Universiti Teknologi Malaysia Institutional Repository

Feasibility study on incorporating IEC/ISO27001 information security management system (ISMS) standard in IT services environment

Hau, Lian Hong (2013) Feasibility study on incorporating IEC/ISO27001 information security management system (ISMS) standard in IT services environment. Masters thesis, Universiti Teknologi Malaysia, Faculty of Computing.


Official URL: http://libraryopac.utm.my/client/en_AU/main/search...

Abstract

This feasibility study on incorporating the IEC/ISO27001 Information Security Management System (ISMS) standard in an IT services environment takes one organization as a case study. It assesses the organization's existing maturity level in managing information security and proposes an implementation approach based on the ISO27001 ISMS standard. The activities involve a security gap assessment and drafting the mandatory documents required by the ISO 27001 ISMS standard. The objective of this study is to identify common information security incidents and the ISO27001 ISMS practices for corrective and preventive actions. In addition, the study analyzes the current state of the organization by conducting a feasibility study on the readiness of the ISO27001 ISMS practices in the organization. The methodology was derived from a research operational framework comprising several project phases and ISO27001 ISMS implementation phases mapped to the deliverables. The deliverables and expected results are a series of document sets that must comply with the ISO27001 ISMS standard, such as an initial draft of the ISMS policy manual, the risk assessment methodology, the risk assessment report and the statement of applicability (SOA), which will be developed to meet the ISO27001 ISMS requirements and criteria. The mandatory activities, such as the gap assessment and the information security risk assessment, will also be proposed and conducted, with the relevant reports prepared as part of the results and findings to accomplish the objectives of this study. The gap assessment performed within the organization found that it does not meet the requirements of ISO27001 ISMS. Hence, this study proposes an implementation approach based on the ISO27001 ISMS standard to implement the ISMS controls that close the gaps and mitigate the risks identified in the gap assessment findings.

Item Type: Thesis (Masters)
Additional Information: Thesis (Master of Computer Science (Information Security)) - Universiti Teknologi Malaysia, 2013
Subjects: Q Science > QA Mathematics > QA76 Computer software
Divisions: Computing
ID Code: 48208
Deposited By: Haliza Zainal
Deposited On: 15 Oct 2015 01:09
Last Modified: 13 Sep 2017 07:31
