SELECTED PROJECTS

ISO27001 ASSESSMENT & OPTIMIZATION

Clients

Trusted Client


Categories

Security Optimization, Bank/Finance


Completed

May 30, 2005


Project Budget

$150,000


Project length

5 months

Project Details

BACKGROUND


An organization within the FMI (financial monetary institutes) industry needed an overview of its governance across the entity, including the potential for security process optimization. The foundation Control IT Security was defined as the process for providing security protection of the logical and physical inventory and assets associated with the delivery of IT services. It involved the definition of security strategies, policies and procedures; managing their implementation through operational processes; and risk identification, evaluation, monitoring and control of compliance status.


The goal of the Control IT Security process project was to implement the processes necessary to meet external security requirements (Information Security Controls Definition, including risk identification and assessment of contractual and legal requirements) as well as the internal security requirements necessary to assure service continuity.


There was also an urgent need to replace outdated systems and update processes and procedures, aligning the business need for an information security standard with ISO27001 in order to prepare the IT department to become ISO certified.

CHALLENGE

The organization had an established information security policy but lacked a formal information security management system (ISMS). The project was created to analyse the need for improvements and create a road map for implementation.


Each of the service providers, business partners and vendors that provided IT services to the organization was evaluated for the level of confidentiality, integrity and availability (or continuity) required, resulting in the client's Service Level Requirements for security. The client's Service Level Requirements provide the primary input into the Control IT Security process, and the implementation and monitoring of security provides the reporting information needed to ensure that the Service Level Requirements were fulfilled.



ISO Security Process and Framework Optimization

Do you need similar expert help?


Contact Fogel Consulting through the contact form to receive further information and the opportunity to present your own case and business needs.

SOLUTION


In order to properly document an organization's information security management system (ISMS), the ISO/IEC 27001 standard requires that, for certification, management must:


  • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;


  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and


  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.


The target goal for the organization was to reach a maturity level that enabled it to proceed to seek certification as compliant with ISO/IEC 27001, covering:


  • A.5 Security Policy
  • A.6 Organisation of Information Security
  • A.7 Asset Management
  • A.8 Human Resources
  • A.9 Physical and environmental security
  • A.10 Communications and operations management
  • A.11 Access Control
  • A.12 Information systems acquisition, development and maintenance
  • A.13 Information security incident management
  • A.14 Business continuity management
  • A.15 Compliance

RESULT


- A Control IT Security Policies & Procedures Overview process document was successfully implemented and handed over to Steady State, including training material and a go-live announcement that together improved IT Security Controls for the account's steady-state operation.


- The project also performed:

- Established the ISMS policy, the ISMS objectives, and the processes and procedures related to risk management and the improvement of information security, to deliver results in line with the organization's global policies and objectives.

- Implemented the go-live and operational activities of the ISMS by implementing and exercising (testing) the ISMS policy, controls, processes and procedures.

- Checked, monitored and reviewed the ISMS by assessing and measuring the performance of the processes against the policy, objectives and practical experience, and reported the results to management for review.

- Maintained and improved the ISMS by undertaking corrective and preventive actions on the basis of the results of the ISMS internal audit and management review, or other relevant information, in order to continually improve the system.