ASSIGNMENT
Principles and Practices of ISO/IEC 27001 Standards
Team Members
ABC
Contents
Abstract ... 3
Introduction ... 4
Requirements for ISO 27001 ... 6
1 Scope ... 7
2 Normative References ... 8
3 Terms and Definitions ... 8
4 Context of the Organization ... 9
4.1 Internal and External Issues of the Organization ... 9
4.2 Need and Expectations of the Interest Parties ... 9
5 Leadership ... 11
5.1 Leadership Commitment ... 11
5.2 ISMS Policy ... 11
5.3 Roles and Responsibilities ... 12
6 Planning ... 13
6.1 Information Security Risk Assessment and Control Measures ... 13
6.1.1 Identification of Business Process ... 15
6.1.2 Business Impact Analysis Initiation ... 15
6.1.3 Performing Asset Valuation ... 15
6.1.4 Determining Risks ... 15
6.1.5 Performing Risk Assessment ... 16
6.1.6 Risk Treatment ... 16
6.1.7 Follow-up ... 17
6.2 ISMS Objectives Development and Planning ... 17
7 Support ... 19
7.1 ISMS Resources Provision ... 19
7.2 ISMS Competence ... 19
7.3 ISMS Awareness ... 19
7.4 ISMS Communication ... 20
7.5 ISMS Documentation ... 21
7.5.1 Levels of Documents ... 21
7.5.2 Document Coding Scheme ... 21
Page 1 of 40
7.5.3 Document Preparation, Review and Approval ... 22
7.5.4 Access and Disposal of Obsolete Documents and Retained Records ... 22
8 Operation ... 23
8.1 ISMS Operational Planning and Controls ... 23
9 Performance Evaluation ... 24
9.1 ISMS Monitoring and Measurement ... 24
9.2 ISMS Audits ... 24
9.3 ISMS Management Review ... 24
10 Improvement ... 25
10.1 ISMS Non-Conformity and Corrective Action ... 25
Benefits of Implementing ISO/IEC 27001 ... 26
Case Study 01 ... 28
Case Study 02 ... 30
Case Study 03 ... 31
Recommendation ... 32
Conclusion ... 33
References ... 34
Appendix ... 36
Abstract
This document summarizes and briefly discusses the mandatory requirements of the ISO/IEC 27001
information security management system (ISMS). The Annexure SL structure of ISO/IEC 27001 makes
it easier to integrate with other management system standards. The ten clauses of ISO/IEC 27001,
including scope, normative references, terms and definitions, context of the organization,
planning, support, performance evaluation, and improvement, are also covered in this document.
Furthermore, recommendations and a case study related to Fredrickson form part of this document.
Introduction
Businesses rely increasingly on information and communication technology (ICT) to run their
operations, organize production, provide services, and communicate internally and with
clients [1]. The development of information technology and its integrated applications in
sectors such as health care, banking, manufacturing, and services has raised concerns about
information security [2]. Likewise, emerging information technologies and Industry 4.0
applications introduce many access points through which an IT network can become vulnerable [3].
In recent years, the European Union has established a Cybersecurity Program, as well as many
Directives and Regulations on related problems. These expressly emphasize the importance of
certifications and guidelines in helping businesses ensure conformity with information security
requirements [4]. Addressing the progressively complex challenges of information system
security (ISS) requires holistic approaches, and significant managerial effort is needed to
balance the trade-offs between security and legal compliance on one side and cost and
operations on the other [5].
Amid increasing economic and legal challenges, businesses must increasingly take adequate
measures to secure their data assets and incorporate this issue into their strategic
management [6]. An information security management system (ISMS) protects information assets
and offers a systematic method for risk management. As a result, it helps businesses meet their
own data security objectives as well as those of their customers, and comply with legal data
security obligations. As the international standard for this type of ISMS, ISO/IEC 27001 "has
been developed to specify requirements for developing, operating, maintaining, and steadily
improving an information security management system" (ISO/IEC 27001:2013). ISO/IEC 27001 is
widely regarded as the most important global standard for the management of information
security [3]. With 36,362 valid certifications at 68,930 sites, ISO/IEC 27001 ranks third
globally among the most often used management system standards, trailing ISO 9001 for quality
management (ranked first with over 900,000 valid certificates) and ISO 14001 for environmental
management [7]. Given the increasing importance of information security, these figures show
that adoption is still slow despite the high ranking. Sector statistics from the ISO survey of
certified firms worldwide show that ISO/IEC 27001 is largely used by businesses in the ICT
sector [7].
Requirements for ISO 27001
The ISO 27001 standard is based on the Plan-Do-Check-Act (PDCA) principle. An organization needs
to define its scope of work, and the documentation and implementation of its information
security management system (ISMS) are developed based on that scope. ISO 27001 has ten clauses
in total, all of which need to be considered when implementing it in any organization [8]. A
schematic illustration of these clauses is given in Fig. 1.
[Figure: the ten clauses of ISO 27001: Scope, Normative References, Terms and Definitions, Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement]
Fig. 1. ISO 27001 Standard Implementation Requirements
1 Scope
The scope defines the boundaries of the ISMS implementation. Any organization that is going
to implement ISO 27001 needs to define the boundaries of its ISMS. These boundaries include
all sections and sub-sections of the organization that are inter-related with each other.
Similarly, if an organization has more than one operational site, these sites should also be
defined in the scope of work. In Fig. 2, the scope of the information security management
system of an IT organization is illustrated with Sites A, B, and C. The scope of the
organization also covers the context of the organization, interested parties, assets, etc.
[Figure: IT Organization with operational Sites A, B, C and D]
Fig. 2. Organization Scope based on Operational Sites
2 Normative References
ISO/IEC 27001 draws many of its sections from other literature or previously published
standards. Therefore, the previously published work or standards are cited as references in
the standard. These references are given to provide further clarification or guidance on the
different points or sections of the standard. The references include:
ISO/IEC 27002 Information Technology – Security Techniques – Code of Practice
3 Terms and Definitions
In standards, the meanings of words differ from their dictionary meanings; in particular, these
words are interpreted in the context in which they are used. For example, the word 'shall'
represents a mandatory requirement. Similarly, terms specific to an organization are also
defined here. Examples include:
Audit
Risk Assessment and Control Measures
Corrective Actions
Information Security Controls
Process
Services and Products
Access Control
Authority, Accountability, Responsibility
4 Context of the Organization
Context is the theme or set of circumstances that defines the nature of the organization's
work. In the latest version, ISO/IEC 27001:2013, the structure of the standard has been
changed to Annexure SL, and in this revised structure the organizational context needs to be
defined [8].
4.1 Internal and External Issues of the Organization
The context is defined by considering the organization's internal and external issues, which
include:
Organization Strengths
Weaknesses
Opportunities
Threats
Political Issues
Economic Issues
Social Issues
Technological Issues
Legal / Regulatory issues
All of these issues need to be addressed or considered in the context of the organization.
4.2 Need and Expectations of the Interest Parties
The needs and expectations of the interested parties also need to be covered in the context of
the organization. These needs and expectations include:
Services or Product Quality
Service Level Agreements
Timelines
Finally, the organization needs to determine the scope of its information security management
system, that is, the areas or parts of the organization in which the ISMS will be implemented,
as described in section 1 of this document [8]. While defining the scope of work, the
following requirements need to be considered:
Internal and External Issues
Need and Expectations of the Interest Parties
Any other requirements which the organization's management considers to be important
aspects
Finally, the information security management system should be developed, implemented,
maintained, and continuously improved.
5 Leadership
5.1 Leadership Commitment
Improvement in any organization is driven from the top down. It is the commitment of top
management that makes a management system more progressive and brings improvement within the
organization [8]. In ISMS implementation, the commitment of the organization's top management
is the foremost requirement for genuine implementation of the system. To show its commitment
towards ISMS implementation, the organization should define and enforce the following:
ISMS Policy
ISMS Objectives derived from ISMS Policy
ISMS implementation direction
Provision of resources for implementation
5.2 ISMS Policy
The overall intention and direction of top management related to the ISMS should be defined
by the organization's top management [8]. The ISMS policy should be:
Based on the context of the organization
A commitment to legal and other applicable requirements
A commitment to continual improvement
A framework for the ISMS objectives
The ISMS policy should be made available and communicated to all interested parties. A sample
ISMS operation policy is given below:
Company XYZ is dedicated to providing operational security at its facility and in its operations
by ensuring the following:
Protection from malware or any other nuisance software shall be provided by installing firewalls
Physical security of the IT and utility resources shall be ensured by monitoring and
applying security protocols
Backups of critical as well as non-critical data shall be taken and stored at distributed
locations
Security testing shall be done at defined intervals in order to identify vulnerabilities
All breaches and potential vulnerabilities found shall be resolved; otherwise the use of the
affected service shall be discontinued
Operational audits shall be performed at defined intervals to check the level of
implementation
5.3 Roles and Responsibilities
For better implementation of any management system within an organization, proper roles and
responsibilities need to be defined. The roles and responsibilities of personnel should be
defined based on the nature of their work [8], and they are shared with the relevant personnel
of the organization.
Roles and responsibilities cover:
Responsibilities
Authorities
Accountabilities
6 Planning
6.1 Information Security Risk Assessment and Control Measures
Risk is defined as the preventive approach to any vulnerability within the organization.
ISMS-related risks are identified by applying a defined risk management technique [9]. Risk
management also follows the Plan-Do-Check-Act (PDCA) cycle, as shown in Fig. 3.
[Figure: Risk Identification, Risk Categorization, Risk Treatment and Risk Control Measures arranged as a cycle]
Fig 3. ISMS Risk Cycle
Risk Identification:
ISMS-related risks are identified based on the organization's scope and context. For this, all
processes of the organization are covered.
Risk Categorization:
ISMS-related risks are categorized using a risk matrix, mostly in the form of high, medium, and
low risks.
Risk Control Measures:
ISMS-related risk control measures are recommended and implemented to reduce the risk to an
acceptable level.
Fig. 4. Risk Flow Diagram
Figure 4 shows a sample process flow diagram for ISMS risk assessment, which is briefly
described below:
6.1.1 Identification of Business Process
Business impact analysis is performed against all processes running in the organization. For
this purpose, a risk management sheet is developed in which all departments and the processes
related to them are identified.
6.1.2 Business Impact Analysis Initiation
Initiate the business impact analysis by following contractual obligations and client
requirements and needs. Determine the maximum allowable downtime to recover the process or
service, choosing the most appropriate downtime limit based on the business or client
requirements of the process.
6.1.3 Performing Asset Valuation
Asset valuation is prioritized for the assets involved in Critical and Important processes.
Choose the process (priority is given to processes deemed Critical, then Important, and finally
Normal) and assess its assets.
6.1.4 Determining Risks
Risk assessment is performed for assets valued as Critical and Important. Identify the asset
type, determine the threat, and record it under the specified column using Annexure A.
A threat is an act, event or thing that may exploit the corresponding vulnerability to create
risk(s) to business processes and assets.
Determine the vulnerability of the assigned asset that might be exploited by the selected
threat. Vulnerabilities are weaknesses of an asset that might be exploited by a threat and
create risks in a business environment [9].
Describe the risks under Risk Description that may affect the business process and the asset
being assessed. Each risk must be created from the combination of the chosen threat and
vulnerability; one combination of threat and vulnerability may lead to more than one risk.
6.1.5 Performing Risk Assessment
Risk treatment is decided on the basis of the risk rating, while making sure that the residual
risk is reduced to Minor by the treatment measures adopted.
6.1.6 Risk Treatment
Risks for assets valued as Normal are accepted, and risks rated Minor are accepted. Using the
same risk assessment sheet, choose the suggested controls:
Choose a control listed in the drop-down menu
Choose a custom control if the listed controls do not include the required risk treatment
measure
Select No Control Required if the risk rating is already Minor (no risk treatment is
required)
6.1.7 Follow-up
Based on the assigned target date, follow up with the risk owners and concerned persons to
determine the status of risk treatment under the appropriate column:
- Completed: treatment was completed on time
- Pending: status is unknown and the target date is close
- Delayed: treatment is overdue relative to the target date
- Reassigned: treatment was unsuccessful
The output of the business impact analysis, asset valuation, risk assessment and risk treatment
activities is reviewed annually. Designated risk owners ensure that risk treatments are
implemented by the fixed target dates.
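The decision rules of 6.1.3 to 6.1.7 (asset valuation, risk rating, treatment acceptance, residual risk, follow-up status) written out as a small risk-sheet model. This is an added example, not code from the assignment or from ISO/IEC 27001; the 3x3 likelihood-by-impact matrix and its Minor/Medium/High thresholds, the 7-day "close" window for Pending, and the extra "Not due" status are assumptions, as are the sample rows.

```python
"""Worked model of the risk assessment sheet described in 6.1.1 to 6.1.7.

Added example, not code from the assignment or from ISO/IEC 27001 itself.
Assumptions: a 3x3 likelihood x impact matrix mapped to Minor/Medium/High
(the text names only "Minor" and a high/medium/low matrix); "Pending" means
the target date is within 7 days (the text only says "close"); "Not due" is
an assumed status for treatments not yet close to their target date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class AssetValue(Enum):
    """6.1.3 valuation levels, in priority order Critical > Important > Normal."""
    CRITICAL = 3
    IMPORTANT = 2
    NORMAL = 1


def rate_risk(likelihood: int, impact: int) -> str:
    """Map likelihood and impact scores (each 1..3) to a rating; thresholds assumed."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be scored 1..3")
    score = likelihood * impact
    if score <= 2:
        return "Minor"
    if score <= 4:
        return "Medium"
    return "High"


@dataclass
class Risk:
    """One sheet row: asset, threat, vulnerability and the risk they produce."""
    asset: str
    asset_value: AssetValue
    threat: str
    vulnerability: str
    description: str
    likelihood: int
    impact: int
    control: Optional[str] = None             # listed or custom control (6.1.6)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def rating(self) -> str:
        return rate_risk(self.likelihood, self.impact)

    def residual_rating(self) -> str:
        """Rating after treatment; without residual scores the inherent rating stands."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.rating()
        return rate_risk(self.residual_likelihood, self.residual_impact)


def treatment_decision(risk: Risk) -> str:
    """6.1.5/6.1.6: accept risks on Normal assets and risks already rated Minor;
    otherwise a control is needed and residual risk must come down to Minor."""
    if risk.asset_value is AssetValue.NORMAL:
        return "Accepted (asset valued Normal)"
    if risk.rating() == "Minor":
        return "No Control Required"
    if risk.control is None:
        return "Treatment required: choose a listed or custom control"
    if risk.residual_rating() != "Minor":
        return f"Control '{risk.control}' insufficient: residual risk {risk.residual_rating()}"
    return f"Treated with '{risk.control}': residual risk Minor"


def follow_up_status(target: str, today: str, completed_on: Optional[str] = None,
                     unsuccessful: bool = False, close_days: int = 7) -> str:
    """6.1.7 status column (dates as ISO strings). Completed and Reassigned come
    from the risk owner's report; Pending and Delayed follow from the target date."""
    target_d, today_d = date.fromisoformat(target), date.fromisoformat(today)
    if unsuccessful:
        return "Reassigned"
    if completed_on is not None and date.fromisoformat(completed_on) <= target_d:
        return "Completed"
    if today_d > target_d:
        return "Delayed"            # overdue, or completed after the target date
    if target_d - today_d <= timedelta(days=close_days):
        return "Pending"
    return "Not due"                # assumed status, see module docstring


def sample_sheet() -> dict:
    """Constructed rows (not real data) run through the treatment rules."""
    rows = {
        "web_unpatched": Risk("Customer web server", AssetValue.CRITICAL,
                              "Exploitation of a known flaw", "Unpatched web server",
                              "Customer data exposure", 3, 3, control="Monthly patch cycle",
                              residual_likelihood=1, residual_impact=2),
        "backup_unverified": Risk("Backup server", AssetValue.IMPORTANT, "Hardware failure",
                                  "Backups never restore-tested", "Loss of recoverable data", 2, 3),
        "printer_shared": Risk("Office printer", AssetValue.NORMAL, "Unauthorized viewing",
                               "Printouts left in tray", "Minor disclosure", 2, 2),
    }
    return {name: treatment_decision(r) for name, r in rows.items()}
```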
6.2 ISMS Objectives Development and Planning
ISMS objectives are derived from the ISMS policy defined by the organization. The policy acts
as a benchmark for objectives, which should be specific, measurable, realistic, and time-bound
(SMART) [9].
[Figure: SMART objectives: Specific, Measurable, Realistic, Timely Bounded]
Fig. 5. Objectives Features
These are some sample ISMS-related objectives:
"To get the XYZ facility certified to ISO/IEC 27001 by Dec 2023 by a 3rd-party internationally
accredited certification body"
"To provide at least 15 hours of Information Security Management System related training to
the core IT and network team by Dec 2023"
7 Support
7.1 ISMS Resources Provision
In order to implement an information security management system, resources in terms of
finance, personnel, assets, etc. are required. These resources are provided by management for
proper implementation of the ISMS [8].
7.2 ISMS Competence
Competent personnel are also an asset of the organization and play an important role in the
implementation of ISMS ISO/IEC 27001. Personnel competence is increased through training,
supervised work, and similar means. Competence is the combination of the following:
[Figure: Education + Qualification + Training + Experience = Competence]
Fig. 6. Competence Chart
7.3 ISMS Awareness
The awareness cycle starts with a training needs assessment related to the information security
management system (ISMS). The awareness of newly hired and existing employees is increased
through training, physical demonstrations, etc. The training needs assessment of these
employees is done by their immediate in-charge. Based on the training needs assessment, a
training plan is developed. According to the training plan, training is conducted and proper
training records are maintained. Finally, the personnel are evaluated on the basis of the
training [8].
[Figure: Training Needs Assessment, Training Plan, Training Execution and Training Evaluation arranged as a cycle]
Fig. 7. Training Cycle
7.4 ISMS Communication
The ISO/IEC 27001 requirements and the company's policies and procedures need to be
communicated to the relevant interested parties. For this purpose, a communication plan such
as the one in Table 1 could be a viable solution [8].
Table 1. Communication Plan
Sr. No. | What | When | Whom to | How | Who
1 | Quality policy | After release/review | Employees | Bulletin board, displays | Designation
2 | Quality objectives | After release/review | Employees | Controlled hard copies are shared, meetings | Designation
3 | CSR | After receipt from customer/review | Employees | Controlled hard copies are shared, shared folder | Designation
7.5 ISMS Documentation
Document and record control is the most important part of ISO/IEC 27001 implementation.
Documents and records contain confidential or public information, all of which needs to be
properly handled [8]. Some organizations categorize documents as confidential or public.
Documentation starts from the document level and further has the following parts:
7.5.1 Levels of Documents
The documents of the ISMS are categorized into four levels according to their nature.
Level I: Organizational Chart, Policies & Manual
Level II: System Procedures, Operational Procedures
Level III: JDs, Work Instructions
Level IV: Forms & Formats
Fig. 8. Hierarchy of Documents
7.5.2 Document Coding Scheme
The organization defines its document coding scheme based on the importance or level of the
documents.
7.5.3 Document Preparation, Review and Approval
Management needs to define which type of document is approved by whom. For this, a matrix
such as Table 2 can be used.
Table 2. Document Preparation, Review, and Approval
Level | DOC Type | Prepared By | Reviewed by | Approved by
I | ORG, POL | | |
II | System Procedure, SOP | | |
III | WIs, JDs | | |
IV | FRM | | |
7.5.4 Access and Disposal of Obsolete Documents and Retained Records
Finally, document disposal is the remaining concern, and it needs to be handled properly. When
the retention period of records expires, the validity and usefulness of the records is
verified. The documents are then destroyed and the records shredded in the presence of the
responsible person or their appointee [9].
8 Operation
8.1 ISMS Operational Planning and Controls
The organization's scope of work that falls under the domain of the ISMS should be documented,
planned, and maintained. These operational controls are updated on a periodic basis. All
operations should address the ISMS and other operations-related risks.
The process starts from operational planning for risk control and rotates continuously in a
cycle of planning, controlling, and execution [9].
9 Performance Evaluation
9.1 ISMS Monitoring and Measurement
The performance of the implemented ISMS is evaluated with different techniques, including
internal and external audits [9]. Performance is also evaluated on an ongoing basis.
9.2 ISMS Audits
An audit is a documented activity for cross-verifying implementation against the defined
policies and procedures. An audit has different stages, including the following:
Auditors’ selection
Audit frequency and planning
Audit Execution
Audit Reporting
Corrective Actions against audit findings
Follow up of the findings
9.3 ISMS Management Review
Management conducts reviews to evaluate the performance of the ISMS. The management review is
a planned activity with a pre-defined agenda that covers:
Organization Internal and External Issues
Audit Results
Resources
Risk and opportunities
10 Improvement
10.1 ISMS Non-Conformity and Corrective Action
Improvement is a never-ending process carried out on the basis of the Check phase, whenever a
non-conformity is highlighted. For improvement purposes, different organizations have a number
of strategies, but the most widely adopted is to fill in a corrective action plan (CAP) in
which proper root cause analysis is done. A sample corrective action plan is given in
Appendix B. The CAP covers: [9]
Problem Statement
Root cause analysis
Proposed corrective action
Status of the corrective action
Finally, the CAP is closed after verification of the corrective action status.
Benefits of Implementing ISO/IEC 27001
ISO/IEC 27001 has many direct and indirect benefits for organizations that adopt it and become
certified. Some of them are given below:
Reduction in Vulnerability Risks:
Implementation of ISO/IEC 27001 reduces vulnerability risk because of the extensive ISMS risk
assessment, which is a mandatory part of ISO/IEC 27001 certification. Furthermore, the control
measures suggested in ISO/IEC 27002 also reduce ISMS risks [8].
Systematic Way of IT Operations:
ISO/IEC 27001 certification defines and documents all policies and procedures, which ultimately
makes IT operations systematic.
Customer Market Expansion:
ISO/IEC 27001 certification increases the organization's worth: if a customer does business with
the organization, the customer's information will be secured. Furthermore, to deal with
organizations of good repute, it is often a mandatory requirement that the service provider has
a management system in place [8].
Reliability and Customer Trust:
ISO/IEC 27001 increases customer trust because the integrity of the ISO/IEC 27001 system is
verified by a 3rd party at pre-planned, periodic intervals; therefore the robustness and
security of customer data is not compromised.
Organizational Cultural Change:
ISO/IEC 27001 significantly improves the organizational culture, as the roles, responsibilities,
and accountabilities of each person are defined. Furthermore, there are written policies and
procedures and a systematic way of doing every operation within the organization.
Case Study 01
Canva Pty Ltd is a leading graphic design giant and publishing platform based in Australia. Canva
provides a graphic designing tool that is easy to use and comes with an abundance of pre-built
designs and templates to facilitate the design process. [10]
Privasec, who had already worked with several tech giants, was no stranger to the Canva way of
working and understood well its values, culture and the importance of implementing a solution
which preserved them. Beyond its proven track record of implementing ISMS certified to
ISO27001, Canva chose to work with Privasec because of its cultural fit, flexibility, and the
shared ideology in achieving security and risk management outcomes without hindering
business growth. [10]
Canva implemented an ISMS specifically designed to best meet its ways of working and
its ever-changing organisation;
Canva achieved certification to ISO27001. Privasec acted on behalf of Canva through the
certification process;
Canva successfully set up a team of security champions across the different group
functions, ensuring all key business stakeholders are involved, and are having
conversations about security.
ISO 27001 Clauses 4 to 10 prescribe the minimum requirements of the ISO 27001 standard for the
establishment of an Information Security Management System (ISMS). It follows the continuous
improvement cycle, Plan-Do-Check-Act (PDCA), which an organisation must establish in order to
be able to go through certification [8].
Plan – Identify Risk to the Confidentiality, Integrity and Availability (CIA) of assets
Do – Put relevant controls in place
Check – Audit the implementation for efficiency and effectiveness
Act – Improve ineffective or inefficient controls
To design the best possible system, Privasec begins by understanding the business
environment, business objectives, constraints, values and culture. Privasec then conducts an
initial information risk assessment to identify the actions and priorities for managing
information security risks. This highlights major gaps and areas for improvement, which allows
Privasec to create an associated and tailored risk treatment plan. Lastly, Privasec helps its
clients to remediate their gaps and executes an internal audit program to report on security
control effectiveness, progress of risk remediation and provides assurance back to the business
for review and action. [10]
Case Study 02:
Fredrickson is a leading liability collection organization that safeguards its reputation by
implementing and certifying to ISO/IEC 27001. Its customers have the following objectives in
doing business with Fredrickson: [11]
Independent assessment of the efficacy of information security procedures and policies
Reduced client and regulatory oversight of information security measures
Winning more business by passing more pre-qualifications
Increased credibility and trust of the client
ISO/IEC 27001 certification has brought Fredrickson consistent growth, both organically and
through new customer acquisition. A central government department, numerous well-known UK
financial institutions, and several FTSE 100 corporations are among Fredrickson's clients
because of its ISO/IEC 27001 certification [11].
This is because clients and the public at large can now have complete trust in Fredrickson's
information security measures and its management of their private details. Fredrickson has
also noticed that the duration of third-party audits of its security procedures has been
significantly shortened [11].
Case Study 03:
R.S. Software Ltd. is a global leader in the electronic payments industry. RS's key driver for seeking ISO 27001 registration was that, in addition to key clients requiring and expecting RS to demonstrate that it had a robust Information Security Management System in place, the company wanted to ensure that all risks and vulnerabilities had been properly addressed. [12]
Before RS implemented ISO 27001, its security controls addressed only certain aspects of IT or data security, leaving non-IT information assets less protected. After a gap analysis to help identify, manage and minimize the range of threats to which information is regularly subjected, RS successfully implemented 132 of the 133 controls required by ISO 27001. [12]
RS identified a range of measures to ensure the confidentiality, integrity and availability of the information it needs to hold to carry out its business effectively. It was determined that these measures should be pragmatic, business-focused, risk-based, holistic, systematic, cost-effective and directed by the client's own standards. With this in mind, the company sought certification to the information security standard ISO/IEC 27001, which offers a comprehensive approach to information security. [12]
Benefits of certification for RS:
Improved security for R.S. Software Ltd. and its clients
'Badge on the wall' proof of best practice to potential and existing clients
Increased security awareness and buy-in among management and staff
Enhanced security documentation and reporting
Recommendation
COVID-19 has changed the paradigm of office-based working within any organization: staff now prefer to work off-site rather than on-site, which has raised new information security issues. Off-site working also reduces an organization's overhead expenses, but at the cost of new policies such as remote-working data security. These policies and procedures are also addressed by ISO/IEC 27001, but currently their application is not properly implemented. Therefore, more work is needed in these black-box areas to protect the security of IT-related information. [8]
It is recommended that any organization that wants to work on information security obtain ISO/IEC 27001 certification. This will not only help it win more market share and good customers, but also give confidence to the organization's internal interested parties that a proper management system exists within the organization. [9]
Conclusion
ISO/IEC 27001 is the 3rd most famous and applied standard of the International Organization for Standardization (ISO). ISO/IEC 27001 covers the organizational context, planning, resources, personnel and operations of any organization, along with the plan-do-check-act cycle. There is no doubt that ISO/IEC 27001 is a proven standard, with ISMS risk management and ISMS controls which, if an organization truly implements them, significantly reduce the chances of vulnerability. [8]
ISO/IEC 27001 provides quality assurance of an organization's information-security-related services by targeting its physical and software-based resources. Therefore, for any organization that wants to secure its information and do business in a safer manner, ISO/IEC 27001 is a possible solution.
References
[1] Eurostat. Digital economy and society statistics - enterprises [Online]. Available: [Link]
title=Digital_economy_and_society_statistics_-_enterprises#Access_and_use_of_the_internet
[2] A. Tanović and I. S. Marjanovic, "Development of a new improved model of ISO 20000 standard based on recommendations from ISO 27001 standard," in 2019 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 20-24 May 2019, pp. 1503-1508, doi: 10.23919/MIPRO.2019.8756843.
[3] G. Culot, G. Nassimbeni, M. Podrecca, and M. Sartor, "The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda," The TQM Journal, vol. 33, no. 7, pp. 76-105, 2021, doi: 10.1108/TQM-09-2020-0202.
[4] European Union. [Online]. Available: [Link]cyber-security/cybsec_comm_en.pdf
[5] A. Vance, M. T. Siponen, and D. W. Straub, "Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures," Information & Management, vol. 57, no. 4, p. 103212, 2020, doi: [Link]
[6] R. Saint-Germain, "Information security management best practice based on ISO/IEC 17799," Information Management Journal, vol. 39, no. 4, pp. 60-66, 2005. [Online]. Available: [Link]47549101192&partnerID=40&md5=9160e032b9666f21d125fd05d2a79513.
[7] ISO. The ISO Survey of Management System Standard Certifications 2019 [Online]. Available: [Link]
[8] ISO/IEC 27001:2018 Information Security Management System Standard
[9] ISO/IEC 27002:2018 Information security controls
[10] [Link]
[11] [Link]
[Link]
[12] [Link]
Appendix
A. Risk Assessment Sheet
Risk Description | Threat Description | Vulnerability | Existing Control (ISO 27001) | Risk Rating | Risk Treatment Status | Controls Suggested
B. Corrective Action Plan
CPA No. (to be filled by HOD): ___________
CPA Initiated by (Name): _________________________ CPA Initiated on (Date): __________
CPA Initiated due to (please tick the appropriate box below):
[ ] Non-Conformance [ ] Complaint [ ] Suggestion [ ] Internal Audit [ ] Any Other _________________________________
A. Description (to be filled by Initiator)
Signatures
[ ] Accepted Marked to: ________________ Date: _______________
[ ] Rejected MR: __________________
* If accepted, the ISO Coordinator marks it to the concerned department for analysis.
B. Root Cause Analysis
C. Proposed Corrective Action Target Date:
Name & Signatures (person who carried out the Root Cause Analysis and proposed the Corrective & Preventive Action)
D. Verification by the ISO Coordinator/HOD for Implementation Effectiveness
Is the proposed action implemented: [ ] YES [ ] NO Is it effective: [ ] YES [ ] NO
Comments (if any):
CPA closing date: _______________ ISO Coordinator / HOD Sign: _____________________