ISMS Implementation Plan for ABC Organisation (2016-17)

Added on 2019/09/20

AI Summary
This report outlines an Information Security Management System (ISMS) implementation plan for the ABC organization, addressing its recent information security breaches. The plan begins by defining the scope of the ISMS, encompassing organizational characteristics, business functions, and critical assets. A comprehensive information security policy statement, including management commitment, is provided. The core of the report involves a risk assessment, identifying at least 12 information security risks using a model like NIST SP 800-30, detailing threat events, vulnerabilities, and their potential impacts. The report then proposes responses to each identified risk, justifying the chosen approach, and selecting appropriate information security controls from ISO 27002 to mitigate risks. The implementation of these controls, including policies, procedures, and technical measures, is also described, providing a practical guide for improving ABC's information security posture and working towards ISO 27001 certification. The report adheres to a word limit of 3000 words, excluding bibliography and appendices.
Assignment 2
The organisation ABC has suffered 3 information security related breaches in the past 18 months and wants to implement an Information Security Management System (ISMS) to address major shortcomings in its management of information security.

You have been recruited as the Chief Information Security Officer (CISO) and your first task is to prepare a plan for implementing an ISMS within ABC, with the long term aim of achieving ISO 27001 certification. For the purpose of this assignment you are being asked to complete a number of tasks associated with the planning stage of an ISMS.

Note: The organisation you choose as ABC can be in any industry or sector. It can be a real organisation you are familiar with or a made-up organisation. You will need to clearly describe the organisation and its systems when you define the scope of the ISMS.
Your assignment should incorporate all of the following elements:

1. Define the Scope of the ISMS. The scope of the ISMS describes the boundaries of the ISMS in terms of organisational characteristics such as location(s), business functions, assets, and technology. It should include a list of important business functions that are critical to the organisation's mission and survival. It should also include a list of important information, information technology and system assets.

2. Prepare an information security policy statement for your chosen organisation. This should include a statement of management commitment as well as setting out the organisation's approach to managing information security.

3. Carry out a risk assessment that identifies at least 12 information security risks to your chosen organisation, its network, systems and information. Use one of the risk assessment models such as NIST SP 800-30. Identify relevant threat events and sources and determine their relevance. Identify vulnerabilities (and their severity) within the organisation that could be exploited by the threat events you identified. You should select vulnerabilities that are appropriate to your chosen organisation. Determine the likelihood of the threat events occurring and being successful, and the type and magnitude of the adverse impacts to the organisation. Finally, determine the level of each risk to the organisation.

4. Describe how you propose to respond to the risks you identified in the risk assessment. Justify the response you have chosen for each risk. At least 6 of the risks should require mitigation.

5. Select information security controls to address the risks you have identified that need to be mitigated. To address a particular risk you will typically require a number of controls. Use the ISO 27002 list of controls and reference each control selected (e.g. 7.1.1 Inventory of assets). Briefly describe how you would implement each of the selected controls. You should include policies, procedures and technical controls.
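The risk assessment, risk response and control selection steps above can be worked through in a small risk register. The Python script below is an added example, not part of the assignment brief or of any ABC document: it rates each risk on the five-level semi-quantitative scale that NIST SP 800-30 uses, combines the two likelihood components (the threat event occurring, and it succeeding in causing adverse impact) into one overall likelihood, looks up a risk level from likelihood and impact, and applies a response rule so that the risks needing mitigation can be counted. The six risks, the ABC characteristics they imply, the two combination tables and the response thresholds are all assumptions made for illustration. The ISO 27002 control numbers in the register follow the 2013 edition's numbering (the brief's "7.1.1 Inventory of assets" example uses the earlier edition's numbering), and which controls are attached to which risk is likewise illustrative.

```python
"""Semi-quantitative risk register in the style of NIST SP 800-30 Rev. 1.

Constructed example for a hypothetical organisation ABC. The risks, the
ratings, the combination tables and the response rule are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Five-level qualitative scale used throughout SP 800-30's appendices.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


def _idx(level: str) -> int:
    """Position of a level on the scale (raises ValueError for unknown text)."""
    return LEVELS.index(level)


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Combine 'threat event occurs' with 'event results in adverse impact'.

    Assumption: both must happen, so take the lower of the two ratings.
    """
    return LEVELS[min(_idx(initiation), _idx(adverse_impact))]


# Risk level from overall likelihood (rows) and impact (columns, Very Low ..
# Very High). Assumed values, shaped like SP 800-30's Appendix I scale.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][_idx(impact)]


def response(level: str) -> str:
    """Assumed response rule: High and above must be mitigated, Moderate is
    mitigated or transferred (e.g. insured), lower levels are accepted."""
    if _idx(level) >= _idx("High"):
        return "Mitigate"
    if level == "Moderate":
        return "Mitigate or transfer"
    return "Accept"


@dataclass
class Risk:
    id: str
    threat_event: str
    threat_source: str
    vulnerability: str
    severity: str          # severity of the vulnerability
    p_initiation: str      # likelihood the threat event occurs
    p_adverse: str         # likelihood it succeeds and causes impact
    impact: str            # magnitude of the adverse impact
    controls: list[str] = field(default_factory=list)  # ISO 27002:2013 refs (assumed)

    @property
    def likelihood(self) -> str:
        return overall_likelihood(self.p_initiation, self.p_adverse)

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed register for the hypothetical ABC (six of the twelve the brief asks for).
REGISTER = [
    Risk("R1", "Phishing email harvests staff credentials", "External criminal",
         "No multi-factor authentication on email", "High",
         "Very High", "High", "High", ["9.4.2", "7.2.2"]),
    Risk("R2", "Ransomware encrypts the file server", "External criminal",
         "Servers missing security patches", "High",
         "High", "High", "Very High", ["12.6.1", "12.2.1", "12.3.1"]),
    Risk("R3", "Laptop holding customer records is lost", "Accidental (staff)",
         "Laptop disks not encrypted", "Moderate",
         "Moderate", "High", "High", ["6.2.1", "10.1.1"]),
    Risk("R4", "Power failure takes the data centre offline", "Environmental",
         "Single power feed, no generator", "Low",
         "Low", "Moderate", "Moderate"),
    Risk("R5", "Employee copies customer database to personal storage", "Insider",
         "Excessive access privileges", "High",
         "Low", "High", "High"),
    Risk("R6", "SQL injection against the customer web portal", "External criminal",
         "Unvalidated input in web application", "High",
         "High", "Moderate", "High", ["14.2.1", "12.6.1"]),
]


def assess(register: list[Risk]) -> list[dict]:
    """Produce one row per risk with the derived likelihood, level and response."""
    return [
        {"id": r.id, "likelihood": r.likelihood, "level": r.level,
         "response": response(r.level), "controls": r.controls}
        for r in register
    ]


def mitigation_count(register: list[Risk]) -> int:
    """How many risks require mitigation (the brief asks for at least 6)."""
    return sum(1 for row in assess(register) if row["response"].startswith("Mitigate"))


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['id']}: likelihood={row['likelihood']}, level={row['level']}, "
              f"response={row['response']}, controls={row['controls']}")
    print("risks requiring mitigation:", mitigation_count(REGISTER))
```

Keeping the two likelihood components separate, as SP 800-30 does, makes the justification for each response explicit: R5 has a severe vulnerability and a high impact, but because the threat event is rated unlikely to occur the register scores it Low, so an examiner can see exactly which rating would have to change for it to require mitigation.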
Make whatever logical assumptions about the organisation ABC, its information systems and its information security that you feel are necessary to give you adequate scope to complete this assignment.

3000 words (excluding Bibliography and Appendices).