Only necessary and licensed software and applications should be installed on the machines. If sensitive information such as industrial and trade secrets, intellectual property and the findings of research activity finds its way to a competitor, the competitive position of the organization can be compromised, and recovering it can take substantial resources. Companies that undergo ISO audits and certification gain an improved risk-based approach to information security management through an ongoing process of risk assessment and risk mitigation, which helps them to prioritize the implementation of countermeasures adequately and to strengthen their security posture through the standard's rigorous testing. It could be investigated how developments and models in the area of Business-IT Alignment can be used for alignment between the business and information security. In case of a breach of contract, the impact would be loss of business and revenue and a threat to future business. Furthermore, scant research has been conducted on how successful or effective these education and training programs are in raising organisational awareness.

Every workstation should be kept updated with the latest operating system patches and updates. Earlier versions of the standard focused foremost on protecting the confidentiality, integrity and availability of information, but the newer versions and the current standard also consider information from a business perspective: “Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize risk, maximize return on investments and business opportunities”. External consultants should work in collaboration with an internal team of representatives from the company’s major business units. What does a management standard mean? They would get in the way of the future growth of the organization. Thus the activities intended to evaluate ex ante the effectiveness of the planned information security level are in practice performed only after the information security implementation has taken place.

Information security should not be viewed as an IT issue only, but as an integral part of the organization. In this book Dejan Kosutic, an author and experienced information security consultant, gives away all his practical know-how on successful ISO implementation.


Figure 3 shows all of the options and responses according to reported votes. The organization needs to decide on a risk assessment method, carry out the risk assessment, select security controls and ensure that these are adequate to meet its security needs.

ISO 27001 vs. ISO 27002

Simple random sampling, a probability sampling technique, is used to determine the elements to whom the survey questionnaire would be administered. ISACM will provide a better understanding of the level of information security awareness that exists in an organisation and of where risks exist due to lower than desirable levels of awareness of information security controls.

Once you know and eliminate dependencies, you can focus on interfaces, which include all endpoints within your network, such as your router, and high-level interfaces that include your people, processes and technology.

An example could be sub-contracting a part of the contracted work involving sharing of information without taking due clearance from all stakeholders concerned. Almost all of the participants agreed on four primary things that they would do differently, starting with increasing awareness of the benefits of an Information Security Management System (ISMS), then ensuring staff involvement from the inception to the completion of the project, changing the risk assessment method, and finally reducing the reliance on external resources.

For example, when crossing a busy street it would be important to be aware of oncoming traffic before crossing. Information is by and large the lifeline of the modern enterprise. The interviews were not structured to a great extent because our main goal was to go through the questions with the interviewees, which could result in more discussion of the subject.

ISO is an effective protective system against information security incidents with critical consequences. The aim of the interview was to obtain valuable information related to the topic of the thesis and the research questions. It was difficult to assess the cost-effectiveness of the security controls due to the unavailability of the relevant content. The confidence interval approach is used to determine the sample size.



Management review of the ISMS – management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.


A pilot study on the questionnaire was carried out to adapt it to the local context.


Management responsibility – management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.

Below is a description of each recommendation.

iso 27002 thesis

So, it was hard to evaluate information security from an economic perspective. Instead of conducting economic evaluations to justify the selected mitigation solutions, the participating organizations selected solutions based on expert judgment and intuition.


However, organizations should meet some conditions to use the method and to evaluate information security from an economic perspective. This requires visible management commitment and individual ownership and responsibility, backed up with effective security education and awareness.

At the individual level, the most common incident is identity theft, wherein the perpetrator gains access to the unique identity characteristics of a person in order to assume that identity. The course is made for beginners.

Involve business management in information security.


Information security also has a cultural dimension. In fact, the only prudent action would be to block every single possible channel through which floodwaters might enter and then to try to build the walls even higher, in case the floods were worse than expected.

Business objectives can be derived from the company’s mission, strategic plan, and existing IT goals and may include: