Information Security Management PDF
This document provides an overview of information security, management, and threats. It covers concepts of confidentiality, integrity, and availability. It includes a discussion about information security management principles, practices and threats.
What is Information? Information is data that has been processed into a meaningful form, such as reports, documents, or databases, which is valuable to an organization and its stakeholders.

What is Security? The protection of information assets from threats and vulnerabilities. It involves implementing measures to safeguard the confidentiality, integrity, and availability of information.

What is Management? Management is the process of planning, organizing, leading, and controlling resources to achieve organizational goals. In Information Security Management, this involves overseeing the protection of information assets and ensuring compliance with security policies and standards.

What is Information Security Management (ISM)? Information Security Management (ISM) is the practice of managing and protecting information assets to ensure their confidentiality, integrity, and availability. It includes the development and implementation of policies, procedures, and controls to safeguard information from threats and vulnerabilities.

Information Security Principles: CIA
Confidentiality: Ensuring that information is only accessible to authorized individuals.
Integrity: Ensuring that information is accurate and unaltered, and that any unauthorized change can be detected.
Availability: Ensuring that information is accessible when needed by authorized users.

Information Security Threats
Malware: Malicious software designed to harm or exploit systems.
Phishing: Fraudulent attempts to obtain sensitive information by posing as a trustworthy entity.
Insider Threats: Risks posed by individuals within an organization, such as employees or contractors.
Physical Threats: Damage or theft of physical devices containing sensitive information.
Cyber Attacks: Unauthorized access to, or attacks on, computer systems and networks.

The 6 Ps of ISM
Policy: Establishing guidelines and rules for information security.
People: Ensuring that employees and stakeholders are aware of and adhere to security policies.
Process: Implementing procedures and workflows to manage information security.
Protection: Applying technical and administrative controls to safeguard information.
Privacy: Ensuring that personal and sensitive information is protected.
Performance: Monitoring and evaluating the effectiveness of information security measures.

Information Security Program Framework (ISO/IEC 27004:2016 and NIST SP 800-55)

ISO/IEC 27004:2016 is a standard that provides guidelines for measuring the performance of an Information Security Management System (ISMS):
Performance Measurement: Establishing metrics and indicators to evaluate the performance of the ISMS.
Monitoring and Review: Regularly monitoring and reviewing the performance of security controls to ensure they are effective.
Continuous Improvement: Using the results of performance measurements to make continuous improvements to the ISMS.

NIST SP 800-55 (Performance Measurement Guide for Information Security) is a publication from the National Institute of Standards and Technology (NIST) that provides guidance on developing, selecting, and using measures to judge how well an information security program and its controls are performing; it is written around the controls catalogued in NIST SP 800-53. Its main elements include:
Measure Types: Implementation measures (is the control in place?), effectiveness and efficiency measures (does the control work, and at what cost?), and impact measures (what effect does the program have on the organization's mission?).
Measure Development: Identifying stakeholders and the program's goals, then defining each measure with a documented target, formula, data source, collection frequency, and responsible party.
Measure Implementation: Collecting the data, analysing the results, reporting them to management, and using them to identify and apply corrective actions.
Continuous Monitoring: Repeating the cycle so that measures are refreshed as the program matures and as controls and threats change.

Both documents emphasize the importance of continuous improvement and regular monitoring to ensure that information security measures remain effective over time.

What are KPIs and Security Metrics? How important are these?
Key Performance Indicators (KPIs): These are measurable values that demonstrate how effectively an organization is achieving its key business objectives. Security KPIs include the number of security incidents, the time to detect and respond to incidents, and the effectiveness of security controls (for example, the share of systems patched within the agreed window).
Security Metrics: These are specific measurements used to assess the performance and effectiveness of an organization's security measures. They help organizations track progress, identify trends, and make informed decisions about security improvements.
KPIs and security metrics are crucial because they provide a way to quantify and evaluate the success of an organization's information security efforts. They help identify areas that need improvement, justify investments in security measures, and demonstrate compliance with regulatory requirements. A usable metric has a defined formula, data source, target and reporting frequency; without those it cannot be compared from one period to the next.

Industry standards for assessment and control: ISO/IEC 27001, NIST SP 800-53, PCI DSS, HIPAA, PDPA, COBIT

ISO/IEC 27001 is an international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving an ISMS. The standard helps organizations manage the security of assets such as financial information, intellectual property, employee details, and information entrusted by third parties.

NIST Special Publication 800-53 (SP 800-53) is a comprehensive catalogue of security and privacy controls for federal information systems and organizations. It provides guidelines to help organizations protect their information systems against a wide range of threats. The latest revision, SP 800-53 Rev. 5, includes updates to address emerging threats and technologies.

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to ensure that all companies that handle payment card information maintain a secure environment. It was created by the major payment card brands to reduce card fraud and protect cardholder data.

HIPAA (Health Insurance Portability and Accountability Act) is a United States law that sets the standard for protecting sensitive patient data. It requires healthcare providers, health plans, and healthcare clearinghouses to implement security measures to protect patient information and ensure its confidentiality, integrity, and availability.

PDPA (Personal Data Protection Act) is a data protection law in Singapore that governs the collection, use, and disclosure of personal data by organizations. It aims to protect individuals' personal data and ensure that organizations handle personal data responsibly.

COBIT (Control Objectives for Information and Related Technologies) is a framework for managing and governing enterprise IT. It provides a comprehensive set of guidelines and best practices for IT management and governance, helping organizations ensure that their IT resources are aligned with their business goals.
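To make the time-to-detect and time-to-respond KPIs mentioned above concrete, here is an added example (not from the original document) that computes mean time to detect (MTTD), mean time to respond (MTTR) and the share of incidents contained within a per-severity target from an incident register. The incident records, severity names and containment targets are constructed for illustration. The check worth copying is the timestamp-order validation: a register containing rows where containment precedes detection silently skews every average built on it.

```python
"""Security KPIs (time to detect, time to respond, SLA adherence) computed
over constructed incident records. Added example; no real data."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str        # "high", "medium" or "low"
    occurred: datetime   # when the malicious activity began (from the investigation)
    detected: datetime   # when the SOC raised the alert or ticket
    contained: datetime  # when the incident was contained

    def __post_init__(self) -> None:
        # Data-quality check: a metric built on out-of-order timestamps is meaningless.
        if not (self.occurred <= self.detected <= self.contained):
            raise ValueError(f"{self.incident_id}: timestamps are out of order")


# Constructed sample incident register (not from any real organisation).
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-1", "high",   parse_ts("2024-03-01 08:00"), parse_ts("2024-03-01 10:00"), parse_ts("2024-03-01 16:00")),
    Incident("INC-2", "medium", parse_ts("2024-03-03 09:00"), parse_ts("2024-03-04 09:00"), parse_ts("2024-03-05 09:00")),
    Incident("INC-3", "high",   parse_ts("2024-03-10 00:00"), parse_ts("2024-03-10 01:00"), parse_ts("2024-03-12 01:00")),
    Incident("INC-4", "low",    parse_ts("2024-03-20 12:00"), parse_ts("2024-03-20 12:30"), parse_ts("2024-03-20 14:30")),
]

# Containment target per severity, in hours after detection. Constructed policy values.
CONTAINMENT_SLA_HOURS: Dict[str, float] = {"high": 24.0, "medium": 72.0, "low": 168.0}


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def time_to_detect(inc: Incident) -> float:
    return hours(inc.occurred, inc.detected)


def time_to_respond(inc: Incident) -> float:
    return hours(inc.detected, inc.contained)


def compute_kpis(incidents: List[Incident],
                 sla: Dict[str, float] = CONTAINMENT_SLA_HOURS) -> dict:
    """Return MTTD, MTTR and SLA adherence, overall and per severity, in hours."""
    if not incidents:
        raise ValueError("no incidents in the reporting period")
    # Unknown severities have no target, so they never count as an SLA breach.
    met = [time_to_respond(i) <= sla.get(i.severity, float("inf")) for i in incidents]
    by_severity = {}
    for sev in sorted({i.severity for i in incidents}):
        subset = [i for i in incidents if i.severity == sev]
        by_severity[sev] = {
            "count": len(subset),
            "mttd_hours": mean([time_to_detect(i) for i in subset]),
            "mttr_hours": mean([time_to_respond(i) for i in subset]),
        }
    return {
        "incident_count": len(incidents),
        "mttd_hours": mean([time_to_detect(i) for i in incidents]),   # mean time to detect
        "mttr_hours": mean([time_to_respond(i) for i in incidents]),  # mean time to contain
        "sla_met_ratio": sum(met) / len(met),
        "by_severity": by_severity,
    }


if __name__ == "__main__":
    report = compute_kpis(SAMPLE_INCIDENTS)
    print(f"incidents={report['incident_count']} MTTD={report['mttd_hours']:.2f}h "
          f"MTTR={report['mttr_hours']:.2f}h SLA met={report['sla_met_ratio']:.0%}")
    for sev, row in report["by_severity"].items():
        print(f"  {sev:6} n={row['count']} MTTD={row['mttd_hours']:.2f}h MTTR={row['mttr_hours']:.2f}h")
```

On the constructed data the per-severity breakdown is the informative part: the overall MTTR of 20 hours hides that one of the two high-severity incidents took 48 hours to contain and missed its 24-hour target, which is exactly the kind of trend a KPI is meant to surface.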
CMMI vs COBIT

Focus. CMMI: process improvement in software and service development. COBIT: IT governance and management.
Maturity levels. CMMI: five levels: Initial, Managed, Defined, Quantitatively Managed, Optimizing. COBIT: maturity levels related to IT governance.
Domains. CMMI: Product and Service Development, Service Establishment and Management, Product and Service Acquisition. COBIT: Control Objectives, Maturity Models, Process Descriptions, Management Guidelines.
Advantages. CMMI: improves processes, reduces risks, increases efficiency. COBIT: comprehensive IT governance framework, helps comply with regulations.
Disadvantages. CMMI: can be complex to implement, requires significant resources. COBIT: may lack specific cybersecurity components, resource-intensive.
Application. CMMI: suitable for organizations looking to improve software development processes. COBIT: ideal for organizations aiming to enhance IT governance and management practices.

CMMI is best for process improvement in software and service development, while COBIT is ideal for IT governance and management. The two frameworks can complement each other, depending on an organization's specific needs and goals.

GISAM (Global Information Security Assessment Methodology)

1. Introduction: Establishing the assessment's purpose and scope aligns with the business process of initiating and planning. It ensures that all stakeholders understand the goals and expectations, setting the stage for a successful assessment.
2. Network Architecture Review: This activity corresponds to the business process of analysing and designing. By reviewing the network architecture, the assessment team can identify potential risks and ensure that the network design supports the organization's business objectives.
3. Tour of Data Centre and Facilities: This aligns with the business process of monitoring and controlling. Observing physical security controls and facilities helps ensure that the organization's infrastructure is secure and capable of supporting business operations.
4. Control Review: This activity is part of the business process of implementing and maintaining. Reviewing information security controls ensures that they are properly implemented and maintained to protect the organization's assets and support business continuity.
5. Control Validation: This corresponds to the business process of evaluating and improving. By validating the effectiveness of security controls (testing that they work, not only that they are documented), the assessment team can identify areas for improvement and ensure that the organization's security measures are robust and effective.

What is an Information Security Baseline and why is it needed in setting up Information Security Standard compliance?

An Information Security Baseline is the set of minimum security controls required to safeguard an IT system, chosen according to the system's needs for confidentiality, integrity, and availability. It serves as a benchmark for evaluating the security posture of an organization's systems and processes.

Importance of an Information Security Baseline for standard compliance:
1. Consistency: Establishing a baseline ensures that all systems and processes adhere to a consistent set of security standards, making it easier to manage and monitor security across the organization.
2. Benchmarking: It provides a reference point for measuring the effectiveness of security controls and identifying areas that need improvement.
3. Compliance: Meeting industry standards and regulatory requirements often requires a defined baseline to show that all necessary security controls are in place.
4. Risk Management: A baseline helps in identifying and mitigating potential security risks by ensuring that fundamental security measures are implemented.
5. Efficiency: By having a baseline, organizations can streamline their security efforts, focusing on maintaining and improving the established controls rather than starting from scratch each time.

Clauses vs Controls in ISO/IEC 27001

Definition. Clauses: high-level requirements outlining the framework and structure of the ISMS. Controls: specific measures or actions implemented to manage and mitigate risks.
Purpose. Clauses: provide high-level requirements and structural guidance for the ISMS. Controls: offer detailed, actionable measures to address specific information security risks and requirements.
Location. Clauses: found in the main body of standards like ISO 27001. Controls: detailed in Annex A of ISO 27001.
Examples. Clauses: scope, leadership, planning, support, operation, performance evaluation. Controls: information security policies, access control, cryptography, physical security.
Scope. Clauses: apply to the entire ISMS and its processes. Controls: specific to areas or processes within the ISMS.
Implementation. Clauses: provide the foundation and guidelines for implementation. Controls: represent the actual implementation of the guidelines provided by the clauses.
Documentation. Clauses: documented in the main body of the ISMS documentation. Controls: documented in detailed security policies, procedures, and records.

The distinction matters for certification: clauses 4 to 10 of ISO/IEC 27001 are mandatory, whereas Annex A controls are selected on the basis of the risk assessment, and each inclusion or exclusion is justified in the Statement of Applicability. ISO/IEC 27001:2022 Annex A groups its 93 controls into four themes: organizational (A.5, 37 controls), people (A.6, 8 controls), physical (A.7, 14 controls) and technological (A.8, 34 controls).

Organizational Controls (ISO/IEC 27001:2022 Annex A.5, controls A.5.1 to A.5.37)

A.5.1 Information Security Policies: Define and approve information security policies, communicate them, and review and update them at planned intervals and when significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness.
A.5.2 Information Security Roles and Responsibilities: Define and assign information security roles and responsibilities to ensure that all personnel are aware of their duties and responsibilities in maintaining information security.
A.5.3 Segregation of Duties: Separate duties to prevent conflicts of interest and reduce the risk of fraud or error by ensuring that no single individual has control over all aspects of any critical process.
A.5.4 Management Responsibilities: Ensure that management takes responsibility for the information security policy and its implementation, including providing the necessary resources and support.
A.5.5 Contact with Authorities: Establish and maintain contact with relevant authorities to ensure compliance with legal and regulatory requirements and to respond to incidents effectively.
A.5.6 Contact with Special Interest Groups: Engage with special interest groups to stay informed about emerging threats, trends, and best practices in information security.
A.5.7 Threat Intelligence: Collect and analyze threat intelligence to identify potential threats and vulnerabilities and to inform the organization's security measures.
A.5.8 Information Security in Project Management: Integrate information security into project management processes to ensure that security is considered throughout the lifecycle of projects.
A.5.9 Inventory of Information and Other Associated Assets: Maintain an inventory of information and other associated assets, with an owner for each, to ensure that they are properly managed and protected.
A.5.10 Acceptable Use of Information and Other Associated Assets: Define and communicate acceptable use policies for information and associated assets to ensure that they are used appropriately and securely.
A.5.11 Return of Assets: Ensure that personnel and other interested parties return the organization's assets in their possession when their employment, contract or agreement ends or changes.
A.5.12 Classification of Information: Classify information based on its sensitivity and criticality to ensure that it is appropriately protected.
A.5.13 Labelling of Information: Label information according to its classification to ensure that it is handled correctly and securely.
A.5.14 Information Transfer: Ensure the secure transfer of information within and between organizations to prevent unauthorized access or disclosure.
A.5.15 Access Control: Limit access to information and information processing facilities to authorized users, processes, or devices to prevent unauthorized access.
A.5.16 Identity Management: Manage identities and their full lifecycle to ensure that only authorized individuals can access information and systems.
A.5.17 Authentication Information: Ensure the secure management of authentication information (passwords, keys, tokens) used to verify the identity of users accessing information and systems.
A.5.18 Access Rights: Provision, review, and remove access rights so that users have the appropriate level of access to information and systems based on their roles and responsibilities.
A.5.19 Information Security in Supplier Relationships: Manage information security risks associated with suppliers to ensure that third-party services do not compromise security.
A.5.20 Addressing Information Security within Supplier Agreements: Address information security requirements within supplier agreements to ensure that suppliers adhere to the organization's security standards.
A.5.21 Managing Information Security in the ICT Supply Chain: Ensure the security of the ICT supply chain to protect information and systems from supply chain-related risks.
A.5.22 Monitoring, Review and Change Management of Supplier Services: Monitor, review, and manage changes to supplier services to ensure ongoing compliance with information security requirements.
A.5.23 Information Security for Use of Cloud Services: Ensure the security of information when using cloud services to protect data stored and processed in the cloud.
A.5.24 Information Security Incident Management Planning and Preparation: Establish and maintain plans to detect, report, and respond to information security incidents to minimize their impact.
A.5.25 Assessment and Decision on Information Security Events: Assess information security events and decide whether they are to be classified as incidents, to determine appropriate actions and responses.
A.5.26 Response to Information Security Incidents: Respond to information security incidents to mitigate their impact and restore normal operations.
A.5.27 Learning from Information Security Incidents: Learn from information security incidents to improve future incident response and prevent recurrence.
A.5.28 Collection of Evidence: Collect and preserve evidence related to information security incidents to support investigations and legal actions.
A.5.29 Information Security During Disruption: Ensure the security of information during disruptions to maintain business continuity.
A.5.30 ICT Readiness for Business Continuity: Ensure that ICT systems and services are ready to support business continuity in the event of disruptions.
A.5.31 Legal, Statutory, Regulatory and Contractual Requirements: Identify and understand legal, statutory, regulatory, and contractual requirements to ensure compliance and avoid legal issues.
A.5.32 Intellectual Property Rights: Protect intellectual property rights to ensure that the organization's proprietary information and assets are safeguarded.
A.5.33 Protection of Records: Ensure the protection of records to maintain their integrity, confidentiality, and availability.
A.5.34 Privacy and Protection of PII: Protect personal information to comply with privacy laws and safeguard individuals' data.
A.5.35 Independent Review of Information Security: Conduct independent reviews of information security to ensure that controls are effective and compliant with standards.
A.5.36 Compliance with Policies, Rules and Standards for Information Security: Ensure compliance with internal policies and external standards for information security to maintain a robust security posture.
A.5.37 Documented Operating Procedures: Document operating procedures for information processing facilities and make them available to personnel who need them to ensure consistent and secure operations.
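A.5.3, A.5.15 and A.5.18 above are most often operated together as a periodic access review. The following is an added example (not from the original document) of such a review in Python: it compares what each account actually holds against what its role needs (least privilege), flags entitlement pairs that one person must never hold together (segregation of duties), flags roles whose own definition breaks segregation of duties, and flags dormant accounts. Role names, entitlement strings, the conflict pairs and the account snapshot are all constructed for illustration.

```python
"""Periodic access review: least-privilege drift, segregation-of-duties
conflicts and dormant accounts. Added example; all data is constructed."""
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (finding type, detail)

# What each role legitimately needs: the least-privilege baseline. Constructed.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "registrar": {"sis:records:read", "sis:records:write"},
    "finance_clerk": {"erp:payments:create"},
    "finance_approver": {"erp:payments:approve"},
    "finance_manager": {"erp:payments:create", "erp:payments:approve"},  # badly designed role
    "it_admin": {"sis:admin", "erp:admin"},
    "student": {"sis:self:read"},
}

# Entitlement pairs that must never be held by one person (A.5.3). Constructed.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("erp:payments:create", "erp:payments:approve"),
    ("sis:records:write", "sis:audit:purge"),
]

# Snapshot as exported from the IAM system. Constructed.
ACCOUNTS: List[dict] = [
    {"user": "alice", "role": "registrar",
     "entitlements": {"sis:records:read", "sis:records:write"}, "last_login_days": 3},
    {"user": "bob", "role": "finance_clerk",
     "entitlements": {"erp:payments:create", "erp:payments:approve"}, "last_login_days": 1},
    {"user": "carol", "role": "student",  # former registrar; write access was never revoked
     "entitlements": {"sis:self:read", "sis:records:write"}, "last_login_days": 10},
    {"user": "dave", "role": "it_admin",
     "entitlements": {"sis:admin", "erp:admin"}, "last_login_days": 120},
]

DORMANT_AFTER_DAYS = 90


def conflicting_roles(role_entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
                      sod: List[Tuple[str, str]] = SOD_CONFLICTS) -> List[str]:
    """Roles whose own definition violates SoD. Fixing these is a role-design
    change, not a per-user revocation."""
    return sorted(role for role, ents in role_entitlements.items()
                  if any(a in ents and b in ents for a, b in sod))


def review_account(acct: dict,
                   role_entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
                   sod: List[Tuple[str, str]] = SOD_CONFLICTS,
                   dormant_after: int = DORMANT_AFTER_DAYS) -> List[Finding]:
    """All findings for one account, in a fixed order: excess, SoD, dormancy."""
    findings: List[Finding] = []
    held: Set[str] = acct["entitlements"]
    expected = role_entitlements.get(acct["role"])
    if expected is None:
        findings.append(("unknown_role", acct["role"]))
    else:
        # Anything beyond the role's baseline is least-privilege drift (A.5.15 / A.5.18),
        # typically left over from a previous role.
        for ent in sorted(held - expected):
            findings.append(("excess_entitlement", ent))
    for a, b in sod:
        if a in held and b in held:
            findings.append(("sod_conflict", f"{a}+{b}"))
    if acct["last_login_days"] > dormant_after:
        findings.append(("dormant", str(acct["last_login_days"])))
    return findings


def review_all(accounts: List[dict] = ACCOUNTS) -> Dict[str, List[Finding]]:
    """Only the accounts that have at least one finding, keyed by user."""
    report: Dict[str, List[Finding]] = {}
    for acct in accounts:
        findings = review_account(acct)
        if findings:
            report[acct["user"]] = findings
    return report


def revocations(accounts: List[dict] = ACCOUNTS) -> Set[Tuple[str, str]]:
    """(user, entitlement) pairs to remove. Excess entitlements are removed
    outright; SoD conflicts inside a role and dormant accounts need a decision."""
    return {(acct["user"], detail)
            for acct in accounts
            for kind, detail in review_account(acct)
            if kind == "excess_entitlement"}


if __name__ == "__main__":
    for user, findings in review_all().items():
        for kind, detail in findings:
            print(f"{user:8} {kind:18} {detail}")
    print("roles violating SoD by design:", conflicting_roles())
    print("revoke:", sorted(revocations()))
```

Two points of design. The review is driven by the role baseline rather than by a list of known-bad users, so a role change that leaves old access behind (carol) is caught without anyone having to remember it; and SoD is checked both on accounts and on role definitions, because an account that inherits a conflicting pair from its role is a role-design defect that revoking one user will not fix.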
People Controls (ISO/IEC 27001:2022 Annex A.6, controls A.6.1 to A.6.8)

Purpose: To ensure that an organization addresses information security risks related to its workforce. This includes implementing measures to manage the security of employees, contractors, and other third parties throughout their lifecycle, from recruitment to termination.
Key elements: Awareness training, roles and responsibilities, managing access, onboarding and offboarding, and third-party security.

A.6.1 Screening: Conduct screening of employees, contractors, and third-party users to ensure they do not pose a security risk to the organization.
A.6.2 Terms and Conditions of Employment: Define and communicate the terms and conditions of employment to ensure that employees understand their responsibilities and obligations regarding information security.
A.6.3 Information Security Awareness, Education and Training: Provide information security awareness education and training to employees to ensure they understand the importance of information security and how to protect information assets.
A.6.4 Disciplinary Process: Establish and implement a disciplinary process to address violations of information security policies and procedures.
A.6.5 Responsibilities After Termination or Change of Employment: Define responsibilities and procedures for handling information security when an employee's employment is terminated or changed.
A.6.6 Confidentiality or Non-Disclosure Agreements: Use confidentiality or non-disclosure agreements to ensure that employees and third parties understand and commit to protecting sensitive information.
A.6.7 Remote Working: Establish policies and procedures for remote working to ensure that information security is maintained when employees work outside the organization's premises.
A.6.8 Information Security Event Reporting: Implement a process for reporting information security events to ensure that incidents are detected, reported, and responded to promptly.
Physical Controls (ISO/IEC 27001:2022 Annex A.7, controls A.7.1 to A.7.14)

A.7.1 Physical Security Perimeters: Establish physical security perimeters to protect the organization's premises and assets from unauthorized access.
A.7.2 Physical Entry: Control physical entry to the organization's premises to prevent unauthorized access.
A.7.3 Securing Offices, Rooms and Facilities: Secure offices, rooms, and facilities to protect sensitive information and assets.
A.7.4 Physical Security Monitoring: Monitor physical security measures to detect and respond to security breaches.
A.7.5 Protecting Against Physical and Environmental Threats: Protect against physical and environmental threats to ensure the continuity of operations.
A.7.6 Working in Secure Areas: Ensure that only authorized personnel work in secure areas to prevent unauthorized access to sensitive information.
A.7.7 Clear Desk and Clear Screen: Implement clear desk and clear screen policies to protect sensitive information from unauthorized access.
A.7.8 Equipment Siting and Protection: Ensure that equipment is sited and protected to prevent unauthorized access and damage.
A.7.9 Security of Assets Off-Premises: Protect assets when they are off premises to ensure their security during transport and storage.
A.7.10 Storage Media: Manage storage media to ensure that sensitive information is securely stored and protected.
A.7.11 Supporting Utilities: Ensure the security of supporting utilities to prevent disruptions to operations.
A.7.12 Cabling Security: Protect cabling to prevent unauthorized access and damage.
A.7.13 Equipment Maintenance: Maintain equipment to ensure its security and reliability.
A.7.14 Secure Disposal or Re-Use of Equipment: Ensure the secure disposal or re-use of equipment to prevent unauthorized access to sensitive information.

Technological Controls (ISO/IEC 27001:2022 Annex A.8, controls A.8.1 to A.8.34)

A.8.1 User Endpoint Devices: Ensure that user endpoint devices are secure to prevent unauthorized access and protect information.
A.8.2 Privileged Access Rights: Control and monitor privileged access rights to ensure that only authorized personnel have access to critical systems and data.
A.8.3 Information Access Restriction: Restrict access to information based on user roles and responsibilities to ensure that sensitive information is only accessible to authorized individuals.
A.8.4 Access to Source Code: Control access to source code to prevent unauthorized modifications and protect intellectual property.
A.8.5 Secure Authentication: Implement secure authentication mechanisms to verify the identity of users accessing systems and data.
A.8.6 Capacity Management: Monitor and adjust the use of resources in line with current and expected capacity requirements so that systems remain available.
A.8.7 Protection Against Malware: Implement measures to protect against malware to prevent unauthorized access and damage to systems and data.
A.8.8 Management of Technical Vulnerabilities: Identify and manage technical vulnerabilities to reduce the risk of security breaches.
A.8.9 Configuration Management: Manage system configurations to ensure that they are secure and compliant with policies and standards.
A.8.10 Information Deletion: Ensure that information is securely deleted when it is no longer needed to prevent unauthorized access.
A.8.11 Data Masking: Use data masking techniques to protect sensitive information from unauthorized access.
A.8.12 Data Leakage Prevention: Implement measures to prevent data leakage and protect sensitive information.
A.8.13 Information Backup: Ensure that information is backed up regularly, and that restores are tested, to prevent data loss in the event of a system failure or disaster.
A.8.14 Redundancy of Information Processing Facilities: Implement redundancy in information processing facilities to ensure business continuity in the event of a failure.
A.8.15 Logging: Maintain logs of system activities to monitor and investigate security incidents.
A.8.16 Monitoring Activities: Monitor system activities to detect and respond to security incidents promptly.
A.8.17 Clock Synchronization: Ensure that system clocks are synchronized to maintain accurate time stamps for security logs and transactions; without this, events from different systems cannot be reliably ordered during an investigation.
A.8.18 Use of Privileged Utility Programs: Control the use of privileged utility programs to prevent unauthorized access and changes to systems.
A.8.19 Installation of Software on Operational Systems: Ensure that software installation on operational systems is done securely to prevent vulnerabilities.
A.8.20 Networks Security: Implement network security measures to protect against unauthorized access and attacks.
A.8.21 Security of Network Services: Ensure the security of network services to prevent unauthorized access and disruptions.
A.8.22 Segregation of Networks: Segregate networks to prevent unauthorized access and limit the spread of security breaches.
A.8.23 Web Filtering: Implement web filtering to prevent access to malicious websites and protect against web-based threats.
A.8.24 Use of Cryptography: Use cryptography to protect sensitive information during storage and transmission.
A.8.25 Secure Development Life Cycle: Implement a secure development life cycle to ensure that security is integrated into the development process.
A.8.26 Application Security Requirements: Define and enforce application security requirements to protect applications from vulnerabilities.
A.8.27 Secure System Architecture and Engineering Principles: Apply secure systems architecture and engineering principles to design and build secure systems.
A.8.28 Secure Coding: Ensure that coding practices are secure to prevent vulnerabilities in software.
A.8.29 Security Testing in Development and Acceptance: Conduct security testing during development and acceptance to identify and fix vulnerabilities.
A.8.30 Outsourced Development: Manage outsourced development to ensure that security requirements are met.
A.8.31 Separation of Development, Test and Production Environments: Separate development, test, and production environments to prevent unauthorized access and changes.
A.8.32 Change Management: Implement change management processes to ensure that changes to systems are made securely.
A.8.33 Test Information: Protect test information to prevent unauthorized access and ensure the integrity of test results.
A.8.34 Protection of Information Systems During Audit Testing: Protect information systems during audit testing to ensure that security is maintained.

Worked example: implementing ISO/IEC 27001 for a student registration system

1. Define your scope. The scope may include:
   o The student registration web or desktop application.
   o Databases storing personal information (e.g., name, ID, address, grades).
   o Communication between students and the institution (e.g., emails, portals).
   o Devices and systems used by administrative staff for registration.

2. Identify your risks. Common risks in a student registration system include:
   o Unauthorized access to student data.
   o Data breaches or leaks.
   o System unavailability during peak registration periods.
   o Alteration of student records.
   o Lack of data backup.

3. Choose the controls from Annex A.
   A.5 Organizational Controls
   A.5.1 Information Security Policies: Develop and enforce a security policy for student data management.
   A.5.2 Roles and Responsibilities: Define and document roles (e.g., IT admin, student registrar) and their responsibilities.
   A.6 People Controls
   A.6.1 Screening: Conduct background checks on staff with access to sensitive student data.
   A.6.3 Awareness, Education, and Training: Train staff on information security best practices, such as recognizing phishing emails.
   A.7 Physical Controls
   A.7.2 Physical Entry: Control physical entry to the organization's premises to prevent unauthorized access.
   A.7.6 Working in Secure Areas: Ensure that only authorized personnel work in secure areas to prevent unauthorized access to sensitive information.
   A.8 Technological Controls
   A.8.5 Secure Authentication: Implement multi-factor authentication for system login by students and staff.
   A.8.12 Data Leakage Prevention (DLP): Monitor and restrict transfer of sensitive student data outside the system.

4. Record the list of controls in the Statement of Applicability (SoA). Create a document listing the controls you have selected, their justification, and implementation status. Example for the student registration system:
   o Control: A.8.5 Secure Authentication
     ▪ Justification: Prevent unauthorized access to student records.
     ▪ Status: Implemented using MFA.

5. Implement and evidence the controls. Evidence examples:
   o Access logs showing use of MFA.
   o Training records for staff awareness.
   o Screenshots of encryption settings for database backups.
   o Policies and incident response procedures.

Example risks and controls (risk; control; implementation):
   o Unauthorized access to student data; A.8.5 Secure Authentication; implemented using multi-factor authentication (MFA) for system login by students and staff.
   o Data breaches or leaks; A.8.12 Data Leakage Prevention (DLP); monitored and restricted transfer of sensitive student data outside the system.
   o System unavailability during peak registration periods; A.5.1 Information Security Policies; developed and enforced a security policy for student data management, including system availability.
   o Alteration of student records; A.5.2 Roles and Responsibilities; defined and documented roles (e.g., IT admin, student registrar) and their responsibilities.
   o Lack of data backup; A.6.3 Awareness, Education, and Training; trained staff on information security best practices, including data backup procedures.

Note that the last three rows cite supporting controls only. The Annex A controls that address those risks directly are A.8.6 Capacity Management and A.8.14 Redundancy of Information Processing Facilities for availability, A.8.3 Information Access Restriction and A.8.15 Logging for alteration of records, and A.8.13 Information Backup for backups; a complete SoA for this system would list those as well.

Grand Challenge (try it yourself)

Grand Challenge Question 1: ABC Corporation is a mid-sized software development company that has recently undergone significant expansion. To manage its growth, the company has integrated various cloud services, increased its workforce, and started collaborating with multiple external partners.
However, the rapid expansion has introduced several information security challenges, and the management is concerned about potential risks that could impact the organization's reputation and operations. The following are key aspects of the current situation at ABC Corporation: Policy Gaps: The information security policies are outdated and not well communicated to the new employees. Role Confusion: There is a lack of clarity in information security roles and responsibilities among staff, leading to inconsistent security practices. Segregation Issues: Due to increased workload, some employees have access to multiple critical systems without proper segregation of duties. Project Security: New projects, including cloud service integrations, lack sufficient information security considerations during the planning and implementation phases. Asset Management: The inventory of information assets is incomplete and not regularly updated, leading to potential oversight of critical assets. Access Control: The access control policies are inadequate, with employees retaining access to systems even after changing roles within the company. Data Transfers: Sensitive information is frequently transferred between ABC Corporation and its external partners without proper encryption or secure communication protocols. Identify three major risks associated with the current situation at ABC Corporation. For each risk, suggest a relevant control from Annex A (A.5.1 to A.5.15) of ISO/IEC 27001:2022 to mitigate the risk. 1 The solutions for the identified risks in the scenario at ABC Corporation, along with relevant controls from Annex A (A.5.1 to A.5.15) of ISO/IEC 27001:2022: Risk 1: Policy Gaps Identified Risk: The information security policies are outdated and not well communicated to the new employees. Suggested Control (A.5.1 - Information Security Policies): Solution: Update the information security policies to reflect current practices and emerging threats. 
Ensure these policies are clearly documented, approved by management and communicated to all employees, including through training sessions and accessible documentation.

Risk 2: Role Confusion
Identified Risk: Lack of clarity in information security roles and responsibilities among staff, leading to inconsistent security practices.
Suggested Control (A.5.2 - Information security roles and responsibilities):
Solution: Clearly define and document information security roles and responsibilities for all employees. Review and update these roles regularly and provide training so that everyone understands their part in maintaining security.

Risk 3: Segregation Issues
Identified Risk: Employees have access to multiple critical systems without proper segregation of duties.
Suggested Control (A.5.3 - Segregation of duties):
Solution: Identify the duties that conflict (for example, raising and approving a payment, or writing code and deploying it to production) and divide them among different people so that no single person can complete a critical action alone; this reduces the risk of fraud and of undetected error. Review access rights periodically to confirm the segregation still holds, and where headcount makes full separation impossible, compensate with logging and independent review of the combined activity.

Risk 4: Project Security
Identified Risk: New projects lack sufficient information security considerations during planning and implementation.
Suggested Control (A.5.8 - Information security in project management):
Solution: Integrate information security requirements into the project management lifecycle. Conduct security assessments during the planning phase and implement appropriate security controls throughout the project to ensure data protection.

Risk 5: Asset Management
Identified Risk: The inventory of information assets is incomplete and not regularly updated.
Suggested Control (A.5.9 - Inventory of information and other associated assets):
Solution: Develop and maintain a comprehensive inventory of all information assets, regularly updating it to reflect changes. Assign ownership for each asset to ensure accountability and proper management.
Risk 6: Access Control
Identified Risk: Inadequate access control policies, with employees retaining access to systems after changing roles.
Suggested Control (A.5.15 - Access control):
Solution: Implement an access control policy that grants access on the principle of least privilege and on a need-to-know basis, tied to the person's current role. Review access rights at regular intervals and adjust or revoke them promptly when an employee's role changes, so that rights do not accumulate over a career. (The provisioning and review of individual rights is detailed in A.5.18 Access rights, which lies outside the A.5.1 to A.5.15 range the question allows; A.5.15 is the best fit within it.)

Risk 7: Data Transfers
Identified Risk: Sensitive information is transferred without proper encryption or secure communication protocols.
Suggested Control (A.5.14 - Information transfer):
Solution: Implement secure communication protocols and encryption for transferring sensitive information (for example TLS-protected channels or SFTP for transfers, and encrypted, integrity-protected files for bulk exchange). Establish clear guidelines and procedures for data transfer, including agreements with each external partner that state the protection required, to ensure the confidentiality and integrity of the information.

Grand Challenge Question 2: BeliYa Corporation is a global e-commerce company that relies heavily on its supply chain and cloud services to deliver products to customers. Recently, the company has faced several disruptions due to cyberattacks and natural disasters, exposing weaknesses in its information security management. Management is now focused on improving its information security practices to mitigate these risks. The following are key aspects of the current situation at BeliYa Corporation:
Supplier Compliance Issues: Some suppliers have not been meeting the agreed-upon security standards, leading to potential vulnerabilities in the supply chain.
Lack of Monitoring of Supplier Services: The company does not regularly review or monitor the security practices of its suppliers.
Cloud Service Risks: The company uses multiple cloud service providers, but there is a lack of consistent security measures and compliance monitoring.
Incident Management: The company's incident response plans are outdated and not well-practiced, leading to slow responses during disruptions.
Evidence Collection: There are no formal procedures for collecting and preserving evidence related to information security incidents.
Business Continuity Planning: The company's business continuity plans are insufficiently detailed and not regularly tested, leaving the organization vulnerable during disruptions.
ICT Readiness: There are concerns about the readiness of the company's ICT infrastructure to support business continuity efforts.

Identify three major risks associated with the current situation at BeliYa Corporation. For each risk, suggest a relevant control from Annex A (A.5.21 to A.5.30) of ISO/IEC 27001:2022 to mitigate the risk.

Sample solution. To address the challenges faced by BeliYa Corporation, here are solutions for each of the identified risks, with relevant controls from Annex A (A.5.21 to A.5.30) of ISO/IEC 27001:2022 (an answer needs only three):

Supplier Compliance Issues
Solution: Implement strict security requirements for all suppliers and conduct regular audits to ensure compliance.
Control (A.5.21 - Managing information security in the ICT supply chain): Establish contracts that clearly define security responsibilities and expectations for all suppliers, including subcontractors. Regularly review and monitor suppliers' security practices to ensure they adhere to the agreed-upon standards.

Lack of Monitoring of Supplier Services
Solution: Implement continuous monitoring and review processes for supplier services.
Control (A.5.22 - Monitoring, review and change management of supplier services): Develop a formal process for monitoring and reviewing the security practices of suppliers. Ensure that any changes in supplier services are managed and evaluated for potential security impacts.

Cloud Service Risks
Solution: Conduct comprehensive risk assessments and implement consistent security measures across all cloud service providers.
Control (A.5.23 - Information security for use of cloud services): Before adopting new cloud services, perform thorough risk assessments.
Implement robust data protection measures, such as encryption and access controls, and regularly monitor cloud service providers for compliance with security standards. Define in writing which security responsibilities the provider holds and which remain with BeliYa (the shared responsibility split), and plan how data would be retrieved and the service exited if the provider fails or the contract ends.

Incident Management
Solution: Develop and regularly update incident response plans, and ensure they are well-practiced.
Control (A.5.24 - Information security incident management planning and preparation): Create detailed incident response plans and conduct regular training and exercises to ensure all employees are prepared to respond promptly and effectively to security incidents.

Evidence Collection
Solution: Establish formal procedures for collecting and preserving evidence related to information security incidents.
Control (A.5.28 - Collection of evidence): Develop clear guidelines and procedures for evidence collection and preservation: record who collected what, when and from where, compute and record a cryptographic hash of each item at collection so that later tampering is detectable, and keep a chain-of-custody log for every hand-over. Ensure that all personnel involved are trained on these procedures to maintain the integrity and admissibility of the evidence.

Business Continuity Planning
Solution: Develop detailed business continuity and disaster recovery plans, and regularly test them.
Control (A.5.29 - Information security during disruption): Conduct regular business impact analyses and plan how information security will be maintained at the required level during a disruption. Perform periodic testing and updates of business continuity plans to ensure they are effective and up to date.

ICT Readiness
Solution: Ensure the company's ICT infrastructure is prepared to support business continuity efforts.
Control (A.5.30 - ICT readiness for business continuity): Develop and maintain ICT continuity plans derived from the business impact analysis, with recovery time and recovery point objectives for each service and the information security measures that must survive a failover. Regularly review and test these plans to ensure the infrastructure can support ongoing operations during disruptions.

Grand Challenge Question: TechGenix, a rapidly growing technology company, has been facing challenges in managing its information security as it expands.
The company handles sensitive customer data, proprietary technology, and critical business information. Recently, TechGenix experienced a data breach due to inadequate security controls, leading to a loss of customer trust and financial impact. Management is now focused on strengthening its information security measures to prevent future incidents. The following are key aspects of the current situation at TechGenix:
Asset Management Issues: The company lacks a comprehensive and regularly updated inventory of information assets, leading to potential oversight of critical assets and their protection.
Access Control Weaknesses: Employees have excessive access to systems and data, which is not adequately controlled or monitored.
Data Encryption Gaps: Sensitive data, both in transit and at rest, is not consistently encrypted, increasing the risk of unauthorized access and data breaches.
User Authentication Problems: The company relies on weak authentication methods, making it easier for unauthorized users to gain access to sensitive information.
Physical Security Shortcomings: Physical access to critical systems and data storage areas is not adequately controlled, leading to potential unauthorized physical access.
Third-Party Risks: The company collaborates with multiple third-party vendors but does not have robust processes in place to ensure their compliance with information security standards.

Identify three major risks associated with the current situation at TechGenix. For each risk, suggest a relevant control from Annex A (A.8.1 to A.8.25) of ISO/IEC 27001:2022 to mitigate the risk.

Sample Solution for TechGenix

Risk 1: Asset Management Issues
Associated Risk: Lack of a comprehensive and regularly updated inventory of information assets could lead to potential oversight and inadequate protection of critical assets.
Suggested Control: The control that requires the inventory itself is Annex A.5.9 (Inventory of information and other associated assets), which sits outside the A.8.1 to A.8.25 range the question allows. Within that range, cite Annex A.8.1 (User endpoint devices), which requires every endpoint that stores or processes company information to be registered and protected, together with Annex A.8.9 (Configuration management), which requires the configuration of hardware, software, services and networks to be documented and kept under control. Develop and maintain a comprehensive inventory of all information assets from these records, ensuring it is regularly updated, and assign an owner for each asset to ensure accountability and proper management.

Risk 2: Access Control Weaknesses
Associated Risk: Employees having excessive access to systems and data without adequate control or monitoring can lead to unauthorized access and potential data breaches.
Suggested Control: Annex A.8.3 (Information access restriction), supported by Annex A.8.2 (Privileged access rights) and Annex A.8.5 (Secure authentication): Restrict access to information and systems according to the access control policy, on the principle of least privilege. Regularly review and adjust access rights so that employees hold only the access their roles require, keep administrative rights separate from day-to-day accounts and review them more often, and use multi-factor authentication (MFA) to strengthen login security.

Risk 3: Data Encryption Gaps
Associated Risk: Sensitive data not being consistently encrypted increases the risk of unauthorized access and data breaches.
Suggested Control: Annex A.8.24 (Use of cryptography): Define a policy on the use of cryptography and ensure that sensitive data is encrypted both in transit and at rest using strong, current algorithms, with keys generated, stored and rotated under a documented key management process. Where copies of production data are needed for development, testing or analytics, apply Annex A.8.11 (Data masking) so that the sensitive values are replaced rather than exposed.

Grand Challenge Question: EcoWare Solutions, a technology company specializing in eco-friendly software development, has recently expanded its operations to a new office building. The company houses sensitive client data, proprietary source code, and critical infrastructure in this building. Despite its technological advancements, EcoWare Solutions has faced several security incidents related to physical access and environmental controls. The following are key aspects of the current situation at EcoWare Solutions:
Uncontrolled Physical Access: The new office building lacks robust physical access controls, leading to unauthorized individuals being able to enter sensitive areas.
Poor Environmental Controls: The server room lacks adequate environmental controls, such as temperature and humidity monitoring, which could lead to equipment failure.
Inadequate Surveillance: There is a lack of surveillance systems, making it difficult to monitor and respond to unauthorized access or security breaches.
Visitor Management: The company does not have a formal visitor management system, resulting in untracked and uncontrolled access by visitors.
Emergency Procedures: The company has not established clear emergency procedures for physical security incidents, which can lead to confusion and inefficiency during such events.

Identify three major risks associated with the current situation at EcoWare Solutions. For each risk, suggest a relevant control from Annex A.7 (Physical controls) of ISO/IEC 27001:2022 to mitigate the risk.

Major Risks and Suggested Controls for EcoWare Solutions

Risk 1: Uncontrolled Physical Access
Associated Risk: Unauthorized individuals entering sensitive areas can lead to data breaches, theft of proprietary information, and potential sabotage of critical infrastructure.
Suggested Control: Annex A.7.1 (Physical security perimeters) and Annex A.7.2 (Physical entry): Define the secure areas and protect them with physical barriers such as secure doors, gates, and fencing. Use entry controls such as keycards or biometric readers to restrict entry to authorized personnel only, and keep an access log so that entries can be reviewed after an incident.

Risk 2: Poor Environmental Controls
Associated Risk: Lack of adequate environmental controls in the server room can lead to equipment failure, data loss, and disruption of services due to temperature and humidity fluctuations.
Suggested Control: Annex A.7.8 (Equipment siting and protection), with Annex A.7.11 (Supporting utilities): Site servers in a dedicated room and equip it with temperature and humidity monitoring that alerts staff when readings leave the safe range. Provide and maintain the supporting utilities (cooling, and power with UPS backup) needed to keep conditions within the equipment manufacturers' limits and prevent equipment failure.
Risk 3: Inadequate Surveillance
Associated Risk: Without effective surveillance, it is challenging to monitor and respond to unauthorized access or security breaches, increasing the risk of undetected incidents.
Suggested Control: Annex A.7.4 (Physical security monitoring): Install surveillance cameras, intrusion alarms and monitoring systems in key areas to provide continuous oversight. Ensure that surveillance footage is securely stored with access restricted, retained for a defined period, and regularly reviewed to detect and respond to suspicious activities.

Risk 4: Visitor Management
Associated Risk: Untracked and uncontrolled access by visitors can lead to unauthorized individuals gaining entry to sensitive areas, posing security risks.
Suggested Control: Annex A.7.2 (Physical entry): Implement a formal visitor management system to track and control visitor access. This should include visitor registration with identity verification, issuance of visitor badges that are visibly different from staff badges and are returned on departure, and escorting of visitors in secure areas.

Risk 5: Emergency Procedures
Associated Risk: Lack of clear emergency procedures for physical security incidents can result in confusion and inefficiency during such events, increasing the impact of incidents.
Suggested Control: Annex A.7.5 (Protecting against physical and environmental threats): Develop and document emergency procedures for physical security incidents and for environmental events such as fire, flooding and power loss. Conduct regular drills and training to ensure that all employees are aware of and can effectively execute these procedures during emergencies.

Grand Challenge Question: GreenTech Innovations, a leading firm in renewable energy solutions, has seen rapid expansion in the past few years. The company's workforce has grown significantly, with employees working across multiple locations, including remote and on-site teams. GreenTech Innovations handles sensitive project data, proprietary technology, and customer information. Despite its growth, the company has faced several security challenges related to its human resources management.
The following are key aspects of the current situation at GreenTech Innovations:
Insufficient Employee Training: Many employees lack adequate training in information security practices, leading to inadvertent security breaches.
Poor Onboarding and Offboarding Procedures: The company does not have consistent procedures for onboarding new employees or offboarding departing ones, resulting in potential security gaps.
Inconsistent Access Management: There is a lack of standardized processes for granting, reviewing, and revoking access rights, which may lead to unauthorized access to sensitive information.
Unclear Roles and Responsibilities: Employees are often uncertain about their information security roles and responsibilities, leading to confusion and potential security lapses.
Third-Party Contractors: The company collaborates with third-party contractors, but there is no formal process to ensure they adhere to GreenTech Innovations' information security policies.

Identify three major risks associated with the current situation at GreenTech Innovations. For each risk, suggest a relevant control from Annex A.6 (People controls) of ISO/IEC 27001:2022 to mitigate the risk.

Major Risks and Suggested Controls for GreenTech Innovations

Risk 1: Insufficient Employee Training
Associated Risk: Lack of adequate training in information security practices can lead to inadvertent security breaches and mishandling of sensitive data.
Suggested Control: Annex A.6.3 (Information security awareness, education and training): Implement a comprehensive information security training program for all employees, including remote staff. Deliver it at induction and at regular intervals afterwards, cover the latest security practices and policies, and keep attendance records as evidence that the control operates.

Risk 2: Poor Onboarding and Offboarding Procedures
Associated Risk: Inconsistent onboarding and offboarding procedures can result in security gaps, such as former employees retaining access to company systems and data.
Suggested Control: Annex A.6.1 (Screening) for onboarding and Annex A.6.5 (Responsibilities after termination or change of employment) for offboarding: Verify candidates' backgrounds before they join, in proportion to the sensitivity of the role, and define in the employment terms the duties that continue after leaving. Develop and enforce standardized procedures for both: a joiner checklist that grants access on the first day based on the agreed role, and a leaver checklist that returns assets, disables accounts and revokes all access on the last day, with HR notifying IT of every departure and role change so that the leaver and mover steps cannot be skipped.

Risk 3: Inconsistent Access Management
Associated Risk: A lack of standardized processes for granting, reviewing, and revoking access rights can lead to unauthorized access to sensitive information.
Suggested Control: The process for granting, reviewing and revoking access rights is Annex A.5.18 (Access rights), together with Annex A.5.15 (Access control); both are organizational controls outside Annex A.6. The people control that bears on this risk is Annex A.6.5 (Responsibilities after termination or change of employment), which requires that access is adjusted when someone changes role and removed when they leave. Establish one standardized joiner, mover and leaver process that grants access only on an approved request, and perform regular access reviews (for example quarterly, with asset owners confirming each entitlement) so that employees hold only the access their current roles require.

Risk 4: Unclear Roles and Responsibilities
Associated Risk: Employees being uncertain about their information security roles and responsibilities can lead to confusion and potential security lapses.
Suggested Control: Annex A.6.2 (Terms and conditions of employment), with Annex A.6.3 (Information security awareness, education and training): The allocation of information security roles and responsibilities across the organization is Annex A.5.2, but the A.6 mechanism that makes them binding on each individual is the employment contract. State each person's information security responsibilities in their terms and conditions of employment, communicate them at induction and in recurring training, and make sure they are understood and adhered to.

Risk 5: Third-Party Contractors
Associated Risk: Lack of formal processes to ensure third-party contractors adhere to information security policies can introduce vulnerabilities.
Suggested Control: Annex A.6.6 (Confidentiality or non-disclosure agreements), applied together with Annex A.6.1 (Screening) and Annex A.6.3 (Information security awareness, education and training): Supplier relationships as such are governed by Annex A.5.19 and A.5.20; within Annex A.6, the controls apply to contractors just as they do to employees. Require every contractor to sign a confidentiality or non-disclosure agreement that reflects the classification of the information they will handle, screen them before granting access, give them the same security awareness training as staff, and confirm their compliance through regular security assessments.
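The access review that several of the sample solutions call for (ABC Corporation Risk 3, segregation of duties, and Risk 6, access retained after a role change; GreenTech Innovations Risk 2, offboarding, and Risk 3, regular access reviews) is mechanical once the inputs exist: an HR roster, the documented role baseline, the segregation-of-duties rules and an export of what each account actually holds. The script below is an added example written for this page, not part of the course material or of any standard; the roster, grants, role baseline and conflict pairs are constructed for the demonstration, and the entitlement names are made up. It reports leavers and unregistered accounts that still hold access, entitlements outside the holder's current role, and accounts that hold a conflicting pair, then derives the revocations that can be made without a human decision.

```python
"""Periodic access review: compare what accounts hold against an RBAC baseline,
flag segregation-of-duties conflicts, and flag accounts with no active owner.

Added example, not part of the course material. All input data below is
constructed for the demonstration; in practice ROSTER comes from HR, GRANTS
from an IAM or directory export, and ROLE_BASELINE and SOD_CONFLICTS from the
documented role definitions and the segregation-of-duties policy.
"""
from dataclasses import dataclass

# Least-privilege baseline: the entitlements each role is allowed to hold.
ROLE_BASELINE = {
    "developer": {"repo.read", "repo.write", "ci.run"},
    "release_manager": {"repo.read", "ci.run", "deploy.prod"},
    "finance_clerk": {"vendor.create", "invoice.enter"},
    "finance_approver": {"invoice.view", "payment.approve"},
}

# Segregation-of-duties rules: pairs that no single identity may hold together.
SOD_CONFLICTS = [
    frozenset({"vendor.create", "payment.approve"}),  # create a payee and pay it
    frozenset({"repo.write", "deploy.prod"}),         # change code and ship it alone
]

# HR roster (constructed): who is employed now, and in which role.
ROSTER = {
    "alice": {"role": "release_manager", "status": "active"},  # moved from developer
    "bob": {"role": "developer", "status": "active"},
    "carol": {"role": "finance_clerk", "status": "active"},
    "dave": {"role": "finance_approver", "status": "left"},     # offboarded, account remains
}

# IAM export (constructed): what each account actually holds today.
GRANTS = {
    "alice": {"repo.read", "repo.write", "ci.run", "deploy.prod"},  # kept repo.write after moving
    "bob": {"repo.read", "repo.write", "ci.run"},
    "carol": {"vendor.create", "invoice.enter", "payment.approve"},  # can create a payee and pay it
    "dave": {"invoice.view", "payment.approve"},                     # leaver still has access
    "svc-backup": {"repo.read"},                                     # service account, no roster entry
}


@dataclass(frozen=True, order=True)
class Finding:
    account: str
    kind: str    # orphan_account | excess_entitlement | sod_conflict
    detail: str  # the entitlement(s) concerned


def review_access(roster, baseline, grants, sod_conflicts):
    """Return the sorted list of findings a reviewer must act on."""
    findings = set()
    for account, held in grants.items():
        person = roster.get(account)
        if person is None or person["status"] != "active":
            # No active owner (a leaver, or an account nobody registered): the whole
            # account is in scope for revocation, so individual rights are not reviewed.
            findings.add(Finding(account, "orphan_account", ",".join(sorted(held))))
            continue
        allowed = baseline.get(person["role"], set())
        for entitlement in sorted(held - allowed):
            # Anything beyond the current role's baseline, typically left over from a previous role.
            findings.add(Finding(account, "excess_entitlement", entitlement))
        for pair in sod_conflicts:
            if pair <= held:
                findings.add(Finding(account, "sod_conflict", "+".join(sorted(pair))))
    return sorted(findings)


def revocation_plan(findings, grants):
    """Entitlements to remove per account, derived from the findings.

    SoD conflicts are reported but not resolved automatically: when both
    entitlements are within the role's baseline, the role definition itself
    is wrong and a person has to decide which duty moves elsewhere.
    """
    plan = {}
    for finding in findings:
        if finding.kind == "orphan_account":
            plan[finding.account] = set(grants[finding.account])
        elif finding.kind == "excess_entitlement":
            plan.setdefault(finding.account, set()).add(finding.detail)
    return plan


if __name__ == "__main__":
    results = review_access(ROSTER, ROLE_BASELINE, GRANTS, SOD_CONFLICTS)
    for f in results:
        print(f"{f.account:<12} {f.kind:<20} {f.detail}")
    print("revoke:", revocation_plan(results, GRANTS))
```

Run against the constructed data it reports six findings: alice's leftover repo.write (and the resulting repo.write+deploy.prod conflict), carol's payment.approve (which also creates the vendor.create+payment.approve conflict), dave's orphaned account and the unregistered svc-backup account. The two orphan findings are the offboarding and asset-inventory gaps from the scenarios; the excess entitlements are the role-change problem; and the service account shows why an owner register is needed for non-human identities too. The review output and the signed-off revocation plan are exactly the kind of evidence an auditor expects to see for A.5.15, A.5.18 and A.6.5.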