Desklib Logo

Organizational Readiness and Risk Assessment for ISO 27001:2013 Certification

Verified

Added on  2023/06/10

|9
|1054
|440
AI Summary
This article discusses the significance of assessing organizational readiness and performing risk assessment before applying for ISO 27001:2013 certification. It covers the process and schedule for risk assessment and the technical team involved. The article also explains the procedure for ISO/IEC 27001: 2013 certification.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.
Document Page
Running Head: Cyber Security
Cyber security
Name of the Student
Name of the University
Author note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.
Document Page
1Cyber Security
Table of Contents
Organizational readiness for the ISO 27001:2013 certification:.....................................................2
Risk assessment before the certification:.........................................................................................3
Risk assessment schedule:...........................................................................................................4
Internal technical team involved:.................................................................................................5
Procedure for ISO/IEC 27001: 2013 certification:..........................................................................6
References:......................................................................................................................................7
Document Page
2Cyber Security
Organizational readiness for the ISO 27001:2013 certification:
In order to make the ISO 27001:2013 certification effective for the organization and
ensure that the investment for the certification is a successful one, a formal assessment of the
organizational readiness is an important factor to consider, if not mandatory. It gives the
organization a fair idea whether it is ready for the certification or not. The topic of information
investment has become one of the major topic in the field of business investment and to derive
success from the investment has been the prime concern for the organizations (Luftman, 2015).
In order to make the investment successful, it is important to make sure that the business
strategies are properly aligned. Hence, it becomes necessary to assess and evaluate the Strategic
Alignment Maturity Levels from the perspective of the Corporate and Project Implementation. In
order to ensure the strategic alignment, the transition of focus from corporate level to project
level is necessary. Although the decision are taken at the corporate level, but the shift of focus at
the project implement level is necessary to achieve alignment at the project implementation
(Luftman & Kempiah, 2015). Project alignment is initiated with the corporate strategic
alignment, followed by the project alignment which makes the organization alignment strategy
successful.
Document Page
3Cyber Security
Risk assessment before the certification:
Risk assessment is an important factor to consider whenever any company wants to apply for
any certification in the relevant field the company is operating. The process of acquiring any IT
certification is a complex process and it is always important to perform through risk assessment
of the existing IT infrastructure for getting a clear picture about the strength of the infrastructure
to comply with the certification (Weinstein, 2016). It is an effective tool to understand the
internal as well as external security threat and whether the system is sufficient enough to mitigate
with the security threats and the vulnerabilities. Without proper risk assessment of the
information infrastructure, the process of acquiring the certification has little to no success
(Nilsen et al., 2017). Hence this process is very important and should be performed effectively
before applying for the certification. The process involves two important tasks:
Preparation of the schedule
Creation of the technical team for the assessment
TASKS DURATION
1. system documentation 20
1.1 boundary selection of system 5
1.2 record of system related information 3
1.3 documentation of system purpose 4
1.4 documentation of system security 8
2. determination of system risk 30
2.1 identification of threats 5

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.
Document Page
4Cyber Security
2.2 identification of vulnerabilities 5
2.3 Describe risks 5
2.4 identification of existing controls 3
2.5 determination of likelihood of occurrence 3
2.6 determination of severity of impact 5
2.7 determination of risk level 4
3. determination of safeguard 20
3.1 recommendation of controls with safeguards 8
3.2. determination of residual occurrence with controls and safe guard in
place
4
3.3 determination of the residual sensitivity and impact of the controls 4
3.4 determination of residual risk level 4
Document Page
5Cyber Security
Risk assessment schedule:
Document Page
6Cyber Security
Internal technical team involved:
Phase of the task Key people involved Description of the task
System
documentation
System
administrator
Technical
reviewer
System technical
owner
Risk assessment
manager
High-level documentation
Design of network diagram
Documentation of critical and sensitive
information
Review of the existing security policy with
reference to the overall system security
requirements
Risk determination System
administrator
Technical
reviewer
System technical
owner
Details explanation of the threats and
vulnerabilities
Review of risk with respect to the threats and
vulnerabilities
Assessment of the system controls
Review of the impact related to the identified
risks
Safeguard
documentation
System
administrator
Categorize the available and the planned
safeguards to mitigate the threat

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
7Cyber Security
System technical
owner
Technical
reviewer
System business
owner
Categorize the vulnerabilities with respect to
sensitivity and likelihood
Categorize the controls technique with
respect to the impact or the importance
plan for modification or identification of new
and improved safeguards if needed
Procedure for ISO/IEC 27001: 2013 certification:
In order to ensure that the organization and the associated information security
management system (ISMS) is compatible for the certification, the certification authority
performs a certification audit initially. The aim of the initial audit is to review that the ISMS of
the organization is as per the ISO 27001 standard and the organization operates in accordance
with policies, procedures and objective exclusive to the organization itself (Humphreys, 2016).
These reviews are generally performed within two to three months and the certification is
provided once all the standards and the requirements are properly met by the organization.
Document Page
8Cyber Security
References:
Humphreys, E. (2016). Implementing the ISO/IEC 27001: 2013 ISMS Standard. Artech House.
Luftman, J. (2015). Key Issues for IT Executives 2004. MIS Quarterly, 4(2), 269–286.
Luftman, J., & Kempaiah, R. (2015). An Update on Business-IT Alignment: A Line Has been
Drawn. Information Systems, 6(3).
Nilsen, R., Levy, Y., Terrell, S., & Beyer, D. (2017). A Developmental Study on Assessing the
Cybersecurity Competency of Organizational Information System Users.
Weinstein, R. (2016). Cybersecurity: Getting beyond Technical Compliance Gaps. NYUJ Legis.
& Pub. Pol'y, 19, 913.
1 out of 9
circle_padding
hide_on_mobile
zoom_out_icon
[object Object]

Your All-in-One AI-Powered Toolkit for Academic Success.

  +13062052269
info@desklib.com

Available 24*7 on WhatsApp / Email

[object Object]
Unlock your academic potential

© 2024   |   Zucol Services PVT LTD   |   All rights reserved.