Organizations that you work for will often apply an IT governance framework such as COBIT or ISO 27001, or one of the others that are available. These frameworks provide guidelines for IT governance in the organization and offer guidelines for building a governance system. In this unit, you will apply the ISO 27001 Information Security Management System (ISMS) framework to begin outlining a governance strategy for an organization.
Select an organization that you would like to develop an IT governance strategy for, using ISO 27001, Information Security Management System (ISMS). You can find ISMS on the Internet or in this unit’s reading. The organization should be one you are familiar with from having worked there.
In your paper, include the following:
Define and discuss the ISO 27001 Information Security Management System in terms of the Deming Cycle of continuous improvement of Plan-Do-Check-Act (PDCA)
Brief description of the organization and type of business engaged in.
High-level information security policy that defines management’s overall objective for information security as it relates to business requirements and relevant laws and regulations.
Information security direction for the organization
Information security objectives for the organization
Information on how the organization will meet contractual, legal, and regulatory requirements
A statement of commitment to continuous improvement of the ISMS.
High-level risk assessment (for purposes of this paper, discuss the top 3–4 risks only)
Define a risk management framework that will be used
Identify risks and describe the risk
Analyze and evaluate the risks in terms of severity and impact
Statement of Applicability
Full Answer Section
- Act: Based on the findings from the "Check" stage, the organization takes corrective actions to improve the ISMS. This could involve revising policies, implementing new controls, or updating risk assessments.
- Acme Library: Brief Description
Acme Library is a public library with a physical location and a growing online presence. They offer a variety of resources, including books, ebooks, audiobooks, and online databases. They also provide public Wi-Fi access and computer workstations for patron use.
- High-Level Information Security Policy
Acme Library is committed to protecting the confidentiality, integrity, and availability of all information assets, including library materials, patron data, and staff information. We will comply with all applicable laws and regulations regarding information security. We will implement appropriate security controls to mitigate risks and continuously improve our information security posture.
- Information Security Direction
Acme Library will strive to achieve the following information security objectives:
- Protect the confidentiality of patron data, library materials, and staff information.
- Ensure the integrity and accuracy of all information assets.
- Maintain the availability of information systems and resources for authorized users.
- Meeting Contractual, Legal, and Regulatory Requirements
Acme Library will identify and comply with all relevant contractual, legal, and regulatory requirements concerning information security. This may include data privacy laws, copyright laws, and industry best practices.
- Commitment to Continuous Improvement
Acme Library is committed to continuously improving its ISMS. We will regularly review our information security policies, conduct risk assessments, and update our controls as needed. We will also provide ongoing security awareness training to staff.
- High-Level Risk Assessment (Top 3 Risks):
- Data Breach: A cyberattack could compromise patron data, library materials, or staff information. This could lead to identity theft, financial loss, and reputational damage.
- Unauthorized Access: Unauthorized access to library systems could allow individuals to alter or delete data, disrupt operations, or spread malware.
- Human Error: Accidental data loss or misuse by staff due to a lack of awareness or training can compromise information security.
- Risk Management Framework
Acme Library will adopt the following risk management framework:
- Identify Risks: We will identify all potential threats and vulnerabilities to our information assets.
- Analyze and Evaluate Risks: We will assess the likelihood and potential impact of each risk.
- Treat Risks: We will implement appropriate controls to mitigate identified risks. This may involve preventive, detective, or corrective controls.
- Monitor and Review: We will continuously monitor the effectiveness of our controls and update our risk assessments as needed.
- Statement of Applicability
This ISMS policy and risk management framework apply to all staff, contractors, and volunteers who access or use Acme Library's information systems and resources.
Note: This is a high-level overview of an IT governance strategy using ISO 27001 for Acme Library. A full implementation would involve a more detailed risk assessment, identification of specific controls, and documentation of procedures.