  • Universities of Applied Sciences
  • Haaga-Helia University of Applied Sciences
  • Theses (Open collection)

Helsinki Shipyard: laying the foundation for ISO/IEC 27001

Germundson, Erin (2023)

 
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2023120133447
Abstract
The ISO/IEC 27001 standard on information security is quickly becoming an unofficial “must have” for organisations. As a sizeable company with an international client list, Helsinki Shipyard elected to adopt the standard for itself as a strategic business decision.

This thesis was commissioned by Helsinki Shipyard as the initial legwork for incorporating ISO/IEC 27001 into its corporate environment. The project was divided into three major phases to reach the main objective: the completion of the building blocks for an ISO/IEC 27001-compliant Information Security Management System (ISMS).

The phases mentioned above were planning, research and analysis, and creation of deliverables. Planning defined the scope, resources, and schedule of the project; research and analysis shed light on the corporate landscape and the requirements of the standard; and creation of deliverables saw the making of a risk assessment (complete with treatment plan), Statement of Applicability (SOA), and responses to the mandatory clauses 4 through 10. The work itself was predicated on agile methodology.
The scope of the work was defined by its inclusions and exclusions. The inclusions were agreed to be the undertaking of a risk assessment, the aforementioned deliverables (SOA, clauses), and document review. Exclusions were certification, training of personnel, the writing of new policies (but a need for them could be highlighted), and long-term maintenance plans.

Qualitative data was used extensively throughout the project, mainly through interviews with upper/executive management and a company-wide survey. The risk assessment especially relied on this information for creating risk scenarios and determining how best to mitigate them.
Basic research was also undertaken to broaden the author’s understanding of the modern information security landscape and principles, along with the ISO/IEC 27001 standard and its implementation.