School: School of Education, Social Sciences and Technology
Degree Programme: Bachelor of Information Technology
Course: Strategic IS and Business Policy - BIT 442
Assignment No. 1
Lecturer's Name: Mr. Gilbert Mwale
Student No: BIT19114277
Student Name: LIIEWA SONGOLO
Student E-mail: liiewasongolo26@gmail.com
UNILUS Pioneer Campus
P.O. Box 36711
LUSAKA.
Physical Address:
UNILUS
Plot No. 37413, Off Alick Nkhata Road (Behind Alliance Francaise), Mass Media, LUSAKA
1. Standard: ISO/IEC 27001
2. The ISO code for ISO/IEC 27001 is 27001.
Here is more information about the standard, such as its release year, primary objectives, and characteristics:
Launch Year: The first edition of ISO/IEC 27001 was released in 2005. Since then, it has undergone revisions; the most recent being ISO/IEC 27001:2013.
Principal Goals:
Information Security Management: The main goal of ISO/IEC 27001 is to give organizations a methodical and organized approach to managing information security. It aids enterprises in creating and maintaining an effective information security management system (ISMS).
Risk Management: ISO/IEC 27001 requires that information security risks be identified, evaluated, and managed. Organizations are obliged to assess the possible threats to their information assets and put in place adequate security measures to reduce or manage these threats.
Continuous Improvement: The standard encourages a culture of ongoing information security improvement. Organizations are advised to continuously monitor and review the ISMS to ensure it stays effective in the face of changing threats and vulnerabilities.
Key Attributes:
Risk-Based Approach: ISO/IEC 27001 approaches information security from a risk-based perspective. As a result, businesses must evaluate the threats to their information assets and prioritize their efforts and resources according to the severity of those threats.
Complete Controls: Annex A of the standard contains a complete list of security controls and objectives. Access control, cryptography, physical security, and incident management are just a few of the areas these controls address. Organizations can select and customize these controls to meet their own requirements.
Management Commitment: ISO/IEC 27001 emphasizes the importance of top management's commitment to information security. An organization's leadership should show support for the ISMS and make sure that it is incorporated into all of the organization's operational procedures.
What makes ISO/IEC 27001 so important?
Given the surge in cybercrime and the ongoing emergence of new threats, managing cyber-risks can appear challenging or even unattainable. Using ISO/IEC 27001 helps organizations become risk-aware and enables them to spot and fix weaknesses early on.
ISO/IEC 27001 promotes information security holistically, covering people, policies, and technology. An information security management system implemented in accordance with this standard is a tool for risk management, cyber-resilience, and operational excellence.
The three principles of ISO/IEC 27001 are:
Confidentiality: Only the appropriate people can access the information kept by the company. An example would be using encryption to protect sensitive information from unauthorized access and decipherment.
Integrity: Data that the organization uses to further its business or keeps safe for others is reliably stored and not destroyed or corrupted. An example would be verifying the integrity and authenticity of electronic documents and communications using digital signatures.
Availability: The organization and its clients can access the information whenever it is necessary, so that business aims and customer expectations are met. An example would be setting up redundant systems and backups to ensure that services and data remain available even in the event of hardware failures.
3. Overview of ISO/IEC 27001
The International Organization for Standardization (ISO) is an independent, nongovernmental organization and the world's largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world's leading body for developing and disseminating international standards for electrical, electronic, and related technologies.
The ISO/IEC 27000 family of standards, released by the joint ISO/IEC subcommittee, includes hundreds of controls and control mechanisms that can be used by organizations of all shapes and sizes to safeguard their information assets. These international standards give organizations a framework for policies and practices that cover all physical, technical, and legal controls involved in information risk management.
ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) with the goal of bringing information security under explicit management control. As a formal specification, it sets out requirements for how to establish, operate, maintain, and continually improve the ISMS. Additionally, it recommends a set of best practices that cover documentation, division of responsibilities, availability, access control, security, auditing, and corrective and preventive actions. By obtaining ISO/IEC 27001 certification, organizations can more easily adhere to the many statutory and regulatory requirements related to the protection of information. (Microsoft Corporation, 2023)
Question 2
1.
i. Failure due to technology: The computerized systems may experience problems that cause downtime and operational disruptions.
ii. Security Breaches: Automation involves the digital storage of sensitive customer and financial information, which leaves it exposed to cyberattacks and data breaches.
iii. Cost: Due to unforeseen costs for software, hardware, or consulting services, the project may exceed its allocated budget.
iv. Resistance by Employees: Fearing a loss of employment or having trouble adjusting to new technologies, employees may resist the automation process.
v. Training Issues: Staff may need substantial training to use the new systems successfully, which could cause productivity losses while they are adjusting.
vi. Integration Problems: The new technology may not integrate smoothly with the current systems, leading to ineffective operations.
vii. Compliance with Regulations: Modifications to data processing and reporting procedures may cause problems adhering to industry rules and data privacy legislation.
viii. Vendor Reliability: Project schedules may be affected if the company depends on outside vendors for technology components or services.
ix. Scalability: As the firm expands, the system could be difficult to scale, necessitating further expenditure and disruption.
x. Unanticipated Dependencies: Dependencies on outside elements, including software upgrades or third-party services, could pose risks.
xi. Project Delays: The project timetable may be extended by delays in the delivery of hardware or software or by unforeseen problems.
xii. Loss of Institutional Knowledge: If valuable institutional knowledge is not properly documented, the firm may lose it as procedures become more automated.
Assumption List:
Resource Accessibility: Assuming that the project has access to the finance and experienced IT personnel that it needs.
Data Backup and Recovery: Assuming effective data backup and recovery practices are in place to reduce the risk of data loss.
Regulatory Compliance: Assuming that the project will abide by all applicable data privacy laws and industry standards.
Change Management: Assuming that a thorough plan for dealing with change-related employee resistance is in place to ensure a smooth transition.
Vendor Reliability: Assuming that the service or technology suppliers chosen are dependable and capable of meeting project deadlines.
Backing from Stakeholders: Assuming that the automation program has the backing of important stakeholders like employees, management, and investors.
2.
3. RISK MATRIX

RISK RATING KEY
  LOW      0 – ACCEPTABLE                                OK TO PROCEED
  MEDIUM   1 – ALARP (as low as reasonably practicable)  TAKE MITIGATION EFFORTS
  HIGH     2 – GENERALLY UNACCEPTABLE                    SEEK SUPPORT
  EXTREME  3 – INTOLERABLE                               PLACE EVENT ON HOLD

SEVERITY
  ACCEPTABLE    Little to no effect on event
  TOLERABLE     Effects are felt, but not critical to outcome
  UNDESIRABLE   Serious impact to the course of action and outcome
  INTOLERABLE   Could result in disaster

LIKELIHOOD
  IMPROBABLE    Risk is unlikely to occur
  POSSIBLE      Risk will likely occur
  PROBABLE      Risk will occur

LIKELIHOOD \ SEVERITY | ACCEPTABLE  | TOLERABLE   | UNDESIRABLE | INTOLERABLE
----------------------+-------------+-------------+-------------+-------------
IMPROBABLE            | LOW (1)     | MEDIUM (4)  | MEDIUM (6)  | HIGH (10)
POSSIBLE              | LOW (2)     | MEDIUM (5)  | HIGH (8)    | EXTREME (11)
PROBABLE              | MEDIUM (3)  | HIGH (7)    | HIGH (9)    | EXTREME (12)
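As an added worked example (not part of the original assignment), the following Python encodes the 3x4 risk matrix and rating key above and applies it to some of the risks listed in Question 2. The likelihood and severity assigned to each risk are assumptions made for illustration; the matrix cells, ratings and actions are exactly those shown in the table.

```python
LIKELIHOOD = ["IMPROBABLE", "POSSIBLE", "PROBABLE"]  # matrix rows
SEVERITY = ["ACCEPTABLE", "TOLERABLE", "UNDESIRABLE", "INTOLERABLE"]  # columns

# Cell numbers and ratings exactly as laid out in the 3x4 matrix above.
CELL_NUMBER = [
    [1, 4, 6, 10],
    [2, 5, 8, 11],
    [3, 7, 9, 12],
]
RATING = [
    ["LOW", "MEDIUM", "MEDIUM", "HIGH"],
    ["LOW", "MEDIUM", "HIGH", "EXTREME"],
    ["MEDIUM", "HIGH", "HIGH", "EXTREME"],
]
# Risk rating key: level number and the action it requires.
KEY = {
    "LOW": (0, "OK TO PROCEED"),
    "MEDIUM": (1, "TAKE MITIGATION EFFORTS"),
    "HIGH": (2, "SEEK SUPPORT"),
    "EXTREME": (3, "PLACE EVENT ON HOLD"),
}


def score(likelihood, severity):
    """Return (cell number, rating, level, action) for one likelihood/severity pair."""
    row = LIKELIHOOD.index(likelihood.upper())  # ValueError on an unknown label
    col = SEVERITY.index(severity.upper())
    rating = RATING[row][col]
    level, action = KEY[rating]
    return CELL_NUMBER[row][col], rating, level, action


def prioritize(register):
    """Score (name, likelihood, severity) entries and order them by cell number, highest first."""
    scored = [(name,) + score(lik, sev) for name, lik, sev in register]
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed (assumed) likelihood/severity for some automation-project risks from Question 2.
PROJECT_RISKS = [
    ("Security breaches", "POSSIBLE", "INTOLERABLE"),
    ("Failure due to technology", "PROBABLE", "UNDESIRABLE"),
    ("Resistance by employees", "PROBABLE", "TOLERABLE"),
    ("Project delays", "POSSIBLE", "TOLERABLE"),
    ("Scalability", "IMPROBABLE", "ACCEPTABLE"),
]

if __name__ == "__main__":
    for name, cell, rating, level, action in prioritize(PROJECT_RISKS):
        print(f"{cell:>2}  {rating:<7} ({level})  {name:<26} -> {action}")
```

Running the block lists the assumed register from cell 11 (EXTREME, place on hold) down to cell 1 (LOW, OK to proceed), which is the order in which the key says the risks need attention.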
REFERENCES
Culot, G., Nassimbeni, G., Podrecca, M. and Sartor, M. (2021). "The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda". The TQM Journal, Vol. 33 No. 7, pp. 76-105. https://doi.org/10.1108/TQM-09-2020-0202
Microsoft Corporation (2023). ISO/IEC 27001:2013 Information Security Management Standards. Retrieved from https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-27001
Project Management Institute (2008). A Guide to the Project Management Body of Knowledge (PMBOK® Guide). 4th Edition. Project Management Institute.