Information Security Management Systems (ISMS): Implementation and ISO 27001 Certification, Assignments of Information Systems

A Unilever project on its information security management systems

Typology: Assignments

2020/2021

Uploaded on 07/16/2021

Daamu 🇰🇪

UPGRADING OF UNILEVER'S INFORMATION AND SECURITY SYSTEMS.

Submitted by: Andrew Munga
Supervised by: Mr Kibe
May 20th 2021

Scenario

Unilever Kenya Limited (UKL) is part of one of the world's leading consumer goods companies, making and selling around 400 brands in more than 190 countries. Every day, 2.5 billion people use its products to look good, feel good and get more out of life. That is about a third of the global population choosing from iconic household names such as Sunlight, Rexona, Dove, Fair and Lovely, Royco, Radiant and Lifebuoy. Unilever owns thirteen of the world's top 50 brands. Unilever is committed to making sustainable living commonplace, and our logo is a visual expression of that commitment: each icon has a rich meaning at its core and represents some aspect of our effort to make sustainable living commonplace. Closer to home, our purpose is to take the lead in creating a brighter future for every community in East Africa. Everything we do is rooted in this purpose, because purpose and performance go hand in hand. We believe that companies with purpose last, brands with purpose grow and people with purpose thrive.

Vision

To make sustainable living commonplace. We believe this is the best long-term way for our business to grow. This vision statement puts the emphasis on sustainability, especially among consumers.

Mission

To add vitality to life: we meet everyday needs for nutrition, hygiene and personal care with brands that help people feel good, look good and get more out of life.

What is an ISMS?

An Information Security Management System is a comprehensive, practical system that helps an organization manage the security of its information.

Why is an ISMS important?

The primary goal of the ISMS is to ensure that all personnel involved with the use and management of the organization's information assets understand the information security policy, standards, procedures and other requirements to an acceptable level. This document has been developed to facilitate the creation and maintenance of a comprehensive information security awareness programme and an information security training and education programme. To achieve ISO 27001 compliance or certification, you need a fully functioning ISMS that meets the standard's requirements.

Secure your information in all its forms: An ISMS helps protect all forms of information, whether digital, paper-based or in the cloud.

Increase your attack resilience: Implementing and maintaining an ISMS increases your organization's resilience to cyber-attacks, because controls are selected from an assessment of the organization's actual risks rather than added ad hoc.

Manage all your information in one place: An ISMS provides a central framework for keeping your organization's information safe and managing it all in one place.

Respond to evolving security threats: By constantly adapting to changes both in the environment and inside the organization, an ISMS reduces the threat posed by continually evolving risks.

Reduce costs associated with information security: Thanks to the risk assessment and analysis approach of an ISMS, organizations can reduce the money spent on indiscriminately adding layers of defensive technology that might not work.

Protect the confidentiality, integrity and availability of your data: An ISMS offers a set of policies, procedures, and technical and physical controls to protect the confidentiality, integrity and availability of your information.

Improve company culture: An ISMS's holistic approach covers the whole organization, not just IT. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices. (Unknown)

KEY PRINCIPLES OF AN ISMS

There are three key principles of an ISMS.

Confidentiality

Information is available only to authorized parties and must not be disclosed to anyone else, because of the nature of the content: if the information gets out, it will have an undesirable effect. Examples of confidentiality controls include user IDs and passwords (authentication), access control lists that restrict who may read a record, and encryption of data at rest and in transit. These protect sensitive information from the public and from competitors. Various

increasing the efficiency in the organization. Integrity will also help Unilever stay out of legal trouble and avoid scandals, which in turn builds a good reputation; that builds customer loyalty, retains existing customers and generates word-of-mouth advertising that brings in more customers, thus increasing earning potential.

Availability

Information should be accessible when it is needed, because information that authorized users cannot reach when they need it is of no use to them (Qgcio.qld.gov.au, 2019). Information systems have made it possible for businesses to be open 24/7 around the world, making information available at any time. Unilever depends heavily on ICT, so information must be available at all times for its systems to run smoothly, because that information drives several aspects of the company's operations. Typical availability controls are redundant systems, regularly tested backups and business continuity plans.

The key benefits of implementing an ISMS

Secures your information in all its forms: An ISMS helps protect all forms of information, including digital and paper-based records, intellectual property, company secrets, data on devices and in the cloud, hard copies and personal information.

Improves company culture: The Standard's holistic approach covers the whole organization, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.

Provides a centrally managed framework: An ISMS provides a framework for keeping your organization's information safe and managing it all in one place.

Offers organization-wide protection: It protects your entire organization from technology-based risks and from other, more common threats such as poorly informed staff or ineffective procedures.

Helps respond to evolving security threats: By constantly adapting to changes both in the environment and inside the organization, an ISMS reduces the threat posed by continually evolving risks.

Reduces costs associated with information security: Thanks to the risk assessment and analysis approach of an ISMS, organizations can reduce the money spent on indiscriminately adding layers of defensive technology that might not work. (IT Governance, 2020)

An Information Security Management System, or ISMS, does exactly what it says: it is a comprehensive, practical system that helps you manage the security of your organization's information.

meet constant new infosec challenges. And it quickly picks up and corrects any of its own glitches or errors.

Maintenance of a good ISMS

Operate the ISMS. First of all, make sure you perform all the activities described in your policies and procedures, comply with all the requirements in all of your documents, and produce the real records that prove it.

Update the documentation. Circumstances in your company will change: you will create new products, purchase new software, reorganize, and so on. This means you will have to update your policies and procedures or they will become useless. Best practice is to nominate an owner for each document; that person reviews his or her document periodically (usually once a year) and recommends changes.

Review the risk assessment. Again, because circumstances change, the threats and vulnerabilities will change, meaning your risks will change; and if your risks have changed, your existing controls may no longer be enough. This is why you should send the results of the last risk assessment to the risk owners so that they can review and update them; once this is done, you have to implement new controls based on those results.

Monitor and measure the ISMS. Keep an eye on security-related events such as incidents, errors and exceptions. Based on this information you can learn what to do better and how to prevent future incidents from happening.

Perform internal audits. An internal audit can reveal more security weaknesses than most of the other activities together. To achieve this, either train some of your employees to do this job or hire an external auditor.

Perform management review. This is a crucial activity, since it actively involves your top management in information security. Inform them about the key issues related to your ISMS and ask them to make the crucial decisions: changes in the organization, providing the budget, removing obstacles, etc.

Perform corrective actions. Corrective actions are something you perform regularly; most probably you are already making improvements to what you are doing. The ISMS asks you to record each nonconformity, its cause and the action taken, so that the same problem does not recur.

Implementation of an effective ISMS in an organization

1. Create a project mandate

The implementation project begins by appointing a project leader, who works with other members of staff to create a project mandate. This is essentially a set of answers to these questions:
- What are we hoping to achieve?
- How long will it take?

Organizations should identify their core security needs: the requirements, and the corresponding measures or controls, that are necessary to conduct business.

6. Develop a risk management process and countermeasures

Organizations are expected to define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios. Whichever method is chosen, the process should cover:
- Establishing a risk assessment framework
- Identifying risks
- Analysing risks
- Evaluating risks
- Selecting risk management options

Then you must build the security controls that will protect your organization's information assets. To ensure these controls are effective, check that staff are able to operate or interact with them and that they are aware of their information security obligations.

7. Monitor and review the results

For an ISMS to be useful, it must meet its information security objectives. Organizations need to measure, monitor and review the system's performance.

8. Achieve certification

Once the ISMS is in place, organizations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organization understands the importance of information security. The certification process involves a review of the organization's management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice.

The steps above will help an organization implement and achieve an effective ISMS.

For any information security awareness and training program to be successful, detailed planning is essential. The planning of awareness and training programs must consider the whole life cycle, from the beginning of the process to completion. The following seven steps may serve as a starting point in the development of the program:

1. The program's scope, goals and objectives need to be identified;
2. The trainers need to be selected;
3. The target audiences within the organization need to be selected;
4. Motivational goals for all members of Unilever are defined;
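The risk management process in step 6 above (establish a framework, identify, analyse, evaluate, select a treatment option), carried through as an added worked example in Python. This is not code from the original assignment: the 5x5 likelihood/impact scale, the acceptance criterion, the control reductions and the sample risk register are all assumptions chosen for illustration, not Unilever data.

```python
"""ISMS risk register: identify, analyse, evaluate and choose a treatment.

Added illustration of the risk management process in step 6. It is not code
from the original assignment. The 5x5 scale, the acceptance criterion
(score <= 6), the control reductions and the sample risks are all
assumptions made for this example, not Unilever data.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)        # likelihood and impact are each rated 1 (very low) .. 5 (very high)
ACCEPTABLE_SCORE = 6       # assumed risk acceptance criterion signed off by management
TREATMENT_OPTIONS = {"modify", "avoid", "share", "retain"}   # option names used in ISO 27005


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # scale points the control takes off likelihood
    impact_reduction: int = 0       # scale points the control takes off impact


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str
    treatment: str
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Framework step: reject entries that do not use the agreed scale or option names
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be rated 1..5")
        if self.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"{self.asset}: unknown treatment option {self.treatment!r}")


def score(likelihood, impact):
    """Analyse: risk score is likelihood x impact on the 5x5 matrix (1..25)."""
    return likelihood * impact


def rating(risk_score):
    """Evaluate: map a score to the qualitative band used in the register."""
    if risk_score <= ACCEPTABLE_SCORE:
        return "low"
    if risk_score <= 12:
        return "medium"
    if risk_score <= 19:
        return "high"
    return "critical"


def residual(risk):
    """Apply the planned controls; a rating never drops below 1."""
    lik = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return lik, imp


def evaluate(risk):
    """Compare residual risk with the acceptance criterion and sanity-check the treatment."""
    inherent = score(risk.likelihood, risk.impact)
    res = score(*residual(risk))
    acceptable = res <= ACCEPTABLE_SCORE
    findings = []
    if risk.treatment == "retain" and not acceptable:
        findings.append("retained above the acceptance criterion: needs documented management approval")
    if risk.treatment == "modify" and not risk.controls:
        findings.append("treatment is 'modify' but no controls are planned")
    if risk.treatment == "modify" and risk.controls and not acceptable:
        findings.append("planned controls still leave residual risk above the criterion")
    return {"asset": risk.asset, "owner": risk.owner, "inherent": inherent,
            "residual": res, "rating": rating(res), "acceptable": acceptable,
            "findings": findings}


def review(register):
    """Evaluate every risk, highest residual risk first, for the risk-owner review."""
    return sorted((evaluate(r) for r in register), key=lambda e: -e["residual"])


# Constructed sample register (an assumption for the example, not real Unilever data)
SAMPLE_REGISTER = [
    Risk("ERP database", "ransomware delivered by phishing", 4, 5, "IT manager", "modify",
         [Control("offline backups with tested restores", impact_reduction=3),
          Control("security awareness training", likelihood_reduction=1)]),
    Risk("HR paper files", "unauthorised reading in an open office", 3, 3, "HR manager", "modify",
         [Control("locked cabinets", likelihood_reduction=2)]),
    Risk("Marketing website", "defacement", 2, 2, "Communications lead", "retain"),
    Risk("Legacy lab PC", "unsupported operating system exploited", 5, 4, "Plant manager", "retain"),
]

if __name__ == "__main__":
    for e in review(SAMPLE_REGISTER):
        flag = "OK" if e["acceptable"] else "ACTION"
        print(f"{e['asset']:<18} inherent={e['inherent']:>2} residual={e['residual']:>2} "
              f"{e['rating']:<8} {flag} {'; '.join(e['findings'])}")
```

The part worth noticing is the findings list: a risk that is simply retained while its residual score sits above the criterion, or a "modify" decision with no controls behind it, is exactly what an internal audit or the certification body's site audit would challenge, so the register flags it before the management review rather than after.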

establishing and maintaining an ISMS.

PLAN

Context of the organization: Understanding the organization and its context as well as the needs and expectations of interested parties, and determining the scope of the ISMS.

Leadership: Leadership and commitment must be demonstrated by those in charge. An information security policy must be put in place, and roles and responsibilities assigned across all elements of the ISMS.

Planning: Actions to address risks and opportunities, the information security objectives, and how they will be met.

Support: The resources required to establish and operate an ISMS: competencies, awareness, communication and documented information.

DO

Operation: The process by which the ISMS is implemented. Operations have to be planned, then implemented and controlled. This involves managing risk and producing a risk treatment plan, which is vital and should be addressed at length.

CHECK

Performance evaluation: Evaluating the performance of the ISMS. This consists of monitoring, measuring, analysing and auditing the information security controls and the management system, so that appropriate improvements can be made where necessary.

ACT

Improvement: Follow up on the results of the audits and make continual improvements to the ISMS.

THE STEPS REQUIRED TO ESTABLISH AND MAINTAIN AN ISMS

Context of the organization

The consideration of internal issues (things over which the organization has some control) and external issues (things over which it has no direct control) that affect Unilever and its ability to achieve its intended security outcomes, while considering the requirements and expectations of interested parties. Some of the issues that will need to be considered include:

Information assets: information is stored in several places, both in hard copy and soft copy, so security measures for both must be established.

Systems: Unilever runs several software systems that need to be continuously monitored and protected.

Competition: the market we operate in is constantly evolving with new technological advances, which will require system upgrades in order to stay competitive.

Shareholders: whether shareholders are concerned about security breaches.

In addition, the needs and expectations of interested parties should be considered, and it must be determined which of them are relevant to Unilever's ISMS. These interested parties include shareholders, customers, competitors, suppliers, employees and the government.

The scope is important as it defines what information you want to protect. It also defines what will be in scope for the certification audit, should you choose to certify your ISMS against the ISO 27001 standard. There are numerous factors to consider when determining the scope of your ISMS, including but not limited to the context of your organization, the requirements of interested parties, the size of your organization, the locations it operates in, the budget available and any deadline for completion. The scope of the ISMS is the only mandatory documented information required by the "Context of the organization" clause (clause 4) of ISO 27001:2013.

Leadership

For Unilever to maintain its management system effectively, senior management must provide commitment and guidance. Senior management should be aware of the