Enhancing ISO 27001:2022 Implementation Through Project Management
Nurmi, Pessi (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2024060521226
Abstract
The organisation where this thesis project was conducted had the objective of obtaining IEC/ISO 27001 certification, published by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). The certification was to be acquired for the entire organisation, in accordance with the 2022 version of the standard. The initial situation was that only a portion of the organisation was ISO 27001:2013-certified.
A project was initiated with the objective of aligning the certified part and the company's Information Security Management System (ISMS) with the new IEC/ISO 27001:2022 version. This was followed by the extension of the project to cover the entire organisation and all its main sites in different countries.
This thesis examines the project from a project management perspective, referencing common project management models and theories, and aligns it with the project process.
The completed project is analysed in stages, using common project management models. This information is then used to formulate a hypothesis, which is compared to the hypotheses of common project management models in order to draw conclusions about the differences in how the project was managed and whether there are any lessons to be learned from this.
The study revealed that the project could have been managed more effectively if the scope of ISO 27001 had been more closely aligned with the information resources of the areas to be extended at the initial stages of the project. This would have facilitated more efficient execution of the project, making it easier to allocate the requisite resources in terms of human capital as well as financial and temporal resources.
The thesis's central argument was that an understanding of the impact of project phases on a large and fast-moving change process was essential. The thesis delineates the challenges and achievements of the process.