
IT SECURITY - ISO 27001 IT AUDIT

LABORATORY EXERCISE

Instructions
1. Read thoroughly and understand the given scenario.
2. Accomplish the IT Security Questionnaire Checklist for ISO 27001.
3. Based on the result of the checklist, recommend solutions (Controls) to prevent or
mitigate the IT security issues faced by the company.
4. Send your answer through e-mail: rhentecson.ccsict.isue@gmail.com

Scenario: A Retail Company Facing IT Security Issues

Company Overview
ABC Retail is a national retail chain that operates both brick-and-mortar stores and
an extensive online shopping platform. The company manages a wide range of customer
data, including payment information, personal details, and purchase histories. It employs
around 5,000 people and has an IT infrastructure that supports its operations, including
inventory management, customer relationship management (CRM), and point-of-sale (POS)
systems. However, ABC Retail has faced IT security issues. Its IT security framework
is outdated and fragmented. The company has implemented basic security measures, such
as firewalls, antivirus software, and password policies, but lacks a comprehensive and
integrated approach to information security.

Recently, ABC Retail experienced a significant security breach. Cyber attackers
infiltrated the company's network through a phishing email that targeted an employee in
the finance department. The email contained a malicious link that, once clicked, installed
malware on the employee's computer. This malware provided the attackers with access to
the company's internal network, allowing them to do the following:

1. Extract sensitive customer data, including credit card information and personal
identifiers.
2. Inject malware into the POS systems, leading to fraudulent transactions and data
leakage.
3. Initiate a ransomware attack, encrypting critical data and demanding a ransom for
decryption keys.

These attacks led to the following immediate impacts:

1. The company is required to notify affected customers and regulatory bodies
about the breach, damaging its reputation and customer trust.
2. ABC Retail faces significant financial losses due to the ransom payment, loss
of business during downtime, and potential fines for non-compliance with
data protection regulations.
3. Business operations are severely disrupted as the IT team works to contain
the breach and restore systems from backups.

During the investigation, the following IT security issues were identified:

1. Inadequate Email Security. The phishing attack exploited weak email security protocols.
There was no advanced threat protection or robust spam filtering to prevent malicious
emails from reaching employees.
2. Lack of Employee Training. Employees were not adequately trained to recognize and
respond to phishing attempts, making them easy targets for social engineering attacks.
3. Insufficient Network Segmentation. Once inside the network, attackers moved laterally
with ease due to a lack of proper network segmentation, exposing critical systems and data.
4. Poor Incident Response Plan. The company lacked a robust incident response plan,
resulting in delayed detection and response to the breach.
5. Outdated Security Policies. Security policies were outdated and did not address the latest
threats or incorporate best practices for cybersecurity, and no IT Security Officer had been
assigned.

IT Security Questionnaire Checklist for ISO 27001 Compliance
ABC Retail Company

This checklist provides a comprehensive evaluation framework to determine if a company
like ABC Retail complies with ISO 27001 standards. Each question targets a critical aspect of
information security management, ensuring a holistic assessment of the organization's
security posture.

NAME ______________________________________________________________________

Section 1: Information Security Policy

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
1. Is there an established information security policy that has been approved by management? | |
2. Is the information security policy communicated to all employees and relevant external parties? | |
3. Is the information security policy reviewed regularly and updated as needed? | |

Section 2: Organization of Information Security

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
4. Are roles and responsibilities for information security clearly defined and assigned? | |
5. Is there a dedicated information security team or officer? | |
6. Are security responsibilities for managing third-party relationships clearly defined? | |

Section 3: Human Resource Security

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
7. Are background checks conducted for employees in sensitive positions? | |
8. Do employees receive regular information security training and awareness sessions? | |
9. Are there procedures for managing employees' exit or change of employment to ensure the return of assets and removal of access rights? | |

Section 4: Asset Management

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
10. Is there an up-to-date inventory of all information assets? | |
11. Are information assets classified according to their sensitivity and criticality? | |
12. Are there procedures in place for handling and labeling sensitive information? | |

Section 5: Access Control

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
13. Are access control policies documented and implemented? | |
14. Is access to information and information processing facilities restricted based on business needs? | |
15. Is multi-factor authentication used for accessing sensitive systems? | |
16. Are user access rights reviewed regularly? | |

Section 6: Physical and Environmental Security

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
17. Are physical security controls in place to protect facilities and data centers? | |
18. Are there controls to prevent unauthorized physical access to sensitive areas? | |
19. Is equipment protected from environmental threats and hazards? | |

Section 7: Operations Security

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
20. Are operating procedures documented and maintained? | |
21. Are changes to the IT environment controlled through a formal change management process? | |
22. Are antivirus and anti-malware solutions deployed and regularly updated? | |
23. Are backups performed regularly, and are backup restoration processes tested? | |

Section 8: Communications Security

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
24. Are networks adequately protected against threats (e.g., firewalls, IDS/IPS)? | |
25. Is sensitive information transmitted over networks encrypted? | |
26. Are agreements in place for the secure exchange of information with third parties? | |

Section 9: Information Security Incident Management

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
27. Is there an incident response plan in place? | |
28. Are employees aware of how to report information security incidents? | |
29. Are incidents logged, analyzed, and addressed in a timely manner? | |
30. Are lessons learned from incidents documented and used to improve the incident response process? | |

Section 10: Information Security Aspects of Business Continuity Management

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
31. Is there a business continuity plan that includes information security? | |
32. Are business continuity plans tested and updated regularly? | |

Section 11: Continuous Improvement

Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
33. Is there a mechanism for continuously monitoring and reviewing the effectiveness of the ISMS? | |
34. Are regular management reviews conducted to assess the performance and suitability of the ISMS? | |

SUMMARY OF AUDIT REPORT FINDINGS AND CONCLUSION
