Cyber Security Report: Achieving ISO 27001:2013 Certification Audit

Verified

Added on 2023/06/10

AI Summary

This report provides a comprehensive analysis of an organization's readiness for ISO 27001:2013 certification. It emphasizes the importance of assessing organizational readiness to ensure the success of the certification investment. The report details the significance of risk assessment, including schedule preparation and the involvement of an internal technical team. It outlines the procedure for ISO/IEC 27001:2013 certification, focusing on the initial audit by the certification authority to verify the organization's ISMS compliance with the ISO 27001 standard. The document highlights key tasks such as system documentation, risk determination, and safeguard implementation, providing a structured approach to achieving certification readiness.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running Head: Cyber Security
Cyber security
Name of the Student
Name of the University
Author note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1Cyber Security
Table of Contents
Organizational readiness for the ISO 27001:2013 certification:.....................................................2
Risk assessment before the certification:.........................................................................................3
Risk assessment schedule:...........................................................................................................4
Internal technical team involved:.................................................................................................5
Procedure for ISO/IEC 27001: 2013 certification:..........................................................................6
References:......................................................................................................................................7

2Cyber Security
Organizational readiness for the ISO 27001:2013 certification:
In order to make the ISO 27001:2013 certification effective for the organization and
ensure that the investment for the certification is a successful one, a formal assessment of the
organizational readiness is an important factor to consider, if not mandatory. It gives the
organization a fair idea whether it is ready for the certification or not. The topic of information
investment has become one of the major topic in the field of business investment and to derive
success from the investment has been the prime concern for the organizations (Luftman, 2015).
In order to make the investment successful, it is important to make sure that the business
strategies are properly aligned. Hence, it becomes necessary to assess and evaluate the Strategic
Alignment Maturity Levels from the perspective of the Corporate and Project Implementation. In
order to ensure the strategic alignment, the transition of focus from corporate level to project
level is necessary. Although the decision are taken at the corporate level, but the shift of focus at
the project implement level is necessary to achieve alignment at the project implementation
(Luftman & Kempiah, 2015). Project alignment is initiated with the corporate strategic
alignment, followed by the project alignment which makes the organization alignment strategy
successful.

3Cyber Security
Risk assessment before the certification:
Risk assessment is an important factor to consider whenever any company wants to apply for
any certification in the relevant field the company is operating. The process of acquiring any IT
certification is a complex process and it is always important to perform through risk assessment
of the existing IT infrastructure for getting a clear picture about the strength of the infrastructure
to comply with the certification (Weinstein, 2016). It is an effective tool to understand the
internal as well as external security threat and whether the system is sufficient enough to mitigate
with the security threats and the vulnerabilities. Without proper risk assessment of the
information infrastructure, the process of acquiring the certification has little to no success
(Nilsen et al., 2017). Hence this process is very important and should be performed effectively
before applying for the certification. The process involves two important tasks:
 Preparation of the schedule
 Creation of the technical team for the assessment
TASKS DURATION
1. system documentation 20
1.1 boundary selection of system 5
1.2 record of system related information 3
1.3 documentation of system purpose 4
1.4 documentation of system security 8
2. determination of system risk 30
2.1 identification of threats 5

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4Cyber Security
2.2 identification of vulnerabilities 5
2.3 Describe risks 5
2.4 identification of existing controls 3
2.5 determination of likelihood of occurrence 3
2.6 determination of severity of impact 5
2.7 determination of risk level 4
3. determination of safeguard 20
3.1 recommendation of controls with safeguards 8
3.2. determination of residual occurrence with controls and safe guard in
place
4
3.3 determination of the residual sensitivity and impact of the controls 4
3.4 determination of residual risk level 4

5Cyber Security
Risk assessment schedule:

6Cyber Security
Internal technical team involved:
Phase of the task Key people involved Description of the task
System
documentation
 System
administrator
 Technical
reviewer
 System technical
owner
 Risk assessment
manager
 High-level documentation
 Design of network diagram
 Documentation of critical and sensitive
information
 Review of the existing security policy with
reference to the overall system security
requirements
Risk determination  System
administrator
 Technical
reviewer
 System technical
owner
 Details explanation of the threats and
vulnerabilities
 Review of risk with respect to the threats and
vulnerabilities
 Assessment of the system controls
 Review of the impact related to the identified
risks
Safeguard
documentation
 System
administrator
 Categorize the available and the planned
safeguards to mitigate the threat

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7Cyber Security
 System technical
owner
 Technical
reviewer
 System business
owner
 Categorize the vulnerabilities with respect to
sensitivity and likelihood
 Categorize the controls technique with
respect to the impact or the importance
 plan for modification or identification of new
and improved safeguards if needed
Procedure for ISO/IEC 27001: 2013 certification:
In order to ensure that the organization and the associated information security
management system (ISMS) is compatible for the certification, the certification authority
performs a certification audit initially. The aim of the initial audit is to review that the ISMS of
the organization is as per the ISO 27001 standard and the organization operates in accordance
with policies, procedures and objective exclusive to the organization itself (Humphreys, 2016).
These reviews are generally performed within two to three months and the certification is
provided once all the standards and the requirements are properly met by the organization.

8Cyber Security
References:
Humphreys, E. (2016). Implementing the ISO/IEC 27001: 2013 ISMS Standard. Artech House.
Luftman, J. (2015). Key Issues for IT Executives 2004. MIS Quarterly, 4(2), 269–286.
Luftman, J., & Kempaiah, R. (2015). An Update on Business-IT Alignment: A Line Has been
Drawn. Information Systems, 6(3).
Nilsen, R., Levy, Y., Terrell, S., & Beyer, D. (2017). A Developmental Study on Assessing the
Cybersecurity Competency of Organizational Information System Users.
Weinstein, R. (2016). Cybersecurity: Getting beyond Technical Compliance Gaps. NYUJ Legis.
& Pub. Pol'y, 19, 913.