Most organizations have a number of information security controls. However, without an information security management system...

 

Transcribed Image Text:

Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization. ISO/IEC 27001 requires that management: Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts; Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis. Note that ISO 27001 is designed to cover much more than just IT. What controls will be tested as part of certification to ISO 27001 is dependent on the certification auditor. This can include any controls that the organization has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively. Lab Exercise 3: You are working for a multi-national bank as an Information Security auditor your task is to provide the ISMS requirements and meet organizations security goals 1. Demonstrate your Business. 2. Develop a report to establish ISMS in your organization. 3. Develop the Statement of Applicability (ISO27001) for your organization. Note: Your lab should clearly address the business requirements and benefits of ISMS. Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization. ISO/IEC 27001 requires that management: Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts; Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis. Note that ISO 27001 is designed to cover much more than just IT. What controls will be tested as part of certification to ISO 27001 is dependent on the certification auditor. This can include any controls that the organization has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively. Lab Exercise 3: You are working for a multi-national bank as an Information Security auditor your task is to provide the ISMS requirements and meet organizations security goals 1. Demonstrate your Business. 2. Develop a report to establish ISMS in your organization. 3. Develop the Statement of Applicability (ISO27001) for your organization. Note: Your lab should clearly address the business requirements and benefits of ISMS.

Answer rating: 100% (QA)

It appears that you have been provided with a task as part of an Information Security ... View the full answer