Design, Implementation, and Evaluation of ISO 27001 Process Controls in IT Infrastructure: An Analysis of Risk Probability and Process Efficiency

dc.contributor.author: Salminen, Joonas
dc.contributor.department: fi=Tietotekniikan laitos|en=Department of Computing|
dc.contributor.faculty: fi=Teknillinen tiedekunta|en=Faculty of Technology|
dc.contributor.studysubject: fi=Tietotekniikka|en=Information and Communication Technology|
dc.date.accessioned: 2026-04-29T22:47:35Z
dc.date.issued: 2026-03-30
dc.description.abstract: ISO/IEC 27001:2022 is a cybersecurity standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), against which organizations can certify their Information Security Management System (ISMS). This thesis has been carried out with an organization operating in the IT industry. ISO/IEC 27001 is a widely recognized standard, and the organization has therefore chosen to certify its ISMS against it. The increasing number of cyber threats, growing regulatory requirements, and customer expectations serve as the primary drivers for pursuing certification. A literature review is conducted to establish a foundational understanding of the subject and to examine the requirements of the standard. The empirical part of the research is carried out as a case study for the organization. Six controls from Annex A of ISO/IEC 27001 are selected for design and implementation in order to strengthen the cybersecurity of the organization's IT infrastructure and ensure compliance with the standard. A qualitative analysis is performed to assess how the implemented controls mitigate identified risks, how they influence process efficiency, and whether opportunities exist for automation to reduce any negative impacts on efficiency. The findings indicate that the implemented controls are effective in mitigating threats. However, the increased need for documentation reduces process efficiency. Consequently, several automation opportunities are proposed to minimize these negative effects.
dc.format.extent: 81
dc.identifier.uri: https://www.utupub.fi/handle/11111/60101
dc.identifier.urn: URN:NBN:fi-fe2026042030232
dc.language.iso: eng
dc.rights: fi=Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.|en=This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.|
dc.rights.accessrights: avoin
dc.subject: ISO/IEC 27001
dc.subject: cybersecurity
dc.subject: IT infrastructure
dc.subject: Information Security Management System
dc.subject: Annex A controls
dc.title: Design, Implementation, and Evaluation of ISO 27001 Process Controls in IT Infrastructure: An Analysis of Risk Probability and Process Efficiency
dc.type.ontasot: fi=Diplomityö|en=Master's thesis|

Files

Name: Salminen_Joonas_opinnayte.pdf
Size: 583.44 KB
Format: Adobe Portable Document Format