Furqan ISMS Lo1 and Lo2
Information Security Management System (ISMS).
ASSIGNMENT # 1
Submitted By: Furqan Ali.
Submitted To: Ch Waqas Ahmed.
Contents
LO1
P1
LO1:
P1:
What is an Information Security Management System (ISMS)?
An organization implements ISMS procedures, guidelines, and protocols to protect sensitive
data and prevent unauthorized access or destruction.
The collection of ISMS guidelines protects critical information assets and other sensitive
resources that belong to an organization; when an organization implements an ISMS, it
significantly reduces the risk of data breaches, limits its liability in case of a breach,
and decreases the effect of any security incidents.
Fundamental principles of ISMS.
Every organization has its own critical and essential data related to its business and
employees, which it wants to be secured from every threat, hack, or bug. Therefore, every
company has installed an Information Security Management System; an ISMS that includes a
security policy is the best approach to help an organization manage its information security.
Confidentiality:
Confidentiality is the first critical principle of ISMS. Confidentiality is central to an ISMS:
it blocks unauthorized access, use, disclosure, or destruction of sensitive information. This
information category includes trade secrets, financial data, and personal information crucial
to a business’s operation and reputation. For example, consider a large firm that manages
private client information, such as credit card numbers or medical records; that information
must be protected from prying eyes and accessible only to authorized individuals. Several
methods, like access limitations, data encryption, and staff awareness training, can be used
to achieve this.
Integrity:
Integrity is a crucial feature of Information Security Management Systems (ISMS) that
ensures sensitive data is not modified or removed without authorization. Financial
transactions, client records, and other information necessary to a firm’s operation may be
included. To secure its data from unauthorized change or destruction, a small firm that
handles financial transactions must use access limits, backups, and security methods such as
digital signatures or checksums. These approaches must be validated and examined regularly
to ensure their effectiveness and identify weaknesses. Any firm dealing with sensitive data
must protect it to ensure its integrity and security.
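As an added illustration of the integrity controls named above (this code is not part of the assignment), a keyed HMAC tag over a transaction record detects an unauthorized change even when the person making the change recomputes a plain checksum; the key, record and ledger are constructed sample values.

```python
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Serialise deterministically so equal records always give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256: catches accidental corruption, but anyone who can edit the
    record can also recompute it, so it does not detect deliberate tampering."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag: producing a valid tag requires the secret key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(sign(record, key), tag)


def audit_ledger(ledger: list, key: bytes) -> list:
    """Ids of records whose stored HMAC tag no longer matches their content."""
    return [e["record"]["id"] for e in ledger if not verify(e["record"], e["tag"], key)]


def demo() -> dict:
    key = b"constructed-demo-key"  # a real key belongs in an HSM or secret store
    tx = {"id": "TX-0001", "account": "ACC-42", "amount": 250.0, "currency": "USD"}
    ledger = [{"record": tx, "tag": sign(tx, key), "sum": checksum(tx)}]
    # Simulated unauthorised edit: the amount is changed and the unkeyed checksum
    # is recomputed by the same party, which a checksum-only check cannot see.
    edited = dict(tx, amount=25000.0)
    ledger[0]["record"] = edited
    ledger[0]["sum"] = checksum(edited)
    return {
        "checksum_verifier_ok": ledger[0]["sum"] == checksum(ledger[0]["record"]),
        "hmac_verifier_ok": verify(ledger[0]["record"], ledger[0]["tag"], key),
        "flagged": audit_ledger(ledger, key),
    }
```

Running `audit_ledger` on a schedule is the "validated and examined regularly" step: it reports which records fail, so the review can focus on them.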
Availability:
The availability of sensitive information in the context of an ISMS refers to keeping it
available and accessible to authorized users. It is critical for organizations that rely on IT
systems to function because it guarantees that systems and data are constantly accessible to
authorized employees. Redundancy, backups, disaster recovery plans, access restrictions,
firewalls, and intrusion detection systems can help businesses achieve this. These procedures
must also be tested and monitored regularly to uncover any weaknesses. It is vital to
safeguard availability to guarantee business continuity and avoid disruptions to critical
activities.
Management commitment:
This clause identifies specific aspects of the management system where top management is
expected to demonstrate leadership and commitment. These include but are not limited to:
Continuous improvement:
A large part of running an information security management system is to see it as a living and
breathing system. Organizations that take improvement seriously will be assessing, testing,
reviewing, and measuring the performance of the ISMS as part of the broader business-led
strategy, going beyond a ‘tick box’ regime.
There are several mechanisms already covered within ISO 27001 for the continual evaluation
and improvement of the ISMS including:
Risk assessment and treatment – ongoing
Objectives monitoring, measurement, and evaluation – ongoing
Internal audits – ongoing
Management reviews – ongoing
Nonconformities and corrective actions – ongoing
Internal controls:
Businesses must develop and maintain proper internal controls to keep track of and
respond correctly to the multiplicity of information security hazards their
organizations face.
Compliance:
The objective is to avoid breaches of legal, statutory, regulatory or contractual
obligations related to information security and any security requirements. It’s an
essential part of the information security management system (ISMS).
Documentation:
The ISMS should include essential documentation in the form of policies, processes,
and records to back it up.
Communication:
Organizations must create effective communication channels to ensure all essential
stakeholders understand their roles in deploying and maintaining the information
security management system (ISMS).
Asset management:
An effective information management system is necessary for systematically
cataloging, categorizing, and managing an organization's information assets and
assuring those assets' security.
Compliance:
An ISMS policy helps the organization to comply with legal and regulatory requirements
related to information security, such as the General Data Protection Regulation (GDPR) or
the Health Insurance Portability and Accountability Act (HIPAA).
Increased Security:
An ISMS policy establishes a set of security controls that can help to reduce the likelihood
and impact of security incidents, such as data breaches.
Improved Reputation:
An ISMS policy helps to demonstrate to customers, partners, and other stakeholders that the
organization takes information security seriously.
Increased Efficiency:
An ISMS policy provides a framework for the efficient management of information security,
reducing duplication of effort and ensuring that resources are allocated effectively.
Cost Savings:
An ISMS policy can help to reduce the costs associated with security incidents, such as data
breaches, by identifying and addressing risks before they materialize.
Continuous Improvement:
An ISMS policy provides a mechanism for ongoing review and improvement of the
organization's information security practices.
Improved Communication:
An ISMS policy helps to facilitate communication about information security issues and
practices across the organization, increasing awareness and understanding of security risks
and controls.
Competitive Advantage:
An ISMS policy can provide a competitive advantage by demonstrating to customers and
partners that the organization takes information security seriously and has a robust approach
to managing it.
Implementing an ISMS will help Sovereign Technologies identify and manage information
security risks and build appropriate controls to protect sensitive data and satisfy ISO 27001
certification standards. A staff awareness and training session would also help them
understand the importance of information security and their role in protecting sensitive
information. This ensures that all employees know the potential hazards and dangers
associated with their jobs and are prepared to respond appropriately in emergencies.
Continuous Monitoring:
ISMS allows sovereign technology systems to conduct regular vulnerability assessments and
continuous monitoring to identify and mitigate potential security threats.
Increased Resilience:
By implementing ISMS, sovereign technology systems can improve their resilience to cyber-
attacks and ensure that they can continue to operate in the face of disruptions.
Cost-Effective Security:
ISMS helps in optimizing the use of resources for securing sovereign technology systems,
making it a cost-effective approach.
Increased Trust:
ISMS provides a framework for implementing effective security measures, which can help
build trust with stakeholders and partners who rely on sovereign technology systems.
Improved Performance:
By reducing security risks and vulnerabilities, ISMS can improve the performance of
sovereign technology systems, making them more efficient and effective.
Competitive Advantage:
By implementing ISMS, sovereign technology systems can differentiate themselves from
competitors by demonstrating their commitment to security and compliance.
Continuous Improvement:
ISMS emphasizes continuous improvement in security practices, which ensures that
sovereign technology systems can adapt to evolving security threats and maintain a high level
of protection over time.
LO2:
P2: Processes & Procedures for Establishing and Maintaining an ISMS
An Information Security Management System (ISMS) is a framework that helps
organizations protect their confidential data and information systems from cyber threats.
Implementing and maintaining an ISMS is crucial to any organization's security strategy.
Here is a critical assessment of how an organization can implement and maintain an ISMS:
Regular evaluations and audits are used to monitor and assess security measures. This ensures
that the controls continue to function properly and that any defects are identified and rectified
as soon as possible.
Seek Certification:
The firm may pursue ISO 27001:2013 certification for its ISMS. An external audit is
necessary to determine whether the ISMS meets the standard’s requirements. Certification
assures stakeholders that the organization has a strong and successful ISMS in place.
M2:
To secure the organization's information assets from potential risks and threats, an
Information Security Management System (ISMS) must be built in a methodical and
complete manner. Cryptech was contracted by Sovereign Technologies to build and deploy
an ISMS to get ISO 27001 certification. Follow these steps to put an ISMS into action in the
real world:
implementation is done gradually to avoid disrupting day-to-day activities and that the
organization can respond to the changes.
7. Monitor and Review:
Finally, it must be monitored and revised to ensure that the ISMS remains suitable and
relevant. This includes conducting regular audits, reviewing policies and procedures, and
updating the ISMS architecture to deal with emerging threats and hazards. Cryptech must
work with Sovereign Technologies to continually improve the ISMS and adapt to the
organization's changing needs.
8. Internal Audits:
CrypTech will carry out internal audits at Sovereign Technologies to evaluate the
success of the Information Security Management System (ISMS) implementation and
adherence to all corporate policies and procedures.
CrypTech will advise on how to improve the ISMS and fix any issues that arise.
• Sovereign Technologies' information security management plan lays out the steps it
will take to safeguard its data.
• Details of the materials needed for employee training are required. CrypTech will
provide educational materials to help staff members understand the information
security policy and management approach.
1. Sovereign Technology's first business item is to assess its existing Information Security
Management System (ISMS) capabilities.
2. A list of the assets that must be protected, the business operations that rely on them, and
the stakeholders involved in those activities is created.
3. The ISMS would have to be altered to satisfy the requirements of Sovereign
Technology.
1. The analyst must conduct a risk assessment to determine the severity of potential threats
to the information security of Sovereign Technology.
2. To achieve the goal, it is necessary to study the potential risks the organization may face,
determine the severity of these risks, and estimate the possibility that these risks will
become a reality.
3. Sovereign Technology should develop a risk management plan to decrease risks.
1. Sovereign Technology must build effective control methods after recognizing and
analyzing potential dangers.
2. As part of the rollout, controls for both internal operations and external service
providers would be required.
1. Routine performance reviews on the ISMS are required for Sovereign Technology to
guarantee that it performs as planned.
2. Any necessary changes must be made to ensure it continues performing properly. This
includes duties such as:
a. Conducting internal audits.
b. Management reviews.
c. Regular control testing and assessment.
3. Metrics may be used to assess the effectiveness of Sovereign Technology's ISMS.
1. Sovereign Technology must provide awareness and training to ensure that all workers,
particularly those with information security responsibilities, know their responsibilities.
i. Employees,
ii. Contractors, and
iii. Third-party service providers.
2. An essential part of this would be education on proper security measures and methods
for storing personal information.
1. Frequent training sessions are required to ensure that all staff understand the importance
of information security and their roles in securing the firm.