Based on scenario 5. which committee should Operaze create to ensure the smooth running of the ISMS?

Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.

Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company’s departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.

Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.

Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze’s top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the

smooth running of the ISMS operations. In this situation, Operaze’s top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.

Based on scenario 5. which committee should Operaze create to ensure the smooth running of the ISMS?
A . Information security committee
B . Management committee
C . Operational committee

Answer: A

Explanation:

According to ISO/IEC 27001:2022, clause 5.1, the top management of an organization is responsible for ensuring the leadership and commitment for the ISMS. However, the top management may delegate some of its responsibilities to an information security committee, which is a group of people who oversee the ISMS and provide guidance and support for its implementation and operation. The information security committee may include representatives from different departments, functions, or levels of the organization, as well as external experts or consultants.

The information security committee may have various roles and responsibilities, such as:

Establishing the information security policy and objectives

Approving the risk assessment and risk treatment methodology and criteria

Reviewing and approving the risk assessment and risk treatment results and plans

Monitoring and evaluating the performance and effectiveness of the ISMS

Reviewing and approving the internal and external audit plans and reports

Initiating and approving corrective and preventive actions

Communicating and promoting the ISMS to all interested parties

Ensuring the alignment of the ISMS with the strategic direction and objectives of the organization

Ensuring the availability of resources and competencies for the ISMS Ensuring the continual improvement of the ISMS

Therefore, in scenario 5, Operaze should create an information security committee to ensure the smooth running of the ISMS, as this committee would provide the necessary leadership, guidance, and support for the ISMS implementation and operation.

Reference: ISO/IEC 27001:2022, clause 5.1; PECB ISO/IEC 27001 Lead Implementer Course, Module 4, slide 9.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments