Information Security Manual (ISMS)


Questions and Answers

According to the BOOMERANG Information Security Manual, what is the primary objective of the Information Security Management System (ISMS)?

  • To delegate information security responsibilities solely to the ISMS Team.
  • To focus exclusively on the technical aspects of information security.
  • To eliminate all risks associated with information security within the organization.
  • To provide a framework for implementing, maintaining, and improving information security. (correct)

Which of the following elements are within the scope of BOOMERANG's ISMS?

  • All forms of information assets, underlying infrastructure, and BOOMERANG offices. (correct)
  • Only the BOOMERANG offices.
  • Customer facilities and information stored there.
  • Only technological information assets.

Which of the following is the BEST description of Confidentiality in the context of BOOMERANG’s ISMS?

  • Preserving authorized restrictions on information access and disclosure. (correct)
  • Guaranteeing the accuracy and completeness of information.
  • Ensuring timely and reliable access to information.
  • Protecting information from modification or destruction.

According to the manual, what is BOOMERANG's primary business focus?

Providing outsourced voice and BPO services. (B)

Which role is responsible for overseeing and championing the information security program at BOOMERANG?

The Chief Executive Officer. (C)

In BOOMERANG, what is contained in the Risk Management framework?

The approach to risk, specifically approved and authorized by management. (B)

According to the manual, what is an effective adoption of information security best practice validated by?

External auditor. (D)

In the context of BOOMERANG's risk assessment process, what is the purpose of identifying assets?

To determine 'anything that has value to BOOMERANG' and is worthy of protection. (B)

During risk analysis, what does BOOMERANG use to describe the likelihood and impact of a risk?

A 5-point scale. (B)

If a risk is classified as 'HIGH' in BOOMERANG's risk management framework, what strategy should be applied?

Investing resources in mitigating residual risks or avoiding the risk where possible. (D)

What is the purpose of the Statement of Applicability (SoA) within BOOMERANG's ISMS?

To define which controls from ANNEX A of ISO/IEC 27001:2013 are appropriate for implementation. (D)

What triggers the need to update the Statement of Applicability?

Recurring risk assessments and improvements in control implementation. (D)

What is the purpose of BOOMERANG's information asset classification policy?

To set the standard for protecting information assets from unauthorized access and disclosure. (B)

According to the manual, which of the following is considered 'Public' information?

Boomerang Website(s). (A)

What is the intended outcome of Information Security Awareness and Training?

To inform and motivate staff regarding information security obligations. (B)

According to the manual, what implies a basic level of understanding about a broad range of information security matters?

Awareness. (B)

What approach should be used when security awareness and training materials are presented?

Suit their intended audiences in terms of styles, formats, complexity, technical content, etc. (C)

According to the manual, the Operational Manager / ISO Representative / ISMS Team is responsible for which of the following?

Running a security awareness and training program. (A)

Which of the following is a primary objective of measuring information security performance?

To show compliance with the ISO/IEC 27001 Standard, contracts, SLAs, OLAs, etc. (C)

According to the manual, what is the purpose of the Plan-Do-Check-Act (PDCA) model within the ISMS?

To provide continuous improvement for information security. (B)

What action must be taken if non-conformities are identified within the ISMS?

The ICT Helpdesk captures the request for changes and evaluates impacts on IT systems. (B)

Which of the following is an uncertainty factor that creates risks?

Service provider relationships. (C)

Which of the following is an external uncertainty factor?

Inherent environmental risks and reputational risk. (D)

Which of the following is a method of risk treatment?

Avoidance. (C)

What does the acceptance technique recognize?

Risks and controllability. (C)

What does the ISMS team define?

Requirements for creating and updating documented information. (B)

What will the top management team promote?

Risk-based thinking and using process. (D)

Which of the following is the definition of Impact?

Estimated on the confidentiality, integrity. (A)

What does Business Continuity include?

BOOMERANG business processes are not disrupted outside the set outage goals like the Recovery Plan. (A)

All of these can be checked to determine whether the ISMS processes or controls are improved EXCEPT:

None of the above. (D)

BOOMERANG may use ISO/IEC 27000 to search for terms and definitions. Where can the term for Confidentiality be found?

ISO/IEC 27000. (C)

Which of the following is NOT considered an ISMS objective?

To comply with external Security Standard. (D)

Which of the following is the definition of threats?

Accidental events such as fire, floods or malicious attacks e.g. viruses, theft or sabotage. (C)

What to Establish?

All of the above. (D)

What are the main reasons for the selection of Information Security controls?

Legal requirements, Contractual Obligations. (A)

What do BOOMERANG associates share responsibility for?

Ensuring classification of all information assets. (B)

Select all the options below that fall under the classification of "Confidential Information".

Telemarketing and BPO information generated for client by BOOMERANG activities. (B), Confidential customer data and contracts. (C), Electronic transmissions from client and stakeholder. (D)

What goals are defined for implementation in the Information Security Awareness and Training Charter?

All of the above. (D)

Flashcards

What is ISMS?

A framework for establishing, implementing, maintaining, and continually improving Information Security.

What does the scope of the ISMS include?

Records, digital data, business processes, ICT infrastructure, ICT services, and activities supporting the core business.

What are the purposes of the ISMS?

The organization's needs, security controls, performance monitoring, and continual improvement.

What is Confidentiality?

It means preserving authorized restrictions on information access and disclosure.

What is Integrity?

Guarding against improper information modification or destruction.

What is Availability?

Ensuring timely and reliable access to and use of information.

What is a Risk Assessment?

A process that determines what information resources exist that require protection.

What are Control Activities?

The policies, procedures, techniques, and mechanisms that help ensure management's response to reduce risks is carried out.

What are Information Assets?

Definable pieces of information in any form, recorded or stored on any media.

What is Access Control?

The process of controlling access to systems, networks, and information.

What is ISO?

A standard-setting body composed of representatives from various national standards organizations.

What is an Audit?

The process by which a subject area is independently reviewed and reported on.

What is an ISMS audit?

An audit centered on the organization's Information Security Management System.

What is BOOMERANG's core business?

It consists of outsourced voice and business process outsourcing (BPO) services.

What are the interfaces within the scope of the ISMS?

Core business processes, Boomerang employees and customers.

What is the purpose of the ISMS?

To align the ISMS to business strategy and comply with laws and regulations.

What is the potential impact of an Information Security Incident?

Loss of client confidence, revenue, and inability to meet obligations.

What internal factors create uncertainty for BOOMERANG?

Service provider relationships, significant organization changes.

What external factors create uncertainty for BOOMERANG?

Potential legislative changes and inherent environmental risks.

Who are the interested parties?

Suppliers, customers and employees.

Customer requirements entail Boomerang to do what?

To offer services that protect information confidentiality, integrity, and availability.

What are the legal and regulatory requirements?

The Act No. 4 of 2013; the GDPR of EU 2016/679.

What services does Boomerang provide?

Outsourced voice and business process outsourcing (BPO) services.

What forms part of the BOOMERANG Policy Framework?

The Information Security Manual, Policies and Procedures based on ISO/IEC 27001.

What is information security?

A dynamic field with frequent changes to the risks.

What can achieve improvement of the ISMS?

Internal and external audit, management reviews, control assessments, security reviews, etc.

What describes the handling of nonconformities?

The Internal Audit Procedure, Ref 9.2 Boomerang Quality Manual.

What has Management assigned the responsibility and authority for?

To conform to the requirements of ISO/IEC 27001 and report on performance.

What is the Chief Executive Officer responsible for?

Overseeing the information security program and communicating incidents to all stakeholders.

What is the outsourced team's responsibility?

Identifying the legal, regulatory and contractual compliance requirements and their analysis.

How can information security address risks?

By establishing the ISMS, preventing undesired effects and achieving continual improvement.

What is needed by Boomerang?

The introduction of industry-standard good practice processes.

What are the methods of Risk Identification?

Brainstorming workshops, self-assessments, and internal and external audits.

Identifying a Risk Owner

BOOMERANG shall attempt to identify the information security risks and also the IT asset owner.

Study Notes

  • BOOMERANG's Information Security Manual includes a table of contents that outlines the purpose, scope, references, context, leadership, planning and control, applicability, asset classification, awareness, and measurement processes.

Purpose of the ISMS Manual

  • Describes BOOMERANG's Information Security Management System (ISMS) based on ISO/IEC 27001:2013, including its scope, objectives, activities, needs, deliverables, processes, procedures, and policies.
  • The manual provides a framework for implementing, maintaining, and improving the ISMS.
  • Top management delegates ISMS management to the BOOMERANG ISMS Team while retaining oversight.
  • The ISMS complies with ISO/IEC 27001:2013 and other legal and regulatory requirements.

Purposes of ISMS

  • Understand organizational needs for information security.
  • Implement security measures to manage incidents.
  • Monitor ISMS performance.
  • Improve information security through measurement.

Scope and Boundary

  • The ISMS scope covers all BOOMERANG offices, information assets, and supporting technology.
  • Applicable to records, digital data, business operations, ICT infrastructure and services, including customer acquisition, customer retention, customer lifecycle, and membership programs.
  • Limited to BOOMERANG offices, excluding customer facilities.

References and Definitions

  • Relevant documents include the ISMS Policy, the ICT Policy, the Boomerang Privacy Policy and the ISO 9001 QMS.
  • Key standards such as ISO/IEC 27000, 27001, 27002, and 27005 are referenced.
  • Confidentiality: Preserving information access restrictions, including protecting privacy and proprietary information.
  • Integrity: Guarding against improper modification or destruction, ensuring non-repudiation and authenticity.
  • Availability: Ensuring timely and reliable access to information.
  • Risk Assessment: Determining the necessary protection of information resources and identifying potential risks.
  • Control Activities: Policies and procedures that reduce the risks found in the risk assessment.
  • Information Assets: Pieces of information in any recognized form or media, considered valuable to BOOMERANG.
  • Access Control: Managing access to systems, networks, and information based on business and security needs.
  • ISO: International Organization for Standardization, which develops standards.
  • Audit: Independent review and reporting on a subject area by competent auditors.
  • ISMS Audit: Reviews the organization's Information Security Management System.

Context of Organisation

  • BOOMERANG was established in 2005 in Cape Town and offers outsourced voice and Business Process Outsourcing (BPO) services to global clients.
  • The company complies with FSCA requirements and international best practices.
  • Core sectors are insurance, financial services, telecommunications, information technology, retailers, business services, membership, and leisure.
  • The mission involves exceeding client expectations for quality call centre and outsourcing services.
  • Its vision is customer-focused, specializing in customer acquisition and retention.
  • Core values include being target-driven, professional, respectful, and having integrity.

Organizational Structure

  • The CEO and Top Management Team oversee BOOMERANG's performance; the organogram details specific roles and responsibilities within the company.
  • Key roles highlighted: CEO, Business Development, HR, System Engineer, Finance Manager, Administration, Customer Services, and Operations, each overseen by specialist team leaders.

Organizational Objectives

  • The ISMS aims to help BOOMERANG meet its objectives, comply with policies, align the ISMS with business strategy and maintain it through ISO/IEC 27001 certification.
  • Objectives also cover employee awareness, authorized system access, regulatory compliance, and business continuity.
  • Potential impacts of security incidents: loss of reputation, revenue, inability to meet obligations, relationship damage, and lost opportunities.

Organizational Risk Management and Uncertainty

  • A risk management framework is used to identify and mitigate risks, protecting BOOMERANG's ability to maintain services and reputation.
  • Internal uncertainty arises from service provider relationships.
  • Significant organizational changes are a factor.
  • Customer satisfaction is important.
  • Assurance of information confidentiality, integrity, and availability is key.

External Uncertainty Factors

  • Potential legislative/regulatory changes such as POPI (Protection of Personal Information Act), GDPR (General Data Protection Regulation), and cybercrime bills.
  • Inherent environmental risks and potential litigation are further considerations for BOOMERANG.

Needs and Expectations of Interested Parties

  • The document outlines the relevant parties and the legal, regulatory and contractual requirements to which BOOMERANG adheres.
  • Interested parties include top management, suppliers, customers, employees, regulators and business functions.
  • Customers expect exceptional service and data protection; employees expect protection of information; ICT expects an ISMS framework.
  • Compliance with the Protection of Personal Information Act of 2013, the GDPR of EU 2016/679, the Electronic Communications and Transmission Act of 2002, the Draft Cybercrimes and Cybersecurity Bill of 2015 and the international standards ISO/IEC 27001 and ISO/IEC 27701 is vital for information security and for the business.

Contractual Requirements

  • By meeting these obligations (internal/external audits, purchasing agreements, support and maintenance Service Level Agreements, software licences, etc.), BOOMERANG ensures that its business objectives are met.

Determining the Scope of the ISMS

  • The core business is outsourced voice and BPO services supported by IT functions. The scope covers business functions such as finance and HR; processes such as telemarketing and IT processes; people; and technologies including websites and the Intranet, the help desk, enterprise applications, IT and IT security operations, the proprietary CRM system, voice recording, call campaign management, APIs and payment collection.

Information Security Management System (ISMS)

  • The Information Security Manual, together with policies and procedures based on the ISO/IEC 27001 standard, forms part of the framework.
  • Consideration has been given to internal/external factors, legal requirements, and contractual obligations.
  • A BOOMERANG ISMS Policy (ISMS-POL-01) and supporting processes, standards, and procedures are used.
  • Policies and procedures have been developed across all areas and are considered in security planning; they are listed in section 3.1 as References.
  • Information security is dynamic, so procedures exist to identify improvement opportunities through internal audits, management reviews, control assessments, etc.
  • A Plan-Do-Check-Act (PDCA) cycle supports ongoing improvement; refer to section 8.8.
  • Results of internal audits and management reviews are communicated to management and corrective actions are identified. The requirements, responsibilities and procedures for handling nonconformities are described in Ref 9.2 Boomerang Quality Manual, and the related activities according to ISO/IEC 27001 in Ref 9.3 Boomerang Quality Manual.

Documented Information

  • All BOOMERANG ISMS information is documented according to the ISO/IEC 27001 standard and managed by the ISMS Team using guidance from BOOMERANG Quality Manual clause 7.5.

Leadership

  • Top Management provides the organizational structure and responsibilities that demonstrate leadership, and promotes the process approach and risk-based thinking.
  • The team improves the ISMS by evaluating the Information Security policy and objectives to demonstrate effectiveness and maintain alignment.
  • Management ensures that responsibilities and authorities for information security are assigned, communicates the structure (organogram and RACI chart) and assigns responsibility for conformance to ISO/IEC 27001 and for reporting performance to top management.

Roles and Responsibilities of Stakeholders:

  • The Chief Executive Officer oversees and champions the program and communicates information security incidents.
  • The Operations Manager coordinates activities, and the outsourced IT management implements requirements and management solutions.
  • ICT manages services; HR implements security controls, as do the Operations Manager and the administration.

Planning and Control:

  • BOOMERANG considers information security, internal factors and legal requirements when planning actions to address risks and opportunities.
  • These actions are integrated into the ISMS processes and evaluated for effectiveness, in order to prevent or reduce undesired effects.

BOOMERANG's approach to risk is contained in its Risk Management framework, which is used to assess risks and control objectives.

Information Security Risk Assessment:

  • Managing risk has always been a priority, but applying the ISMS standard brings the further gain of becoming proactive.
  • Adopting the ISO/IEC 27000 series aligns BOOMERANG with the ISO standard and addresses risks that affect objectives, safeguarding of the business, compliance and resources.

This section addresses the parts of the ISO/IEC standard that cover Risk Assessment and Risk Treatment.

  • Identification methods include brainstorming workshops and questionnaires.
  • Steps include the asset and risk inventory, the asset register, identification of threats (e.g. malicious activities) and capitalisation.
  • Identified risks are classified and assessed through the risk management system (ISMS) and projects.

Risk Analysis:

  • A numerical classification of likelihood and impact is used to determine the treatment of threats.
  • A 5-point scale gives priorities of High, Medium and Low.

Risk Acceptance Criteria

  • A matrix chart classifies risk: green is acceptable, yellow is medium and the red areas are high and must be contained from increasing.

Risk Assessment Report

  • The risk analysis shows asset threats, vulnerabilities, implemented controls and accepted risk scores.
  • It should be signed off by a manager.
  • Impact is determined and categorised as High, Medium or Low.
  • Relevant remedial actions are selected, applied and evaluated (mitigate, accept or ignore), with treatment recorded against what has been implemented.

Risk Treatment Plan

  • Treatment is based on knowledge of the surrounding context, such as the business, regulations and issues.
  • Risk may range from Low through Medium to High.
  • The plan identifies the steps to be actioned to mitigate risk to an acceptable level.

The acceptance decision depends on the level of risk.

  • If the level is high, the decision takes the cost of the damage into account.

Information Security Risk Treatment Options

  • Accept (Low): the risk is recognised passively; the focus is on allowing it to happen while reducing its effects.
  • Avoid (Low-Med): avoid the possibility of the risk, which requires changes.
  • Transfer (Med): move the risk to a specialist contractor.
  • Reduce or Control (High): action that reduces the risk as part of the cycle.

Statement of Applicability

  • Security controls are documented in the statement, with changes authorised as the ISMS is implemented.
  • The action plan applied follows the ISO standards.

Management Approval:

  • Management is kept informed of implementation progress and gives approval by signature.
  • The success of controls is monitored and a performance indicator report is produced.

Risk items are regularly updated and maintained through management.

  • The process includes an annual review and IT reviews to keep it up to date.

Roles and Responsibility

  • The team works through the risk process; responsibilities are shown on the RACI diagram.

The chart highlights the team model with roles:

    1. Responsible
    2. Accountable
    3. Consulted
    4. Informed

Risk Management Process Diagram

  • Each step is highlighted, starting with risk identification in asset analysis.
  • Actions are required on all issues to ensure that the ISMS achieves its intended outcome and that controls are applied proactively.
  • The aim is to achieve and improve risk management.

Information Security Objectives Framework

  • Business success includes the policy objectives, for example integrity and availability.
    • Resources to operate and maintain are judged against the defined goal.
    • Responsibility for operation is supported to meet the goal, with monitoring and deployment.

Conclusions

  • Risk assessment and treatment are fundamental to reaching the ISO/IEC standard.
  • Used well, they control activities.

The Statement of Applicability defines which Annex A controls to implement and their objectives.

  • It applies to employees and users alike, who implement the controls in the same way.

It then references the documentation and implementation, with a timeline to reach improvement.

Maintenance:

  • Updated when improvements are documented, on recurring reviews, and when effectiveness is achieved.

All of this is part of the justification for what is identified in the vulnerability assessment.

  • It ensures that all data is secured and fulfils the industry mandate.

It is also part of what contracts require.

Best practice mandates assessing risk to determine what is needed.

    • Information asset classification protects against unauthorised access.
    • It sets the standard.

This section of the document sets out that all associates share responsibility.

    • Managers should assign classification and embed guidance on the security measures to be followed.

The scope covers three classes of information:

    • Public: available to everyone, with no implications for the brand.
    • Proprietary: access is approved and protected for all people working at BOOMERANG.

Confidential: all information that requires authentication.

  • Secure file storage for every access.

Information Security Awareness

  • To inform and motivate all staff about their obligations.
  • With policies and training regarding information systems and practice.

All employees are responsible for maintaining the same level of ethics.

  • Training consists of what staff need to know about security to avoid danger, with steps set by managers.

To comply, staff must be aware and provide security where appropriate.

  • Compliance measures include checks and reviews of uptake and support.

It must be confirmed that all staff have been supported in knowing their roles and availability.

  • The person in charge has the authority to carry out the actions that must be followed.

Every staff member is responsible for following laws and policy.

    • Internal feedback and authority: contact the Operations Manager.

Monitoring and Measurement

  • Analysis uses resources and tools with planning.
    • It applies to ICT services and artefacts.
    • See sections 9 and 10.

Security should improve in line with the business strategy.

  • Controls are implemented with people and against the standard.
  • The set standard is the measure to achieve.

Controls can be analysed:

  • With tools and processes to see whether they are effective and to improve actions.
  • The process maintains action.

Any nonconformities found lead to changes, all following the risk process.
