Tasks for Developing an ISMS

Task 1

For your scenario, you will have to define the organisation and state your assumptions for the way they conduct their business.

This is not expected to be an exhaustive list, but it must give a thorough idea of how they currently operate.

Following from this you must define the operation of the business units that are to be protected by the ISMS.

These business units must be of a reasonable size for the selected organisation and be recognisable entities within the organisation (for example, a call-centre or technical support helpdesk within a University, an IT department within a car dealership etc.).

Defining the scenario gives you the opportunity to present the business units that you are more comfortable with. Some of you might be familiar with an organisation due to past exposure (e.g., you might have been an employee). Others might be interested in joining a particular industry so researching for an organisation will help you understand more about the industry.

You are advised not to refer to specific names or disclose confidential information if your scenario is based in an actual organisation that you have had any involvement with. As such your report should be anonymised, and can relate for example to The University of ABC or ABC Forensics Ltd.

Task 1

You will briefly define the organisation and the business units’ operations, constraints, the roles of the personnel, the IT and physical infrastructure, and clearly identify the stakeholders.

Task 2

Define the key assets that the ISMS must protect within your proposed business unit and provide some valuation of the assets. Each asset will need to be considered in terms of value and significance to the organisation.

Task 3

Conduct research and identify common threats to organisations like the one you have selected.

Look at the top twenty threats relevant/specific to your organisation. Pick any ten you like and explain each of these with the use of a short narrative. Explain their impact within a few lines. Explain their mitigation. Explain the exposure and what has happened to similar companies/organisations, companies that contain elements that have similarity to your business units. Please do not simply use a bulleted list without explanations as you will not receive any marks.

Task 4

Based upon your research, and with reference to what has been studied in this module, draw up appropriate risk assessment matrices that will allow you to assess the risk relating to the business unit’s assets.

• From the threats studied in the previous task, identify five threats that pose the highest risk. Conduct risk assessment and present appropriate risk treatment strategies.

Students in previous years have covered this within four to eight pages. The most common representation was the threat, followed by a description, followed by an example of how it will affect the business, impact and mitigation/suggested fix.

Task 5

Your business unit decides to embrace working from home. Think how this will impact the existing risk analysis and risk treatment strategy you have proposed above.

• Identify threats associated with this new technology and the risk assessment levels they represent
• Identify appropriate risk treatment strategies for this new technology and identify changes that may need to be incorporated into the original risk treatment plan.