Certified ISO 27001 LEAD AUDITOR CASE STUDY

 

Company History
ABC Technologies is the new name of ABC Printing. Paul EVANS (President)
and Sally McCARTY (Executive Vice-President) created ABC Printing in 2001 at
the end of their university studies. The Yorkshire company grew rapidly: it had
253 employees in 2009 when Mr. Evans and Ms. McCarty decided to diversify
into computer graphics. This activity, then emerging with the development of
information technologies, was backed by both senior executives, who saw in it a
way to balance their traditional business with what they considered the future of
the printing industry.
These longtime friends are enthusiasts of new technologies and have always
believed that the information technology sector had great growth potential.
Conscious of the importance of information, and of the organizational needs that
result from it, Paul and Sally seized the opportunity offered to them in 2009:
A&B Technologies, which developed and marketed Customer Relationship
Management (CRM) software and was located about a hundred metres from their
premises, went bankrupt for lack of cash. Judging the firm fundamentally sound,
and with their printing and computer graphics activities generating cash
surpluses, they decided to buy out A&B Technologies. ABC Printing was then
renamed ABC Technologies to present an image more in line with its new field of
activity. The merger of ABC Printing and A&B Technologies produced a company
of 567 employees, distributed as follows: 556 employees in the printing and
computer graphics division, and 11 employees in the CRM division.

ISO 27001 ISMS COS7030-B CASE STUDY
This case study has been developed from the original by PECB (PECB Copyright © 2011. All Rights
Reserved)
The software developed by A&B Technologies facilitates the acquisition of
information, including customer data entry (name, telephone number, availability,
recreation, etc.). It allows a company to store, control and modify information,
plan tasks, annotate notifications as well as several other functions. Three
products are distributed: ABC Supreme (£3,995), ABC Pro (£495) and ABC
(£295).
ABC Technologies’ head office is located in Bradford. This location combines
the printing, computer graphics and software development activities.
Following the growth of the company, another office was opened in Leeds in
2012. Paul Evans decided to take charge of the Leeds office, where sales and
services are managed. Since these involve a strong need for managing customer
relations, he was the best candidate for the job thanks to his communication and
negotiation skills.
Sally McCarty stayed in Bradford to manage software development and IT
services because of her technical competencies.
To finance the growth of the company, ABC Technologies concluded an
investment agreement of over 2 million dollars with a capital investment fund.
With this agreement, investors insisted that ABC restructure the company
governance by having a formal Board of Directors and hiring an experienced
CEO. Sabina Senat was hired as CEO to manage all the firm’s activities. Known
for her outspokenness and her direct actions, Mrs. Senat was involved in the
restructuring of several start-ups.
Since the takeover of A&B Technologies, business has been booming. The
software activity has achieved substantial sales through various distribution
channels, including direct sales, indirect sales (partnerships) and, more recently,
web sales. Unfortunately, the growth of the software activity has produced
serious management, organizational and operational problems, including the loss
of important information, the loss of several contracts and, more importantly, a
loss of confidence among some customers. In addition, the number of new
competitors and similar products on the market has increased rapidly and has
started to slow the growth of the company's software activity.

In light of these developments and to regain the confidence of their
customers, Sabina Senat, Paul Evans and Sally McCarty decided to implement
the ISO/IEC 27001 standard and to get certified.
I. EDP Facilities
A. The Head Office (Bradford)
All employees who need them have desktop computers, connected through a
network and running the Windows XP™ operating system. The network is
connected to a central file server. This server, running Microsoft server software,
is used to store all relevant information, such as orders sent by email in PDF
format from the Leeds office, financial and accounting records, production
records, personnel data, and product design information.
B. The Sales Office (Leeds)
The Leeds office has the same configuration as the head office. Personnel use
desktop computers running Windows XP™. The network is likewise connected to
a central server running Microsoft server software. This server is used to store
customer data, customer orders, digitised partnership contracts and the website.
The sales team is concentrated in this sales office under the supervision of
Owen ROGER. All orders are transferred by email or fax to Paul EVANS, who
liaises with Sally McCARTY for deliveries.
C. The IT Network

The head office system and IT network are managed by William Clay, IT
manager, Peter Ly, network supervisor, and Fred Jones, helpdesk supervisor.
Billy Davis, the sales office helpdesk technician, manages that office's network
and helpdesk and writes a monthly report to Fred Jones, as the helpdesk
technicians at the head office do.
II. Recent Facts and Events
1. After the arrival of the new CEO, Mrs. Senat, the following employees
were fired:
• Peter Campbell, previous CEO
• Ian Kovalev, Accounting VP
• Katie Harper, Marketing Assistant
2. The Bradford office alarm system does not work and the company who
installed it went bankrupt two months ago.
3. Julia Robinson, the website designer, was sick for one month.
4. Eric Lewis was informed by a customer that Steven Baker and Ian Kovalev
were hired by their competitor, BearClan.
5. The information on customers (names, addresses, and credit card
numbers) is kept in a database, with no additional control.
6. Only the important incidents related to the network are documented in an
Access file and discussed during the IT team’s weekly meeting.
7. A formal description of the employees’ roles and responsibilities exists but,
in reality, several employees hold other jobs. Management wants to favour
teamwork and increase their multi-skilling.

8. ABC has bought a list of 500,000 emails of potential customers from a
company located in the Bahamas to launch an Internet advertising
campaign.
9. The webmaster that developed the Corporate Website for ABC carries out
the site’s updates and releases.
III. Implementation of the ISMS
To prove ABC Technologies’ competence in information security and gain
greater confidence from its customers, you have been employed as a consultant
by Sally McCarty to implement the ISO/IEC 27001 prerequisites to obtain
certification.
The implementation of ISO/IEC 27001 is done by creating an ISMS. You must
firstly formally define and clarify the scope of the ISMS, however, with this in
mind, it has already been decided that only ABC Technologies’ software activity
would be included in the ISMS. During a meeting with Sabina Senat and the
persons in charge of the software activity, it was estimated that the information to
protect was:

• the product development plan (design, development costs, source
code, etc.),
• the marketing plans (the company’s development strategy),
• the human resources data,
• the customer database,
• the financial and accounting data,
• all contracts (partnerships, employees, contractors).
The information assets considered to be the most important are the product
source code, and the company financial data.
To account for the external threats, the managers have extended the ISMS
scope by incorporating SoftProd, a database which contains information on
ABC’s products, and the companies in charge of maintenance on both sites. You
must take into account that each employee can connect to the network from
anywhere, through an Internet connection, using their own login and password
thanks to a VPN.
Following the clarification of the ISMS scope, you should create:
1. A scoping document
2. A Risk Assessment
3. A Statement of Applicability
4. A master list of all documents you think would constitute a complete
ISMS for ABC

5. A new policy for network use, more specifically for remote access
6. You should then create three further documents of your choice to show
you understand the steps needed to implement your complete ISMS.
7. Key to this assessment is the reflective narrative related to academic
literature around the development of your ISMS. You can structure this
such that you reflect on each stage or that you have a reflective piece that
encompasses all you have developed.
Looking at the Plan-Do-Check-Act cycle, you must decide the appropriate
order in which to carry out the tasks. However, you must make sure you clarify
ABC's attitude to risk and therefore establish the risk treatment plan (transfer,
avoidance, acceptance or reduction) as early as possible. The ISMS policy has
already been developed and is reproduced below to clarify the objectives.
IV. Organization Chart
Positions shown on the chart (the graphical hierarchy was lost in extraction; names and titles are as printed):

CEO: Sabina Senat
President: Paul Evans (Bradford)
Vice-President: Sally McCarty (Leeds)
IT Supervisor: William Clay
Secretary/Receptionist (unnamed)
Sales Supervisor: Chris Roger
Sales Persons: Maria Alves, Mathieu Martin and Kim Luong
Customer Service Supervisor: Eric Lewis
Agents: Alison Parker, Lucas Morris &
Marketing Supervisor: John Rodick
Web Designer: Julia Robinson
Support Technician: Billy Davis
Secretary/Receptionist: Andrea Stevenson
Manager, Software Development: Sam Gold
Analyst: Debby Martinez
Supervisor, Information Security: Alan Brown
Quality Control Analyst: Paul Lee
Programmer: Mick Harris
Network Supervisor: Peter Ly
Network Technicians: Richard Feringa, Patrick O'Grady
Supervisor, IT Support: Fred Jones
Support Technicians: Francis Smith, Reese Taylor, Malcom Porter
Computer Graphics Manager: James George
Computer Graphics Team
Printing Manager: Tony Roch
Printing Team
HR Manager: Jack Johns
Financial Manager: Maria Garcia
Assistant (unnamed)
Assistant (unnamed)
Legal Advisor and Supervisor for Customer and Supplier Accounts: Thomas Smith
Payroll Supervisor: Jennifer Gordon
Customer Account Assistant (unnamed)
Supplier Account Assistant: Patricia Ducan
Admin

Team legend on the original chart: Software activity team (CRM), IT team, Computer graphic team, Printing team.
V. ISMS Policy
• Statement
– The purpose of this policy is to define the policy of the Information Security
Management System for ABC Technologies.
• Definitions
– Information Security Management System (ISMS): the part of the overall
management system, based on a business risk approach, that establishes,
implements, operates, monitors, reviews, maintains and improves
information security.

– Information Security is the protection of information from a range of threats in
order to ensure business continuity, minimise business risk, and maximise
return on investment and business opportunities.
• Scope and Application
– The current policy applies to all Users. The use of Information Assets by a
User constitutes in itself an implied acceptance of the policy.
– It is up to the Support Department Manager, in cooperation with ABC
Technologies Management, to ensure the respect of this policy and to take
the necessary measures to apply it.
• Objectives
– Clarify the organization’s security strategy.
– Ensure that the appropriate information and critical actions are protected from
threats.
– Ensure that, in case of system error or any other threat, all the appropriate
information and critical assets maintain a satisfactory level of confidentiality,
integrity and availability, as determined by management.
– Ensure that, in case of error, disaster or any other problem that can threaten
ABC Technologies, ABC’s commercial operations continue to operate with a
minimum degree of obstruction.
– Create a security culture involving employees.
• Policy

– The policy must be approved by management.
– All the critical information of ABC Technologies, which includes: the data
stored on computers, the information transmitted over the networks, printed or
written on paper, sent by fax, stored on cassettes or diskettes, or transmitted
verbally in conversations or over the telephone must be protected from any
threat whether it be internal or external, deliberate or accidental.
– Any authorization for access to information given to a person must be defined
and approved by the person's supervisor.
– Vital information and services must be available to authorized users when
and where they need them, with the lowest level of interruption possible.
– Information integrity must be maintained, and its accuracy and completeness
ensured, to protect it against unauthorized changes and access.
– Information confidentiality must be ensured. The data in human or electronic
communications must be protected so that valuable or sensitive information
is protected against unauthorized disclosure or interruption. The organization
must conform to all IT-sector regulatory and legal requirements to avoid any
fines or financial costs caused by non-conformity with the law.
– A management framework of business continuity must be provided using a
business continuity plan to counter business activity interruptions and to
protect the critical business processes in case of disaster. The business
continuity plan must be maintained, tested and reviewed to be efficient in
case of an event that can cause damages to ABC Technologies.

– ABC Technologies must train its employees in information security by putting
in place a continuous awareness programme on the importance of information
security and requiring participation in the necessary training.
– Real or suspected security breaches must be evaluated and reported to the
competent authorities.
– Adequate access control must be put in place and the information must be
protected against unauthorized accesses.
– To support the ISMS, all policies, procedures and guidelines must be
available in print or electronic version to all authorized persons by means of
an internal network system (intranet).
– All supervisors are responsible for implementing the ISMS in their
Department.
– All personnel have the responsibility to adhere to the ISMS policy.
– In case of an information security problem, the situation must be handled
using ABC’s risk management framework.
Document control
Title: ISMS Policy
No: MTR-POL
Revision Date: January 2015
Number of pages: 4
Issued by: Alan
Division: ABC Technologies
Approved by: Paul Evans