
NATIONAL LAW INSTITUTE UNIVERSITY, BHOPAL

(M.P.)
RAJIV GANDHI NATIONAL CYBER LAW CENTRE
A
Dissertation
On
“Implementation of ISO 27001:2013 in Banking Industry”
SUBMITTED IN PARTIAL FULFILLMENT OF THE
REQUIREMENT
FOR THE AWARD OF THE DEGREE
MASTER OF SCIENCE

In

CYBER LAW AND INFORMATION SECURITY

Under the Supervision of

Dr. Astitwa Bhargava

By

Ayushm Dubey
Enrolment no. MS00241
Roll no. 2016 MSCLIS 01
April, 2018
ACKNOWLEDGEMENT

I would first like to thank my supervisor Dr. Astitwa Bhargava, under whose supervision this
dissertation has been carried out. The door to Dr. Astitwa Bhargava’s office was always open
whenever I ran into a trouble spot or had a question about my research or writing. He
consistently allowed this dissertation to be my own work, but steered me in the right direction
whenever he thought I needed it.

I am also highly grateful to Prof. (Dr.) Mukesh Shrivastava, (Acting Director), and also want
to express my sincere thanks and salutation to all the faculty members of The National Law
Institute University, Bhopal for their kind co-operation and interest in the completion of this
study.

My hearty thanks to the library staff of National Law Institute University, Bhopal for their kind
co-operation.

I express innermost gratitude towards my parents, without whose love, blessings, guidance and
support it would not have been possible for me to complete this work. I am also thankful to my
friends and all those who have helped directly or indirectly in the completion of this dissertation work.

Ayushm Dubey

i
RGNCLC, NLIU, BHOPAL
CERTIFICATE

This is to certify that the dissertation entitled “Implementation of ISO 27001:2013 in Banking
Industry” has been done by ‘Ayushm Dubey’, Enrolment No. MS-00241, Roll No. 2016-
MSCLIS-01 under my supervision in partial fulfilment of the requirement for the award of the
Degree of Master of Science in Cyber Law and Information Security of the National Law
Institute University, Bhopal (M.P.), India.

To the best of my Knowledge, the Dissertation embodies the work of the candidate with
convincing suggestions.

Date: Dr. Astitwa Bhargava


Place: Faculty, RGNCLC
National Law Institute University, Bhopal

DECLARATION

I declare that the dissertation entitled “Implementation of ISO 27001:2013 in Banking
Industry” is the outcome of my research conducted under the supervision of Dr. Astitwa
Bhargava at the National Law Institute University, Bhopal (M.P.) India.

I further declare that to the best of my knowledge the dissertation does not contain any part of
any work which has been submitted for the award of any degree either in this University or any
other university without proper citation.

Date: Ayushm Dubey


Place: Enrolment No. - MS-00241
Roll No. - 2016-MSCLIS-01

Table of Contents
ACKNOWLEDGEMENT ............................................................................................................. i
CERTIFICATE ............................................................................................................................. ii
DECLARATION.......................................................................................................................... iii
LIST OF FIGURES ................................................................................................................... viii
LIST OF ABBREVIATIONS ................................................................................................... viii
Chapter.1 – Introduction ............................................................................................................. 1
1.1. Introduction .......................................................................................................................... 2
1.2. Gestalt of ISO 27001:2013................................................................................................... 4
1.3. Information Security and ISO/IEC 27001:2013................................................................... 6
1.3.1. Approach to Information Security ................................................................................. 6
1.4. Need to implement an ISMS ................................................................................................ 7
1.5. Benefits of an ISMS ............................................................................................................. 9
1.5.1. Improved understanding of business aspects................................................................. 9
1.5.2. Reductions in security breaches and/or claims .............................................................. 9
1.5.3. Reductions in adverse publicity..................................................................................... 9
1.5.4. Improved insurance liability rating................................................................................ 9
1.5.5. Identify critical assets via the Business Risk Assessment ............................................. 9
1.5.6. Ensure that “knowledge capital” will be “stored” in a business management system .. 9
1.5.7. Be a confidence factor internally as well as externally ............................................... 10
1.5.8. Systematic approach .................................................................................................... 10
1.5.9. Provide a structure for continuous improvement ........................................................ 10
1.5.10. Enhance the knowledge and importance of security-related issues at the management
level ....................................................................................................................................... 10
1.5.11. Advantages from Certification of ISMS .................................................................... 10
1.6. Review of Literature........................................................................................................... 11
1.6.1. Books/E-Books ............................................................................................................ 11
1.6.2. Research Papers/ Articles/ Journals ............................................................................. 12
1.6.3. Standards ..................................................................................................................... 13
1.7. Statement of Problem ......................................................................................................... 14
1.8. Research Questions ............................................................................................................ 14
1.9. Objectives of the Study ...................................................................................................... 15

1.10. Research Methodology..................................................................................................... 15
1.11. Research Tools ................................................................................................................. 15
Chapter.2 - Overview of ISO/IEC 27001:2013 ......................................................................... 16
2.1. Understanding ISO/IEC 27001:2013 ................................................................................. 17
2.2. Mandatory Clauses of ISO/IES 27001:2013 ...................................................................... 18
2.3. Domains of ISO/IEC 27001:2013 ...................................................................................... 24
2.3.1. Context of the organization ......................................................................................... 25
2.3.2. Leadership and Commitment....................................................................................... 27
2.3.3. IS Objectives................................................................................................................ 28
2.3.4. IS Policy ...................................................................................................................... 28
2.3.5. Roles, Responsibilities and Competencies .................................................................. 28
2.3.6. Risk Management ........................................................................................................ 29
2.3.7. Performance Monitoring & KPIs ................................................................................ 34
2.3.8. Documentation............................................................................................................. 35
2.3.9. Communication ........................................................................................................... 37
2.3.10. Competence and Awareness ...................................................................................... 38
2.3.11. Supplier Relationships ............................................................................................... 39
2.3.12. Internal Audit ............................................................................................................. 40
2.3.13. Incident Management ................................................................................................ 41
2.3.14. Continuous Improvement .......................................................................................... 41
2.4. Controls of Annexure A of ISO/IEC 27001:2013 .............................................................. 42
2.5. ISO/IEC 27002:2013 .......................................................................................................... 44
2.5.1. ISO 27001 vs. ISO 27002 ............................................................................................ 44
2.6. ISMS in Banking Industry.................................................................................................. 45
2.7. RBI Guidelines for Banks on Cyber Security .................................................................... 48
2.8. Badge on the wall debate ................................................................................................... 49
Chapter.3- Implementation of ISO/IEC 27001:2013 in a Bank ............................................. 51
3.1. Hypothetical Bank Environment ........................................................................................ 52
3.1.1. Focus at Department of IT, ABC Bank ....................................................................... 53
3.1.2. Other Implementations ................................................................................................ 54
3.1.3. Departments of ABC Bank .......................................................................................... 55
3.2. Implementation of ISO/IEC 27001:2013 in ABC Bank .................................................... 56

3.2.1. Scope: .......................................................................................................................... 56
3.2.2. Purpose: ....................................................................................................................... 57
3.2.3. Context of the ABC Bank:........................................................................................... 57
3.2.4. Asset Inventory: ........................................................................................................... 57
3.2.5. Risk Assessment & Treatment Methodology: ............................................................. 60
3.2.6. Risk Matrix .................................................................................................................. 61
3.2.7. Risk Assessment .......................................................................................................... 62
3.2.8. SOA ............................................................................................................................. 69
3.2.9. Information Security Policies of ABC Bank: .............................................................. 72
3.2.10. Risk Treatment .......................................................................................................... 73
3.2.11. Monitoring and evaluation......................................................................................... 74
3.2.12. Internal Audit ............................................................................................................. 74
Chapter.4- ISO/IEC 27001: 2013 Implementation Issues and Challenges. ........................... 75
4.1. Expectations with ISMS (ISO/IEC 27001:2013) Implementation. .................................... 76
4.1.1. Risks and losses will be minimized ............................................................................. 76
4.1.2. Compliance to rules, legislation, company standards and practices............................ 76
4.1.3. Improved safety ........................................................................................................... 76
4.1.4. Reliable operations ...................................................................................................... 76
4.1.5. Business continuity ...................................................................................................... 77
4.2. ISMS Implementation Issues & Challenges ...................................................................... 77
4.2.1. Fear / Resistance to change ......................................................................................... 77
4.2.2. Increased cost .............................................................................................................. 78
4.2.3. Inadequate knowledge as to approach ......................................................................... 78
4.2.4. Seemingly huge task .................................................................................................... 78
Chapter.5 - Conclusion and Suggestions .................................................................................. 79
5.1. Conclusion.......................................................................................................................... 80
5.2. Suggestions......................................................................................................................... 81
5.2.1. Parallel design of ISMS and Information System ....................................................... 81
5.2.2. Dedicated Clause for Securing the Sensitive Personal Information ............................ 81
5.2.3. Critical Success Factors ............................................................................................... 81
5.2.4. Complete PDCA Cycle ................................................................................................ 81
BIBLIOGRAPHY ....................................................................................................................... 82

ANNEXURE ................................................................................................................................ 85
A.1. Information Security Organization Policy for ABC Bank ................................................ 86
A.1.1. Purpose ....................................................................................................................... 88
A.1.2. Scope........................................................................................................................... 88
A.1.3. Policy Maintenance ..................................................................................................... 88
A.1.4. Definitions ................................................................................................................... 89
A.1.5. Policy Assumptions ..................................................................................................... 89
A.1.6. Policy Statements......................................................................................................... 89
A.1.7. Mission and Vision ...................................................................................................... 89
A.1.8. Organization of Information Security .......................................................................... 90
A.1.9. Related Information Security Policies ......................................................................... 92
A.1.10. Compliance Monitoring ............................................................................................. 92
A.1.11. Custodians.................................................................................................................. 92

LIST OF FIGURES

FIGURE.1.1. Potential of ISMS………………..……………………….…………….……..…..07

FIGURE.2.1.Domains of ISMS in accordance with ISO/IEC 27001:2013……...…………....…24

FIGURE.2.2. Risk treatment options in accordance with ISO/IEC 27005:2011…………….…..32

FIGURE.2.3. Developing a communication plan…………………….…….………………..…..36

FIGURE.2.4. Incorporating the ISMS into Bank’s Processes………….……………..…..……46

FIGURE 3.1. Risk Assessment & Treatment of an Asset……………………………………....68

LIST OF ABBREVIATIONS

- APT - Advanced Persistent Threat
- ACL - Access Control List
- AP - Access Point
- ASP - Application Service Provider
- CIA - Confidentiality, Integrity, Availability
- IEC - International Electrotechnical Commission
- ISMS - Information Security Management System
- ISO - International Organization for Standardization
- IT - Information Technology
- JTC - Joint Technical Committee
- RBI - Reserve Bank of India

Implementation of ISO 27001:2013 in Banking Industry

Chapter.1 – Introduction


Key Points Discussed In This Chapter

- Introduction
- Gestalt of ISO/IEC 27001:2013
- Information Security and ISO/IEC 27001:2013
- Need to implement an ISMS
- Benefits of an ISMS
- Review of Literature
- Statement of Problem
- Research Questions
- Research Objectives
- Research Methodology
- Research Tools

1.1. Introduction
Nowadays almost every organization, whether educational, commercial, banking or non-profit,
deals with information technology (IT), so managing and securing both the information and the
technology is of prime importance for an organization. ISO 27001:2013 is a vital standard for
managing and protecting information. Beyond that, it provides many benefits to an organization:
creating trust among stakeholders1, keeping confidential information secure, giving confidence to
customers and stakeholders, enabling the organization to exchange information securely, helping
it meet its obligations, providing flexibility to comply with other regulations, establishing market
reputation and taking the organization one step ahead of the competition, and increasing client
satisfaction, which leads to client loyalty.

In India, the Reserve Bank of India (RBI), the regulating and governing body of the banking
industry, announced the creation of a Working Group on Information Security, Electronic Banking,
Technology Risk Management and Tackling Cyber Fraud in April 2010. The Group was set up
under the Chairmanship of the Executive Director Shri G. Gopalakrishna. The Group delved into
various issues arising out of the use of Information Technology in banks and made its
recommendations in nine broad areas: IT Governance, Information Security, IS Audit, IT
Operations, IT Services Outsourcing, Cyber Fraud, Business Continuity Planning, Customer
Awareness programs and Legal issues. The report of the Working Group states that “the
Commercial banks should implement ISO 27001 based Information Security Management System
(ISMS) best practices to protect their critical functions. Additionally, other reputed security/IT
control frameworks may also be considered by banks”.2 This can be considered a direction by the
regulating authority to all banks in India to implement an ISMS.

1
A stakeholder means a person or organization that can affect, be affected by, or perceive themselves to be
affected by a decision or activity. Defined in Clause 2.13 of ISO/IEC 31000:2009.

ISO/IEC 27001:2013 is an information security standard that was published on 25 September
2013. It supersedes ISO/IEC 27001:2005 and is published by the International Organization for
Standardization (ISO)3 and the International Electrotechnical Commission (IEC)4 under the joint
ISO and IEC subcommittee ISO/IEC JTC 1/SC 27. It is a specification for an information security
management system (ISMS). Organizations which meet the standard may be certified compliant by
an independent and accredited certification body on successful completion of a formal compliance
audit.

ISO (International Organization for Standardization) and IEC (International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest.
Other international organizations, governmental and non-governmental, in liaison with ISO and
IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.

The information security management system maintains the confidentiality5, integrity6 and
availability7 of information by applying a risk management process8 and provides trust to the
interested parties that risks are adequately managed. It is important that information security
management is integrated with the organization’s processes and overall management structure,
and that information security is considered in the design of processes, information systems and
controls. An information security management system implementation is expected to be based on
the needs of the organization. This International Standard can be used by internal and external
parties to assess the organization’s ability to meet its own information security requirements.

2
Available at https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WREB210111_ES.pdf (accessed on
01/11/2017).
3
The International Organization for Standardization is an international standard-setting body composed of
representatives from various national standards organizations. Available at https://www.iso.org/ (accessed on
01/11/2017).
4
The International Electrotechnical Commission (IEC) is a not-for-profit, quasi-governmental organization
founded in 1906. It is the leading global organization that publishes consensus-based International Standards and
manages conformity assessment systems for electric and electronic products, systems and services, collectively
known as electrotechnology. Available at http://www.iec.ch/about/activities/?ref=menu (accessed on 1/11/2017).
5
Confidentiality is the property that information is not made available or disclosed to unauthorized individuals,
entities or processes. Defined in Clause 2.12 of ISO/IEC 27000:2016.
6
Integrity is the property of accuracy and completeness. Defined in Clause 2.40 of ISO/IEC 27000:2016.
7
Availability is the property of being accessible and usable upon demand by an authorized entity. Defined in
Clause 2.9 of ISO/IEC 27000:2016.
8
Risk management is defined as “Coordinated activities to direct and control an organization with regard to risk.”
Defined in Clause 2.2 of ISO/IEC 31000:2009.

ISO/IEC 27001:2013 is a security standard that formally specifies an Information Security
Management System (ISMS) that is intended to bring information security under explicit
management control. As a formal specification, it mandates requirements that define how to
implement, monitor, maintain and continually improve the ISMS. It also prescribes a set of best
practices that include documentation requirements, divisions of responsibility, availability,
access control, security, auditing, corrective and preventive measures. Certification to
ISO/IEC 27001:2013 helps organizations to comply with numerous regulatory and legal
requirements that relate to the security of information.

The research report will explain the effective implementation of ISO 27001:2013 in Banking
organization by following all the requirements and appropriate controls of ISO 27001:2013 to
establish a holistic information security management system in banking industry and the report
will give the light into the drawback of the standard which encourages a Banking organization to
follow other similar Information Security standard to deal with those lacunas. The report will
provide the solution of drawback and provide the assistance in implementation of the ISO
27001:2013 in banking organization.

1.2. Gestalt of ISO 27001:2013

ISO/IEC 27001:2013 is an information security management standard. It defines a set of
information security management requirements. The official complete name of this standard is
ISO/IEC 27001:2013 Information technology - Security techniques - Information security
management systems - Requirements. These requirements can be found in the following seven
mandatory clauses:

I. Context Establishment
II. Leadership
III. Planning
IV. Support
V. Operations
VI. Performance Evaluation
VII. Improvement

I. Context Establishment: This clause requires understanding the organization and its context
before establishing its information security management system (ISMS). It talks about
identifying the issues that are relevant to an organization's purpose and considering the
influence these issues could have on the outcomes and objectives that its ISMS needs to
achieve. First, an organization needs to understand its approach to governance9, its
capabilities, its contracts, its culture, its stakeholders, its environmental conditions, its
interested parties10 and its legal obligations before developing its ISMS, so that the ISMS it
designs is able to address all these influences. After considering all these issues, the scope of
the ISMS is established and development of the ISMS begins.

II. Leadership: This clause requires the organization's top management to provide leadership and
commitment for its ISMS by showing support for it, by making sure that everyone in the
organization understands the importance of the ISMS, by assigning responsibility and authority
for it, and by establishing an information security policy.

III. Planning: The Planning clause is used to identify the risks11 and opportunities that could
influence the effectiveness of an organization's ISMS or disrupt its operation, and then to work
out what needs to be done to address these risks and opportunities. It also requires the
organization to assess its information security risks, to select risk treatment12 options, to
choose the information security13 controls14 that are needed to implement these options, and to
formulate a risk treatment plan. Finally, it asks the organization to establish information
security objectives15 at all relevant levels and for all relevant functions within the
organization and to develop plans to achieve these objectives.

IV. Support: This clause states that the complying organization should support its ISMS by
providing resources. It requires the organization to ensure the competence16 of the people who
have an impact on its security and to ensure that they are aware of their responsibilities. It
then asks the organization to work out how extensive and detailed its ISMS documents and records
need to be. An organization needs to include all necessary documents and records and to manage
and control their creation and modification.

V. Operations: This clause asks the organization to establish the processes it needs in order
to meet its information security requirements, to carry out the actions needed to address its
information security risks and opportunities, and to implement the plans needed to achieve its
information security objectives. Regular information security risk assessments17 should be
performed to prioritize the risks, and a record of risk assessment results should be maintained.
Finally, the organization needs to implement its information security risk treatment plans and to
maintain a record of risk treatment results.

9
Governance means “A system by which an organization’s information security activities are directed and
controlled”. Defined in Clause 2.28 of ISO/IEC 27000:2016.
10
Interested party is defined as “A person or organization that can affect, be affected by, or perceive themselves to
be affected by a decision or activity”. Defined in Clause 2.41 of ISO/IEC 27000:2016.
11
Risk is defined as “effect of uncertainty on objectives”. Defined in Clause 2.1 of ISO/IEC 31000:2009.
12
Risk treatment is defined as “Process to modify risk” or “Avoiding the risk by deciding not to start or continue
with the activity that gives rise to the risk”. Defined in Clause 2.25 of ISO/IEC 31000:2009.
13
Information Security is defined as preservation of Confidentiality, Integrity and Availability of information.
Defined in Clause 2.33 of ISO/IEC 27000:2016.
14
Control is defined as “Measure that is modifying risk”. Defined in Clause 2.16 of ISO/IEC 27000:2016.
15
Objective is defined as “Result to be achieved”. Defined in Clause 2.56 of ISO/IEC 27000:2016.
16
Competence is defined as “Ability to apply knowledge and skills to achieve intended results”. Defined in Clause
2.11 of ISO/IEC 27000:2016.
17
Risk assessment is defined as “Overall process of risk identification, risk analysis and risk evaluation”. Defined
in ISO/IEC 27005:2011.

VI. Performance Evaluation: This clause states that an organization needs to monitor18,
measure19, analyse, audit20 and evaluate its ISMS, and to review its suitability, adequacy and
effectiveness at planned intervals.

VII. Improvement: This clause requires an organization to identify nonconformities21, to take
corrective actions22, and to enhance the suitability, adequacy and effectiveness of its ISMS.

1.3. Information Security and ISO/IEC 27001:2013

Effective information security is defined in the standard as the “preservation of confidentiality,
integrity and availability of information”. It cannot be achieved through technological means
alone and should never be implemented in a way that is either out of line with the organization’s
approach to risk or that undermines or creates difficulties for its business operations.

1.3.1. Approach to Information Security

The ISMS includes organizational structure, policies, planning activities, responsibilities,
practices, procedures, processes and resources, and is a structured, coherent management
approach to information security. It should be designed to ensure the effective interaction of the
three key attributes of information security:

- Process (or Procedure);
- Technology;
- Behaviour.

The decision to develop an ISMS should be a strategic business decision. It should be debated,
agreed and driven by the organization’s board of directors or equivalent top management group.
The design and implementation of the ISMS should be directly influenced by the organization’s
needs and objectives, its security requirements, the processes employed, and the size and
structure of the organization.

[18] Monitoring is defined as “To determine the status of a system, a process or an activity”. Defined in Clause
2.52 of ISO/IEC 27000:2016.
[19] Measure is defined as “Variable to which a value is assigned as the result of measurement”. Defined in
Clause 2.47 of ISO/IEC 27000:2016.
[20] Audit is defined as “A systematic, independent and documented process for obtaining audit evidence and
evaluating it objectively to determine the extent to which audit criteria are fulfilled”. Defined in Clause 2.5 of
ISO/IEC 27000:2016.
[21] Non-Conformity is defined as “non-fulfillment of a requirement”. Defined in Clause 2.53 of ISO/IEC
27000:2016.
[22] Corrective action is defined as “Action to eliminate the cause of non-conformity and to prevent recurrence”.
Defined in Clause 2.19 of ISO/IEC 27000:2016.
Page | 6
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry

ISO 27001:2013 is not a one-size-fits-all solution to an organization's information security
management needs. It should not interfere with the growth and development of the business.
According to ISO 27001:2013:

• The ISMS will be scaled in accordance with the needs of the organization;
• A simple situation requires a simple ISMS solution;
• The ISMS is expected to change over time;
• The standard is meant to be a useful model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an ISMS.

It is a model that can be applied anywhere in the world, and understood anywhere in the world. It
is also technology neutral and can be implemented in any hardware or software environment.

1.4. Need to implement an ISMS

(Diagram: the ISMS at the centre, linked to Customer Confidence, Internal Effectiveness,
Compliance & Regulation, and External Security Risks.)

FIGURE.1.1. Potential of ISMS[23]

There are broadly four reasons for an organization to implement an ISMS; these are:

• Strategic: a government or parent company requirement, or a strategic board decision to
better manage its information security within the context of its overall business risks;
• Customer confidence: the need to demonstrate to one or more customers that the
organization complies with information security management best practice, or the
opportunity to gain a competitive edge, in customer and supplier relationships, over its
competitors;
• Regulatory: the desire to meet various statutory and regulatory requirements, particularly
around computer misuse, data protection and personal privacy;
[23] Available at Alan Calder, Implementing Information Security Based on ISO 27001/ ISO 27002- A management
Guide, Van Haren Publishing, Second Edition, 2009, ISBN 978- 90 8753- 540- 7. At page no.5

• Internal effectiveness: the desire to manage information more effectively within the
organization.

While all four reasons for adopting an ISMS are good ones, it must be remembered that having
an ISO 27001 compliant ISMS will not automatically, “in itself”, confer immunity from legal
obligations. The organization will have to ensure that it understands the range of legislation and
regulation with which it must comply, ensure that these requirements are reflected in the ISMS as
it is developed and implemented, and then ensure that the ISMS works as designed. Having seen
the reasons for implementing an ISMS in an organization, let us now see the reasons for
implementing an ISMS in accordance with ISO 27001:2013; these are:

• It provides assurance of compliance with a range of regulatory requirements like
HIPAA[24], FISMA[25], GLBA[26], etc.[27]
• It establishes the general controls required for SOX[28] and SSAE 16 type audits[29]
• It is globally recognized as a standard for ISMS
• It is applicable to all organizations regardless of size, type or nature
• It provides continual assessment and helps to keep security controls effective
• Increased customer confidence
• It enables an organization to quickly detect and isolate any security breach[30]

[24] HIPAA is a USA-based act, the Health Insurance Portability and Accountability Act, which established a
national standard to be used in all doctors' offices, hospitals and other businesses where personal medical
information is stored. It is a regulation designed to protect personal information and data collected and stored in
medical records. Available at www.businessdictionary.com/definition/HIPPA-privacy-rule.html. Accessed on
25/02/2018
[25] The Federal Information Security Management Act (FISMA) is United States legislation that defines a
comprehensive framework to protect government information, operations and assets against natural or man-made
threats. FISMA was signed into law as part of the Electronic Government Act of 2002. Available at
searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act. Accessed on 25/02/2018
[26] The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It
is a United States federal law that requires financial institutions to explain how they share and protect their
customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers
how they share the customers’ sensitive data, inform customers of their right to opt out if they prefer that their
personal data not be shared with third parties, and apply specific protections to customers’ private data in
accordance with a written information security plan created by the institution. Available at
https://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-
bliley-act. Accessed on 25/02/2018.
[27] Available at Edward Humphreys (2016). Implementing the ISO/IEC 27001 ISMS Standard. 2nd ed. UK: Artech
House. 10-85. ISBN 13:978-1-60807-930-8.
[28] In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the
general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of
corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements. Congressmen
Paul Sarbanes and Michael Oxley drafted the act with the goal of improving corporate governance and
accountability, in light of the financial scandals that occurred at Enron, WorldCom, and Tyco, among others.
Available at https://digitalguardian.com/blog/what-sox-compliance. Accessed on 25/02/2018
[29] SSAE 16, also called Statement on Standards for Attestation Engagements 16, is a regulation created by
the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for
redefining and updating how service companies report on compliance controls. Available at
searchcloudsecurity.techtarget.com/definition/SSAE-16. Accessed on 25/02/2018

1.5. Benefits of an ISMS

There are various benefits associated with a comprehensive ISMS implementation. The
following subsections highlight some of the benefits of an ISMS:

1.5.1. Improved understanding of business aspects

Most organizations agree with the notion that their understanding of their business process
functions and resource requirements has increased with ISMS implementation. This is because
an ISMS requires a detailed study of the business processes in the organization to determine the
assets involved and the different types of risk associated with those assets. This is highly
beneficial, as not only will the organization have a deeper understanding of its business
processes, it will also be able to identify the exact number of assets needed to run those business
processes and thus make the necessary adjustments to improve its performance.

1.5.2. Reductions in security breaches and/or claims

A proper and comprehensive ISMS implementation can significantly reduce the number of
security breaches and/or claims in an organization. This is one of the major selling points of
implementing an ISMS, and organizations that are serious about putting a stop to unwanted and
costly security breaches are encouraged to look closely at taking up the option.

1.5.3. Reductions in adverse publicity

A successful ISMS implementation will help put a stop to malicious rumours regarding the state
of organizational security. The pilot programme participants agree that with a comprehensive
ISMS implementation they are much better able to defend the organization's integrity from being
compromised by ill-intentioned parties.

1.5.4. Improved insurance liability rating

By demonstrating that there are sufficient controls to protect critical information against security
breaches, an ISMS has helped organizations to improve their insurance liability ratings.

1.5.5. Identify critical assets via the Business Risk Assessment

Risk assessment is one of the major components of an ISMS because through this process not
only are all the assets in the organization identified, but the different types of threat, vulnerability
and risk to those assets are also determined, so that appropriate controls can be implemented to
mitigate those risks. All the participating organizations agree that risk assessment is very
beneficial to them and has assisted them in securing their organizations better.
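As an added worked example (it is not from the dissertation, and ISO/IEC 27001:2013 does not prescribe any particular scoring method), the following Python risk register shows one way to keep the records that the Operation clause summary at the start of this section and this subsection call for: risk assessment results for each asset, threat and vulnerability, prioritisation by risk level, the treatment decision with the controls chosen, and the residual risk after treatment. It also shows the check a practitioner wants in such a register: a risk above the acceptance threshold cannot be quietly retained without a recorded approver. The 1..5 likelihood and impact scales, the acceptance threshold of 8, the sample bank assets and the mapping to Annex A control references are all assumptions made for illustration.

```python
"""Constructed example of an ISMS risk register (not from the dissertation).
Records risk assessment results, prioritises risks, and records treatment
decisions and residual risk. The 1..5 scales, the threshold and the sample
assets are assumptions for illustration only."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Sequence


class Treatment(Enum):
    MODIFY = "modify"  # reduce likelihood and/or impact with controls
    RETAIN = "retain"  # accept the risk knowingly, with a named approver
    AVOID = "avoid"    # stop the activity that gives rise to the risk
    SHARE = "share"    # transfer part of the risk, e.g. insurance or a supplier


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    treatment: Optional[Treatment] = None
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    accepted_by: Optional[str] = None

    @property
    def level(self) -> int:
        """Inherent risk level before treatment (likelihood x impact)."""
        return self.likelihood * self.impact

    @property
    def residual_level(self) -> int:
        """Risk level after treatment; equals the inherent level until treated."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


class RiskRegister:
    def __init__(self, acceptance_threshold: int = 8) -> None:
        self.threshold = acceptance_threshold  # risks at or below this may be retained
        self.risks: List[Risk] = []

    def assess(self, risk: Risk) -> Risk:
        """Record a risk assessment result after validating the scale."""
        for value in (risk.likelihood, risk.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")
        self.risks.append(risk)
        return risk

    def prioritised(self) -> List[Risk]:
        """Highest inherent risk first; ties broken by asset name for a stable list."""
        return sorted(self.risks, key=lambda r: (-r.level, r.asset))

    def treat(self, risk: Risk, treatment: Treatment, controls: Sequence[str] = (),
              residual_likelihood: Optional[int] = None,
              residual_impact: Optional[int] = None,
              accepted_by: Optional[str] = None) -> Risk:
        """Record a treatment decision. Retaining a risk above the threshold is
        rejected unless a named approver is recorded with the decision."""
        if treatment is Treatment.RETAIN and risk.level > self.threshold and not accepted_by:
            raise ValueError(f"risk level {risk.level} exceeds threshold {self.threshold}; "
                             "retention needs a recorded approver")
        risk.treatment = treatment
        risk.controls = list(controls)
        risk.residual_likelihood = residual_likelihood
        risk.residual_impact = residual_impact
        risk.accepted_by = accepted_by
        return risk

    def open_items(self) -> List[Risk]:
        """Risks that are untreated, or still above threshold without an approver."""
        return [r for r in self.risks
                if r.treatment is None
                or (r.residual_level > self.threshold and not r.accepted_by)]


def build_sample_register() -> RiskRegister:
    """Constructed sample data for a bank. Control references use ISO/IEC 27001:2013
    Annex A numbering; the mapping is an illustrative choice, not the standard's."""
    reg = RiskRegister(acceptance_threshold=8)
    card = reg.assess(Risk("Customer card data in transit", "interception",
                           "weak transport encryption", 4, 5))
    db = reg.assess(Risk("Core banking database", "unauthorised access to customer records",
                         "excessive access rights", 3, 5))
    laptops = reg.assess(Risk("Staff laptops", "device theft", "no disk encryption", 4, 3))
    atm = reg.assess(Risk("ATM network", "malware infection", "delayed patching", 2, 4))

    reg.treat(card, Treatment.MODIFY, ["A.10.1.1 cryptographic controls policy"],
              residual_likelihood=1, residual_impact=5)
    reg.treat(db, Treatment.MODIFY, ["A.9.4.1 information access restriction"],
              residual_likelihood=1, residual_impact=5)
    reg.treat(laptops, Treatment.MODIFY, ["A.11.2.6 security of equipment off-premises"],
              residual_likelihood=2, residual_impact=2)
    reg.treat(atm, Treatment.RETAIN, accepted_by="CISO")  # level 8 is within appetite
    return reg


def retention_above_threshold_is_rejected() -> bool:
    """Check that the register refuses silent acceptance of a high risk."""
    reg = RiskRegister(acceptance_threshold=8)
    high = reg.assess(Risk("Payment switch", "service outage", "single point of failure", 3, 5))
    try:
        reg.treat(high, Treatment.RETAIN)
    except ValueError:
        return True
    return False
```

The register keeps the two records the standard asks for (assessment results and treatment results) in the same object, so that the residual level is always computed from the treatment actually recorded rather than copied by hand; `open_items()` is what an internal audit under the Performance Evaluation clause would review.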

1.5.6. Ensure that “knowledge capital” will be “stored” in a business management system

Since one of the focuses of an ISMS is the concept of availability, it encourages organizations to
develop a knowledge database from which they can draw on the needed expertise in situations
where certain personnel or systems are deemed to be unavailable.

[30] A security breach is any incident that results in unauthorized access of data, applications, services, networks
and/or devices by bypassing their underlying security mechanisms. A security breach is also known as
a security violation. Available at https://www.techopedia.com/definition/29060/security-breach. Accessed on
25/02/2018

1.5.7. Be a confidence factor internally as well as externally

Not only will employees feel more confident performing their assigned tasks in a secure business
environment, third parties including clients and service providers will also feel more secure doing
work with an organization that places extra emphasis on securing information. We noted that this
is so especially in the organizations that have managed to successfully implement an ISMS,
whether for compliance and/or certification purposes.

1.5.8. Systematic approach

An ISMS provides a systematic way for organizations to manage their information security setup
through the implementation of the PDCA model that it adopts. The pilot programme participants
agree that an ISMS enables them to manage and secure their information effectively as well as
systematically.

1.5.9. Provide a structure for continuous improvement


With the use of the PDCA model, ISMS will ensure that the framework to enable organizations
to continuously improve their information security management setup is in place. Again, this
view is shared unanimously by all the participating organizations.

1.5.10. Enhance the knowledge and importance of security-related issues at the
management level

An ISMS requires the management team's participation in the entire ISMS process cycle and thus
automatically enhances their awareness and knowledge of the importance of security-related
issues in the organization. The participants agree that with awareness and much more
involvement in the ISMS project at the management level, they are able to implement the ISMS
more effectively.

1.5.11. Advantages from Certification of ISMS

Organizations that wish to be certified as an “ISO/IEC 27001:2013 ISMS compliant firm” need
to comply with all the mandatory clauses and controls mentioned in ISO/IEC 27001:2013. The
certification can add several advantages, such as:

• Provide a structured way of managing information security within an organization.
• Provide an independent assessment of an organization’s conformity to the best practices agreed
by a community of experts for ISMS.
• Provide evidence and assurance that an organization has complied with the standard's
requirements.
• Enhance information security governance within the organization.
• Enhance the organization’s global positioning and reputation.
• Increase the level of information security in the organization.


1.6. Review of Literature

1.6.1. Books/E-Books
• Shon Harris, All in One CISSP Exam Guide, McGraw-Hill Companies Publications,
Eighth Edition 2016, ISBN 978-0-07-178173-2
This book provides guidance for the Certified Information System Security Professional
examination and so covers almost all domains of information security. For this research the
researcher referred to Chapter 2 of the book, titled “Information Security Governance and Risk
Management”, in which the author elaborates the regulatory frameworks for information
security and the major points of concern while implementing such a standard in an organization.

• Alan Calder, Implementing Information Security Based on ISO 27001/ ISO 27002-
A management Guide, Van Haren Publishing, Second Edition, 2009, ISBN 978- 90
8753- 540- 7.
This management guide provides an overview of the two international information security
standards ISO 27001 and ISO 27002. These standards provide a basis for implementing
information security controls to meet an organization's own business requirements, as well as a
set of controls for business relationships with other parties. The guide provides an introduction
and overview to both standards, the background to the current version of the standards, and links
to other standards such as ISO 9001, BS25999 and ISO 20000 and to frameworks such as COBIT
and ITIL. Above all, this handy book describes how ISO 27001 and ISO 27002 interact to guide
an organization in developing best practices for an Information Security Management System.

• Steve Watkins and Alan Calder, IT Governance: An International Guide to Data
Security and ISO 27001/ ISO 27002, Kogan Publisher, Sixth Edition 2015, ISBN
978- 0- 7494- 7405- 8
This guide provides a detailed overview of the development of IT governance. It recognizes that
the convergence between business practice and IT management makes it essential for managers
at all levels, and in organizations of all sizes, to understand how best to deal with information
security risk. The 2015 edition is the sixth edition of the guide and is fully updated to take
account of the latest regulatory and technological developments, including the creation of the
international board for IT Governance qualifications.

• Anthony Tarantino (2012). Governance, Risk and Compliance Handbook:
Technology, Finance, Environmental and International Guidance and Best
Practices. Sixth Edition, John Wiley & Sons Inc. ISBN 978-0-470-09589-8.
Providing a comprehensive framework for a sustainable governance model, and showing how to
leverage it in competing global markets, the Governance, Risk and Compliance Handbook
presents a readable overview of the political, regulatory, technical, people and process
considerations in complying with an ever more demanding regulatory environment and
achieving good corporate governance. Offering an international overview, this book features
contributions from sixty-four industry experts from fifteen countries.

1.6.2. Research Papers/ Articles/ Journals

• Ja’far Alqatawna. (2016). The Challenge of Implementing Information Security
Standards in Small and Medium e-Business Enterprises. Journal of Software
Engineering and Applications, ISSN 883-890
(https://file.scirp.org/pdf/JSEA_2014092411510528.pdf).
This research paper gives a brief analysis of the challenges faced by an SME during the
implementation of any Information Security Management System. The paper briefly analyses
different evaluation standards like the Common Criteria and various information management
systems. With the help of this paper the researcher can easily analyse the issues faced by an SME
while implementing any ISMS.

• Placido Rodal Castro, Implementation Plan for an ISMS according to ISO/IEC
27001:2013, 2016.
This is a thesis presented in partial fulfilment of the requirements of a postgraduate degree at the
Universitat Oberta de Catalunya (Open University of Catalonia), an Internet-centred open
university based in Barcelona, Spain, by the student Placido Rodal Castro. The researcher
reviewed this thesis to get the concept of planning for the implementation of an ISMS. It is a
Creative Commons licensed document, carrying the Creative Commons Attribution,
Non-commercial, Non-derivative 3.0 licence, which allows me to reproduce the work as a whole
or in part, as it is, by citing it. The main objective of the thesis is to define the implementation
plan for an ISMS (Information Security Management System) according to ISO/IEC 27001:2013.
The thesis elaborates the components of an ISMS, including all the policies, procedures, plans,
processes, practices, roles, responsibilities, resources, and structures that are used to protect and
preserve the information and assets of the company. It helped me to understand the concept of
drafting policies while implementing the standard in an organisation.

• Gerhard Funk. (2016). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation
Guideline ISO/IEC 27001:2013. Germany Chapter.
This is an implementation guideline published by ISACA (previously known as the Information
Systems Audit and Control Association), Germany Chapter; ISACA is a globally recognised
organisation for developing information technology related standards and guidelines. The
guideline elaborates in detail the best practice for implementing an ISMS in an organization in
accordance with ISO/IEC 27001:2013. It was authored by a team consisting of Gerhard Funk
(CISA, CISM), independent consultant; Julia Hermann (CISSP, CISM), Giesecke & Devrient
GmbH; Angelika Holl (CISA, CISM), Unicredit Bank AG; Nikolay Jeliazkov (CISA, CISM),
Union Investment; Oliver Knörle (CISA, CISM); Boban Krsic (CISA, CISM, CISSP, CRISC),
DENIC eG; Nico Müller, BridgingIT GmbH; Jan Oetting (CISA, CISSP), Consileon Business
Consultancy GmbH; Jan Rozek; Andrea Rupprich (CISA, CISM), usd AG; Dr. Tim Sattler
(CISA, CISM, CRISC, CGEIT, CISSP), Jungheinrich AG; Michael Schmid (CISM), Hubert
Burda Media; and Holger Schrader (CISM, CRISC).

1.6.3. Standards
• ISO/IEC 27000:2016 Information Technology- Security Techniques- Information
Security Management Systems- Overview and Vocabulary.
This is a widely accepted international standard used for developing an understanding of an
Information Security Management System (ISMS); it basically provides the definitions, overview
and importance of an ISMS. For implementing ISO/IEC 27001:2013 in any organisation we first
need to understand its terms and definitions, and as stated in clause 3 of the standard, “For the
purposes of this document (ISO/IEC 27001:2013), the terms and definitions given in ISO/IEC
27000 apply”; the latest version of ISO/IEC 27000 is 27000:2016. This standard helped the
researcher to understand the definitions of basic terms like audit, availability, confidentiality and
integrity, and for further research I will refer to this standard for defining any terms and for
getting the key concepts of an ISMS.

• ISO/IEC 27001:2013 Information Technology- Security Techniques- Information
Security Management Systems- Requirements.
An ISMS is a systematic approach to managing sensitive company information so that it
remains secure. It includes people, processes and IT systems by applying a risk
management process. It can help small, medium and large businesses in any sector keep
information assets secure. ISO/IEC 27001:2013 specifies the requirements for
establishing, implementing, maintaining and continually improving an information
security management system within the context of the organization. It also includes
requirements for the assessment and treatment of information security risks tailored to the
needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic
and are intended to be applicable to all organizations, regardless of type, size or nature.

• ISO/IEC 27002:2013 Information Technology - Security Techniques Code of
Practice for Information Security Controls
The information security standard ISO/IEC 27002:2013 is the “Code of Practice for Information
Security Controls”. It was first published by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC) in December 2000 as ISO 17799.
Today, ISO/IEC 27002 is part of the ISO 27000 series. The document provides best practice
recommendations and guidance for organizations selecting and implementing information
security controls within the process of initiating, implementing and maintaining an Information
Security Management System (ISMS). ISO/IEC 27002 applies to all types and sizes of
organizations, including public and private sectors, commercial and non-profit, that collect,
process, store and transmit information in many forms including electronic, physical and verbal.
This standard should be used as a reference for the consideration of controls within the process
of implementing an ISMS based on ISO/IEC 27001, for implementing commonly accepted
information security controls, and for developing the organization’s own information security
management guidelines.

• ISO/IEC 27003:2017 Information technology - Security techniques - Information
security management systems – Guidance
ISO/IEC 27003 provides guidance for those implementing the ISO 27000 standards, covering
the management system aspects in particular. Its scope is simply to “provide explanation and
guidance on ISO/IEC 27001:2013.” As a result of ISO’s intent to make all the management
systems standards consistent in structure and form, and in order for it to be usable for ISMS
certification purposes, the language of ISO/IEC 27001:2013 is inevitably rather formal, curt and
stilted. ISO/IEC 27003 offers pragmatic explanation with plain-speaking advice and guidance for
implementers of ISO/IEC 27001. The standard was initially published in 2010, advising on how
to plan an ISMS implementation project. It was substantially revised and re-issued in April 2017.
It now reflects and explains the structure and sequence of ISO/IEC 27001:2013, and no longer
anticipates a particular ISMS implementation project structure or approach.

1.7. Statement of Problem

ISO/IEC 27001:2013 is not by itself capable of providing appropriate information security to a
banking organization, as it does not provide detailed procedures for the secure processing, storage
and transmission of sensitive personal information; the banking industry is therefore also required
to comply with other, similar information security standards like PCI DSS.

1.8. Research Questions

• What is ISO/IEC 27001:2013 and how is it implemented?
• How does ISO/IEC 27001:2013 help the banking industry to manage its information
security?
• What are the issues and challenges faced by an implementer while implementing
ISO/IEC 27001:2013 in the banking industry?
• What are the lacunae in the existing ISO 27001:2013 standard?
• What could be the suggested improvements in ISO/IEC 27001:2013 for an effective
implementation of an ISMS in a bank?


1.9. Objectives of the Study

• To study and understand ISO 27001:2013.
• To obtain a simple and holistic approach for the implementation of ISO/IEC 27001:2013
in the banking industry.
• To fulfil all information security requirements of a bank by complying with only a single
standard, i.e., ISO/IEC 27001:2013.
• To identify specific controls in ISO/IEC 27001:2013 to secure the transmission and storage
of sensitive data (debit and credit card information).
• To suggest changes for the improvement of ISO/IEC 27001:2013.

1.10. Research Methodology

The doctrinal method is adopted.

1.11. Research Tools

This research study draws on various journals, research papers, books, frameworks, legal
statutes, rules, and other electronic materials available at hand. Observations and study from
different statute books, journals and articles will be referred to. Internet resources will be relied
upon as secondary sources.


Chapter.2- Overview of ISO/IEC 27001:2013

Key Points Discussed In This Chapter

• Understanding ISO/IEC 27001:2013
• Mandatory Clauses of ISO/IEC 27001:2013
• Domains of ISO/IEC 27001:2013
• Controls of Annexure A of ISO/IEC 27001:2013
• ISO/IEC 27002:2013
• ISMS in Banking Industry
• RBI on ISMS
• Badge on the wall debate

2.1. Understanding ISO/IEC 27001:2013

ISO/IEC 27001:2013 is a British standard which supersedes ISO/IEC 27001:2005/ BS7799-
2:2005[31]. ISO/IEC 27001:2013 is the standard used by any business organization which
specifically deals with information technology, or which transmits or stores its business
information in digital form, in achieving a holistic approach to an Information Security
Management System (ISMS). ISO/IEC 27001 is the international standard for information
security management. It outlines how to put in place an independently assessed and certified
information security management system. This allows you to more effectively secure all financial
and confidential data, so minimizing the likelihood of it being accessed illegally or without
permission.[32]

ISO/IEC 27001:2013 is a generic Information Security Management System standard. It can be
used by any organization, no matter what size it is or what it does. The purpose of 27k1:2013 is
to help organizations to establish and maintain an information security management system
(ISMS). An ISMS is a set of interrelated elements that organizations use to manage and control
information security and to protect and preserve the confidentiality, integrity and availability of
information. These elements include all of the policies, procedures, processes, plans, practices,
roles, responsibilities, resources and structures that are used to manage security risks and to
protect information. Meanwhile, 27k1:2013 says that an organization must meet every single
requirement (Clause 4 to Clause 10); how it does so depends on the organization’s objectives,
its unique information security risks and requirements, and the needs and expectations of
interested parties. It will also be influenced by its inherent complexity and its corporate
context.[33]

[31] ISO/IEC 27001:2005 is an older version of ISO/IEC 27001:2013 which has now been withdrawn by ISO.
[32] Available at https://www.bsigroup.com/en-IN/ISOIEC-27001-Information-Security/Introduction-to-ISOIEC-
27001. Accessed on 24/02/2018

ISO/IEC 27001:2013 is designed to be used for certification purposes. Once an organization has
established an ISMS that meets the requirements of 27k1:2013 and deals with the organization’s
unique risks, it can ask a registrar (certification body) to audit its system. If the organization
passes the audit, the registrar will issue an official certificate stating that the organization’s ISMS
meets the requirements of 27k1:2013. While 27k1:2013 is specifically designed to be used for
certification purposes, organizations don’t have to become certified. An organization can be in
compliance without being formally registered by an accredited certification body. It can
self-audit its ISMS and then announce to the world that it complies with ISO/IEC 27001:2013,
although its compliance claim will have more credibility if an independent certification body or
registrar has audited its ISMS and agrees with the claim.[34]

The 2005 version of the standard heavily employed the PDCA (Plan-Do-Check-Act) model to
structure its processes, and reflected the principles set out in the OECD guidelines. However, the
latest, 2013 version places more emphasis on measuring and evaluating how well an
organisation's ISMS is performing. A section on outsourcing was also added with this release,
and additional attention was paid to the organisational context of information security.[35]

2.2. Mandatory Clauses of ISO/IEC 27001:2013

The content of this section follows the same order and numbering as the following clauses,
which are required to certify an ISMS against ISO 27001:2013, as mentioned in the standard:
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

4. Context of the organization

4.1 Understanding the organization and its context
This clause requires the organization[36] to determine all internal and external issues that may be
relevant to its business purposes and to the achievement of the objectives of the ISMS itself.

4.2 Understanding the needs and expectations of interested parties

The standard requires the organization to assess who the interested parties are in terms of its
ISMS, what their needs and expectations may be, which legal and regulatory requirements, as
well as contractual obligations, are applicable, and consequently, whether any of these should
become compliance obligations.

[33] Available at http://www.praxiom.com/iso-27001-intro.html. Accessed on 24/02/2017
[34] Id
[35] Available at https://dqsus.com/certification/iso-27001. Accessed on 24/02/2018.
[36] Organization is defined as “Person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objective”. Available at Clause 2.57 of ISO/IEC 27000:2016.

4.3 Determining the scope of the Information Security Management System

The scope, boundaries and applicability of the ISMS must be examined and defined
considering the internal and external issues, the interested parties' requirements, and the
existing interfaces and dependencies between the organization’s activities and those performed
by other organizations. The scope must be kept as “documented information[37]”.

4.4 Information Security Management System

The standard indicates that an ISMS should be established and operated and, by using interacting
processes, be controlled and continuously improved.[38]

5. Leadership
5.1 Leadership and commitment
Top management[39] and line managers with relevant roles in the organization must demonstrate
genuine effort to engage people in the support of the ISMS. This clause sets out many items of
top management commitment, with enhanced levels of leadership, involvement, and cooperation
in the operation of the ISMS, by ensuring aspects like:
• Information security policy and objectives’ alignment with each other, and with the
strategic policies and overall direction of the business;
• Information security activities’ integration with other business systems where applicable;
• Provision of resources so the ISMS can be operated efficiently;
• Understanding of the importance of information security management and compliance
with ISMS requirements;
• Achievement of ISMS objectives;
• Definition of information security responsibilities for people within the ISMS, and their
proper support, training, and guidance to complete their tasks effectively;
• Support of the ISMS throughout its life cycle, considering a PDCA approach and continual
improvement.[40]

5.2 Policy
Top management has the responsibility to establish an information security policy, which is
aligned with the organization’s purposes and provides a framework for setting information
security objectives, including a commitment to fulfill applicable requirements and the continual

37 Documented Information is defined as “Information required to be controlled and maintained by an organization and the medium on which it is contained”. Available at Clause 2.23 of ISO/IEC 27000:2016.
38 Available at https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation. Accessed on 24/02/2018.
39 Top Management is defined as “Person or group of people who directs and controls an organization at the highest level”. Available at Clause no. 2.84 of ISO/IEC 27000:2016.
40 Available at https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation. Accessed on 24/02/2018.

improvement41 of the ISMS. The information security policy must be maintained as documented
information, be communicated within the organization, and be available to all interested parties.

5.3 Organizational roles, responsibilities and authorities


The standard states that it is the responsibility of top management to ensure that roles,
responsibilities, and authorities are delegated and communicated effectively. Responsibility
shall also be assigned to ensure that the ISMS meets the terms of the ISO 27001:2013 standard
itself, and that the ISMS performance can be accurately reported to top management.42

6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General
This clause seeks to cover the “preventive action”43 stated in ISO 27001:2013. The organization
must plan actions to handle risks and opportunities relevant to the context of the organization
(section 4.1) and the needs and expectations of interested parties (section 4.2), as a way to ensure
that the ISMS can achieve its intended outcomes and results, prevent or mitigate undesired
consequences, and continually improve. These actions must consider their integration with ISMS
activities, as well as how effectiveness should be evaluated.

6.1.2 Information security risk assessment


The organization must define and apply an information security risk assessment process with
defined information security risk and risk acceptance44 criteria, as well as criteria to perform such
assessments45, so that repeated assessments produce consistent, valid, and comparable results. The
risk assessment process must include risk identification, analysis, and evaluation, and the
process must be kept as documented information.

6.1.3 Information security risk treatment


The organization must define and apply an information security risk treatment process to select
proper risk treatment options and controls. The selected controls must consider, but not be
limited to, controls described in Annex A. The main results of the risk treatment process are the
statement of applicability, and the risk treatment plan, which must be approved by the risk
owners. The information security risk treatment process must be kept as documented
information.

41 Continual Improvement is defined as “Recurring activity to enhance performance”. Defined in Clause 2.15 of ISO/IEC 27000:2016.
42 Available at http://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001. Accessed on 24/02/2018.
43 Preventive action is performed to eliminate a potential event that could create a nonconformity. When talking about preventive action, we must remember that the nonconformity has not yet taken place; preventive action consists of identifying and eliminating the cause of a potential nonconformity.
44 Risk Acceptance is defined as “Informed decision to take a particular Risk”. Defined in Clause no. 2.69 of ISO/IEC 27000:2016.
45 Risk Assessment is defined as “Overall process of risk identification, risk analysis and risk evaluation”. Defined in Clause no. 2.71 of ISO/IEC 27000:2016.

6.1.4 Information security objectives and plans to achieve them


Information security objectives should be established and communicated at appropriate levels
and functions, having considered the alignment with the information security policy, the
possibility of measurement, and the applicable information security requirements, and results
from risk assessment and risk treatment.

The objectives must be updated when deemed necessary. They must be thought of in terms of
what needs to be done, when it needs to be done by, what resources are required to achieve them,
who is responsible for the objectives, and how results are to be evaluated, to ensure that
objectives are being achieved and can be updated when circumstances require. Again, it is
mandatory that documented information is kept outlining the information security objectives.

7. Support
7.1 Resources
In this clause, the standard states that resources required by the ISMS to achieve the stated
objectives and show continual improvement must be defined and made available by the
organization.

7.2 Competence
The competence46 of people given responsibility for the ISMS who work under the
organization’s control must meet the terms of the ISO 27001:2013 standard, to ensure that their
performance47 does not negatively affect the ISMS. Competence can be demonstrated by
experience, training, and/or education regarding the assumed tasks. When the competence is not
enough, training must be identified and delivered, as well as measured to ensure that the required
level of competence was achieved. This is also another aspect of the standard that must be kept
as documented information for the ISMS.

7.3 Awareness
Awareness is closely related to competence in the standard. People who work under the
organization’s control must be made aware of the information security policy and its contents,
what their personal performance means to the ISMS and its objectives, and what the implications
of nonconformities may be to the ISMS.

7.4 Communication
Internal and external communication deemed relevant to the ISMS must be determined, as well
as the processes by which it is to be effected, considering what needs to be communicated, by
whom, when it should be done, and who needs to receive the communication.

46 Competence is defined as “Ability to apply knowledge and skills to achieve intended results”. Available at Clause No. 2.11 of ISO/IEC 27000:2016.
47 Performance is defined as “Management of activities, processes, products (including services), systems or organizations”. Available at Note 2 of Clause no. 2.59 of ISO 27000:2016.

7.5 Documented information


7.5.1 General
“Documented information,” which is mentioned several times in this dissertation, now covers
both the “documents” and “records” concepts seen in the previous revision of the ISO 27001
standard.

This change was designed to facilitate the management of documents and records required by the
standard, as well as those viewed as critical by the organization to the ISMS and its operation. It
should also be noted that the amount and coverage of documented information that an
organization requires will differ, according to its size, activities, products, services, complexity
of processes and their interrelations, and people’s competence.

7.5.2 Creating and updating


The standard requires that documented information created or updated in the scope of the ISMS
must be properly identified and described, also considering its content, presentation, and the media
used. All documented information must undergo proper review48 and approval procedures to
ensure it is fit for purpose.

7.5.3 Control of documented information


The standard states that documented information required by the ISMS, and the standard itself,
either from internal or external origin, must be available and fit for use where and when needed,
and reasonably protected against damage or loss of integrity and identity. For the proper control
of documented information, the organization must consider the provision of processes regarding
the distribution, retention, access, usage, retrieval, preservation and storage, control49, and
disposition.

8. Operation
8.1 Operational planning and control
To ensure that risks50 and opportunities are treated properly (clause 6.1), security objectives are
achieved (clause 6.2), and information security requirements are met, an ISMS must plan,
implement, and control its processes, as well as identify and control any relevant outsourced51
processes, and retain documented information deemed necessary to provide confidence that
the processes are being performed and achieving their results as planned. Being focused on
keeping information secure, the ISMS should also consider in its planning and control the
monitoring of planned changes, and impact analysis of unexpected changes, to be able to take
actions to mitigate adverse effects if necessary.52

48 Review is defined as “activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives”. Available at Clause 2.65 of ISO/IEC 27000:2016.
49 Control is defined as “Measure that is modifying risk”. Available at Clause No. 2.68 of ISO/IEC 27000:2016.
50 Risk is defined as “Effect of uncertainty on objectives”. Available at Clause 2.68 of ISO/IEC 27000:2016.
51 Outsource is defined as “Make an arrangement where an external organization performs part of an organization’s function or process”. Available at Clause 2.58 of ISO/IEC 27000:2016.
52 Available at http://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001. Accessed on 25/02/2018.

8.2 Information security risk assessment


The standard requires risk assessments53 to be performed at planned intervals or according to the
criteria defined in clause 6.1.2 (a). The resulting information must be kept as documented
information.

8.3 Information security risk treatment


The standard requires risk treatment54 plans to be implemented, retaining the resulting
information as documented information.

9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
The organization not only has to establish and evaluate performance metrics regarding the
effectiveness and efficiency of processes, procedures, and functions that protect information, but
should also consider metrics for the ISMS performance, regarding compliance with the standard,
preventive actions in response to adverse trends, and the degree by which the information
security policy, objectives, and goals are being achieved.

The methods established should take into consideration what needs to be monitored and
measured, how to ensure the accuracy of results, and at what frequency to perform the
monitoring, measurement, analysis, and evaluation of ISMS data and results. It should also be
noted that performance results should be properly retained as evidence of compliance and as a
source to facilitate subsequent corrective actions.

9.2 Internal audit


Internal audits should be performed at planned intervals, considering the processes’ relevance
and results of previous audits, to ensure effective implementation and maintenance, as well as
compliance with the standard’s requirements and any requirements defined by the organization
itself. Criteria and scope for each audit must be defined.

Auditors should be independent and have no conflict of interest over the audit subject. Auditors
also must report the audit results to relevant management, and ensure that nonconformities are
brought to the attention of the responsible managers, who in turn must ensure that any corrective
measures needed are implemented in a timely manner. Finally, the auditor must also verify the
effectiveness of corrective actions taken.

9.3 Management review


The management review exists so that the ISMS can be kept continuously suitable, adequate, and
effective to support information security. It must be performed at planned intervals, in a
strategic manner and at the top management level, covering the required aspects all at once or in
parts, in whatever way best suits business needs.

53 Risk Assessment is defined as “Overall process of risk identification, risk analysis and risk evaluation”. Available at Clause no. 2.71 of ISO/IEC 27000:2016.
54 Risk Treatment is defined as “Process to modify Risk”. Available at Clause no. 2.79 of ISO/IEC 27000:2016.

The status of actions defined in previous reviews, significant internal and external factors that
may impact the ISMS, information security performance, and opportunities for improvement
should be reviewed by top management, so relevant adjustments and improvement opportunities
can be implemented.

The management review is the most relevant function to the continuity of an ISMS, because of
the top management’s direct involvement, and all details and data from the management review
must be documented and recorded to ensure that the ISMS can follow the specific requirements
and general strategic direction for the organization detailed there.

10. Improvement
10.1 Nonconformity and corrective action
Outputs from management reviews, internal audits, and compliance and performance evaluation
should all be used to form the basis for nonconformities and corrective actions55. Once identified,
a nonconformity or corrective action should trigger, if considered relevant, proper and systematic
responses to mitigate its consequences and eliminate root causes, by updating processes and
procedures, to avoid recurrence. The effectiveness of actions taken must be evaluated and
documented, along with the originally reported information about the nonconformity / corrective
action and the results achieved.

10.2 Continual improvement


Continual improvement56 is a key aspect of the ISMS in the effort to achieve and maintain the
suitability, adequacy, and effectiveness of information security as it relates to the
organization’s objectives.

2.3. Domains of ISO/IEC 27001:2013


The relevant subject areas of an ISMS in accordance with ISO/IEC 27001:2013 are described as
‘core components’ or ‘building blocks’ or ‘domains’ that have proven relevant and necessary in
the organization. Against this backdrop, content from the affected clauses of the standard has
been restructured and summarized in individual key subjects. According to the authors, the
standard can essentially be broken down into the 14 components explained in the following.
These components, taken together, comprise an organization’s ISMS:

1. Context of the Organization
2. Leadership and Commitment
3. IS Objectives
4. IS Policy
5. Roles, Responsibilities and Competencies
6. Risk Management
7. Performance Monitoring & KPIs
8. Documentation
55 Corrective Action is defined as “action to eliminate the cause of a non-conformity and to prevent recurrence”. Available at Clause 2.19 of ISO/IEC 27000:2016.
56 Continual Improvement is defined as “Recurring activity to enhance performance”. Available at Clause no. 2.15 of ISO/IEC 27000:2016.

9. Communication
10. Competence and Awareness
11. Supplier Relationships
12. Internal Audit
13. Incident Management
14. Continuous Improvement

FIGURE.2.1. Domains of ISMS in accordance with ISO/IEC 27001:2013.57

2.3.1. Context of the organization


During the implementation of an ISMS, one of the first tasks is determining the accurate scope of
the management system and the analysis of the requirements and the situation of the organization
and its stakeholders.

Determining the scope


In accordance with the standard, the scope must be documented and, in addition to the processes
and divisions covered by the ISMS, it should also include the results of the analysis of the
requirements and situation.
 The scope document is primarily intended for the stakeholders of the management
system, and if they request it, it should be provided to them. It is the only way that
stakeholders (such as customers) can verify whether the ISMS covers the processes,
infrastructure, subjects or requirements relevant to them.
 In practice, when organizations receive inquiries on this subject, they often refer to
ISO/IEC-27001:2013 certificates that they hold, which, upon closer inspection, turn out
to be irrelevant to or insufficient for the inquiry, because the process in question is not
57 Available at Gerhard Funk. (2016). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Germany Chapter, Page 11.


covered or only partially covered by the ISMS. To avoid any unpleasant and unintended
surprises, the scope document and/or a precise description of the scope should be
requested in addition to the certificate.
 Another important document regarding the scope of an ISMS is the statement of
applicability (SoA) required by the standard. The SoA includes explanations of the decisions
to implement the controls in Annex A – i.e., whether the control in question is used
within the ISMS or not, including an appropriate justification.
 A rough outline of the scope is usually provided in the information security policy.
Unlike the scope document, the security policy and the SoA are generally categorized as
internal documents and should not be passed on to external parties. However, as
previously mentioned, close attention must be paid to the precise definition of the scope
and the content of the SoA in the context of service provider relationships and, if
applicable, service provider audits.58

Situation Analysis
The purpose of the situation analysis is to place the ISMS into the overall environment based on
its scope. In addition to the organizational and technical relations relevant to the ISMS, it should
also include conditions that are typical for the respective industry or location. This must include
the internal context, such as other management systems (ISO 9001:2015, ISO 22301:2012, etc.),
as well as how it relates to other important departments such as risk management, human
resources, data protection, audit and legal - if this is not already part of the existing scope. It
must also include the external context, such as important suppliers and service providers,
strategic partners, and any other relevant organizations.

Requirement Analysis
The persons in charge of the ISMS need to have a clear overview of the existing stakeholders,
and their requirements for the organization and the management system. The requirements of
interested parties may include legal and official provisions (for example the German Federal
Data Protection Act BDSG, the German Act against Unfair Competition UWG, the German
Telemedia Act TMG, regulatory authorities, etc.) as well as contractual obligations. The
organization itself (or an organization on a higher hierarchical level) might also have
decision-making and/or policy-making authority, which must be taken into account.59

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 scope of the ISMS (Clause 4.3)
 statement of applicability (Clause 6.1.3 d)
 overview of all relevant legal, regulatory, and contractual requirements that have an
impact on the information security strategy and the ISMS (A.18.1)
Additionally, the following documents have proven useful in practice:
 Overview of all stakeholders relevant to the specific scope of the ISMS

58 Available at Gerhard Funk. (2016). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Germany Chapter. At page 13.
59 Id.

2.3.2. Leadership and Commitment


A successful ISMS is implemented “top down” and establishes a connection between business
objectives and information security by taking stakeholders’ requirements into account, and by
using effective measures to reduce risk to the operational business processes to an acceptable
level. To achieve this, the business objectives and requirements must be known, and the
appropriate organization (such as the implementation/adaptation of risk management processes
in the organization) must be put in place.
Approval and support from top management are indispensable to ensure the mandatory character
and acceptance of the introduced management system processes.

The standard correctly and explicitly requires top management to take full and verifiable
responsibility for information security within the organization. In addition, the importance of an
effective ISMS and compliance with its requirements must be communicated to the affected
employees. This is generally achieved by means of the information security policy.

 Under the headline ‘IT governance’, and in relation to management’s responsibility for
strategy, particularly in areas subject to regulation, supervisory authorities and boards
are increasingly requesting verifiable proof of responsibility.

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Clause 9.3 ‘Management Review’ requires documentation of the fact that top
management monitors the ISMS, including the decisions regarding changes and improvements
to the ISMS. They can be included in the risk treatment plan in the form of
measures.
 Results of a management review, such as decisions on options for continuous
improvement, must be retained as documented information.

Additionally, the following documents have proven useful in practice:


 A document that records the derivation and assessment of risks resulting from existing
discrepancies between the strategic IS objectives and the degree of objectives achieved,
ideally in the form of a risk treatment plan.
 Documents (presentations, logs, minutes, reports, etc.) which provide evidence for an
effective reporting to the top management.60

Note: There are several documentation options in the context of management responsibility. The
examples above are suggestions for possible types of recording that contribute to making
reporting and decision-making processes more transparent. Each organization must determine
the type and frequency of documentation that works best.

60 Available at Julia Hermann (CISSP, CISM). (2016). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Germany Chapter. Page 16.

2.3.3. IS Objectives
The ISMS as a whole contributes to protecting and maintaining confidentiality, integrity, and
availability of the respective business processes and the information contained therein. The
company objectives laid out by company management and the IT objectives derived from the
company objectives serve as the basis for designing/determining the information security
objectives and the resulting controls.

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Documentation of the IS objectives must be made available.

Additionally, the following documents have proven useful in practice:


 The documentation of the IS objectives must be designed to include an implementation
plan and/or references to specific processes. Generally, the IS policy already refers to the
(documentation of the) IS objectives. The IS objectives can also be part of the IS
strategy.61

2.3.4. IS Policy
The (top) managers responsible for the organization are required to set out an information
security policy (IS policy) that documents the organization’s strategic decision to implement an
ISMS, informs the target group about the obligation to comply with information security
requirements as well as the self-commitment to continuously improve the ISMS. The policy must
suit the organization’s purpose and include the principles and objectives that the ISMS seeks to
achieve, as well as the organization’s general information security objectives.

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Information security policy (see Clause 5.2 e)
Additionally, the following documents have proven useful in practice:
 Subject-specific information security policies and guidelines (see Annex A.5.1)
 Associated documents and organizational charts, e.g., explaining the organizational
structure in the context of information security (if not included in the policy) 62

2.3.5. Roles, Responsibilities and Competencies


According to Clause 5.3 of the ISO/IEC 27001:2013 standard, the organization is required to
define the roles required for an effective ISMS, as well as the responsibilities regarding the
setup, maintenance, and continuous improvement of the ISMS. The resources required for the
process must be determined and made available (see Clause 7.1).
In this context, management is required to assign responsibility and authority for the tasks
relevant to information security and to communicate to the appropriate individuals accordingly.

61 Available at Giesecke & Devrient GmbH, Angelika Holl (CISA, CISM). (2015). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. UK Chapter. Page 11.
62 Id.

However, it must be ensured that roles are clearly structured and defined, and that potential
conflicts of interest are avoided.

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Proof of qualifications (Clause 7.2 d)
Additionally, the following documents have proven useful in practice:
 Descriptions of roles/job descriptions
 Design of strategic and operational partnership between Process Owner and CISO63

2.3.6. Risk Management


Generally speaking, risk management allows us to analyse anything that could happen, as well as
the potential impact of these occurrences, before making a decision as to what should be done
and when in order to prevent potential harm. The goal is to reduce the identified risks to an
acceptable level; the individuals responsible in a given context (and sometimes even in a given
situation) have to decide how acceptable is defined here. A decision also has to be made
regarding how the identified and assessed risks should be dealt with.

Risk management is a comprehensive process within a management system; in an ISMS, it is
intended to contribute to the systematic identification, assessment, and transparent presentation
of risks in the context of information security and to ensure an acceptable/long-term
improvement in the level of security within the scope of the ISMS. The specific objectives of risk
management in the context of information security are:

 Early identification and elimination of information security risks
 Establishing consistent assessment methods for identified risks
 Clear assignment of responsibilities when dealing with risks
 Clear, standardized documentation of risks, including their assessment
 Efficient treatment of risk
How are risks identified and assessed?
Before the identification and treatment of risks can begin, the general risk assessment process
and the risk acceptance criteria applicable throughout the company/ISMS must be defined in
consultation with top management (if the process and criteria could not or did not have to be
adopted from a higher level of risk management).
The risk assessment process includes the following:
 Methods for identifying risks
 Criteria for assessing risks
 Criteria for risk acceptance

63 Available at Nikolay Jeliazkov (CISA, CISM), Union Investment. (2015). A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. UK Chapter. Page 13.

Methods for identifying risks


The identification of relevant risks generally requires the perspectives of multiple
stakeholders/departments to be considered and merged. Various techniques and methods can be
used as tools here, including:
 Interviews
 Scenario analysis/‘what-if’ analysis
 Brainstorming64
 Business impact analysis (BIA)65
 Checklists
 Delphi method66
Criteria for assessing risks
The criteria for assessing risks should be phrased in such a way that they can be used to cover the
widest possible variety of risk types/categories. The specific risk management process can be
designed using a point-score model or a catalog of qualitative parameters.

 From a practical perspective, it is recommended to provide a set of questions tailored to
the organization’s field of business in addition to standard criteria (such as the level of
protection required for confidentiality/integrity/availability, supported business processes,
number of users, etc.). This set of questions can be expanded on a case-by-case basis.
 Assessing the probability of occurrence is extremely challenging in practice. In addition
to ‘looking back’ (empirical values, comparable results at other organizations, KPIs,
statistics, etc.), it is also extremely important here to ‘look forward’ in order to consider
previously unidentified insights and developments already on the horizon (the emergence
of new technologies, for example, or changes to hazardous situations). Or, to put it
another way: “In risk management, success depends on preparation.”
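As an added illustration of the risk assessment process above (clause 6.1.2) with a point-score model, tiered acceptance thresholds and an approximate conversion of damage levels to financial values: this is example code written for this page, not code from the dissertation, the ISO standard or the cited guideline, and the four-step scale, EUR bands, escalation roles and sample risks are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Sequence


class Level(IntEnum):
    """Four-step scale used for the C/I/A protection requirement and for likelihood."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# Approximate financial value of each damage level in EUR (constructed figures;
# as the text notes, such conversions can only ever be approximate).
DAMAGE_VALUE_EUR = {
    Level.LOW: 10_000,
    Level.MEDIUM: 100_000,
    Level.HIGH: 1_000_000,
    Level.VERY_HIGH: 10_000_000,
}

# Acceptance thresholds tied to hierarchy levels (constructed): a risk whose score
# is at or below a threshold may be accepted by that role; a score above the
# highest threshold cannot be accepted and must be treated.
ACCEPTANCE_THRESHOLDS = (
    (4, "process owner"),
    (8, "CISO"),
    (12, "management board"),
)


@dataclass(frozen=True)
class Risk:
    """One entry of the risk register; levels are validated so scoring stays comparable."""
    risk_id: str
    description: str
    owner: str
    confidentiality: Level
    integrity: Level
    availability: Level
    likelihood: Level

    def __post_init__(self) -> None:
        for name in ("confidentiality", "integrity", "availability", "likelihood"):
            if not isinstance(getattr(self, name), Level):
                raise ValueError(f"{self.risk_id}: {name} must be a Level")


@dataclass(frozen=True)
class Assessment:
    risk_id: str
    impact: Level
    likelihood: Level
    score: int                        # 1..16 point score
    approx_damage_eur: int
    required_approver: Optional[str]  # None: above every acceptance threshold
    treatment_required: bool


def impact_level(risk: Risk) -> Level:
    """Maximum principle: the highest C/I/A protection requirement drives the impact."""
    return max(risk.confidentiality, risk.integrity, risk.availability)


def required_approver(score: int) -> Optional[str]:
    """Lowest hierarchy level allowed to accept a risk with this score, or None."""
    for threshold, role in ACCEPTANCE_THRESHOLDS:
        if score <= threshold:
            return role
    return None


def assess(risk: Risk) -> Assessment:
    """Deterministic scoring, so repeated assessments of the same input stay comparable."""
    impact = impact_level(risk)
    score = int(impact) * int(risk.likelihood)
    approver = required_approver(score)
    return Assessment(risk.risk_id, impact, risk.likelihood, score,
                      DAMAGE_VALUE_EUR[impact], approver, approver is None)


def risk_register(risks: Sequence[Risk]) -> List[Assessment]:
    """Assess every risk and order the register from highest to lowest score."""
    return sorted((assess(r) for r in risks), key=lambda a: (-a.score, a.risk_id))


# Constructed sample risks for a bank (illustration only, not from the dissertation).
SAMPLE_RISKS = (
    Risk("R-01", "Core banking database exposed to unauthorised staff", "DB team lead",
         Level.VERY_HIGH, Level.VERY_HIGH, Level.HIGH, Level.MEDIUM),
    Risk("R-02", "Branch printer outage delays account statements", "Branch manager",
         Level.LOW, Level.LOW, Level.MEDIUM, Level.MEDIUM),
    Risk("R-03", "Unpatched internet-facing online banking portal", "Web platform owner",
         Level.VERY_HIGH, Level.VERY_HIGH, Level.VERY_HIGH, Level.VERY_HIGH),
    Risk("R-04", "Production customer data copied into the test environment", "QA lead",
         Level.HIGH, Level.LOW, Level.LOW, Level.VERY_HIGH),
)

if __name__ == "__main__":
    for a in risk_register(SAMPLE_RISKS):
        print(f"{a.risk_id} score={a.score:2d} ~EUR {a.approx_damage_eur:>10,} "
              f"accept by: {a.required_approver or 'none (treat)'}")
```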

Risk acceptance criteria


Defining risk acceptance criteria is a vital step in the risk management process, because it is the
only way for the organization to experience the full benefits of the process; it prevents the

64 Brainstorming is the name given to a situation when a group of people meet to generate new ideas around a specific area of interest. Using rules which remove inhibitions, people are able to think more freely and move into new areas of thought and so create numerous new ideas and solutions. The participants shout out ideas as they occur to them and then build on the ideas raised by others. All the ideas are noted down and are not criticized. Only when the brainstorming session is over are the ideas evaluated. Available at http://www.brainstorming.co.uk/tutorials/whatisbrainstorming.html. Accessed on 01/03/2018.
65 A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered. Available at https://www.ready.gov/business-impact-analysis. Accessed on 01/03/2018.
66 The Delphi method was originally developed in the early 1950s at the RAND Corporation by Olaf Helmer and Norman Dalkey. In Delphi decision groups, a series of questionnaires, surveys, etc. are sent to selected respondents (the Delphi group) through a facilitator who oversees the responses of their panel of experts. The group does not meet face-to-face. All communication is normally in writing (letters or email). Members of the groups are selected because they are experts or they have relevant information. The responses are collected and analyzed to determine conflicting viewpoints on each point. The process continues in order to work towards synthesis and building consensus. Available at http://www.nwlink.com/~donclark/perform/delphi_process.html. Accessed on 01/03/2018.

Page | 30
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry

organization from having to invest the same level of funding and resources in handling all
identified and analyzed risks.
 Risk acceptance criteria can be defined in terms of acceptance levels based on the
qualitative and/or quantitative potential for damage (e.g., non-compliance, financial
harm, damage to reputation, etc.).
 Risk acceptance criteria can encompass multiple threshold values. Each threshold level
can be tied to a specific level of the hierarchy/management so that the acceptance of risks
above a certain level can only be handled by the managers appointed within this level.
 For purposes of improved comparability and reproducibility, qualitative damage levels
can be converted to (financial) values. These values can generally only be approximate,
however.
 For small and medium-sized companies in particular, it may be recommendable to start
the risk assessment process with a simplified model and then enhance it step by step. For
example, in the first step, risks can be compiled and initially evaluated without a
completely fleshed-out model and in cooperation with the experts in the IT
department(s). Risk acceptance criteria can be derived from the results step by step and
then translated into formal criteria at a later point, upon approval from company
management.
 Risk acceptance criteria should be defined with care and foresight to ensure that they are
in line with the company’s attitude toward risk (neither too high nor too low) and that
they safeguard the efficiency and effectiveness of the ISMS by allowing risks to be
comprehensively identified and consistently treated in accordance with how they have
been assessed (not all risks can be given top priority).
 In practice, it would be impossible to implement a risk management system that is
completely comprehensive, that detects and analyzes in detail all information security
risks in all areas of the company at all times – the same way that it would be impossible
and impractical to operate all IT systems with the same level of security. An ‘appropriately
high’ level of security for certain components and processes simultaneously means an
‘appropriately low’ level of security for other components and processes. The trick is
drawing this distinction; it requires sufficient experience and the proper methods and
assessment criteria.

Once the risk assessment method has been defined, the steps of the risk management process
follow in order:

Step 1: Risk identification


The risk identification process is always based on information within the scope of the ISMS (see
Clause 6.1.2 c). The following scenarios are examples of how specific risks might be identified:

Audits
Audits show that the relevant departments are not properly implementing security standards or
existing best practices, or that the relevant systems are not in line with these standards/practices.
Naturally, a prerequisite is that audits have been conducted in the first place and that the audit
process includes a clear approach to dealing with the findings of the audit (documentation of
findings, handover of findings to the audited department, etc.).


Risk analysis
Explicit risk analysis and assessments can be specifically conducted for business-critical
processes, applications, and systems; these analyses and assessments can be used to make clear
statements regarding the risk situation and risk exposure of the affected processes, applications,
and systems. In the context of project management, risk analysis (each with an appropriate
scope) should be mandatory.

Operations
Depending on the risk management process selected, insight gained during ‘normal’ operations
may bring to light previously unidentified risks that should/must be (swiftly) reported to the risk
management team upon assessment by the employees/team of experts responsible for the subject.

Security incidents
Security incidents (however they are defined) can allow for the identification of previously
unknown risks on the one hand; the incident makes these risks ‘visible,’ so to speak. On the other
hand, risks that are already known but have not been sufficiently dealt with, or risks that were
accepted up to this point, may materialize (e.g., because of active exploitation of a known
vulnerability by an attacker or the failure of a system due to insufficient technical
dimensioning).67

Step 2: Risk analysis


When analyzing identified risk, the probability of occurrence and the possible impact if the risk
occurs should be clearly determined and presented to decision-makers in a comprehensible way.
 When determining how the description of the impact should be phrased, the focus should
be on the impact on business processes and the business in general rather than on
technical details.
 Standardized assessment matrices can be used for risk analysis where, depending on the
organization and the specific case, it may make more sense to use matrices with an even
number of columns (e.g., 4x4). Matrices with an odd number of columns/rows (e.g., 3x3
or 5x5) carry the risk of the decision more frequently ‘landing in the middle’.

Step 3: Risk evaluation/assessment


The final decision on how to treat identified risks should lie with the owner of the respective risk,
as the owner can best assess the impact of the risk materializing and is ultimately responsible for
the business processes affected by the risk. Generally, the risk owner also makes decisions
regarding the allocation of resources (e.g., financial resources):
 At this point, the importance of the identification and definition of the risk owner for the
entire risk management process has been made clear.
 In practice, the role of risk owner should be held by the relevant managers at the
company (e.g., board of directors, CEOs, managing directors, team leaders, division
heads or department heads). For projects, the project manager is generally the risk owner
– at least for project-specific risks.

67
Boban Krsic (CISA, CISM, CISSP, CRISC). (2017). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.


Step 4: Risk treatment


The way risks are treated depends on the given organization’s attitude toward risk or risk
appetite. The models in ISO/IEC 27005:2011 are a good starting point for modeling risk
treatment options in the context of information security.

FIGURE.2.2. Risk treatment options in accordance with ISO/IEC 2700568

 Risk treatment measures can be drawn from practically any source, but they must be in
line with Annex A of the standard and the SoA of the ISMS.
 Risks must be assigned to the appropriate risk owner. Without dedicated owners, it will
be difficult to make a ‘correct’ assessment or ensure successful long-term treatment of
identified risks.
 The risk owner is generally the authority that bears responsibility for the financial impact
of the risk if it materializes. In many cases, this is the process owner, but it might also be
upper management, depending on the impact and risk assessment.
 Even if the risks are caused by IT systems, for example, the affected business areas
ultimately suffer the effects. So, even though the respective IT department is responsible
for the treatment of (IT) risks, the departments that are affected by the risk and that
make decisions regarding the allocation of resources are still the risk owners and are still
fully accountable.
 The risk identification process and the process of identifying the associated risk owner
can be carried out separately/at different times.

68
Source: ISO/IEC 27005:2011.

How are risks documented?


 It is recommended to keep the results of all risk assessments in a central location, such as
a risk register. The standard does not require this, but it can be helpful in evaluating and
managing identified risks and their status. Depending on the size of the organization,
tools with a diverse range of functions may be required (number of risks, number of
users, authorization concept, multitenancy, online availability, evaluation options, etc.).
 The standard does not require a central risk register. However, it does require the
information security risk assessment process to produce consistent, valid, comparable and
reproducible results (see Clause 6.1.2 b). Consequently, depending on the nature and use
of the tools implemented, setting up a register could be a logical step.
 The risk register generally contains sensitive and (strictly) confidential information, so an
appropriate role- and permission-based concept for data access should be drawn up and
implemented.
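
The pieces described above (a 4x4 assessment matrix with no ‘middle’ cell, acceptance thresholds tied to management levels, qualitative damage levels converted to approximate financial values, residual ratings after treatment, and a central register that produces comparable results) can be tied together in a few lines of code. The following Python block is an added example written for this page; it is not code from the cited guideline or from any bank. The band boundaries, the role ranks, the loss values and probabilities per level, and the three sample risks are assumptions constructed for illustration.

```python
"""Added example: risk register with a 4x4 matrix and tiered acceptance criteria;
thresholds, ranks and money values are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum

class Likelihood(IntEnum):
    RARE, UNLIKELY, LIKELY, ALMOST_CERTAIN = 1, 2, 3, 4

class Impact(IntEnum):
    MINOR, MODERATE, MAJOR, SEVERE = 1, 2, 3, 4

# Approximate loss per impact level (EUR) and annual probability per likelihood
# level, so that qualitative ratings can be compared on a financial scale.
IMPACT_VALUE_EUR = {Impact.MINOR: 1e4, Impact.MODERATE: 1e5, Impact.MAJOR: 1e6, Impact.SEVERE: 1e7}
ANNUAL_PROBABILITY = {Likelihood.RARE: 0.05, Likelihood.UNLIKELY: 0.2,
                      Likelihood.LIKELY: 0.5, Likelihood.ALMOST_CERTAIN: 0.9}
# Score = likelihood * impact (1..16); a 4x4 grid has no 'middle' cell. Each band
# names the lowest rank that may accept (retain) it; 'critical' must be treated.
BANDS = [(4, "low", "team lead"), (8, "medium", "department head"),
         (12, "high", "board"), (16, "critical", None)]
ROLE_RANK = {"team lead": 1, "department head": 2, "board": 3}

def band_for(score: int):
    """Map a score to (band name, minimum accepting role)."""
    for upper, name, role in BANDS:
        if score <= upper:
            return name, role
    raise ValueError(f"score {score} is outside the 4x4 matrix")

@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                      # business role accountable for the impact
    likelihood: Likelihood
    impact: Impact
    status: str = "identified"
    treatment: str = ""
    accepted_by: str = ""

    @property
    def score(self) -> int:
        return int(self.likelihood) * int(self.impact)

    @property
    def level(self) -> str:
        return band_for(self.score)[0]

    @property
    def annual_loss_expectancy(self) -> float:
        return ANNUAL_PROBABILITY[self.likelihood] * IMPACT_VALUE_EUR[self.impact]

class RiskRegister:
    def __init__(self):
        self.risks = {}

    def add(self, risk: Risk) -> Risk:
        self.risks[risk.risk_id] = risk
        return risk

    def accept(self, risk_id: str, role: str) -> Risk:
        # Retaining a risk is only allowed for a role senior enough for its band.
        risk = self.risks[risk_id]
        _, required = band_for(risk.score)
        if required is None:
            raise PermissionError(f"{risk_id}: {risk.level} risks must be treated")
        if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
            raise PermissionError(f"{risk_id}: needs at least '{required}' to accept")
        risk.status, risk.treatment, risk.accepted_by = "accepted", "retain", role
        return risk

    def treat(self, risk_id: str, option: str, residual_l: Likelihood, residual_i: Impact) -> Risk:
        # Record the ISO/IEC 27005 option chosen and the expected residual rating.
        if option not in {"modify", "avoid", "share"}:
            raise ValueError(f"unknown treatment option {option}")
        risk = self.risks[risk_id]
        risk.treatment, risk.status = option, "treatment planned"
        risk.likelihood, risk.impact = residual_l, residual_i
        return risk

    def report(self) -> dict:
        # Management view per band: number of risks and summed annual loss expectancy.
        out = {}
        for r in self.risks.values():
            entry = out.setdefault(r.level, {"count": 0, "ale_eur": 0.0})
            entry["count"] += 1
            entry["ale_eur"] += r.annual_loss_expectancy
        return out

def demo() -> RiskRegister:
    reg = RiskRegister()   # three constructed risks worked through the process
    reg.add(Risk("R-001", "Online banking gateway runs unpatched software",
                 "Head of Retail Banking", Likelihood.LIKELY, Impact.SEVERE))       # 12, high
    reg.add(Risk("R-002", "Branch print spooler outage",
                 "Branch Team Lead", Likelihood.UNLIKELY, Impact.MINOR))           # 2, low
    reg.add(Risk("R-003", "Payment operators' credentials phished",
                 "Head of Payments", Likelihood.ALMOST_CERTAIN, Impact.SEVERE))     # 16, critical
    reg.accept("R-002", "team lead")                                  # low: team lead may retain
    reg.treat("R-003", "modify", Likelihood.UNLIKELY, Impact.SEVERE)  # residual 8, medium
    return reg
```

The gating in `accept` is the point of the tiered criteria: a department head cannot quietly retain a ‘high’ risk, and nobody can retain a ‘critical’ one, so the register itself enforces the escalation the text describes. In a real deployment the register would sit behind the role- and permission-based access concept mentioned above, since the descriptions and loss figures are exactly the confidential data an attacker would want.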

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Risk assessment process (Clause 6.1.2)
 Risk treatment process (Clause 6.1.3)
 Records and results of risk assessments/risk analyses (Clause 8.2)
 Records and results of risk treatments (Clause 8.3)
Additionally, the following documents have proven useful in practice:
 Records and results of risk assessments and risk analyses69

2.3.7. Performance Monitoring & KPIs


A series of provisions (i.e. requirements) are defined in the context of the ISMS, including
information security objectives and guidelines/concepts for implementing them in practice. It is
expected that compliance with these provisions will be continuously monitored.

Key performance indicators


Specific indicators are used in practice to continuously monitor the effectiveness and efficiency
of the ISMS processes and established measures. They provide information about the
performance of the entire ISMS and serve as a catalyst for management to get involved when
necessary.

This means assessing the current situation compared to the desired situation as laid out in the
provisions and to intervene in a corrective capacity as required. These performance indicators are
aggregated in terms of the company objectives to be achieved, legal regulations, and protection
requirements. The aggregated performance indicators are known as key performance indicators
(KPIs).

KPIs are both important and beneficial because they make it possible to make general statements
about the security system. They provide management with a transparent, comprehensible basis

69
Boban Krsic (CISA, CISM, CISSP, CRISC). (2017). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.

for making well-founded decisions governing information security. KPIs can uncover indicators
of (new) risks and/or changes within the risk landscape, as well as non-conformities in terms of
the implementation of security provisions and guidelines.

Relevant KPIs for the ISMS


There are many sources for performance indicators in information security; they offer an
enormous selection. COBIT 5 for Information Security, the CIS Security Metrics, and the
Performance Measurement Guide for Information Security are just a few examples. Specific
KPIs should be selected based on the circumstances at the organization, meet the already
described criteria and be continuously optimized.
The following are generalized examples of these sorts of performance indicators:
 Integrating information security/IT security into projects: Proportion of projects
involving IT security requirements in relation to the total number of projects. Proportion
of projects with IT security shortfalls at go-live, with and without formal risk evaluation
during the project phase, in relation to the total number of projects
 Deviations from IT security and architecture standards: Number and development of
approved deviations from internal requirements over time. Development of detected,
unapproved deviations from the required standard over time. Proportion of detected
deviations that were resolved in relation to deviations approved after the fact
 Incident response/problem management: Proportion of the security loopholes that
cannot be closed (deviation from the standard) in relation to the total number of
deviations detected. Proportion of security loopholes that were successfully closed in the
pre-defined time in relation to the total number of known security loopholes
 Asset ownership: Number of information assets that are assigned to an owner in relation
to the total number of information assets as a percentage
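
As an added example (written for this page, not part of the cited guideline or of any bank’s reporting), the following Python block computes the four KPI groups above from constructed sample records. The record layouts, the closure deadlines per severity, the project and asset names and all dates are assumptions; the functions are the kind of documented, reproducible measurement method that the documentation requirements below ask for.

```python
"""Added example: computing the KPI groups listed above from constructed records.
Record layouts, SLA values, names and dates are assumptions made for this example."""
from collections import Counter
from datetime import date

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # assumed closure deadlines

# Constructed sample records (not data from any real bank).
PROJECTS = [   # name, security requirements defined, formal risk evaluation, shortfalls at go-live
    ("core-banking-upgrade", True, True, 0),
    ("mobile-app-v3", True, False, 2),
    ("branch-wifi", False, False, 1),
    ("hr-portal", True, True, 0),
]
DEVIATIONS = [   # id, detected on, approval ("prior", "after_fact" or None), resolved
    ("D-1", date(2017, 11, 3), "prior", False),
    ("D-2", date(2017, 12, 14), "after_fact", True),
    ("D-3", date(2018, 1, 9), None, True),
    ("D-4", date(2018, 2, 21), None, False),
    ("D-5", date(2018, 2, 26), "after_fact", False),
]
FINDINGS = [   # id, severity, opened, closed (None if still open), cannot be closed
    ("V-1", "critical", date(2018, 1, 2), date(2018, 1, 6), False),
    ("V-2", "high", date(2018, 1, 10), date(2018, 2, 20), False),   # 41 days: outside SLA
    ("V-3", "medium", date(2018, 1, 15), None, True),               # legacy system, cannot patch
    ("V-4", "high", date(2018, 2, 1), date(2018, 2, 15), False),
    ("V-5", "critical", date(2018, 2, 10), None, False),            # still open
]
ASSETS = [   # asset, owner (None = unassigned)
    ("core-ledger", "Head of Retail Banking"), ("swift-gateway", "Head of Payments"),
    ("customer-crm", "Head of Marketing"), ("test-db-copy", None),
]

def ratio(numerator, denominator):
    """Share as a fraction rounded to 3 decimals; None when the denominator is zero."""
    return round(numerator / denominator, 3) if denominator else None

def project_kpis(projects):
    total = len(projects)
    with_reqs = sum(1 for _, reqs, _, _ in projects if reqs)
    short_eval = sum(1 for _, _, ev, short in projects if ev and short)
    short_no_eval = sum(1 for _, _, ev, short in projects if not ev and short)
    return {"projects_with_security_requirements": ratio(with_reqs, total),
            "shortfalls_with_risk_evaluation": ratio(short_eval, total),
            "shortfalls_without_risk_evaluation": ratio(short_no_eval, total)}

def deviation_kpis(deviations):
    # Month buckets give the 'development over time' view; isoformat()[:7] is YYYY-MM.
    approved = Counter(d.isoformat()[:7] for _, d, appr, _ in deviations if appr)
    unapproved = Counter(d.isoformat()[:7] for _, d, appr, _ in deviations if not appr)
    resolved = sum(1 for *_, r in deviations if r)
    after_fact = sum(1 for _, _, appr, _ in deviations if appr == "after_fact")
    return {"approved_per_month": dict(sorted(approved.items())),
            "unapproved_per_month": dict(sorted(unapproved.items())),
            "resolved_vs_approved_after_fact": ratio(resolved, after_fact)}

def finding_kpis(findings, today):
    total = len(findings)
    unclosable = sum(1 for *_, c in findings if c)
    closed_in_sla = sum(1 for _, sev, opened, closed, _ in findings
                        if closed and (closed - opened).days <= SLA_DAYS[sev])
    # Open findings past their deadline are the ones management should hear about now.
    overdue_open = sum(1 for _, sev, opened, closed, c in findings
                       if closed is None and not c and (today - opened).days > SLA_DAYS[sev])
    return {"cannot_be_closed": ratio(unclosable, total),
            "closed_within_sla": ratio(closed_in_sla, total),
            "open_past_sla": overdue_open}

def asset_ownership_kpi(assets):
    share = ratio(sum(1 for _, owner in assets if owner), len(assets))
    return {"assets_with_owner_pct": None if share is None else share * 100}

def kpi_report(today):
    """Aggregate the indicator groups into one management view for a given reporting date."""
    return {"projects": project_kpis(PROJECTS), "deviations": deviation_kpis(DEVIATIONS),
            "findings": finding_kpis(FINDINGS, today), "assets": asset_ownership_kpi(ASSETS)}
```

Passing the reporting date into `kpi_report` rather than reading the clock is what makes the measurement reproducible: running the same function over the same records for the same date must give the same numbers, which is the property the standard asks for in Clause 9.1.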

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Documentation of the measurement structure for all KPIs.
This answers the following questions:
 How are the metrics defined in detail?
 What was measured and evaluated?
 Which methods were used for measurement, analysis, and evaluation, and do they
lead to reproducible results?
 When were measurements conducted, and by whom?
 When were analyses and evaluations conducted, and by whom?
 Results of measurements and the derived management reports for escalation
Additionally, the following documents have proven useful in practice:
 All records and evidence that prove effectiveness.

2.3.8. Documentation
In the context of documentation, a primary requirement is that the following aspects are
regulated (at least) for ISMS documentation within the management system:


 Documents must be created, updated, approved and, if necessary, published according to
a defined workflow.
 The documents must be clearly labeled, e.g., title, date, author, version, storage location,
performance and suitability test (QA), and final approval.
 Classification of documents/their contents in terms of confidentiality
 Creation of sufficient records with relevant content as part of operational tasks to ensure
transparency and reproducibility.

The content and degree of detail that the standard requires in documents depends in part on the
selected scope of the ISMS, the size of the organization, the technologies utilized, and the
organizational structure; for this reason, these factors differ from organization to organization.
The number and type of documents can also vary. From a practical perspective, it can be a good
idea for a given organization to create a set of (numerous) individual documents and maintain
them granularly. For other organizations, on the other hand, it may make more sense to use a
central storage medium that can be accessed from anywhere in the organization. In practice, this
can mean using a wiki or another online system as the basis for documentation.

If no specific documents are required, the standard ISO/IEC 27001:2013 uses the term
‘documented information’ in connection with documentation and records. In this case, it is left
up to the company to decide what types of documents should be used to manage this
information; the term ‘document’ can comprise any number of formats.
The documentation required within the ISMS must be continuously monitored to ensure the
following:
 Availability and suitability for the intended use, regardless of time and location
 Appropriate protection, e.g., from loss of confidentiality, improper use, or unauthorized
manipulation/loss of integrity.70

Documentation requirements
The following minimum documentation requirements always apply according to ISO/IEC
27001:2013 (Clauses 4-10):
 Scope of the ISMS (Clause 4.3)
 Information security policy (Clause 5.2 e)
 Description of the risk assessment process (Clause 6.1.2)
 Description of the risk treatment process (Clause 6.1.3)
 Statement of applicability (Clause 6.1.3 d)
 Information security risk treatment plan (Clause 6.1.3 e)
 Information security objectives (Clause 6.2)
 Evidence of competence (Clause 7.2 d)
 Proof of proper execution of the ISMS processes (Clause 8.1)
 Results of the information security risk assessment, (Clause 8.2)
 Results of the information security treatment (Clause 8.3)
 Evidence of the monitoring and measurement results of the ISMS (Clause 9.1)

70
BridgingIT GmbH, Jan Oetting (CISA, CISSP). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.


 Evidence of the audit program(s) and the audit results (Clause 9.2)
 Evidence of the results of management reviews (Clause 9.3)
 Evidence of the nature of the nonconformities and any subsequent actions taken (Clause
10.1 f)
 Evidence of the results of any corrective action (Clause 10.1 g)
Moreover, the organization must determine for itself which documentation and records are
necessary in addition to those required by the standard to ‘establish sufficient trust that the
processes will be carried out as planned’ (see Clause 8.1). Added to that are the documents and
records from Annex A, if these measures are applicable in accordance with the statement of
applicability.

2.3.9. Communication
When operating an ISMS, cooperation with other organizations and departments is required
(suppliers, human resources department, legal department, audit, etc.). The primary task of the
‘Communication’ component is determining and describing the requirements for internal and
external communication. External communication here refers to communication with (external)
stakeholders and other organizations. Internal communication refers to the need for communica-
tion within the management system and within the organization – e.g., with internal stakeholders
such as the board of directors, executives, and employees.

An analysis should be conducted to determine which information (Clause 7.4 a) has to be
communicated to whom (Clause 7.4 c) by whom (Clause 7.4 d) in the context of the ISMS.
Moreover, it must be determined when this information has to be communicated (Clause 7.4 b)
and via which communication channels/processes (Clause 7.4 e).
Ideally, the results of the analysis will be summarized in a communication plan. This is generally
developed as part of a formal process with five specific steps:

FIGURE.2.3. Developing a communication plan71

71
BridgingIT GmbH, Jan Oetting (CISA, CISSP). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013.
US Chapter. Page 13.


 In the interest of efficiency, process and communication interfaces should be clearly
defined and integrated into organizational and operational processes. There must be clear
rules regarding which information has to be sent to whom by whom at what time – in the
context of change or incident management, for example.
 The standard requires the organization to define internal and external communication in
the context of the ISMS. It does not explicitly require this to occur as part of an analysis.
However, the practical advantage of an analysis is that it can be used to clearly identify
the requirements for a custom-tailored communication structure.
 When the communication matrix is complete, it generally becomes clear that numerous
interfaces between communication partners and/or departments already exist. Identifying
these interfaces is an important factor in successfully shaping efficient communication
within the organization in the context of the ISMS. It can be a good idea to integrate the
IS communication plan into an overarching communication plan.
 A platform for communication between all levels of the organization should be provided
so that a range of different target groups have access to the comprehensive security
information in the ISMS. Collaboration platforms for improved communication/reporting
can include the intranet, Confluence, wikis, etc.

Documentation requirements
ISO/IEC 27001:2013 does not include any specific documentation requirements for the ISMS in
the context of communication.
Additionally, the following documents have proven useful in practice:
 Procedures for internal and external communication
 Communication matrix
 Communication plan72

2.3.10. Competence and Awareness


“Information security means using firewalls and anti-virus programs.” – This is one of the
biggest misinterpretations of the concept of information security, and it can put a company’s
information and IT systems at grave risk. Numerous security-relevant events and security
incidents can occur during operations because of ‘a lack of accountability,’ ‘a lack of processes,’
or ‘a lack of training and/or awareness among employees.’

Obviously, making employees and executives aware of the issue isn’t a magic bullet when it
comes to preventing information security-related issues. Awareness campaigns do not
necessarily reduce the number of recorded security incidents; often the opposite is observed,
because employees tend to report security incidents more frequently as their awareness
increases (regardless of whether those numbers include some false reports). In that sense, it
is not necessarily a bad thing if the number of security incidents reported goes up. One
thing is clear, however: If an employee or manager is not very aware of the applicable security
regulations and processes or the specific risks that they face daily, it will be even more difficult

72
Andrea Rupprich (CISA, CISM). A practical guideline for implementing an ISMS in accordance with
the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Canada Chapter.
Page 13.


to achieve the desired level of security within the company and to ensure transparent
communication of the issue.

Creating a robust and balanced level of risk awareness within a company is consequently an
essential component of a functional ISMS that generates value for an organization by identifying
threats at an early stage, preventing security incidents, and eliminating the labor that would have
been required to deal with these materialized threats.
However, security awareness isn’t something that is created out of thin air; it requires active
support and effort on the company’s part (in the form of awareness campaigns), and it must
address the following points (see Clause 7.3):

 It must be ensured that the intended audience for the guidelines (employees, executives,
external partners) is aware of the information security policy and the relevant information
security guidelines.
 Each individual’s contribution to the effectiveness of the ISMS, including the benefits of
improved information security performance, must be conveyed through the materials used
in the awareness campaign; where necessary, understanding can be verified through
testing.
 The consequences of non-compliance with security provisions, including possible
sanctions, must likewise be conveyed through the materials used in the awareness
campaign.

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Proof of employee competence within the scope of the ISMS (Clause 7.2)

Additionally, the following documents have proven useful in practice:


 Awareness/training concept
 What issues are addressed?
 How are awareness campaigns carried out (e.g., classroom training and/or online
training)?
 How is the content of the information security policy communicated?
 Awareness/training plan
 When will each issue be addressed?
 Are campaigns regularly updated as the standard requires?
 Training documents that explain the content of the information security policy clearly and
concisely and point out the risks and vulnerabilities in information processing
 Proof of participation: Names of the participants, content and date of the awareness
campaign.73

2.3.11. Supplier Relationships


The high degree of standardization and interconnectedness in information processing has
fostered the need for a great many external service providers. However, the security risks
associated with service providers also have an impact on an organization’s own infrastructure.

73
Andrea Rupprich (CISA, CISM). A practical guideline for implementing an ISMS in accordance with
the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. US Chapter. Page
20.

Highly publicized incidents from recent years are proof of this fact; in these cases, security flaws
at service providers led to data theft or other security incidents at well-known companies.

The term ‘service provider’ or ‘supplier’


In the standard ISO/IEC 27001:2013, the term ‘supplier’ covers a broad range of business
relationships with external companies and partners. For example, it can include relationships in
logistics, with utilities, IT (outsourcing) providers, facility management, cleaning services, and
many others. The requirements of ISO/IEC 27001:2013 are focused on various protective
measures, such as the creation of a policy (control A.15.1.1) and agreeing on contractual
provisions with suppliers (A.15.1.2); risks arising from suppliers’ ICT infrastructure, supply
chains, and other forms of contracting must also be addressed (A.15.1.3). Rules on monitoring
and review of supplier services (A.15.2.1) and on managing changes to them (A.15.2.2) are
required as well.

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Determining the scope, taking into account dependencies of external partners and service
providers (Clause 4.3)

Additionally, the following documents have proven useful in practice:


 A.15.1.1 requires the creation of a guideline for service provider relationships. This
document should define the requirements resulting from the procurement strategy and all
service provider relationships.74

2.3.12. Internal Audit


The primary objectives of internal ISMS audits include monitoring the extent to which the ISMS
meets the requirements of the organization, and the requirements of ISO/ IEC 27001:2013
(conformity control), and monitoring the implementation and effectiveness of the measures taken
(implementation and effectiveness control). To that end, an audit program must be planned and
implemented; it should govern aspects such as frequency, procedure, roles and responsibilities,
planning requirements, traceability, and reporting. In addition, a method for dealing with
corrective and preventive actions (the measures derived directly from the audits) must be
defined, and it must be determined who will follow up to ensure that the measures are
implemented.

The audit program is intended to ensure that all the business processes covered by the ISMS (in
accordance with the scope) are audited at least once every three years in terms of the applicable
provisions and guidelines on information security and in terms of conformity with the ISMS.
Evidence of the audit must be provided. For purposes of the standard, the term ‘internal audit’
does not refer to the Internal Audit department in the narrow sense, although that department
may be the one to actually conduct the ISMS audits. In practice, the internal ISMS audits are a
primary task of the ISMS officer/CISO, who plans and manages them, in cooperation with an
internal audit team or with external support if necessary.

74
Dr. Tim Sattler (CISA, CISM, CRISC, CGEIT, CISSP). A practical guideline for implementing an
ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC
27001:2013. Japan Chapter. Page 15.


Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:
 Documentation of the audit program(s) (Clause 9.2 g)
 Documentation of audit results (Clause 9.2 g)

2.3.13. Incident Management


Although not explicitly mentioned in the normative section of the standard, the management of
information security incidents is another essential component of a functional ISMS.
Incidents relevant to security are generally non-conformities that can have a decisive impact on
the continuous improvement process (CIP) and the maturity of the ISMS if their causes are
investigated. Ultimately, only when we recognize mistakes and learn from them, i.e. by
rethinking our activities and strategies and removing or replacing ineffective measures, updating
existing (security) concepts or implementing new (security) solutions, will we gain the greatest
benefit from a management system operating in ‘unpredictable’ conditions (risks) over the long
term.

Documentation requirements
According to ISO/IEC 27001:2013, no minimum documentation requirements apply.
Additionally, the following documents have proven useful in practice:
 Incident response plan (IRP), including up-to-date (!) contact lists and escalation plans
 Rules of conduct if security-related irregularities occur
 Process descriptions and procedures for securing evidence
 IS incident reports75

2.3.14. Continuous Improvement


No matter how many guidelines and books are written about ‘optimal’ management systems, it is
unlikely that these systems will ever exist in practice; organizations are simply too different for a
‘one-size-fits-all’ solution. What’s more, circumstances are constantly changing, so there can
never be a permanent ‘perfect solution.’ For this reason, organizations need to analyze existing
best practices and always adapt them to their own needs. It is especially important that they take
advantage of non-conformities to determine where there is room for improvement in their ISMS
and constantly update their ISMS accordingly. This process is known as the continuous
improvement process (CIP).

Consequently, an organization that wants to operate a standard-compliant ISMS must define
organizational measures that form the basis for implementing the CIP in a targeted,
scheduled way. The implementation of these measures and the subsequent results must be
monitored and appropriately documented. The organization must also demonstrate that it has
implemented measures to ensure that any non-conformities detected do not recur.

Documentation requirements
The following minimum documentation requirements apply according to ISO/IEC 27001:2013:

75
Hubert Burda Media, Holger Schrader (CISM, CRISC). A practical guideline for implementing an
ISMS in accordance with the international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC
27001:2013. Japan Chapter. Page 16.

Page | 41
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry

 Evidence of the type of non-conformities and all measures implemented in response


(Clause 10.1 f)
 Proof of the results of all corrective actions (Clause 10.1 g)

Additionally, the following documents have proven useful in practice:


 Procedures for corrective actions (from Clause 10.1 c onward)
 Description of incident management and pursuit of corrective action
 Documentation tool for tracking the status of implementation

2.4. Controls of Annexure A of ISO/IEC 27001:2013


Annexure A of the standard sets out all the controls an organization may use to implement an
ISMS in accordance with ISO/IEC 27001:2013. It is at the discretion of the organization's top
management and the implementer to decide how many of these controls the organization requires
to achieve continual improvement of its ISMS; it is not mandatory to implement every control
listed in Annexure A. Instead, the organization selects controls according to its requirements for
protecting its information assets and records them in the Statement of Applicability report (SOA
Report)76; the SOA Report also contains the justification for those controls the organization has
not adopted.

The content of this section follows the same order and numbering of the controls required to
certify an ISMS against ISO 27001:2013, as they are given in the standard:
A.5. Information security policies
The controls in this section aim to provide direction and support to the ISMS by the
implementation, communication, and controlled review of information security policies.

A.6. Organization of information security


The controls in this section aim to provide the basic framework for the implementation and
operation of information security by defining its internal organization (e.g., roles,
responsibilities, etc.), and through the consideration of organizational aspects of information
security77, like project management, use of mobile devices, and teleworking78.

A.7. Human resource security


The controls in this section aim to ensure that those people who are under the organization’s
control and can affect information security are fit for working and know their responsibilities,
and that any changes in employment conditions will not affect information security.

76
The SOA is used to identify the controls which are selected to address the risks that were identified in the risk
assessment process, explains why those controls have been selected, states whether or not they have been
implemented, and explains why any Annex A controls have been omitted. Available at
https://www.vigilantsoftware.co.uk/blog/the-statement-of-applicability-in-iso-270012013. Accessed on 25/02/2018
77
Information Security is defined as “Preservation of Confidentiality, Integrity and availability of information”.
Available at Clause no. 2.33 of ISO/IEC 27000:2016.
78
Teleworking refers to working from home using telecommunications equipment or to the use of mobile
telecommunications technology to be able to work from restaurants, coffee shops or other public locations.
Available at https://www.techopedia.com/definition/2120/teleworking. Accessed on 25/02/2018

A.8. Asset management


The controls in this section aim to ensure information security assets (e.g., information,
processing devices, storage devices, etc.) are identified, that responsibilities for their security are
designated, and that people know how to handle them according to predefined classification
levels.

A.9. Access control


The controls in this section aim to limit access to information and information assets considering
business needs, by means of formal processes to grant or revoke access rights. The controls
consider either physical or logical access, as well as access made by people and by information
systems.

A.10. Cryptography
The controls in this section aim to provide the basis for proper use of cryptographic control or
solutions to protect the confidentiality, authenticity, and/or integrity of information.

A.11. Physical and environmental security


The controls in this section aim to prevent unauthorized access to physical areas, as well as to
protect equipment and facilities that if compromised, by human or natural intervention, could
affect information assets or business operations.

A.12. Operations security


The controls in this section aim to ensure that the operation of information processing facilities,
including operating systems, is secure and protected against malware79 and data loss80.
Additionally, controls in this section require the means to record events and generate evidence,
periodic verification of vulnerabilities81, and the establishment of precautions to prevent audit
activities from affecting operations.

A.13. Communications security


The controls in this section aim to protect the network infrastructure and services, as well as the
information that travels on them.

A.14. System acquisition, development and maintenance


The controls in this section aim to ensure that information security is considered in the system
development life cycle.

A.15. Supplier relationships


The controls in this section aim to ensure that outsourced activities performed by suppliers also
consider information security controls, and that they are properly managed by the organization.
79
Malware are programs which can perform a variety of functions, including stealing, encrypting or deleting
sensitive data, altering or hijacking core computing functions and monitoring users' computer activity without their
permission. Available at https://searchsecurity.techtarget.com/definition/malware. Accessed on 25/02/2018
80
Data loss is any process or event that results in data being corrupted, deleted and/or made unreadable by a user
and/or software or application. It occurs when one or more data elements can no longer be utilized by the data owner
or requesting application. Data loss is also known as data leakage. Available at
https://www.techopedia.com/definition/29863/data-loss. Accessed on 25/02/2018
81
Vulnerability is defined as “Weakness of an asset or control which can be exploited by one or more threats”.
Available at Clause 2.89 of ISO/IEC 27000:2016

A.16. Information security incident management


The controls in this section aim to provide a framework to ensure the proper communication and
handling of security events and incidents, so that they can be resolved in a timely manner and
consider the preservation of evidence as required, as well as the improvement of processes to
avoid recurrence.

A.17. Information security aspects of business continuity management


The controls in this section aim to ensure the continuity of information security management
during adverse situations, as well as the availability of information systems.

A.18. Compliance
The controls in this section aim to provide a framework to prevent legal, statutory, regulatory,
and contractual breaches, and to ensure independent confirmation that information security is
implemented and is effective according to the defined policies, procedures, and requirements of
the ISO 27001 standard.82

2.5. ISO/IEC 27002:2013


ISO/IEC 27002 applies to all types and sizes of organizations, including public and private
sectors, commercial and non-profit, that collect, process, store and transmit information in many
forms including electronic, physical and verbal. This standard should be used as a reference for
the consideration of controls within the process of implementing an Information Security
Management System based on ISO/IEC 27001: it describes commonly accepted information
security controls and supports the development of the organization’s own information security
management guidelines. The standard contains 14 security control clauses, collectively containing
a total of 35 main security categories and 114 controls.

In each section of the ISO/IEC 27002 standard, there is a security control category that contains:

• A control objective stating what is to be achieved;
• One or more controls that can be applied to achieve the control objective;
• Implementation guidance and any other pertinent information useful for understanding the
controls and implementation process.

The order of the clauses in this standard does not relate to their criticality or importance.83

2.5.1. ISO 27001 vs. ISO 27002


If we compare ISO 27001 with ISO 27002, we will probably notice that ISO 27002 is much more
detailed and much more precise. So what is the purpose of ISO 27001? First of all, an organization
cannot get certified against ISO 27002 because it is not a management standard. What does a
management standard mean? It means that such a standard defines how to run a system, and in the
case of ISO 27001, it defines the information security management system (ISMS); therefore,
certification against ISO 27001 is possible.

82
Available at http://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001.
Accessed on 25/02/2018
83
Available at Eric Lachapelle, Mustafe Bislimi. (2016). Whitepaper on ISO 27002:2013. PECB.
http://zih.hr/sites/zih.hr/files/cr-collections/3/iso27002.pdf. Accessed on 25/02/2018

This management system means that information security must be planned, implemented,
monitored, reviewed, and improved. It means that management has its distinct responsibilities,
that objectives must be set, measured and reviewed, that internal audits must be carried out and
so on. All those elements are defined in ISO 27001, but not in ISO 27002. The controls in ISO
27002 are named the same as in Annex A of ISO 27001 – for instance, in ISO 27002 control
6.1.6 is named Contact with authorities, while in ISO 27001 it is A.6.1.6 Contact with
authorities. But, the difference is in the level of detail – on average, ISO 27002 explains one
control on one whole page, while ISO 27001 dedicates only one sentence to each control.

Finally, ISO 27002 does not distinguish between controls that are applicable to a particular
organization and those that are not. ISO 27001, on the other hand, prescribes a risk assessment to
be performed in order to identify, for each control, whether it is required to reduce the risks and,
if it is, to what extent it should be applied.

Why do these two standards exist separately? Why have they not been merged, bringing
together the positive sides of both? The answer is usability: if it were a single standard, it
would be too complex and too large for practical use.

Every standard from the ISO 27000 series is designed with a certain focus: if we want to build the
foundations of information security in our organization and devise its framework, we should use
ISO/IEC 27001:2013; if we want to implement controls, we should use ISO 27002; if we want to
carry out risk assessment and risk treatment, we should use ISO 27005; and so on.

To conclude, one could say that without the details provided in ISO 27002, controls defined in
Annex A of ISO 27001 could not be implemented; however, without the management framework
from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security
enthusiasts, with no acceptance from the top management and therefore with no real impact on
the organization.

2.6. ISMS in Banking Industry


An Information Security Management System (ISMS) is a systematic and structured approach to
managing information so that it remains secure. ISMS implementation includes policies,
processes, procedures, organizational structures, software and hardware functions. The ISMS
implementation should be directly influenced by the Bank’s objectives, security requirements,
processes employed, size and structure.84

Modern banking organizations connect internal human resources, material resources and work
processes with management strategies, set objectives for enhancing the effectiveness of their
business, and invest substantial resources to develop and operate information systems that
support these processes. The organizations gain efficiency of work by sharing information
through the proper functioning of their information systems.85

84
Available at http://cnii.cybersecurity.my/main/resources/ISMS.pdf Accessed on 23/02/2018.

The systematic management of information security in accordance with ISO/IEC 27001:2013 is
intended to ensure effective protection for information and IT systems in terms of confidentiality,
integrity, availability, authenticity86 and non-repudiation87. This protection is not an end unto
itself; rather, its aim is to support business processes, the achievement of business objectives, and
the preservation of the bank’s assets by providing and processing information without disruptions.
An ISMS generally employs the following three perspectives:

 G – Governance perspective – IT and information security objectives derived from the
overarching Bank’s objectives (e.g., supported by/ derived from COSO88 or COBIT89).
 R – Risk perspective – Protection requirements and risk exposure of the Bank’s assets and
IT systems:
   Bank’s attitude towards risk.
   Opportunities vs. risks.
 C – Compliance perspective – External regulations laid out by laws, regulators, and
standards:
   Internal regulations and guidelines.
   Contractual obligations.

These perspectives determine which protective measures are appropriate and effective for:
 The Bank’s opportunities and business processes,
 The level of protection required in regard to the criticality of the Bank’s assets in
question,
 Compliance with applicable laws and regulations.90

85
Available at https://www.sciencedirect.com/science/article/pii/S0895717712002014. Accessed on 23/02/2018.
86
Authenticity is assurance that a message, transaction, or other exchange of information is from the source it claims
to be from. Authenticity involves proof of identity. Available at https://www.brighthub.com/computing/smb-
security/articles/31234.aspx Accessed on 23/02/2018.
87
Nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the
authenticity of their signature on a document or the sending of a message that they originated. Available at
https://searchsecurity.techtarget.com/definition/nonrepudiation Accessed on 23/02/2018.
88
COSO-ERM stands for The Committee of Sponsoring Organizations of the Treadway Commission -
Enterprise Risk Management, a framework which provides guidance to enable cyber and information security
professionals to communicate risks and threats in language that stakeholders can understand and act on. Available at
https://www.csoonline.com/article/3227050/risk-management/aligning-cybersecurity-strategy-and-performance-
with-updated-coso-erm-guidance.html. Accessed on 24/02/2018.
89
COBIT stands for Control Objectives for Information and related Technologies; it is a framework which provides
guidelines for developing, implementing, monitoring and improving information technology (IT) governance and
management practices.
90
Available at https://www.isaca.org/Journal/archives/2011/Volume-4/Pages/Planning-for-and-Implementing-
ISO27001.aspx Accessed on 24/02/2018.

Technical and organizational measures (hereinafter referred to as TOMs) to achieve and maintain
smooth and consistent information processing must be effective in order to achieve the required
level of protection; they must also be efficient. ISO/IEC 27001:2013, and the TOMs
comprehensively and systematically laid out therein (various versions and quality levels of which
are part of operating any ISMS), support the process of achieving the objectives initially laid out
in terms of all three perspectives:

[Figure 2.4 is a diagram; its labels read: Bank Management; Bank's Objective; Bank's Legal &
Contractual Procedures; Bank's Risk; Governance, Risk Management & Compliance; Risk
Management; Information Security; Information Security Requirements, Control Objectives &
Policies; Controlling Information Security with Bank and IT Management; Information Security
Measures.]

Figure.2.4. Incorporating the ISMS into Bank’s processes91

 The governance perspective refers to the control aspects of the ISMS, such as the close
involvement of top management, consistent business and information security objectives,
an effective and target group-oriented communication strategy, and appropriate policies
and organizational structures.

 The risk perspective, which serves as a basis for transparent decision-making and
prioritization of technical and organizational measures, is one of the key aspects of an
ISMS in accordance with ISO/IEC 27001:2013. It is represented by IS risk management
and includes standards and methods for identifying, analyzing, and assessing risks in the
context of information security – meaning risks that present a potential threat to the
confidentiality, integrity, availability, authenticity and/or Non-repudiation of IT systems
and information and, ultimately, the business processes that depend on them.

 The compliance perspective is firmly anchored throughout the entire standard. It
comprises the definitions of the required (security) provisions, supported by the
recommended controls in Annex A; it also addresses the concrete implementation of these
provisions, which must be ensured through regular monitoring by management and the
Information Security Officer through internal audits. Appropriate documentation and a
reasonable level of awareness of security issues among employees and managers are also
vital from the compliance perspective.

91
Available at Gerhard Funk. (2016). A practical guideline for implementing an ISMS in accordance with the
international standard ISO/IEC 27001:2013. Implementation Guideline ISO/IEC 27001:2013. Germany Chapter (1).

2.7. RBI Guidelines for Banks on Cyber Security


In India the RBI (i.e., the Reserve Bank of India) is the principal regulatory body for all banks.
Any bank that wants to operate in India needs to comply with all the mandatory guidelines of the
RBI; as the governing body for all banks in India, the RBI releases guidelines relating to all the
operations a bank performs in offering its services to the citizens of India.

In April 2010, the RBI announced the creation of a Working Group on Information Security,
Electronic Banking, Technology Risk Management and Tackling Cyber Fraud. The Group
was set up under the Chairmanship of the Executive Director, Shri G. Gopalakrishna. The
Group delved into various issues arising out of the use of Information Technology in banks and
made its recommendations in nine broad areas. These areas are IT Governance, Information
Security, IS Audit, IT Operations, IT Services Outsourcing, Cyber Fraud, Business Continuity
Planning, Customer Awareness programmes and Legal issues.92

The Group submitted its report to the RBI, in which, under the heading “Major
Recommendations of the Working Group On Information Security”, it is stated that:

Commercial banks should implement ISO 27001 based Information Security Management
System (ISMS) best practices for their critical functions. Additionally, other reputed security/IT
control frameworks may also be considered by banks.93

The guidelines issued by the Reserve Bank of India on Risks and Controls in Computers and
Telecommunications vide circular DBS.CO.ITC.BC.10/31.09.001/97-9826 will apply mutatis
mutandis (the necessary changes having been made) to mobile and internet banking. The
guidelines issued by the RBI on know your customer (KYC), anti-money laundering (AML) and
combating the financing of terrorism (CFT) from time to time will also be incorporated into
mobile-based banking services. The guidelines direct banks to implement a system of
document-based registration with mandatory physical presence of their customers before
commencing mobile-banking service. With a view to simplifying the procedure of registration for
Mobile Banking, the Reserve Bank of India has advised the National Payment Corporation of India
(NPCI) to develop the mobile banking registration service/option on the National Financial Switch
(NFS). NPCI‘s aim is to create infrastructure of large dimension and operate on high volumes,
resulting in payment services at a fraction of the present cost structure.

92
Available at https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=610&UrlPage= . Accessed on
25/02/2018
93
Id

In cases where the customer files a complaint with the bank disputing a transaction, it will be the
responsibility of the service-providing bank to address the customer grievance. Banks should
formulate charge-back procedures for addressing such customer grievances. The grievance-
handling procedure, including the compensation policy, should be disclosed. Customers’
complaints/grievances arising out of the mobile-banking facility will be covered under the Banking
Ombudsman Scheme.94

2.8. Badge on the wall debate


There are two approaches to implementation of the standard:

 Develop and implement an ISMS to meet the requirements of the standard and have it
certified;
 Develop and implement the ISMS but do not seek certification.

The choice between them is known as the “Badge on the Wall” debate.

The argument in favour of certification is that this route enables other organizations (customers,
partners and suppliers) to obtain, without having to carry out their own audit, a level of
reassurance about the effectiveness and completeness of the ISMS. It can also be presented as
evidence of compliance with many aspects of information-related regulation. The argument
against is that a “badge on the wall” is not necessary to prove to the organization that its ISMS is
adequate or that it is doing a good job of preserving information security.

ISO/IEC 27001:2013 is drafted, as is all guidance on its implementation, on the assumption that the
organization implementing an ISMS in accordance with ISO/IEC 27001:2013 will seek
certification. ISO/IEC 27002:201395 provides guidance for organizations that simply wish to
develop an ISMS that uses best-practice controls. Any organization that claims to have an
ISO/IEC 27001:2013 compliant ISMS but which has not subjected itself to certification should,
under the risk assessment requirement of the standard, be treated like any other organization that
does not have an adequate ISMS until it is proven otherwise.

Four broad reasons were identified in the previous section for implementing an ISO/IEC 27001:2013
conforming ISMS. While two of them (customer confidence and demonstration of regulatory best
practice) can only be achieved through certification, the other two could perhaps be achieved
without it. However, as most people recognize, independent third-party verification has a reliable
track record in helping organizations make a success of almost any initiative. Third-party
certification is an absolute necessity for any ISO/IEC 27001:2013 ISMS: it not only provides the
management and the business with an initial, as well as on-going, target at which to aim, but it also
ensures that the standard is properly understood and effectively implemented.96

94
The Banking Ombudsman Scheme provides an expeditious and inexpensive forum to bank customers for
resolution of complaints relating to certain services rendered by banks. The Banking Ombudsman Scheme was
introduced under Section 35 A of the Banking Regulation Act, 1949 by the RBI with effect from 1995. Available at
https://www.rbi.org.in/Scripts/FAQView.aspx?Id=24, accessed on 25/02/2018.
95
The Information Security standard ISO/IEC 27002:2013 is the “Code of Practice for Information Security
Controls”. It was first published by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) in December 2000 as ISO 17799. Today, ISO/IEC 27002 is part of the
ISO27XXX series. Available at http://zih.hr/sites/zih.hr/files/cr-collections/3/iso27002.pdf. Accessed on 25/02/2018

ISO 27001:2013 provides organizations with guidance on how to manage information security
risks, with the ultimate goal of preserving the confidentiality, integrity, and availability of
information by applying a risk management process, and of giving interested parties confidence
that risks are adequately managed. By implementing all the clauses of the standard and
truly understanding their impacts, any organization can achieve many other benefits.
Certification and compliance can bring reputational, motivational, and financial benefits to the
organization through customers that have greater confidence that organization can protect their
information at agreed security levels, along with improvements in its supply chain security. All
of these elements are closely related to the organization’s ability to deliver satisfaction to its
customers, and fulfill the expectations and wishes of stakeholders, while protecting the
organization’s capacity for doing business in the long run.

96
Available at Alan Calder, Implementing Information Security Based on ISO 27001/ ISO 27002- A management
Guide, Van Haren Publishing, Second Edition, 2009, ISBN 978- 90 8753- 540- 7. At page 8.

Chapter.3- Implementation of ISO/IEC 27001:2013 in a Bank

Key Points Discussed in this Chapter

 Hypothetical Bank Environment.
 Implementation of ISO/IEC 27001:2013 in ABC Bank
 Context of ABC Bank
 Asset Register for ABC Bank
 Risk Assessment for ABC Bank
 Statement Of Applicability of ISO 27001:2013 for ABC Bank
 Risk Treatment for ABC Bank

In this chapter we will perform the implementation of an ISMS in accordance with ISO/IEC
27001:2013 in the Indian banking industry. For this we first have to understand the components
of an ISMS; afterwards the researcher will elaborate the working culture of a banking environment,
which will then be followed by the core processes of ISMS implementation: establishing the
context of the organization, drawing the scope of the ISMS for a bank, the objectives of the ISMS,
the needs of stakeholders, the assets of a banking organization, and the Statement of Applicability
report for the applied controls.

3.1. Hypothetical Bank Environment


For the purpose of implementing an ISMS in accordance with ISO/IEC 27001:2013, the
researcher will assume a hypothetical scenario of a bank, its operations and its employee
hierarchy. The scenario will be of an India-based bank named “ABC BANK”.

ABC Bank, which conducts most of its operations online, has now been using the internet for more
than a decade, and security is the key building block on which the bank depends. Information
security is valued at a high level, creating operational and financial backing and making it a
significant asset to the organization.

Mr. RST, Manager- IT explains, “Financial business can’t sustain without security checks. 24x7
monitoring is needed to safeguard the information. If we fail to comply with the security
guidelines we can face heavy fines and severe damage to our reputation”. According to him, the
business integrity, confidentiality and availability of information need to be preserved for giving
reliable banking services to its customers. For this, he and his colleague Mr. XYZ, Senior
Manager, IT, mainly insisted on risk analysis, regularly updating the applications and processes,
access checks and business continuity. Above all, they also added that ABC Bank is in the initial
process of achieving ISO/IEC 27001 information security certification that offers a
comprehensive approach to the information security. Mr. RST continues, “This certification will
assure the customers of our quality of service in security.”


3.1.1. Focus at Department of IT, ABC Bank


ABC Bank, according to its officials, represents safety and security. The bank has dedicated
Information Security governance that controls the whole idea of information security within the
organization. Information Security governance mainly consists of Board members, the Head of Risk
Management and the Chief Information Security Officer (CISO). The top management supports
resolution of Information Security issues and is responsible for aligning information security
mechanisms with the bank’s operational objectives and goals. These officials are also
responsible for assessing and implementing new technologies and other measures to preserve the
information.

Apart from that, Information Security issues are discussed and new strategies are devised in the
quarterly board meetings. The status of new initiatives (i.e., implementation of ISMS in
accordance with ISO/IEC 27001:2013) taken in the past, security incidents, audit reports and
logging reports are reviewed and analyzed in these meetings. Moreover, the top
management is also accountable for approving new projects based on the cost benefit analysis
document produced by the cost benefit analysis (CBA) team and the risk analysts. The CISO directly
heads the Information Security team, the Risk Management team and the Network team.

The Information Security team is responsible for continuously monitoring the logs of the tasks
performed at different machines and for assigning access rights to the employees. Log monitoring is
documented monthly, or sometimes quarterly, in the form of reports that are submitted to the CISO
for further review. Moreover, the Information Security team manages the login credentials of the
employees and other users. It assigns each employee a unique domain login identity. An
employee’s work is identified by the logs associated with his/her domain login. The Information
Security team also ensures that all the USB ports of the employees’ systems are disabled and that
employees are not able to install any software, not even from the internet. Such restrictions are
lifted and administrative rights are provided to employees only for a limited period of time and
upon approval from the Deputy General Manager. The Information Security team also arranges
different training programmes for the employees. Mostly, the trainings are given by third-party
trainers and by the bank’s staff colleges located in different parts of the country. Any policy
updates, notices or circulars are distributed among the employees via group emails and by
updating the bank’s portal. If an update requires personal communication or training, then
this training is mainly provided to the “Zonal Officers”, who communicate the same to the
respective employees of their branches. Generally, policy is updated annually by the experts in the
month of April, at the start of every financial year.

On the other hand, the Risk Management (RM) team performs risk analysis against the cost involved
for newly proposed projects. If a security incident is reported, the RM team analyses its
criticality and performs a root cause analysis (RCA) of the incident. If the incident is found to
be highly critical, or something erroneous has been done intentionally by an employee, strict
action (sometimes termination of service) is taken against the offender. Whenever an employee is
terminated or leaves the organization, the IS team is intimated immediately so that his/her login
credentials can be deleted at once.
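The two controls described above, attribution of every action to a unique domain login and immediate deletion of a leaver’s credentials, can be checked against each other. The following Python script is an added example, not the bank’s or the dissertation’s code: it assumes a constructed “timestamp|login|action|host” log layout and a constructed HR roster of domain logins with last working days, and it flags any activity by a login HR does not know or by a leaver after the last working day, the kind of exception a monthly log report to the CISO would carry.

```python
"""Leaver and unknown-account reconciliation over constructed domain logs.

Added example (not the bank's or the dissertation's code). The
'timestamp|login|action|host' layout, the roster and every value below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed HR roster: domain login -> last working day (None = still active).
HR_ROSTER: Dict[str, Optional[date]] = {
    "abc\\rkumar": None,
    "abc\\smehta": date(2018, 3, 31),  # resigned; account should already be deleted
    "abc\\psingh": None,
}

# Constructed log lines in the assumed layout.
SAMPLE_LOGS = """\
2018-04-02T09:14:05|abc\\rkumar|LOGON|BR-BHOPAL-07
2018-04-02T09:20:41|abc\\smehta|LOGON|BR-BHOPAL-03
2018-04-02T09:21:10|abc\\smehta|OPEN_LOAN_FILE|BR-BHOPAL-03
2018-04-02T10:02:33|abc\\tunknown|LOGON|BR-INDORE-01
2018-04-02T10:15:00|abc\\psingh|LOGON|BR-BHOPAL-07
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    login: str
    action: str
    host: str


@dataclass(frozen=True)
class Finding:
    event: Event
    reason: str


def parse_logs(text: str) -> List[Event]:
    """Parse the pipe-separated layout; malformed lines are skipped, never guessed."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, login, action, host = parts
        # Normalise the login so case differences cannot hide a match.
        events.append(Event(datetime.fromisoformat(ts), login.lower(), action, host))
    return events


def reconcile(events: List[Event], roster: Dict[str, Optional[date]]) -> List[Finding]:
    """Flag activity by logins HR does not know, or after a leaver's last working day."""
    findings: List[Finding] = []
    for ev in events:
        if ev.login not in roster:
            findings.append(Finding(ev, "login not present in HR roster"))
            continue
        last_day = roster[ev.login]
        if last_day is not None and ev.ts.date() > last_day:
            findings.append(Finding(ev, f"activity after last working day {last_day.isoformat()}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per login, the shape a periodic report to the CISO would carry."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.event.login] = counts.get(f.event.login, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(parse_logs(SAMPLE_LOGS), HR_ROSTER):
        print(f"{f.event.ts.isoformat()} {f.event.login} {f.event.action}@{f.event.host}: {f.reason}")
```

With the constructed data, the resigned login produces two findings and the unknown login one; the two active employees produce none. In practice the roster would come from the HR system and the events from the domain controller export, but the reconciliation logic is the same.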

The Network team plays a crucial role in preserving information security over the internet and in
ensuring business continuity through disaster recovery and high-availability multiprocessor
systems. The team monitors fluctuations in the business support network and provides maintenance
as needed. In
Page | 53
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry

case of emergencies such as floods, famines or other hazards that affect server availability, the
network load is shifted to a Disaster Recovery (DR) server set up at a different location within
India. Disaster Recovery servers are clones of the primary servers: any update made on the primary
server is available on the secondary (DR) server within a few minutes. The team also ensures that
antivirus and system updates are installed periodically on systems throughout the organization.
The Network team further maintains multilayered hardware and software firewalls, which prevent
unauthorized access, misuse and modification and block access to irrelevant or malicious webpages.

3.1.2. Other Implementations


Besides the roles and responsibilities of the security teams discussed above, the ABC Bank has
adopted various other information security practices. These practices are –
i. Security at Data Centers – Data centers are much more secure than any other area. Access
to these areas is restricted to a few members, and only under strict security protocols. A
person must possess an access card as well as biometric access to enter these areas. Data
centers are under 24x7 video surveillance by highly specialized teams, and the CCTV footage is
reviewed every three days by the security administrator to detect any pilferage.
ii. Maker Checker for Financial Transactions – This concept ensures that a transaction
initiated by an employee using his/her domain credentials is complete only when another
official approves it by logging in with his/her own credentials. Dual-member transaction
processing prevents fraud and insider threat unless a single person possesses the credentials
of both parties. In this way, implementation of the Maker-Checker model has made the system
more secure and effective.
iii. Job Segregation – The principle of job segregation avoids task dependency. Whenever an
employee is on leave, he may hand over the task to another employee so that operational
continuity is not affected. Job segregation also distributes accountability: if a user uses
another person’s credentials to commit some misconduct, the person whose credentials were used
will be held accountable for the delinquency. Sharing of passwords and systems has therefore
been reduced owing to this concept, which has lowered risk and reduced the number of security
incidents.
iv. Compliance Policy – Every new employee is provided with the Information Security policy
document and has to sign an “Acceptable Use Policy”, which contains the statement “I shall
abide by all rules and regulations mentioned in the above policy document. In case I fail to
comply with the aforesaid guidelines, I am liable to be lawfully tried”, i.e. the organization
is free to take legal action if an employee is found indulging in any wrongdoing. It also
includes a provision for checking compliance through the use of monitoring methods.
v. Security Auditing – ABC Bank takes the help of third-party auditors to execute security
audits within the organization. Third-party auditing ensures that cognitive bias is avoided
during inspection, which makes the process more efficient and effective.
vi. ISO/IEC 27001 – ABC Bank has lately applied for ISO/IEC 27001 security certification,
which brings improved security for the bank as well as its clients. It also gives the bank’s
stakeholders assurance of best practices and enhances security awareness among staff members.
Firms such as Deloitte Consulting India Private Limited performed the gap
analysis for the same and have helped the bank to improve its security processes. As part of
this progression, the operations, processes and standards of the organization have been
documented in the recent past. ABC Bank has now reached the concluding stage of this
accreditation and will soon be known for the quality of its security.
vii. HR Processes – The Human Resource team has also played a significant role in maintaining
IS standards in ABC Bank. While recruiting new staff, including contractors, temporary staff
and cleaning staff, the HR team is responsible for arranging police verification of these
people against any criminal record. When an employee resigns from the bank, he is closely
monitored during the three-month notice period so that he does not become involved in any
misconduct while leaving the bank. HR officials also ensure that all credentials are deleted
and that all assets, including the access rights assigned to the employee, are taken back on
the last day of his/her service.
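The Maker-Checker model in item ii is a dual-control (four-eyes) rule: a transaction recorded under one login becomes effective only when a different login approves it. The following Python example is added here and is not the bank’s or the dissertation’s code; the logins, account numbers and amounts are constructed, and amounts are kept as integer paise. It shows the three paths that matter: the maker trying to check his own transaction (blocked, even with a different letter case), a second login approving it, and a later attempt to re-check an already decided transaction (blocked).

```python
"""Maker-Checker (dual control) for financial transactions.

Added example, not the bank's or the dissertation's code. Logins, account
numbers and amounts are constructed; amounts are integer paise.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import count
from typing import Dict, List, Optional


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


class MakerCheckerError(Exception):
    """Raised when the four-eyes rule would be violated."""


@dataclass
class Transaction:
    txn_id: int
    account: str
    amount_paise: int
    maker: str
    status: Status = Status.PENDING
    checker: Optional[str] = None
    note: str = ""


class Ledger:
    def __init__(self) -> None:
        self._txns: Dict[int, Transaction] = {}
        self._ids = count(1)

    def make(self, maker: str, account: str, amount_paise: int) -> Transaction:
        """The maker records the transaction; it is not effective until checked."""
        if amount_paise <= 0:
            raise ValueError("amount must be positive")
        txn = Transaction(next(self._ids), account, amount_paise, maker.lower())
        self._txns[txn.txn_id] = txn
        return txn

    def check(self, checker: str, txn_id: int, approve: bool = True, note: str = "") -> Transaction:
        """A second, different login approves or rejects a pending transaction."""
        txn = self._txns[txn_id]
        if txn.status is not Status.PENDING:
            raise MakerCheckerError(f"transaction {txn_id} already {txn.status.value}")
        # Compare normalised logins so 'ABC\RKUMAR' cannot check what 'abc\rkumar' made.
        if checker.lower() == txn.maker:
            raise MakerCheckerError("maker and checker must be different logins")
        txn.checker = checker.lower()
        txn.note = note
        txn.status = Status.APPROVED if approve else Status.REJECTED
        return txn

    def posted(self) -> List[Transaction]:
        """Only approved transactions are ever posted to the account."""
        return [t for t in self._txns.values() if t.status is Status.APPROVED]


def demo() -> Dict[str, object]:
    """Walk the three paths of interest and report what happened."""
    ledger = Ledger()
    txn = ledger.make("abc\\rkumar", "ACC-0001", 25_000_000)  # Rs 2,50,000 in paise
    try:
        ledger.check("ABC\\RKUMAR", txn.txn_id)  # same person, different case
        self_check_blocked = False
    except MakerCheckerError:
        self_check_blocked = True
    approved = ledger.check("abc\\psingh", txn.txn_id, note="KYC verified")
    try:
        ledger.check("abc\\smehta", txn.txn_id)  # already decided
        double_check_blocked = False
    except MakerCheckerError:
        double_check_blocked = True
    return {
        "self_check_blocked": self_check_blocked,
        "approved_status": approved.status.value,
        "approved_checker": approved.checker,
        "double_check_blocked": double_check_blocked,
        "posted_count": len(ledger.posted()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the rule is enforced on identity, not on role: the text’s point is that a fraud needs both parties’ credentials, so the ledger refuses any checker whose normalised login equals the maker’s regardless of seniority.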

Since the bank has planned and prepared for the Information Security Management System
implementation, it now has to achieve its goal of having an effective Information Security
Management System and reach the level of being certified to ISO/IEC 27001. Going forward, ABC
Bank’s focus is to update its processes periodically and to manage insider threat, which remains
a major issue for the whole banking industry, as observing and controlling the human mind is far
more complicated. Another concern of the ABC Bank security team is controlling and managing
tailgating. Depending on the circumstances it is sometimes authorized and sometimes unauthorized,
but it is a serious subject because managing access for visitors is a complex task. The bank has
a proper control mechanism for employees and third-party staff, but visitors are often
accompanied by a staff member possessing an access card to the working space. Officially this is
a case of legal tailgating, but it may be a potential threat to the organization’s security. The
bank is looking forward to overcoming this problem and coming up with a resolution in the near
future by enhancing its security control mechanism through the implementation of the Information
Security Management System across all its departments and the organization as a whole.

3.1.3. Departments of ABC Bank


The ABC Bank consists of various departments, among which its sensitive information is
transmitted in order to accomplish the operations of the Bank. Multiple roles may be dedicated to
an employee of any department; it is the duty of the Information Security team to create a
separation of roles so that a particular employee can perform only those operations which are
dedicated to his role. For the purpose of this dissertation we can assume the departments and
their operations as:

i. Withdrawal and Deposit Department – This department is responsible for cash operations for
the customers of the ABC Bank. For example, if a customer wants to withdraw any amount from his
account, he should contact the window specially dedicated to cash withdrawal. There is another
window beside the withdrawal window which is responsible for accepting deposits of money from
customers.
By studying the operations of this department we can see how much sensitive information is
handled, such as:
 The name of the customer.
 The account number of the customer.
 The identity proof of the customer.
 The login credentials of the employee.
This is the sensitive information that is used during the operations of the above department,
and the Information Security team has to ensure appropriate protection of it.

ii. Loan Department – This department is responsible for all operations related to loans, such
as sanctioning a loan, recovering a loan and transferring a loan to the Non-Performing Assets of
ABC Bank. The Loan Department holds various items of sensitive personal information, such as:
 Permanent Account Number of the customer.
 Loan account number of the customer.
 The login credentials of the employee.
 The cheques given by the customer for paying the EMI of the loan.

iii. Information Technology Department – The IT department of the ABC Bank is responsible for
all its IT-related operations. Basically, the main function of the IT department is to enable
the uninterrupted functioning of all those services of ABC Bank which are totally dependent upon
IT. For example, all operations of the Cash Withdrawal and Deposit Department depend upon IT,
i.e. the computers and the active network connection through which the ABC Bank provides its
instant withdrawal and deposit services to its customers.

The IT Department has constituted an Information Security team which is headed by the Chief
Information Security Officer of the ABC Bank. IT is used to carry out transactions that involve
personal sensitive data or information.

3.2. Implementation of ISO/IEC 27001:2013 in ABC Bank


3.2.1. Scope: This implementation programme applies to all ABC Bank employees, temporary staff,
trainees, interns and employees of temporary employment agencies, vendors, business partners, and
contractor personnel, irrespective of geographic location.

The programme specifically covers all Information and Information Systems (IS) environments
operated by ABC Bank or contracted to a third party by ABC Bank. The term “IS environment”
defines the total environment and includes, but is not limited to, all documentation, physical and
logical controls, personnel, hardware (e.g. Mainframe, distributed, desktop, network devices, and
wireless devices), software, and data/information.

Although this implementation programme explicitly covers the responsibilities of the Infosec
Department, it does not cover the matter exclusively. Other ABC Bank Systems Security policies,
standards, and guidelines define additional responsibilities. All users/employees are required to
read, understand and comply with these other policies, standards, and guidelines, and to provide
their consent, in an appropriate manner, confirming that they have read and understood all the
policies. If any user does not fully understand anything in these documents, he/she should
consult his business or functional manager, who will contact the CISO.

3.2.2. Purpose: The purpose of this implementation programme is to manage information security
within ABC Bank, maintain appropriate security controls in the Information Systems (IS)
environments within ABC Bank, and define the Vision and Mission for Information Security.

3.2.3. Context of the ABC Bank: ABC Bank is an India-based private sector bank with its Head
Office at Bhopal (M.P.), India. The main operations of the bank are the same as those of all
other banks; the difference is that ABC Bank performs a major percentage of its operations with
the help of IT, i.e. computers, networks and other software, including Enterprise Resource
Management software, to carry out its operations and transmit information related to them among
its branches and employees.

 Internal Context: Board Members, CISO, Information Security Team, Network Team and all
other employees of the ABC Bank, including its premises.
 External Context: Legal Regulations and Compliances, Vendors,

3.2.4. Asset Inventory:

In this section we prepare an asset register/inventory listing the assets of the ABC Bank,
whether they belong to the internal or the external context. The inventory records the context of
the asset, the operating unit or department of ABC Bank under which it falls, the type of asset,
whether the asset contains personal data, personal sensitive data or customer’s sensitive data,
the classification of the asset, the roles and responsibilities for it and the risk associated
with it; all of this is elaborated, in the context of ABC Bank, in the asset inventory.

3.2.5. Risk Assessment & Treatment Methodology:

3.2.6. Risk Matrix

The Risk Matrix is used to determine the impact of, or to rate, any particular risk associated
with the organization. Here we have prepared the matrix for ABC Bank, which elaborates what score
is given to each risk.

3.2.7. Risk Assessment

Risk Assessment is the procedure by which we assess the risks associated with the assets of the
organization. Here, we are assessing the risks associated with the assets of ABC Bank.
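The risk matrix of 3.2.6 and the assessment of 3.2.7 can be expressed as a small scoring routine. The following Python example is added here and is not the dissertation’s matrix, whose scores are not reproduced in this text. It assumes 1-5 scales for likelihood and impact, score = likelihood x impact, the rating bands Low (1-4), Medium (5-9), High (10-16) and Critical (17-25), and an acceptance threshold of 4 above which a risk needs treatment; the register entries are constructed from asset types named earlier in the chapter (customer account numbers, employee login credentials, loan EMI cheques, CCTV footage).

```python
"""Risk matrix scoring over a constructed asset risk register.

Added example, not the dissertation's own matrix. The scales, bands and the
acceptance threshold below are assumptions; the register entries are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LIKELIHOOD: Dict[int, str] = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT: Dict[int, str] = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Assumed rating bands, as inclusive upper bounds on the score.
BANDS: List[Tuple[int, str]] = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]
ACCEPTANCE_THRESHOLD = 4  # assumed: a score above this needs a treatment plan


def risk_score(likelihood: int, impact: int) -> int:
    """Score = likelihood x impact on the assumed 1-5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def rating(score: int) -> str:
    """Map a score onto the assumed bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} lies outside the matrix")


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    department: str
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return rating(self.score)

    @property
    def needs_treatment(self) -> bool:
        return self.score > ACCEPTANCE_THRESHOLD


def assess(register: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register highest risk first, breaking ties on impact."""
    return sorted(register, key=lambda e: (e.score, e.impact), reverse=True)


def render_matrix() -> str:
    """Draw the 5x5 matrix: rows are likelihood, columns are impact."""
    lines = ["L\\I " + "".join(f"{im:>10}" for im in IMPACT)]
    for lk in LIKELIHOOD:
        lines.append(f"{lk:>4}" + "".join(f"{rating(risk_score(lk, im)):>10}" for im in IMPACT))
    return "\n".join(lines)


# Constructed entries built from asset types the chapter names.
SAMPLE_REGISTER: List[RiskEntry] = [
    RiskEntry("Customer account numbers", "Withdrawal and Deposit", "Disclosure from a shared workstation", 3, 5),
    RiskEntry("Employee login credentials", "IT", "Credential sharing between staff", 4, 4),
    RiskEntry("Loan EMI cheques", "Loan", "Physical loss in transit", 2, 3),
    RiskEntry("Data centre CCTV footage", "IS", "Gap before the three-day review", 1, 2),
]

if __name__ == "__main__":
    print(render_matrix())
    for e in assess(SAMPLE_REGISTER):
        flag = "TREAT" if e.needs_treatment else "accept"
        print(f"{e.score:>3} {e.level:<8} {flag:<6} {e.asset} ({e.department}): {e.threat}")
```

Keeping the bands and the acceptance threshold as named constants matters more than the particular numbers: the risk treatment decision then follows mechanically from the register, and a change in the bank’s risk appetite is a one-line change that re-ranks every entry consistently.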

FIGURE 3.1. Example of Risk Assessment & Treatment of an Asset [97]

[97] Available at https://advisera.com/27001academy/free-downloads/, accessed on 12/03/2018.

3.2.8. SOA
The Statement of Applicability (SOA) is used to identify the controls selected to address the risks
identified in the risk assessment process; it explains why those controls have been selected,
states whether or not they have been implemented, and explains why any Annex A controls have been
omitted. Here we demonstrate which controls of ISO/IEC 27001:2013 have been implemented in ABC
Bank and, where a control has been omitted, state the reason for omitting that particular control
in an appropriate manner.

3.2.9. Information Security Policies of ABC Bank:


All the mandatory policies of the ISMS are mentioned and elaborated in the Annexure.

3.2.10. Risk Treatment

In this section we elaborate the method by which we treat the risks of the ABC Bank and list the
assets for which the risk treatment process has been implemented, in the prescribed manner, in
the table stated below:

3.2.11. Monitoring and evaluation


The ABC Bank shall evaluate the information security performance and the effectiveness of the
information security management system. For this purpose the ABC Bank shall determine:
 The proper monitoring procedure for the implemented information security processes and
controls.
 The methods for monitoring, measurement, analysis and evaluation, as applicable, to
ensure valid results.
 That the monitoring and measurement of the implemented controls shall be performed twice
a month (at an interval of 15 days).
 That the CISO will be the responsible and reporting person for monitoring.
 That the results of monitoring and measurement shall be analyzed and evaluated on the day
immediately following completion of the monitoring process, in the presence of all the
responsible people.
 That the results shall be analyzed by the whole information security team under the
supervision of the CISO of ABC Bank.

3.2.12. Internal Audit


The ABC Bank shall conduct an internal audit six months after implementation and, apart from
that, the internal audit shall take place twice in a financial year to ensure the proper working
and the accurate position of the implemented controls.

Chapter 4: ISO/IEC 27001:2013 Implementation Issues and Challenges

Key Points Discussed in this Chapter

 Expectations with ISMS (ISO/IEC 27001:2013) Implementation
 ISMS Implementation Issues & Challenges
 Recommendations for the Implementation of ISO/IEC 27001:2013

4.1. Expectations with ISMS (ISO/IEC 27001:2013) Implementation.


ISMS is a relatively huge project, although the scale on which it is implemented depends on the
scope selected for implementation. With such a project, especially one that is so comprehensive
and requires various resources to ensure its success, the expectations of its success are also
high. Some of the most common expectations of organizations that implemented ISMS in the pilot
programme, as observed, include:

4.1.1. Risks and losses will be minimized


With an effective and comprehensive ISMS implementation, the number of security breaches
suffered by organizations can be reduced, and any security risks and losses will subsequently be
minimized. This is normally the least that is expected from an ISMS implementation and should be
the main objective of such an exhaustive project undertaken by any organization.

4.1.2. Compliance to rules, legislation, company standards and practices


By implementing ISMS, organizations will also automatically become compliant with any relevant
rules, legislation, company standards and practices. This is because there is a specific clause
in ISMS that mandates organizations to comply with them, in order to improve corporate governance
and to avoid being held liable for certain legal issues.

4.1.3. Improved safety


By implementing ISMS, which focuses on securing vital company information from misuse by
unwanted intruders, the overall safety of information, personnel and assets is assured. By
performing the risk assessment process and implementing the identified controls to mitigate the
risks, as warranted by the ISMS, organizations help prevent unwanted security breaches; and even
if something does happen, they will be well prepared for it through the implementation of
incident response handling procedures and business continuity management.

4.1.4. Reliable operations


By implementing ISMS, organizations can be more assured of the reliability of their operations,
as any weak points should already have been identified and mitigated appropriately. It thus
enables organizations to plan ahead of a crisis or disaster and develop appropriate recovery
procedures to ensure that downtime of operations is minimized.

4.1.5. Business continuity


As explained above, since Business Continuity Management (BCM) is one of the domains in ISMS,
organizations benefit tremendously from ISMS implementation: with proper BCM implementation, the
overall downtime of business operations caused by the realization of threats such as flood, fire,
theft and others can be minimized. This ensures that the business continues to operate in the
event of a crisis or disaster, although most probably not at 100% as during normal operations,
depending on the chosen recovery strategy.

4.2. ISMS Implementation Issues & Challenges


ISO/IEC 27001 gives organizations that are looking to secure their business the flexibility to
develop their own information security management system (ISMS). This is because the standard
does not specify any particular approach or method for developing an ISMS; instead, it defines
requirements for the ISMS. This gives organizations more freedom, for example to choose their
preferred risk management methodology. On the other hand, this may create a burden for
organizations that lack security knowledge and do not have the competency to develop their own
ISMS.

Zuccato [98] claimed that security management approaches that depend only on risk analysis, such
as ISO 27001, are not convenient for e-Business, since they depend only on the value of assets,
threats, and the probability of threats exploiting vulnerabilities. However, this is not
completely true: risk analysis may consider other sources for eliciting security requirements and
threats. For instance, company reputation can be considered an asset to be protected, customers
can be involved in the risk analysis, and market forces can be taken into account.

Furthermore, the standard is intended for organizations of all sizes. [99] From a practical
rather than financial point of view, it might be more convenient and easier for SMEs to adopt
this standard: in a small company it is easier to manage an ISMS, since there is a small number
of assets to be considered. However, cost and lack of awareness of the standard’s contents act as
the main barriers to adopting the standard. [100]

There are various challenges that await ISMS implementers. Among those that the researcher has
observed during the implementation are:

4.2.1. Fear / Resistance to change


By implementing such an extensive management system in the workplace, changes are definitely
going to be made, whether in the working process, in personnel responsibilities or in many other
areas. We observed that some organizations are quite reluctant to make major changes without
elaborate justification in place, as it will impact the operations of their business.

[98] Zuccato, A. (2006). Holistic Security Management Framework Applied in Electronic Commerce.
Computers & Security, 26, 256-265.
[99] ISO/IEC 27001:2005 Information Technology, Security Techniques, Information Security
Management Systems, Requirements. Available at http://www.iso.org/iso/catalogue_detail?csnumber=42103.
[100] DTI Information Security Breaches Survey (2006). Technical Report. UK Department of Trade and
Industry.

4.2.2. Increased cost


By implementing ISMS, either directly or indirectly, there will definitely be an increase in the
costs incurred, especially when implementing the controls identified to mitigate the known risks.
We discovered that some of the organizations simply did not have an adequate budget to allocate
funds and/or resources to implement such a system.

4.2.3. Inadequate knowledge as to approach


Many organizations still do not have the know-how for proper ISMS implementation and may not
have personnel who are qualified subject matter experts in the area. This may lead to delay or
avoidance of the implementation.

4.2.4. Seemingly huge task


Depending on the scope, ISMS can sometimes be a huge task to complete. Besides the extensive
documentation that has to be prepared, other activities that need to be done, such as managing
resources, user training and awareness and many others, may prove too daunting for some of the
participating organizations to complete.

Chapter 5: Conclusion and Suggestions

Key Points Discussed in this Chapter

 Conclusion
 Suggestions

5.1. Conclusion
ISO/IEC 27001:2013 is an information security standard that was published on 25 September 2013.
It supersedes ISO/IEC 27001:2005. To be compliant with ISO 27001:2013, some requirements have to
be fulfilled by the organization. Those requirements can be found in seven clauses of ISO
27001:2013, namely Context, Leadership, Planning, Support, Operation, Evaluation, and
Improvement. It is hard to ignore the fact that all the organizations involved in running the
ISMS programme have benefited tremendously from it. Not only have the participating organizations
learnt a valuable methodology to secure and manage their information systematically, but they
have also managed to form a forum to discuss the issues and problems they face with ISMS
implementation. The programme coordinators, consultants, trainers and auditors have gained
valuable experience as well.

ISO 27001:2013 provides organizations with guidance on how to manage information security risks,
with the ultimate goal of preserving the confidentiality, integrity, and availability of
information by applying a risk management process, and of giving interested parties and customers
confidence that those risks are adequately managed. By implementing all the clauses of the
standard and truly understanding their impact, an organization can achieve many other benefits.
Certification and compliance can bring reputational, motivational, and financial benefits to
organizations, through customers having greater confidence that the organization can protect
their information at agreed security levels, along with improvements in the organization’s supply
chain security. All of these elements are closely related to the organization’s ability to
deliver satisfaction to its customers and fulfil the expectations and wishes of its stakeholders,
while protecting its capacity for doing business in the long run.

In this report the ISMS in accordance with ISO 27001:2013 has been implemented hypothetically in
a bank named “ABC Bank”. During implementation the researcher has faced issues such as
categorisation of assets and assigning responsibility, and the major issue faced by the
researcher is how to secure the personal sensitive data of the customer, because there is no
straightforward instruction in the standard for securing the sensitive personal data of customers
or employees while it is at rest (stored on the drive) or in motion (in transmission). For this,
the researcher has found that the ABC Bank needs to comply with another standard, PCI DSS
(Payment Card Industry Data Security Standard), a widely accepted standard introduced by payment
card industry giants like Discover, MasterCard, JCB and VISA; the current version of
PCI DSS is V4. PCI DSS provides straightforward guidelines for securing sensitive personal
information (such as the customer’s credit card, debit card, Permanent Account Number and Aadhaar
number) while it is at rest (stored) or in motion (in transmission). Suggestions for the removal
of this issue are elaborated in the next section.

It is hoped and anticipated that in the near future more and more organizations in India,
especially those from the government and financial sectors, will view ISMS as a necessity in
order to grow their operations and business and to secure the vital information and assets that
enable them to do so.

5.2. Suggestions
To ensure a better and more effective ISMS implementation, it is recommended that the following
guidelines be followed to improve the process:

5.2.1. Parallel design of ISMS and Information System


Nowadays organisations take the approach of first designing an information technology system
which carries out all the operations of the organisation, and only then does higher management
think about the security of that information technology system; this can be considered a bad
approach to achieving effective information security.

The researcher wants to suggest that organisations should start working on the security of their
information system along with the establishment of that information system; this approach can
enable an organisation to achieve continual improvement and effective information security.

5.2.2. Dedicated Clause for Securing the Sensitive Personal Information


ISO/IEC 27001:2013 does not specifically address the issues related to the security of personal
sensitive information (such as credit card numbers, debit card numbers, customer account numbers,
etc.) or how to protect it while it is transmitted over the network using secure protocols such
as SSL/TLS. So there is a need to amend ISO/IEC 27001:2013 so that it specifically addresses the
issues related to secure protocols and provides a structured guideline for securing personal
sensitive information like credit card numbers, customer account numbers and customer ID numbers
(the Aadhaar number in the Indian scenario).

5.2.3. Critical Success Factors


Organizations are encouraged to take into account the Critical Success Factors (CSFs) listed out
in the ISO/IEC 17799:2000 standard to ensure implementation success. Organizations need to
place extra importance on the listed factors and attend to them appropriately to ensure that the
ISMS implementation process runs smoothly.

5.2.4. Complete PDCA Cycle


Ensure that during the ISMS implementation process, organizations adhere to the requirements
stated in the Plan-Do-Check-Act (PDCA) model and complete all the activities mentioned in the
PDCA cycle accurately and comprehensively.

BIBLIOGRAPHY

 BOOKS
 Steve Watkins and Alan Calder, IT Governance: An International Guide to Data
Security and ISO 27001/ ISO 27002, Kogan Publisher, Sixth Edition 2015, ISBN
978-0-7494-7405-8. Available at:
https://books.google.co.in/books/about/IT_Governance.html?id=OctwCgAAQBAJ&printsec=frontcover&source=kp_read_button&redir_esc=y#v=onepage&q&f=false.
 Alan Calder, Implementing Information Security Based on ISO 27001/ ISO
27002- A management Guide, Van Haren Publishing, Second Edition, 2009,
ISBN 978- 90 8753- 540- 7.
 Shon Harris, All in One CISSP Exam Guide, McGraw-Hill Companies
Publications, Eighth Edition 2016, ISBN 978-0-07-178173-2
 Ja’far Alqatawna. (2016). The Challenge of Implementing Information Security
Standards in Small and Medium e-Business Enterprises. Journal of Software
Engineering and Applications, ISSN 883-890
 Anthony Tarantino (2012). Governance, Risk and Compliance Handbook:
Technology, Finance, Environmental and International Guidance and Best
Practices. Sixth Edition, John Wiley & Sons Inc. ISBN 978-0-470-09589-8.
 Steve G Watkins (2015). An Introduction to Information Security and ISO
27001:2013 A Pocket Guide . India: IT Governance Publishing. 10-85. ISBN 978-
1-84928-526-1.
 Edward Humphreys (2016). Implementing the ISO/IEC 27001 ISMS Standard. 2nd
ed. UK: Artech House. 10-85. ISBN 13: 978-1-60807-930-8.
 Kai Roer (2015). Build a Security Culture. USA: ITGP. 10-35. ISBN
13: 9781849287166.

 RESEARCH PAPERS/WHITE PAPERS/ARTICLES
 Placido Rodal Castro, Implementation Plan for an ISMS according to ISO/IEC
27001:2013, 2016. Available at:
http://openaccess.uoc.edu/webapps/o2/bitstream/10609/59325/8/prodalTFM1216mem%C3%B2ria.pdf.
 Dejan Kosutic; Advisera Expert solution Ltd. (2017). Clause-by-clause
explanation of ISO 27001. White Paper. 2 (2), 1-10. Available at
http://info.advisera.com/27001academy/free-download/clause-by-clause-
explanation-of-iso-27001

Page | 82
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry

 Amarachi A.A, Okolie S.O and Ajaegbu C. (2013). Information Security


Management System: Emerging Issues and Prospect. IOSR Journal of Computer
Engineering (IOSR-JCE). Volume 12. Available at :
http://www.iosrjournals.org/iosr-jce/papers/Vol12-
issue3/N012396102.pdf?id=2069
 Dejan Kosutic; Advisera Expert solution Ltd. (2017). ISO 27001 vs. ISO
27002. About ISO 27001, ISO 22301 and other standards. Available at
https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
 Mahsa Mohseni. Has your organization compliance with ISMS? A case study in
an Iranian Bank. Available at
https://arxiv.org/ftp/arxiv/papers/1303/1303.0468.pdf
 Placido Rodal Castro, Implementation Plan for an ISMS according to ISO/IEC
27001:2013, 2016.
 Gerhard Funk. (2016). A practical guideline for implementing an ISMS in
accordance with the international standard ISO/IEC 27001:2013. Implementation
Guideline ISO/IEC 27001:2013. Germany Chapter.

 STANDARDS
 ISO/IEC 27000:2016 Information Technology- Security Techniques- Information
Security Management Systems- Overview and Vocabulary.
 ISO/IEC 27001:2013 Information Technology- Security Techniques- Information
Security Management Systems- Requirements.
 ISO/IEC 27002:2013 Information Technology - Security Techniques Code of
Practice for Information Security Controls
 ISO/IEC 27003:2017 Information technology - Security techniques - Information
security management systems – Guidance.

 WEBSITES
 https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WREB210111_ES.pdf
 https://www.iso.org/
 http://www.iec.ch/about/activities/?ref=menu
 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
 https://advisera.com/27001academy/free-downloads/
 https://advisera.com/27001academy/knowledgebase-category/iso-27001-
implementation/
 http://cnii.cybersecurity.my/main/resources/ISMS.pdf
 http://www.ijens.org/vol_11_i_05/113505-6969-ijecs-ijens.pdf
 http://www.securityfeeds.com/drupal7/sites/default/files/ISACA_ISO27001_How
To.pdf

Page | 83
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry

 https://www2.deloitte.com/mt/en/pages/risk/articles/mt-risk-article-it-auditing-
iso27001.html
 https://www.itgovernance.co.uk/blog/iso-27001-five-tips-for-successful-
implementation/
 https://www.itgovernance.co.uk/shop/product/build-a-security-culture
 http://www.uni-sz.bg/tsj/Vol9N4_2011/J.Karakaneva.pdf
 https://www.sciencedirect.com/science/article/pii/S0895717712002014
 https://www.bsigroup.com/en-IN/ISOIEC-27001-Information-
Security/Introduction-to-ISOIEC-27001/.
 https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001
 https://dqsus.com/certification/iso-27001/
 https://digitalguardian.com/blog/what-glba-compliance-understanding-data-
protection-requirements-gramm-leach-bliley-act
 www.businessdictionary.com/definition/HIPPA-privacy-rule.html
 searchsecurity.techtarget.com/definition/Federal-Information-Security-
Management-Act
 https://www.techopedia.com/definition/29060/security-breach
 http://zih.hr/sites/zih.hr/files/cr-collections/3/iso27002.pdf

Page | 84
RGNCLC, NLIU, BHOPAL
Implementation of ISO 27001:2013 in Banking Industry

ANNEXURE


A.1. Information Security Organization Policy for ABC Bank

Information Security Organization

Information Technology Department

ABC Bank

Classifications: ABC Bank’s Confidential

CONFIDENTIAL DISTRIBUTION: PROPERTY OF ABC BANK

NO PART OF THIS PUBLICATION MAY BE COPIED OR REPRODUCED, SOLD OR TRANSFERRED
TO ANY PERSON, IN WHOLE OR IN PART, IN ANY MANNER OR FORM OR ON ANY MEDIA,
WITHOUT PRIOR WRITTEN PERMISSION OF ABC BANK


Document Control

Policy Ref.: ISMS-001-v1.6-A

Document History

DOCUMENT VERSION | COMMENTS | PUBLICATION DATE

Document Information

AUTHOR – NAME | DIVISION / DESIGNATION | DATE
REVIEWED BY – NAME | DIVISION / DESIGNATION | DATE
APPROVED BY – NAME | DIVISION / DESIGNATION | DATE

Distribution List

NAME | DIVISION

Copies of this document will be held by:

Information Technology Department


A.1.1. Purpose
The purpose of this policy is to manage information security within ABC Bank and
maintain appropriate security controls in the Information Systems (IS) environments
within ABC Bank and define the Vision and Mission for Information Security.

A.1.2. Scope
This Policy applies to all ABC Bank employees, temporary staff, trainees, interns,
employees of temporary employment agencies, vendors, business partners and
contractor personnel, irrespective of geographic location.

This Policy specifically covers all Information and Information Systems (IS)
environments operated by ABC Bank or contracted to a third party by ABC Bank. The
term “IS environment” defines the total environment and includes, but is not limited to,
all documentation, physical and logical controls, personnel, hardware (e.g. Mainframe,
distributed, desktop, network devices, and wireless devices), software, and
data/information.

Although this Policy explicitly covers the responsibilities of the Infosec Department, it
does not cover the matter exclusively. Other ABC Bank Systems Security policies,
standards and guidelines define additional responsibilities. All users are required to
read, understand and comply with those policies, standards and guidelines, and to
confirm in an appropriate manner that they have read and understood them. If any user
does not fully understand anything in these documents, he/she should consult his/her
business or functional manager, who will contact the IT Head.

A.1.3. Policy Maintenance
• Information Technology Department is responsible for the maintenance and
accuracy of this policy.
• Any queries should be directed to Information Technology Department for
resolution.


A.1.4. Definitions
Definitions of some of the common terms:

Critical: The degree to which an organization depends on the continued availability of the
system or services to conduct its normal operations.

Information Asset: Any information resource that has value to the organization; it can be
any system or component, hardware, software, database or facility.

Sensitive: Concerned with highly classified information or involving discretionary
authority over important official matters.

Availability: Ensuring that authorized users have access to information and associated
assets when required.

A.1.5. Policy Assumptions
1. The terms “must” and “shall” in this policy denote a mandatory action;
2. The term “should” in this policy denotes a recommended action;
3. This policy is based on documented conditions that are assumed to be true at the time
of its creation.

A.1.6. Policy Statements
This Policy stipulates guidelines for defining the roles and responsibilities pertaining to
information security for Information Technology Department. To ensure that
information security is properly implemented, all employees of ABC Bank must
understand and comply with the responsibilities identified in this document when their
duties entail one or more of the roles described below.

A.1.7. Mission and Vision

A.1.7.1. Vision:
To enable the successful achievement of the overall business goals by continually minimizing
security risks through a secure environment that protects revenues and ensures confidentiality,
integrity and availability of information system assets.

A.1.7.2. Mission:
• To provide high quality, proactive, and optimal Information Security service to all the
customers by fully aligning the Information Security management, infrastructure, strategy
and processes with business and IT requirements.


• To enhance the effectiveness of Information Security Processes by aligning the
Information Security Operations with customer requirements and leading security
practices, and standardizing internal processes by benchmarking against industry de facto
standards.
• To maximize the effectiveness of Information Security Organization through enhanced
staff capability and high employee motivation.
• To protect and optimize key revenue streams by minimizing loss due to revenue leakages
and fraud.

A.1.8. Organization of Information Security

A.1.8.1. Management Commitment
• Management shall actively support information security within the organization through
clear direction, demonstrated commitment, explicit assignment, and acknowledgment of
information security responsibilities.
• All members of the management team will be responsible for information security.
• All information security responsibilities shall be clearly defined for all users.
• Infosec Department will be responsible for directing and coordinating information
security initiatives. It will be specifically responsible for:
  • Reviewing and approving information security policies and overall responsibilities
through the ITSC (as per the charter);
  • Monitoring significant changes in the exposure of information assets to major threats;
  • Reviewing, monitoring and reporting information security incidents;
  • Approving major initiatives to enhance information security through the ITSC.

A.1.8.2. Information Security Coordination

• It is ABC Bank’s policy that the management of all departments coordinate with the
Infosec Department in implementing and maintaining the desired level of information
security. Such cooperation may include, but is not limited to, the following:
  • Identifying information security related roles and responsibilities across the different
Departments of ABC Bank;
  • Identifying, agreeing and implementing specific methodologies, controls and processes
related to information security, including assessment of risk and assigning security
classification to information systems assets;
  • Agreeing and assessing the adequacy of organization-wide security initiatives;
  • Reviewing information security incidents;
  • Coordination of information security initiatives for new systems;
  • Including information security in the information systems;
  • Promoting organization-wide support for information security.
• ABC Bank should formulate an IT Steering Committee comprising a cross-functional mix
of top management personnel.
• The Steering Committee should meet periodically to discuss, amongst other things, security
strategy, budgets, spending, major security incidents and recovery capabilities.


A.1.8.3. Information Security Responsibilities

• Infosec Department and Operations head will have the overall responsibility for the
development and implementation of information security and related control processes.
• Information Asset owners will be directly responsible for the safeguarding of the asset
and for identifying and implementing the controls that are necessary to adequately protect
the asset. The level of protection to be provided to the asset will depend on its
classification in accordance with the Asset Classification and Control Policy. In
accordance with the above, the following activities are required:
  • The assets and security processes associated with each individual system must be
identified and defined;
  • Asset ownership should be agreed and the level of responsibility should be documented;
  • Authorization levels should be defined and documented.

A.1.8.4. Specialist Information Security Advice

• ABC Bank requires that individuals with relevant expertise in the various aspects of
information security be assigned to the Infosec Department to provide Arrka with specialist
information security advice on a continuous basis.
• Due to the wide range of expertise and skill sets required to maintain an appropriate level
of information security, ABC’s Information Technology Department may at its option
and as appropriate (subject to approval of the ITSC and availability of budget) also hire
the services of external information security consultants, either continuously or on a case
by case basis, to provide best advice on specific aspects of information systems security.
• The Information Security Officer will be the specialist reporting to the IT Head, ensuring
that compliance is implemented as per the standards adopted by ABC Bank.
• ABC Bank requires that all information security ‘incidents’, ‘breaches’, suspected
‘incidents’ or ‘breaches’, or potential control weaknesses be formally logged and reported
to the Operations Head, who will report to the IT Steering Committee.

A.1.8.5. Cooperation between Organizations

• ABC Bank recognizes that the maintenance of the desired level of information security
may require the cooperation, support and assistance of certain external agencies.
Therefore, the Infosec Department must develop and maintain formal contacts with vendors,
security groups, industry forums and other service providers in order to establish a
holistic approach to Information Security.
• The extent of cooperation and transfer of information must be formalized to the extent
possible. Such cooperation should be in the interest of Arrka and should not result in
violation of ABC Bank’s Information Security Policies, including the transfer of
confidential / classified information to unauthorized third parties.

Description

• ABC Bank’s Whistle-Blowing policy specifies guidelines on when and by whom
authorities (e.g. law enforcement, fire department, supervisory authorities) should
be contacted, and how identified information security incidents should be reported
in a timely manner if it is suspected that laws may have been broken.

• ABC Bank, when under attack from the Internet, may need external third parties
(e.g. an Internet service provider or telecommunications operator) to take action
against the attack source.

A.1.9. Related Information Security Policies

• Corporate Information Security & Cybersecurity Policy.
• Asset Classification and Control Policy.
• Human Capital Security Policy.
• ISMS Compliance Policy.
• ITSC Charter.
• BYOD Policy.

A.1.10. Compliance Monitoring
Compliance with the Information Security Organization policy is mandatory. ABC Bank’s
managers must ensure continuous compliance monitoring within the organization.
Compliance with the policy will be a matter for periodic review by the Audit Committee of
ABC Bank as per the audit charter.

Violations of the policies, standards and guideline of ABC Bank will result in
corrective action by management. Disciplinary action will be consistent with the
severity of the incident, as determined by the Human Resource Policy of ABC Bank.

A.1.11. Custodians
Policy Reference | Custodian
