

Anoop Parappully

Enterprise Risk Management (ITS-835-B01) - Second Bi-term

University of the Cumberlands

Professor Dr. Jimmie Flores

November 07, 2022



Introduction

In this research paper, I analyze the ISO framework, specifically ISO 27001, which safeguards organizational data methodically and cost-effectively. The following three topics are investigated and explained in this paper. First, I investigate whether or not ISO 27001 would work well in my current or previous organization, and analyze its effectiveness as we perceive it in the organization. Second, I discuss alternative frameworks to ISO 27001 and explore whether these frameworks are more effective than ISO 27001. Finally, I describe other frameworks that handle risks satisfactorily.

Do you think that the ISO 27001 standard would work well in the organization that you currently or previously have worked for? If you are currently using ISO 27001 as an ISMS framework, analyze its effectiveness as you perceive it in the organization.

An information security management system (ISMS) is a framework of policies and procedures for systematically governing an organization's sensitive information. It includes legal, physical, and technical controls, which are also part of the risk management process. An ISMS framework is introduced to reduce threats and guarantee business continuity, which is possible only by proactively limiting the impact of a security breach. ISO 27001 is the specification for an ISMS. ISO 27001 is officially known as "ISO/IEC 27001:2005". ISO 27001 provides a standard for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system.

Currently, I work for Applied Materials, which is a semiconductor manufacturing organization. In our organization, ISO 27001 is very important because of cyber-attacks. Its policies have equipped our organization with actionable details to determine information security standards and commitments that enhance our data security strategy. It can also be used as a guide in the future to resolve security breaches.

(Applied Materials Certifications)

(CERTIFICATE)

As per the certification, “Applied Materials Inc has implemented an Information Security Management System in accordance with ISO/IEC 27001:2013. This is for the scope of development, sales, manufacturing, services, and supporting processes to provide equipment and software to the Semiconductor Systems, Display, and Adjacent Markets. The certificate is valid from 2020-12-30 until 2022-11-14, subject to the successful completion of annual periodic audits.” (CERTIFICATE, p. 1)

Applied Materials implemented the latest version, ISO 27001:2013, in the organization. It is vital for the Information Security Management System (ISMS) because of the standards provided by ISO 27001. The main advantage of ISO 27001 is that it improves the ISMS and provides procedures to establish, operate, monitor, and maintain it. Across the board, ISO 27001 helps Applied Materials in the following areas:

- Protecting sensitive and personal data and information
- Adequate administration of threats to data protection
- Client and employee data protection
- Regulatory compliance management
- Reducing risk exposure by recognizing security problems
- Researching new industry demands as the business grows
- Creating products that are consistent with each other
- Fulfilling contractual requirements, since ISO 27001 compliance aligns with laws and regulations
- Implementing ISO 27001 is imperative wherever the confidentiality of data is vital.

Compliance management is implemented at Applied Materials as part of cyber security. It also guarantees that enterprise security measures align with the ISO 27001 standard. We follow a five-phase approach in our organization:



(Compliance Management in Organizations)

1. SCOPE DETERMINATION: In this phase the compliance team tries to understand the business strategies. This is done through many discussions with decision-makers to comprehend the business and the ISMS context.

2. GAP ANALYSIS: Security experts perform the gap analysis, which involves asset identification, existing control identification, and risk assessment. These professionals map out the security infrastructure of the business processes, both as it exists and as it is required. They make an action plan to close the gap wherever a deviation from the requirements is found.

3. IMPLEMENTATION: In this step, the organization's security experts implement the compliance controls. Each team involved receives a scope with a list of safety and access controls, communication channels, SOPs, etc. After this, an effectiveness review is performed to confirm the effectiveness of the rules introduced.

4. INTERNAL AUDIT: In this step, security experts confirm whether the implemented rules and procedures are being followed within the organization. These checks review the level at which ISO 27001 has been implemented and adopted in the organization; hence it is also known as the ISO 27001 pre-audit.

5. CERTIFICATION: This procedure is conducted by independent auditors, not the implementer. The security experts bring in the auditor for the certification process. Taking care of the end-to-end approach, from scope decision to certification, therefore simplifies the process for the customer.

Are there other frameworks discussed in the article that might be more effective?

Banking, IT, finance, and healthcare handle sensitive data. To illustrate the point, a recent study by the Federation of Small Businesses (FSB) revealed that only 2% of member enterprises are certified for Cyber Essentials or ISO 27001. Even more alarming, only 4% reported having an incident scenario. Most small companies do not have the power, resources, or expertise to achieve ISO 27001 or equivalent measures.

- Information Assurance for Small to Medium-sized Enterprises (IASME) is trying to address these issues. It is a management standard developed as a security standard for SMEs. IASME was formed in 2010 and is funded by the UK government. IASME supports institutions in assessing the maturity of their current data protection and guides them through implementing a data protection standard. It is a standard procedure that is not specific to any sector and is believed to be more affordable than ISO 27001, especially for SMEs.

The scope of IASME covers the following:

- Risk assessment and management
- Monitoring
- Change management
- Training and managing people
- Backup
- Incident response and business continuity

Note: IASME is a considerably more cost-effective method. Complete certification to ISO 27001 can cost up to $50,000. In contrast, IASME certification generally costs only a few hundred dollars, or up to $1,500.

- The National Institute of Standards and Technology (NIST) publishes a cybersecurity framework. This framework is relied upon for installing the various safety measures that the industry uses to address cyber security dangers ("NIST big data interoperability framework: Volume 4, security and privacy, version 2," 2018). The framework provides an excellent strategy for developing a cybersecurity program, which includes completing an initial review of the present state of the organization's data protection posture and of the protection level of the machines across the network. The results of this review are then integrated with the various activities mandated by the framework to ensure that the cybersecurity program is sufficiently customized to the industry's requirements and objectives (Lepofsky, 2014). Some of the immediate benefits of using this framework include alignment with strategic decision-making on risk management, which improves the industry's competitiveness.

NIST gives the industry confidence against cybersecurity threats when its policies and guidelines are complied with. NIST equips its users with a way to identify and evaluate risks, after which they have a clear picture of how to react to and reflect on incidents. The immediate advantages are defense against cyberattacks, malware, ransomware, and other cyber hazards. NIST and Cybersecurity Framework compliance cannot offer a complete security guarantee; they are procedures and policies for creating a better plan. The NIST resources are, however, unmatched in one respect. Enterprises always need to build extensive cybersecurity programs that apply continuous network monitoring, protection policies, and continuous training for workers.

Has any other research you uncovered suggested there are better frameworks to use for addressing risks?

There are different frameworks associated with ISO 27001, for example Certified Identity Management Professional (CIMP) and Certified Identity and Access Manager (CIAM). This discipline, one of the most important in the information security field, helps in managing user identities and their access to enterprise resources (Montasari & Hill, 2019). Professionals use it to support and promote programs that make data comfortably accessible through the organization's mechanisms while remaining appealing to users. The CIMP program is developed by professionals interested in resolving organizational tasks regarding project leadership obligations. It covers all the data in an organization and even assists in mapping corporate objectives to IT objectives. It is also used to disseminate the maturity standards used to estimate an organization's achievement (Monev, 2020).

One of the security frameworks is COBIT, the Control Objectives for Information and Related Technology. It is globally acknowledged as the most comprehensive product for IT governance, IT operations, and risk management (Youn, Nam, & Jo, 2020). COBIT is instrumental in presenting the collection of best practices and rules around IT, which allows the corporation to benefit significantly from IT decisions and mitigate potential risks. These days many organizations are pursuing digital transformation, and this is where COBIT 5 comes in. It assists organizations with digital transformation by enabling immediate and effortless responses to risks, disruptions, or changes. Employing technologies and techniques to the best of their knowledge and allowing businesses to succeed is the motto of digital transformation. Similarly, the introduction of COBIT has brought many beneficial changes in how IT teams work in an institution.



Conclusion

To conclude this research paper, organizations ought to implement ISO 27001 for the smooth administration of their other functions. The benefit of ISO 27001 in any organization plays a critical part in its success. For example, it discourages cyber-attacks and protects the privacy of both customers and suppliers. Furthermore, it improves the adequate transmission of contracts between diverse organizations. Globally, it proposes a methodical approach for the adoption and application of an ISMS in an organization. It permits institutions to evolve technically, which means that the organization is complete with ISO 27001 standards. The documentation of ISO 27001 supports the community and prevents data gaps, and it is an asset to the company's protection. The parts of the ISMS that correspond to ISO 27001 can be recognized. It is also employed to protect the business from disruption by using the ISMS strategy (Kobayashi et al., 2019).

References

Pires, A. (2021, July 9). Is IASME a viable alternative to ISO 27001 certification? LIFARS, a SecurityScorecard company. Retrieved November 6, 2022, from https://www.lifars.com/2021/07/is-iasme-a-viable-alternative-to-iso-27001-certification/

Impelsys. (2022, September 1). How does ISO 27001 improve an organization's ISMS. Impelsys. Retrieved November 6, 2022, from https://www.impelsys.com/blog/how-does-iso-27001-improve-organizations-isms/

Applied Materials. (n.d.). Certifications. Retrieved November 6, 2022, from https://www.appliedmaterials.com/us/en/corporate-responsibility/reports-and-policies/certifications.html

Joy, A. (2022, September 27). Understanding NIST compliance: Benefits & importance. Network Coverage. Retrieved November 6, 2022, from https://www.netcov.com/nist-compliance-its-benefits/#:~:text=The%20Benefits%20of%20Complying%20with%20NIST&text=The%20immediate%20benefits%20are%20protection,costs%20associated%20with%20security%20risks

Horvath, I. (2022, October 14). Benefits of COBIT 5 that help achieve digital transformation. Invensis Learning Blog. Retrieved November 6, 2022, from https://www.invensislearning.com/blog/benefits-of-cobit-5/

Dutta, P. (2021, June 18). The importance of ISO standards in organizations. Kratikal Blogs. Retrieved November 6, 2022, from https://kratikal.com/blog/organizations-need-iso-27001/#:~:text=Overall%2C%20ISO%2027001%20helps%20the,like%20GDPR%2C%20SOX%2C%20etc
