The Information Security Management System (ISMS) referred to as ISO 27001 is a management framework implemented and practiced to reduce information security incidents, disasters and possible major failures that may affect critical business processes. Implementing this management system assures both the customer and the business of conformity, given that the potential impact of these incidents can be information security breaches affecting the confidentiality, integrity and availability of information.
The case study below is not an imagined scenario but a real ISMS consulting engagement to implement ISO 27001:2015 at one of the top retail organizations and subsequently help it through the certification process.
The organization where this assignment was initiated is one of the leading retail organizations. It has grown enormously and its customer database has grown with it, which required the information to be managed more securely; hence the requirement to introduce information security systems within the organization. The initial meeting was scheduled to discuss the scope of certification, and to support it a project plan was prepared with activities listed and responsibilities assigned. Before listing the activities and allocating responsibilities to people, we decided to conduct an as-is analysis to understand the current maturity level of the business. This also helped us present a true picture of the timelines and cost that would be involved over the complete initiative.
The activities identified after the as-is analysis began with creating a project plan listing all activities with their timelines and responsibilities. The ISMS committee had to be identified from within the organization so that every department would have an accountable person. The ISMS committee also needed to be trained on ISMS to ensure that its members were aware of their deliverables. The approach to risk identification and risk management also had to be defined and designed. Risk management could be done either independently or by drawing on the asset register, which also needed to be created and which holds the details of all the information assets used by the departments within the scope of ISO 27001:2015. The risk register was initially created at the department level and later consolidated into an organization-level risk register. Based on the risk value and risk category, a mitigation plan was discussed and agreed for implementation. Once the risk management strategy had been completed, the implementation activity started. After the implementation, we traced it against the controls defined in the standard and prepared the statement of applicability.
After this, the internal audit was planned and executed, the identified gaps were closed, and the external audit was planned and subsequently executed. Following the successful external audit, the certificate for ISO 27001:2015 was granted to the organization.
About the Author
Advance Innovation Group provides several levels of online Six Sigma training and certification programs such as Kaizen, along with PMP training, ISO training, Agile, Scrum, Lean and ITIL, across India. Advance Innovation Group also provides corporate consulting to different organizations. In today's world "e-commerce" is very successful because it is an easy and effective way to connect with people, share your thoughts, enhance knowledge, find opportunities and spread the business. In the fast-growing technology-oriented market, the internet is the platform where we can effortlessly reach out to people and share thoughts and ideas. Because the internet is very easily accessible nowadays, you can connect with the audience anytime and from anywhere.