
Posted: March 5th, 2022

Cyber Risks in Organisations
ISMS Roadmap Implementation with ISO27001:13 for WhatWEB Company

1 Background
The success of a Social Media Platform company depends on providing long-term reliable and secure service, as well as on the development and expansion of its app services. Inevitably, the risk of litigation in all these areas is a real business issue. Data security and privacy are, therefore, a significant concern, and robust, effective measures are required to keep an organisation's information watertight and to limit its exposure to legal action. As an invaluable source of sensitive social data, WhatWEB (WhatWEB is a fictitious private social media company that has a significant stake in social media platforms, as it owns a group of companies) is subject to growing pressure to demonstrate good practice in information security. WhatWEB was already practising its own privacy and data protection policies. However, the expansion of the company's services, and the move from local users to global users, stipulated that WhatWEB should also be certified to ISO27001, the global best-practice standard for information security management. WhatWEB recognised that, as well as satisfying the immediate demands of this particular organisation, ISO27001 certification would be a source of reassurance to others. While the company already had externally audited policies, independent confirmation that WhatWEB maintained best-practice information security could only add to its reputation, helping to attract more users and businesses.
2 Assessment Brief
You are a reputable consultancy firm (RMS) that has been tasked to provide an organisational roadmap for ISO27001 implementation for WhatWEB using project management principles as outlined in the Project Management Body of Knowledge. The roadmap introduced in this report should provide all the necessary processes to be considered when implementing an ISMS capable of being certified against ISO27001. The ISO 27001 standard specifies the requirements for an Information Security Management System (ISMS), while the Project Management Body of Knowledge (PMBOK) guide published by the Project Management Institute (PMI) defines a set of practices that reduce the risk of project failure. You should identify the PMI guidelines to be followed by the organisation when the ISMS is implemented. The company is also advised to use Plan-Do-Check-Act (PDCA) as an iterative process in each phase of development, as opposed to the traditional Waterfall methodology, which calls for the accreditation requirements to be defined upfront. The PDCA model can be used as a means to control and record the interactions between project management processes in the ISMS design and implementation, given their iterative nature. These interactions are usually identified based on their objectives, the experience of the project manager (PM), the maturity of the organisation with regard to the project, cost and resources.
The company WhatWEB consists of 50 offices across the UK with around 250 employees and around 20 million users, whose Personally Identifiable Information (PII) or Sensitive Personal Information (SPI) exists as data in various states, from at rest to in transit, in processing and in disposal. Half of the users are from the UK and the majority of the rest are from the US and China. WhatWEB keeps data in-house, using its database shadowing technologies for data redundancy in the Cloud. However, due to demand for services and the increase in the number of users, they are planning to contract a public SaaS Cloud to offer hosted services. There is no specific role in place governing how employees should have access to the users' data. In addition to this, a big data analysis software package analyses all the users' information and activities. Only the management and a few employees have access to this software's code and results. This software will stay in-house and must not be moved to the cloud because of company strategy. Each office has 50 computers and 10 printers over three floors, and three servers (one AAA server, a file server and a local dataset server) in two subnets without any virtual segmentation of the network (VLANs).
2.1 Assessment Tasks (Working Packages (WPs))
WP1: Develop a roadmap for ISO27001 implementation as a project managed and monitored by PMBOK guidelines. A key responsibility of the Project Manager (PM) allocated to this task by the company is to ensure that all necessary documentation and implementation of controls are in place, enabling the company to have certain portions (or the whole operational section) of its environment certified against ISO27001.
WP2: Define a clear scope statement that will help the company to identify what needs to be accomplished, with a clear statement of the constraints and characteristics of the task to be carried out. The project scope defines the project in terms of the acceptance criteria, the expected outcome and its objectives, project assumptions, schedule milestones, Work Breakdown Structures (WBSs) and initially assigned risks. The functional deliverables to be considered for the ISMS are the security policy documents, risk and privacy impact assessment, ISMS scope document, risk treatment plan, Statement of Applicability (SoA), and the selection and implementation of controls. Particular focus must be placed on the identification of issues and potential solutions with regard to the threat landscape, based on the limited information provided and the technologies used in the company.
WP3: Derive a detailed Work Breakdown Structure for the project at hand. The WBS lists the critical and non-critical tasks/functions for the project. For this company, the mechanism suggested is decomposition for the WBS creation. A basic representation of the key identified tasks should be towards a deliverable-based WBS rather than a task-specific one. Effectively, the WBS will become the Gantt Chart for the milestones towards the certification stage. The Plan-Do-Check-Act (PDCA) cycle can also be employed at this juncture to support the design of the ISMS, its implementation, and its internal and external audit against the ISO27001:13 standard.
2.2 Further details and guidance
The submission should be a single report uploaded via Tabula ONLY. All necessary diagrams and documentation for each working package should be appended within the main report using appropriate sectioning and formatting. You should use 12pt Arial font and single spacing in your report. The structure and layout of sections and subsections are completely at your discretion, provided that you follow formal and standardised ways of representing information.
3 Deliverables
A single report incorporating at least the following sections:
1. Executive Summary (150 words)
2. ISMS Roadmap (300 words excl. diagrams & tables)
3. ISMS functional requirements (500 words excl. diagrams & tables)
(HINTS: Clear evidence of risk assessment with appropriate risk tables (likelihood / impact) with threat ranking and risk treatment plans, PIA, SoA, scope, issues identified and solutions imposed)
4. Work Breakdown Structure (200 words excl. diagrams & tables)
5. Conclusion (150 words)
6. References
7. Appendices (as appropriate without a limit)
4 Marking Scheme
The marking scheme attached shows the clear grade distribution for each activity undertaken as part of the deliverables.

Table 1: Marking scheme for assessment

MARKING SCHEME FOR COURSEWORK 1 [40%]

Feature                                              Mark    Actual marks achieved
Executive Summary                                      5%
ISO27001 Roadmap                                      25%
ISMS Functional Requirement                           35%
  (Risk assessment, Risk treatment, PIA, Scoping,
   SoA, Issues' identification and solutions)
Work Breakdown Structure (WBS)                        25%
Conclusion                                             5%
References                                             5%
TOTAL MARKS                                          100%
