from the top down in any organization. It is the commitment of the top
management which makes the management system more progressive and brings improvement
commitment is the utmost requirement for the true implementation of the system within
5.2 ISMS Policy
The overall intention and direction of the top management related to the ISMS should be defined
by the top management of the organization [8]. The ISMS policy should be:
The ISMS policy should be available and communicated to all interested parties. A sample of the ISMS
Company XYZ is dedicated to providing operational security at its facility and operations by
Protection from malware or any other unwanted software shall be ensured by installing firewalls
Physical security of the IT and utility resources shall be ensured by monitoring and
Backups of critical as well as non-critical data shall be taken and stored at separate
locations
Security testing shall be done at defined periods in order to identify vulnerabilities
All breaches and potential vulnerabilities found shall be resolved; otherwise the use of such
Operational audits shall be performed at defined intervals to check the level of
implementation
5.3 Roles and Responsibilities
For better implementation of any management system within the organization, proper roles
and responsibilities within the organization need to be defined. Roles and responsibilities of
personnel should be defined based on the nature of their work [8]. These roles and responsibilities
Responsibilities
Authorities
Accountabilities
6 Planning
Risk is defined as the preventive approach to any vulnerability within the organization.
ISMS related risks are identified by defining risk management techniques [9]. Risk
management also follows the Plan Do Check Act (PDCA) cycle as given in Fig. 3.
Fig. 3. Risk management cycle: Risk Identification; Risk Categorization; Risk Treatment; Risk Control Measures.
6.1 Information Security Risk Assessment and Control Measures
Risk Identification:
ISMS related risks are identified based on the organization's scope and context. For this, all
Risk Categorization:
ISMS related risks are categorized based on a risk matrix, mostly in the form of high, medium and
low risks.
Risk Control Measures:
ISMS related risk control measures are recommended and implemented to reduce the risk to an
acceptable level.
Fig. 4. Risk Flow Diagram
Figure 4 shows the sample process flow diagram for ISMS risk assessment which has been
6.1.1 Identification of Business Process
Business Impact Analysis is performed against all the processes running in the organization. For
this purpose, a Risk Management sheet is developed. Identify all departments and the processes
related to them.
6.1.2 Business Impact Analysis Initiation
Initiate the business impact analysis by following contractual obligations and client requirements
and needs. Determine the maximum allowable downtime to recover the process or service.
Choose the most appropriate downtime limit based on the business or client requirements of the
process.
6.1.3 Performing Asset Valuation
Asset valuation is prioritized for assets involved in Critical and Important
processes. Assess Asset: choose the Process (priority is given to processes deemed Critical,
6.1.4 Determining Risks
Risk assessment is performed for assets valued at Critical and Important. Identify the Asset
Type and determine the Threat, identifying it under the specified column using Annexure A.
A threat is an act, event or thing which may exploit the corresponding vulnerability to create
Determine the Vulnerability of the assigned asset which might be exploited by the selected
Threat. Vulnerabilities are weaknesses of an asset which might be exploited by a threat and
6.1.5 Performing Risk Assessment
Describe the risks under Risk Description which may affect the business process and the asset
being assessed. The Risk must be created from the combination of the Threat and
Vulnerability chosen. One combination of Threat and Vulnerability might lead to more than one
Risk.
6.1.6 Risk Treatment
Risk Treatment is decided on the basis of the Risk Rating, while making sure that the Residual Risk
Risks are accepted for Assets valued at Normal. Risks rated Minor are accepted. Using the
Choose a Custom Control if the listed controls do not include the required risk
treatment measure
Select No Control Required if the Risk Rating is already Minor (no Risk Treatment is
required).
6.1.7 Follow-up
Based on the Target Date assigned, follow up with the Risk Owners and concerned persons to
The output of the Business Impact Analysis, Asset Valuation, Risk Assessment and Risk
Treatment activities is reviewed annually. Designated Risk Owners ensure that Risk treatments
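The decision rules of steps 6.1.2 to 6.1.7 above, worked through in code: BIA downtime drives asset valuation, a threat/vulnerability pair gets a rating, the rating and valuation select the treatment, residual risk is checked, and open treatments past their target date are listed for follow-up. This is an added example, not part of the assignment; the downtime thresholds, the 3x3 rating matrix, the control catalogue (standing in for the Annexure A list) and the register rows are all constructed for illustration.

```python
"""Worked example of the section 6.1 risk assessment and treatment flow.
Added example, not the assignment's own material: valuation thresholds,
rating matrix, control catalogue and register rows are constructed."""
from dataclasses import dataclass
from datetime import date


# Assumed valuation from the BIA maximum allowable downtime (hours).
def asset_value(max_downtime_hours: int) -> str:
    if max_downtime_hours <= 4:
        return "Critical"
    if max_downtime_hours <= 24:
        return "Important"
    return "Normal"


# Assumed risk matrix: likelihood (1-3) x impact (1-3) -> rating label.
def rate(likelihood: int, impact: int) -> str:
    score = likelihood * impact
    if score <= 3:
        return "Minor"
    if score <= 4:
        return "Medium"
    return "Major"


ACCEPTABLE = "Minor"  # residual risk must come down to this rating

# Constructed control list standing in for the Annexure A references:
# threat -> (control id and title, assumed likelihood reduction).
CONTROLS = {
    "malware": ("CTRL-01 Malware protection and patching", 2),
    "theft of media": ("CTRL-02 Off-site media storage and encryption", 1),
}


@dataclass
class Risk:
    rid: str
    asset: str
    max_downtime_hours: int   # from the BIA of the owning process
    threat: str
    vulnerability: str
    likelihood: int           # 1..3
    impact: int               # 1..3
    target_date: date
    closed: bool = False


def treat(risk: Risk) -> dict:
    """Apply the 6.1.3 to 6.1.6 decision rules to one register row."""
    value = asset_value(risk.max_downtime_hours)
    rating = rate(risk.likelihood, risk.impact)
    row = {"id": risk.rid, "value": value, "rating": rating,
           "control": None, "residual": rating, "residual_acceptable": True}
    # Assets valued Normal and risks rated Minor are accepted as they are.
    if value == "Normal":
        row["treatment"] = "Accept (asset valued Normal)"
        return row
    if rating == "Minor":
        row["treatment"] = "No Control Required"
        return row
    # Otherwise pick a listed control, or a custom one if none fits.
    if risk.threat in CONTROLS:
        control, reduction = CONTROLS[risk.threat]
        row["treatment"] = "Apply listed control"
    else:
        control, reduction = "Custom Control (to be defined by Risk Owner)", 0
        row["treatment"] = "Custom Control"
    row["control"] = control
    residual_likelihood = max(1, risk.likelihood - reduction)
    row["residual"] = rate(residual_likelihood, risk.impact)
    # The text requires residual risk to be acceptable; flag rows that are not.
    row["residual_acceptable"] = row["residual"] == ACCEPTABLE
    return row


def follow_up(register: list, today: date) -> list:
    """6.1.7: ids of open treatments whose target date has passed."""
    return [r.rid for r in register if not r.closed and r.target_date < today]


# Constructed register rows and review date.
REGISTER = [
    Risk("R1", "Payment gateway", 2, "malware", "unpatched web server", 3, 3, date(2023, 3, 31)),
    Risk("R2", "Visitor log book", 72, "theft of media", "kept at reception", 2, 2, date(2023, 3, 31)),
    Risk("R3", "HR file server", 12, "power failure", "no UPS", 1, 2, date(2023, 3, 31)),
    Risk("R4", "Source code repository", 4, "insider misuse", "shared admin account", 2, 2, date(2023, 1, 31)),
]
REVIEW_DATE = date(2023, 2, 15)

if __name__ == "__main__":
    for r in REGISTER:
        print(treat(r))
    print("overdue:", follow_up(REGISTER, REVIEW_DATE))
```

Row R4 shows the case the text warns about: no listed control fits, so the custom control leaves the residual rating above the acceptable level and the row stays open for follow-up.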
6.2 ISMS Objectives Development and Planning
ISMS objectives are derived from the ISMS policy defined by the
organization. The policy acts as a benchmark for objectives, which should be specific, measurable,
Figure (SMART Objectives): Specific; Measurable; Realistic; Timely Bounded.
“To get the XYZ facility certified to ISO/IEC 27001 by Dec 2023 by a 3rd party
“To provide at least 15 hours of Information Security Management System related training
7 Support
finance, personnel, assets, etc. are required. These resources are provided by
7.2 ISMS Competence
Competent personnel resources are also an asset of the organization, which play an
competences, through different trainings, supervised working, and similar ways.
7.3 ISMS Awareness
The awareness cycle starts from a training needs assessment related to the information
security management system (ISMS). The awareness of newly hired and existing employees
is increased through different trainings, physical demonstrations, etc.
The training needs assessment of these employees is done by their immediate in-charge.
Based on the training needs assessment, a training plan is developed. According to the training
plan, trainings are conducted and proper records of the trainings are maintained.
Finally, evaluation of the personnel based on the trainings is conducted [8].
Figure (ISMS awareness cycle): Training Needs Assessment; Training Plan; Training Execution; Training Evaluation.
7.4 ISMS Communication
procedures need to be shared with the relevant interested parties. For this purpose,
(sample communication matrix row) 3 | CSR | After receipt from customer/review | Employees | Controlled hard copies are shared, shared folder | Designation
7.5 ISMS Documentation
Document and record control is the most important part of ISO/IEC 27001 standard
implementation. Documents and records contain confidential or public information, all of which
needs to be properly handled [8]. Some organizations have categorized documents based on
confidential, and public. Documentation starts from the document level and then further it
7.5.1 Levels of Documents
The documents of the ISMS are categorized into four levels according to their nature.
7.5.2 Document Coding Scheme
The organization defines the document coding scheme based on the importance or level of the
documents.
7.5.3 Document Preparation, Review and Approval
Management needs to define which type of document will be approved by whom. For this
Level I: ORG, POL
Level II: System Procedure, SOP, WIs
Level III: JDs
Level IV: FRM
7.5.4 Access and Disposal of Obsolete Documents and Retained Records
Finally, document disposal is the part which needs to be handled properly. When
the retention period of records has expired, the validity and usefulness of the records are
verified. Then the documents are destroyed and the records shredded through a shredder in his /
8 Operation
8.1 ISMS Operational Planning and Controls
The organization's scope of work under the domain of the ISMS should be documented,
planned, and maintained. These operational controls are updated on a periodic basis. All operations
It starts from operational planning for risk control and continuously rotates in a cycle of
9 Performance Evaluation
9.1 ISMS Monitoring and Measurement
The performance of the implemented ISMS is evaluated with the application of
different techniques, including internal and external audits [9]. Performance is also evaluated
on an on-going basis.
9.2 ISMS Audits
An audit is a documented activity for cross-verification against the defined policies/procedures
Auditors’ selection
Audit Execution
Audit Reporting
Audit Results
Resources
10 Improvement
10.1 ISMS Non-Conformity and Corrective Action
Improvement is a never-ending process which is done based on the check phase. As
any non-conformity is highlighted. For improvement purposes, different organizations
have a number of strategies, but the most adopted strategy is to fill in a corrective action plan (CAP) in
which proper root cause analysis is done. A sample of the corrective action plan has
Problem Statement
Finally, the CAP is closed after verification of the corrective action status.
Benefits of Implementing ISO/IEC 27001
ISO/IEC 27001 has many direct and indirect benefits for the organizations that adopt
Implementation of ISO/IEC 27001 reduces vulnerability risk because of the extensive
ISMS risk assessment, which is a mandatory part of ISO/IEC 27001 certification.
Furthermore, the control measures suggested by ISO/IEC 27002 also reduce ISMS risks [8].
ISO/IEC 27001 certification defines and documents all policies/procedures, which ultimately makes
ISO/IEC 27001 certification increases the organization's worth: if any customer enters into
business terms with the organization, their information will be secured. Further, to
deal with organizations of good repute, it is one of the mandatory requirements that service
ISO/IEC 27001 increases the trust of customers because ISO/IEC 27001 integrity is
verified by a 3rd party at pre-planned and periodic intervals; therefore customer data robustness
Organizational Cultural Change:
ISO/IEC 27001 significantly improves the organizational culture, as roles, responsibilities, and
policies/procedures and a systematic way of doing any operation within the organization.
Case Study 01
Canva Pty Ltd is a leading graphic design giant and publishing platform based in Australia. Canva
provides a graphic design tool that is easy to use and comes with an abundance of pre-built
Privasec, who had already worked with several tech giants, was no stranger to the Canva way of
working and understood well its values, culture and the importance of implementing a solution
which preserved them. Beyond its proven track record of implementing ISMSs certified to
ISO27001, Canva chose to work with Privasec because of its cultural fit, flexibility, and the
shared ideology of achieving security and risk management outcomes without hindering
Canva implemented an ISMS specifically designed to best meet its ways of working and
Canva achieved certification to ISO27001. Privasec acted on behalf of Canva through the
certification process;
Canva successfully set up a team of security champions across the different group
functions, ensuring all key business stakeholders are involved, and are having
ISO 27001 Clauses 4 to 10 prescribe the minimum requirements of the ISO 27001 standard for
Plan – Identify Risk to the Confidentiality, Integrity and Availability (CIA) of assets
To design the best possible system, Privasec begins by understanding the business
environment, business objectives, constraints, values and culture. Privasec then conducts an
initial information risk assessment to identify the actions and priorities for managing
information security risks. This highlights major gaps and areas for improvement, which allows
Privasec to create an associated and tailored risk treatment plan. Lastly, Privasec helps its
clients to remediate their gaps and executes an internal audit program to report on security
control effectiveness and progress of risk remediation, and provides assurance back to the business
Case Study 02:
Fredrickson is a leading liability collection organization which safeguards its reputation by implementing
and certifying to ISO/IEC 27001. Its customers have the following objectives in doing business
Client and regulatory oversight of information security measures has been reduced
ISO/IEC 27001 certification has brought Fredrickson consistent growth, both naturally and
UK financial institutions and several FTSE 100 corporations are among Fredrickson's clients
This is because clients and the public at large can now have complete trust in Fredrickson's
information security measures and the management of their private details. Fredrickson has
also noticed that the time taken for third-party audits of its security procedures has been significantly
shortened [11].
Case Study 03
R.S. Software Ltd. is a global leader in the electronic payments industry. RS’s key driver for
seeking ISO 27001 registration was that, in addition to the fact that key clients required and
place, the company wanted to ensure that all risks and vulnerabilities had been properly
addressed [12].
Before RS implemented ISO 27001, its security controls addressed only certain aspects of IT or data
security, specifically leaving non-IT information assets less protected. After a gap analysis to
help identify, manage, and minimize the range of threats that information is regularly subjected
to, RS successfully implemented 132 of the 133 controls required by ISO 27001 [12].
information it needs to hold to carry out its business effectively. He was determined that these
and directed by the client’s own standards. With this in mind, the company sought certification
to the information security standard ISO/IEC 27001, which offers a comprehensive approach to
R.S. Software Ltd can improve security for itself and its clients
‘Badge on the wall’ proof of best practice to potential and existing clients
Recommendation
COVID-19 has changed the paradigm of office-based working within any organization; now
staff prefer to work off-site instead of on-site, which has also raised some new issues related to
information security. This off-site working also helps to reduce the overhead expenses of
any organization, but at the cost of new policies such as remote working data security. These
policies and procedures are also addressed by ISO/IEC 27001, but currently their
application is not properly implemented. Therefore, there is a need to work more in these black
box areas in order to protect the security of IT related information [8].
For any organization which wants to work on information security, it is recommended that
such an organization obtain ISO/IEC 27001 certification, which will not only help it to get
more market share and good customers but also provide confidence to the organization's internal
interested parties that a proper management system exists within the organization [9].
Conclusion
ISO/IEC 27001 is the 3rd most famous and applied standard of the International Organization for
Standardization (ISO). ISO/IEC 27001 covers the organizational context, planning, resources,
personnel, and operations of any organization along with the plan, do, check, act cycle. There is no
doubt that ISO/IEC 27001 is a proven standard with ISMS risk management and ISMS controls
which, if truly implemented by an organization, reduce the chances of vulnerability
significantly [8].
ISO/IEC 27001 provides quality assurance of the information security related services of an
organization which wants to secure information and is willing to do business in a safer manner
References
[1] eurostat. Digital economy and society statistics - enterprises [Online]. Available:
https://ec.europa.eu/eurostat/statisticsexplained/index.php?title=Digital_economy_and_society_statistics_-_enterprises#Access_and_use_of_the_internet
[2] A. Tanović and I. S. Marjanovic, "Development of a new improved model of ISO 20000
and Microelectronics (MIPRO), 20-24 May 2019, pp. 1503-1508, doi:
10.23919/MIPRO.2019.8756843.
[3] G. Culot, G. Nassimbeni, M. Podrecca, and M. Sartor, "The ISO/IEC 27001 information
The TQM Journal, vol. 33, no. 7, pp. 76-105, 2021, doi: 10.1108/TQM-09-2020-0202.
cyber-security/cybsec_comm_en.pdf
[5] A. Vance, M. T. Siponen, and D. W. Straub, "Effects of sanctions, moral beliefs, and
https://doi.org/10.1016/j.im.2019.103212.
[6] R. Saint-Germain, "Information security management best practice based on ISO/IEC
17799," Information Management Journal, vol. 39, no. 4, pp. 60-66, 2005. [Online]. Available:
https://www.scopus.com/inward/record.uri?eid=2-s2.0-47549101192&partnerID=40&md5=9160e032b9666f21d125fd05d2a79513.
[7] ISO. The ISO Survey of Management System Standard Certifications 2019 [Online]. Available:
https://www.iso.org/the-iso-survey.html
[10] https://privasec.com/wp-content/uploads/2021/08/ISO-27001-case-study.pdf
[11] https://www.bsigroup.com/globalassets/localfiles/en-hk/pdf/bsi-iso-iec-27001-case-study-fredrickson-international-en-uk.pdf
[12] https://www.intertek.com/business-assurance/ensuring-info-security-iso-27001/
Appendix
A. Risk Management Sheet (column headings): Risk Description | Threat | Vulnerability | Existing Control (ISO 27001) | Risk Rating | Risk Treatment Status | Controls Suggested | Description
B. Corrective Action Plan
CPA No. (to be filled by HOD): ___________
Signatures
(Person who carried out Root Cause Analysis and Proposed Corrective & Preventive Action)