Achieving ISO 27001 Certification by implementing an Information Security Management System
Owopetu, Odunayo (2018-12-04)
The publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2018121450956
Abstract
Information security is intended to protect the confidentiality, integrity and availability of information assets within an organisation. In recent years there has been a significant upward trend in cyber-attacks, data theft and breaches. Research indicates that in 2016 approximately 4 billion records were exposed globally and that about 75% of organisations encountered this problem over the last two years. The risks to information security remain very high and continue to rise because of the increasing value of data and the growing opportunities for information exploitation and cyber-crime.
ISO 27001 is a globally recognised, certifiable standard used to implement and manage information security within an organisation. ISO 27001 is, however, not only a certification but also a specification for creating and implementing an Information Security Management System (ISMS). Although there are various methods of implementing an ISMS, this thesis considers the ISO 27001 framework. The aim of this thesis is to implement an ISMS within an organisation and subsequently achieve ISO 27001 certification.
This thesis describes the minimum requirements that must be met before an ISMS can be established in an organisation. The approach used in this thesis is risk-based: a PDCA (Plan-Do-Check-Act) cycle that evaluates all the risks associated with the people, processes and technology employed within the organisation. A gap analysis is conducted to determine which of the required security controls are missing from the organisation, and remedial measures are provided for the gaps identified so that the organisation can meet the basic requirements for ISO 27001 certification.
Achieving ISO 27001 certification is crucial because it helps the organisation win business more effectively and gives it a competitive edge in its business sector. The organisation in this case is a private company that bids for government contracts. Most government contracts now contain clauses that require potential clients to hold ISO 27001 certification. The author of this thesis acts as lead information security consultant, working with the implementation team to support the organisation in achieving ISO 27001 certification.