we45 ISO 27001 Case Study
Contents
- Overview
- Pre-Engagement Scenario
- we45 Proposed Solution
- Post-Engagement Scenario
Overview
- As the only company offering products for extra high voltage data and power transmission, our client is strongly positioned in high-growth geographies and high-growth industries.
- Net Revenue: $500 Million
- Centralized IT Services: Firewall & Content Filtering Services, Google Apps, SAP, Cordys, HRMS
- Localized IT Services: Local File Server monitoring and maintenance, Backup and Restoration, and Generic IT Support (daily operations)
- No. of Locations: 9
- Overall IT Employee Strength: 50
- IT Employee Strength per Location: 5
Pre-Engagement Scenario (before we45)
- ISO 27001 was a critical requirement for the organization from a global market reach perspective.
- Non-standard IT operational procedures across the group.
- Low levels of awareness and understanding of Information Security and ISO 27001 requirements across the group and its departments.
- Non-availability of dedicated resources for the ISO 27001 implementation.
- Lack of in-house technical security competency.
- Streamlining the existing standard operating procedures was a challenge, as each of the 9 locations was following its own standard operating procedure.
- The existing Information Security Policies & Procedures (ISPP) were ineffective and lacked technical granularity.
we45 Proposed Solution
- Conducting a comprehensive workshop on ISO/IEC 27001:2005.
- Identifying an appropriate and effective scope for the ISO 27001 implementation.
- Conducting an IT Risk Assessment based on the OCTAVE methodology to identify critical assets, and drafting a Risk Mitigation Plan for the identified asset-risk values.
- Preparing a Statement of Applicability based on the agreed controls identified as applicable in the Risk Mitigation Plan.
- Amending the existing Information Security Policies & Procedures (ISPP) to align with the ISO 27001 mandates and ensuring that they map to the controls identified earlier.
- Technical Assessment (Vulnerability Assessment / Penetration Test) conducted for all 9 locations on sampled critical information assets and services.
- Implementing the controls suggested by ISO/IEC 27001:2005 and generating evidence.
- Comprehensive ISO/IEC 27001:2005-based (pre-certification) Internal Audit.
Implementation: Activity Chart

| Activities performed | No. of we45 Consultants | Effort (in Working Days) | Deliverables |
| --- | --- | --- | --- |
| 1. Understand Business Environment; 2. ISMS Scope Definition & Documentation; 3. Setting up of Security Steering Committee | 2 | 7 | 1. ISMS Scope Documentation; 2. Org.-specific high-level security policy statement |
| 1. Risk Assessment; 2. Technical VAPT; 3. Gap Analysis as per ISO/IEC 27001:2005 guidelines; 4. Asset Identification, Valuation & Classification; 5. SOA (Statement of Applicability) | 2 | 15 | 1. Risk Assessment Reports; 2. VAPT Reports; 3. Gap Analysis Report; 4. Asset Register; 5. SOA |
| Create / Review / Amend Policies & Procedures | 1 | 30 | ISO/IEC 27001:2005 Information Security Policy and Procedure deck |
| ISO/IEC 27001 Implementation Workshops | 1 | 15 | ISO/IEC 27001:2005 Awareness & Implementation Manual |
| ISO/IEC 27001:2005 Internal Audit and Preparation, Follow-up & Closure of CAPA | 1 | 7 | ISO/IEC 27001:2005 Internal Audit Plan & Report |
Post-Engagement Scenario
- Successful attainment of ISO 27001:2005 certification for all 9 locations in one go.
- A marked increase in awareness and knowledge of the Information Security Management System (ISMS) across the organization.
- Enhanced technical and operational knowledge of security best practices.
- A measurable and repeatable IT Operations process instilled across the organization at both the central and local entities.
- A sound Incident Management, Response and Learning system in place that captures and reports IT and non-IT security incidents, followed up by root cause analysis and preventive and corrective action mechanisms.
- The Sales and Marketing team is able to showcase the organization's mature and secure IT practices to its global partner and client network.
Thank You