Week-11 Lab: Designing a Simple ISMS with ISO/IEC 27001 & 27002

Overview

In this lab you will apply the ISO/IEC 27000 family, in particular ISO/IEC 27001 and 27002, to a realistic organisation. You will define ISMS context and scope, choose and justify controls, and map activities to the PDCA cycle.

Total time: 2 hours
Format: Group work (3-4 students per group)

You may reuse the same scenario you chose for the NIST CSF lab or select a new one.

Learning Outcomes

By the end of this lab, you will be able to:

• Describe the context, interested parties, and scope of an ISMS (Clause 4).
• Explain key requirements from Clauses 5-10 of ISO/IEC 27001 in practical terms.
• Draft a simple Statement of Applicability (SoA) and justify control selection.
• Map ISMS activities to the Plan-Do-Check-Act (PDCA) cycle.
• Tag example controls using ISO/IEC 27002-style attributes.

Resources

• Public summaries of ISO/IEC 27001 and ISO/IEC 27002 clauses and ISMS principles
• ISO 27001: INFORMATION SECURITY IMPLEMENTATION GUIDE
• Summary of ISO/IEC 27001 ISMS Requirements
• Summary of ISO 27002 Controls

(Full ISO standards are paywalled; YOU do not need the full text.)

Group Instructions

• Form groups of 3-4 students.
• Choose one scenario (you can reuse your NIST scenario).
• Complete Tasks 1-3.
• Produce a short written summary (1-2 pages).
• Be ready to present your work in 2-3 minutes.

Scenario Options (Choose One)

You can use the same scenario as the previous NIST lab or pick a new one.

Scenario A - Small Private Clinic (Healthcare)

A private clinic manages electronic health records hosted by a cloud provider. Staff use laptops, desktops, and mobile devices. Backups occur weekly but have never been tested. A recent phishing attempt targeted the team.

Key details:

• Sensitive patient data stored in a cloud EHR
• Medical images stored with a third-party provider
• No dedicated security team
• Outdated and inconsistently followed policies
• No formal incident response plan
• No asset inventory
• Weekly backups never tested

Scenario B - Retail Shop with E-commerce

A retail business has a physical store and an online shop. Customer details are stored in a MySQL database managed by a freelancer. Staff use a mix of personal and work devices.

Key details:

• Customer personal data stored locally
• Payment processed by third-party provider
• No centralised monitoring
• High staff turnover; accounts not disabled quickly
• Website not tested for vulnerabilities
• Weak password hygiene

Scenario C - University Department (Education / Research)

A computing department manages student records, lab servers, and research data. Backups are irregular and systems vary widely in configuration.

Key details:

• Multiple systems: VLE, shared drives, lab servers
• Inconsistent patching
• Frequent phishing attempts
• External collaborators need access
• Outdated software used for teaching
• Incident reporting inconsistent

Scenario D - Local Government Services (Public Sector)

A council runs online services including payments and permit applications. Systems are a mix of cloud and legacy solutions.

Key details:

• Citizen data including ID documents
• Legacy applications behind VPN
• Poor supply chain governance
• Limited incident response capacity
• Logging exists but not analysed
• Data sometimes stored on USB drives

Scenario E - SaaS Start-up (Cloud-Native)

A small SaaS provider hosts a cloud application using AWS. Deployments occur several times a week and monitoring alerts are often ignored due to noise.

Key details:

• Uses AWS ECS, S3, Lambda
• MFA enabled but contractors share accounts
• No formal risk management framework
• Noisy monitoring system
• Third-party APIs for authentication and payments
• Automated backups never tested

Task 1 - ISMS Context, Interested Parties, and Scope (Clause 4)

1.1 Identify Internal and External Issues

List at least three internal and three external issues.

1.2 Identify Interested Parties and Their Needs

List at least five interested parties and what they expect from information security.

1.3 Define the Scope of the ISMS

Write a short paragraph (5-7 lines) defining the scope of the ISMS.
Your description should include:

• The organisational units covered
• Key information assets protected
• The locations, systems, or processes included
• Any exclusions (and why they are excluded)

Example guidance:
If the organisation uses a cloud system for records, the scope may include clinical operations, IT infrastructure, cloud services, and staff processes. Exclusions might be personal devices if they are not used for work purposes.

Task 2 - Selecting Controls and Drafting a Mini SoA

Choose and justify controls similar to those found in Annex A and create a short Statement of Applicability (SoA).

2.1 Control Categories (choose at least 5)

1. Access control and identity management
2. Backup and recovery
3. Logging and monitoring
4. Physical and environmental security
5. Supplier and third-party management
6. Information security awareness and training
7. Incident detection and response
8. Cryptography and key management

2.2 Mini Statement of Applicability (SoA)

Choose from the categories above and justify whether each control is included, and how it might be implemented.

Note: Your answers should be aligned with the organisation or scenario used in Task 1.

Task 3 - PDCA Cycle and Control Attributes

3.1 Map activities to the PDCA cycle

Add at least one activity to each phase. One example is provided.

3.2 Add ISO/IEC 27002-style Attributes to Three Controls

Use attributes such as:

• Control type: Preventive, Detective, Corrective
• CIA properties: Confidentiality, Integrity, Availability
• Cybersecurity concept: Identify, Protect, Detect, Respond, Recover
• Data states (optional): Storage, Transit, Processing

One example is provided for guidance.

Final Group Output

Each group produces mini presetation 3-5 mins including:

• Your ISMS scope
• Key selected controls and reasons
• One improvement example using the PDCA cycle

Best,

Ali.