
Using ISO 27001 in Teaching Information Security

Manar Abu Talib*, Adel Khelifi**, Tahsin Ugurlu***


*College of Information Technology, Zayed University, UAE
**Software Engineering Department, ALHOSN University, UAE
***University College, Majan College, Oman
manar.abutalib@zu.ac.ae, a.khelifi@alhosnu.ae

Abstract - Although the College of Information Technology (CIT) at Zayed University follows the ACM guidelines for Information Security curricula, its graduates are not able to fully meet employers' requirements. In this paper, we illustrate a new approach for teaching and engaging students in the context of a real experience related to the Information Security field using ISO 27001. Ten IT students at the college were supervised throughout their capstone projects, in which they investigated the use of ISO standards related to IT in the UAE. They expressed a great deal of satisfaction with their projects and created five case studies. Three of these are related to ISO 27001 implementation. In addition, three of the students were hired to work in this area after graduation. Our results reveal the importance of integrating international standards into the curricula of educational institutions.

Index Terms - Information Security, ISO 27001, capstone project.

I. INTRODUCTION

We live in an age in which our information is stored in many organizations which are responsible for handling information safely and securely, as well as for auditing its accuracy, confidentiality, and integrity. At the same time, universities are responsible for producing graduates who are able to understand and perform these Information Security tasks, and to maintain the information on an ongoing basis. Graduates are also required to meet the needs of industry when they are hired by these organizations. Numerous papers have been published and many workshops have been held on the various approaches to teaching Information Security. These studies vary from designing and teaching an Information Security curriculum [1, 2, 3, 4] to mapping Information Security curricula to professional accreditation standards [5] and using interactive teaching methods, practical exams, or a learning platform in Information Security courses [6, 7, 8]. We believe that our approach provides some insights into the importance of integrating international standards into curricula at educational institutions. Our case study involved the capstone projects of ten students from the College of Information Technology (CIT) at Zayed University. We show that these students learned about the procedures for implementing ISO 27001 and participated in hands-on activities involving this standard, which is one of the most widely used in the Information Security field.

The rest of this paper is organized as follows. Section 2 provides a brief overview of Zayed University and the IT majors it offers. Section 3 discusses the capstone project case study. The students' learning outcomes are discussed in detail and evaluated in section 4. Possible enhancements to Information Security courses are presented in section 5. Lastly, conclusion and future work are presented in section 6.

II. LITERATURE REVIEW

Zayed University

H. E. Sheikh Nahayan Mabarak Al Nahayan, president of and minister of Higher Education and Scientific Research, has said: "Zayed University shall become the leading university in the region, embodying the same rigorous standards and intellectual elements found in major universities throughout the world."

Zayed University was established in 1998, with campuses in Dubai and Abu Dhabi, and is educating more than 7,121 male and female students from 19 countries to be leaders who will provide the knowledge and abilities this nation will need to enjoy a future of security and progress. It offers an academic program that prepares talented, ambitious, and enthusiastic students for success in government, the arts, business, media, and IT, and to meet the challenges of a dynamic 21st century world [9].

The IT Curriculum at Zayed University

The CIT seeks to produce graduates recognized by business, government, and educational entities in the UAE, the Gulf region, and the rest of the world as having a sound, current, and comprehensive education in IT systems. The IT program is practical and competency-based, and designed to prepare students for entry-level positions as IT professionals [10].

Two majors are offered by the CIT: Enterprise Computing, and Security and Network Technologies. The first specialization prepares students to examine new, emerging technologies, and to develop leading edge information systems and their underlying architecture in order to achieve competitive advantage. The second specialization prepares students to protect and secure information systems from threats and attack. Students learn to apply IT in the design and deployment of computer networks and telecommunications.

The CIT also offers three joint majors: Information Systems and Technology Management (College of Business Sciences); Multimedia Design (College of Communications and Multimedia Sciences); and Technology and Education (College of Education).

ISO 27001

ISO 27001 is the most widely used standard and the most recognized structured methodology dedicated to information security [11, 12]. This standard focuses on the Information Security Management System (ISMS) to ensure integrity, availability, and confidentiality. Moreover, it is known as a management process that can be implemented to evaluate and maintain an Information Security Management

978-1-4673-2421-2/12/$31.00 2012 IEEE 3149


System [11, 12]. Most organizations around the world are applying this standard. It proves to have many advantages, such as reducing liability due to unimplemented or unenforced policies and procedures; measuring the success of the security controls; and improving the effectiveness of Information Security.

III. CAPSTONE PROJECT CASE STUDY

Interviews of alumni and presentations by students who have completed internships where they had to apply their Information Security knowledge revealed that there is a gap between what they learn in the Information Security courses and what they see in the real world. Although the CIT follows the ACM guidelines for Information Security curricula and will soon be granted ABET accreditation, ZU graduates are still not able to fully meet employers' requirements. In the academic year 2010-2011, the CIT engaged ten students in a new Information Security experience through their capstone projects. In addition to fulfilling the requirements of their capstone projects (for example, creating an IT application and a web application, and conducting surveys and interviews), they had the opportunity to learn about five case studies of the following organizations located in the UAE: the Emirates Authority for Standardization & Metrology (ESMA), the Abu Dhabi Systems & Information Centre (ADSIC), Injazat Data Systems, Abu Dhabi Gas Industries Ltd. (GASCO), and Nbiz Infosol. We know that from this experience the students fully understand ISO 27001 and how it can be implemented in different contexts: the ADSIC case study follows the ISO 27001 framework, and has been expanded using additional management processes; the Injazat case study integrates both the ISO 27001 and the ISO 20000 standards; the GASCO case study details the certification process for ISO 27001; and, finally, at Nbiz Infosol, ISO 27001 certification was obtained with the help of services in Information Security, audit and assurance, IS governance, training, and ISO standards implementation. The students also learned about the ESMA, the organization that can provide them with the latest information about changes to standards and regulations in the UAE and in the GCC region generally. The ESMA program focuses on developing and promoting the application of standards in UAE industries and their products. For example, with the existence of this authority, consumer confidence about produce offered in the local markets, which must conform to international standards of hygiene, is increased. These results point to the importance of integrating international standards into the curricula offered at educational institutions in the GCC. We are proud to say that three of the students were hired to work in this field upon graduation.

IV. EVALUATION AND RESULTS

With the very high number of security breaches that occur, following established IT standards could be one way to protect an organization's sensitive information and to audit its accuracy, confidentiality, and integrity. When we talk about information, we are referring to all forms of data, documents, messages, recordings, communications, conversations, and photographs. Such information includes digital data, and even emails, faxes, and telephone conversations. To the best of our knowledge, no complete study has been conducted on using the ISO standards in teaching Information Security [11, 12]. In this section, we expand on what the students at Zayed University learned using this new approach. In the following section, we show how we have enhanced the Information Security course offered by the CIT based on this experience.

A. ADSIC Learning Outcomes

The Government of Abu Dhabi began improving its services and delivering them electronically through its new program, E-Government, which can, however, expose sensitive information to risk and threats. Therefore, security tools are required and action must be taken to protect the information and make the program work smoothly and successfully. The students noted that this government is facing specific challenges, such as the following: information security is not consistently applied across government entities; systems are being developed without effective security controls; and Information Security is perceived as someone else's responsibility. These weaknesses can affect the availability, validity, and confidentiality of government information and services.

ADSIC has developed a strategic vision for the government, which is to ensure that high-performance systems are in place that deliver world-class services designed to benefit all customers and stakeholders. In accordance with its mission, ADSIC considers information technology to be a government service, and so they elected to follow the ISO 27001 framework and add more management processes to implement their strategic vision for the government. As a result, our students had the opportunity to study, in detail, all the phases required to fulfill the ADSIC mission: Risk Assessment, Information Security Planning, Security Testing & Evaluation, and Certification and Accreditation. They came to understand the activities involved in conducting Information Security planning, as well as the process of certification and accreditation of a specific organization, and the inputs and outputs of each step, as shown in Figures 1 and 2.

ADSIC has its own Information Security standards, which play an essential role in the information system. They also guide, support, and coordinate the Information Security program, by developing the desired standards and helping to implement them in the government entities. This enables quick and secure information-sharing among the various entities. In this way, ADSIC is striving to make the Abu Dhabi Government one of the top five governments in the world, by making it efficient and effective, and accessible to everyone in Abu Dhabi.

We should point out that ADSIC has helped thirty-five different entities in Abu Dhabi to adopt the ISO 27001 framework in their organizations.
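The eight Information Security Planning steps that ADSIC follows (Figure 1) can be carried through end to end on a small risk register, which makes the input/output chaining between the steps concrete. The code below is an added example written for this edit; it is not ADSIC's tooling and not part of the paper. The 1-5 likelihood and impact scales, the reduction-per-cost rule used for Step 3, the acceptance threshold in Step 4, the two-week/six-week deadlines, and the sample risks and controls are all constructed assumptions.

```python
"""Worked model of the eight ADSIC Information Security Planning steps (Figure 1).
Added illustration, not ADSIC's own process or tooling: the risk scale, the
cost-effectiveness rule, the acceptance threshold and all sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Risk:
    rid: str
    asset: str
    likelihood: int  # assumed 1 (rare) .. 5 (almost certain)
    impact: int      # assumed 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    treats: str       # id of the risk this control addresses
    cost: float       # assumed cost, arbitrary units
    reduction: float  # fraction of the risk score it removes (0..1)


# Constructed inputs: the risk register from the risk assessment phase (Step 1
# input) and the candidate controls from the standards guide (Step 2 input).
RISKS = [Risk("R1", "e-service portal", 4, 5),
         Risk("R2", "backup tapes", 2, 4),
         Risk("R3", "staff laptops", 2, 2)]
GUIDE = [Control("web application firewall", "R1", 30.0, 0.6),
         Control("input validation review", "R1", 10.0, 0.4),
         Control("encrypt backup media", "R2", 5.0, 0.8),
         Control("armed courier for tapes", "R2", 50.0, 0.3),
         Control("full disk encryption", "R3", 4.0, 0.7)]
OWNERS = {"R1": "web team", "R2": "operations", "R3": "desktop support"}


def step1_prioritise(risks):
    """Step 1: prioritised list of risks, highest score first (OUT1)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def step2_identify(out1, guide):
    """Step 2: candidate controls per risk, taken from the standards guide (OUT2)."""
    return {r.rid: [c for c in guide if c.treats == r.rid] for r in out1}


def step3_cost_effective(out1, out2, min_ratio=0.1):
    """Step 3: keep controls whose score reduction per unit cost reaches
    min_ratio (OUT3). The ratio rule is an assumption of this example."""
    score = {r.rid: r.score for r in out1}
    return {rid: [c for c in cands if c.reduction * score[rid] / c.cost >= min_ratio]
            for rid, cands in out2.items()}


def step4_select(out1, out3, manager="<senior manager>", accept_below=5):
    """Step 4: mitigation route per risk, deciding manager, selected controls (OUT4).
    Risks scoring below accept_below are accepted and get no control."""
    out4 = {}
    for r in out1:
        route = "accept" if r.score < accept_below else "mitigate"
        out4[r.rid] = {"route": route, "manager": manager,
                       "controls": out3[r.rid] if route == "mitigate" else []}
    return out4


def step5_schedule(out1, out4, start, owners):
    """Step 5: owner and due date for each selected control (OUT5);
    risks scoring 15 or more get the shorter deadline."""
    score = {r.rid: r.score for r in out1}
    return {c.name: {"owner": owners[c.treats],
                     "due": start + timedelta(weeks=2 if score[rid] >= 15 else 6)}
            for rid, d in out4.items() for c in d["controls"]}


def step6_implement(out5, completed):
    """Step 6: implementation status and date per control (OUT6).
    `completed` maps control name -> completion date string (constructed status)."""
    return {n: {"done": n in completed, "date": completed.get(n)} for n in out5}


def step7_verify(out1, out4, out6):
    """Step 7: residual score per risk after the verified (done) controls (OUT7)."""
    out7 = {}
    for r in out1:
        residual = float(r.score)
        for c in out4[r.rid]["controls"]:
            if out6[c.name]["done"]:
                residual *= 1 - c.reduction
        out7[r.rid] = round(residual, 2)
    return out7


def step8_plan(risks=RISKS, guide=GUIDE, owners=OWNERS, start=date(2011, 1, 3),
               completed=None):
    """Step 8: assemble the Information Security Plan from OUT1..OUT7."""
    completed = completed or {}
    out1 = step1_prioritise(risks)
    out3 = step3_cost_effective(out1, step2_identify(out1, guide))
    out4 = step4_select(out1, out3)
    out5 = step5_schedule(out1, out4, start, owners)
    out6 = step6_implement(out5, completed)
    return {"priority": [r.rid for r in out1],
            "selected": {k: [c.name for c in v["controls"]] for k, v in out4.items()},
            "schedule": out5, "status": out6, "residual": step7_verify(out1, out4, out6)}


if __name__ == "__main__":
    plan = step8_plan(completed={"web application firewall": "2011-01-14"})
    for rid in plan["priority"]:
        print(rid, plan["selected"][rid], "residual:", plan["residual"][rid])
```

Running the block shows the chaining the figure describes: the portal risk (score 20) is treated first, the expensive courier control is dropped at Step 3 because it removes little risk per unit cost, the low-scoring laptop risk is accepted at Step 4, and Step 7 only credits controls whose implementation was actually verified, so the residual for R1 stays at 8.0 while the validation review is outstanding.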

Fig. 1 (reconstructed from the extracted figure labels; each step lists its input, activity, and output):

Step 1. Determine Risk Treatment Priority. Input: a list of risks identified during the risk assessment phase. Output: a prioritized list of risks based on security levels (OUT1).
Step 2. Identify Potential Controls. Input: OUT1; ADSIC Information Security Standards Guide. Output: a list of potential controls that may be implemented to treat each risk (OUT2).
Step 3. Determine Cost-Effective Controls. Input: OUT2. Output: a list of potential controls, along with resource requirements, that are cost effective (OUT3).
Step 4. Determine Mitigation Route and Select Controls. Input: OUT3; senior management. Output: a decision on the mitigation route for each risk; the name of the senior manager; a list of controls that have been selected to be implemented (OUT4).
Step 5. Assign Responsibility and Schedule Implementation. Input: OUT4. Output: a list of individuals assigned to implement the controls or set of controls in a given schedule (OUT5).
Step 6. Implement Controls. Input: OUT4; OUT5. Output: status of the implementation of the security controls and implementation date (OUT6).
Step 7. Verify Control Implementation. Input: OUT6. Output: the outcome of the test along with the verification date; any residual risk following control implementation (OUT7).
Step 8. Develop Security Plan. Input: the outputs from Step 1 through 7. Output: Information Security Plan.

Fig. 1. ADSIC Information Security Planning

Fig. 2. ADSIC certification and accreditation (flow diagram; only its labels survive extraction). Inputs include the Risk Assessment Report, the Information Security Plan and the ST&E Report; the Updated Risk Assessment Report with the OM Name and CO Name; the Summary of Security Risks Report; and Configuration Management, Security Scans and Audit Logs. Outputs include the Accreditation Decision (ATO, IATO, DTO) and a Decision to Restart the Risk Management Process.

B. Injazat Learning Outcomes

Injazat Data Systems offers services in IT strategy and IT management consultancy and systems integration, as well as comprehensive outsourcing of IT and business functions. Injazat has the knowledge and experience to manage, develop, and support the IT and business processes of both government and private sector organizations.

The students have learned from Injazat that they can implement two ISO standards, ISO 27001 for ISMS and ISO 20000 for IT Service Management, at the same time. These standards have helped Injazat enhance its structure, processes, organization, and security systems to deliver trusted and valued services to its clients.

While the company already had its own security and service management policies and procedures in place, it wanted to align these with global best practices, which is why they decided to implement the ISO standards. By adopting these standards, Injazat has achieved substantial system and process improvements and has become much better able to deliver high quality IT management services that are customer-centric. The students learned valuable lessons about the Plan, Do, Check, and Act Model (PDCA) for both standards. They witnessed the way in which Injazat established the Information Security Management System (ISMS) in the Plan phase, and how long they spent on ISMS policies, the scope and organization of the ISMS, and its risk management framework. They followed the implementation of the ISMS into the Do phase, and monitored the ISMS process through the internal audit phase to ensure compliance and control effectiveness in the Check phase. They also examined the results in the latter phase and improved the ISMS by taking corrective and preventive action in the Act phase. See Figure 3 for more details.

The students experienced a great deal of satisfaction in knowing that they can integrate this ISO 27001 model with ISO 20000, because these standards prioritize security management by requiring in-depth risk assessment, impact analysis, and mitigation planning. The following table

provides further detail on the areas covered by the two standards.

Fig. 3 (reconstructed from the extracted figure labels):
- Establish Information Security Management System (ISMS): IS Risk Management Framework; ISMS Policies; ISMS Scope and Organization
- Implement and Operate ISMS: implementation and operation
- Monitor and Review ISMS: Internal Audit; Ensure compliance; Controls effectiveness; Results review
- Maintain and Improve ISMS: Corrective and Preventive actions; Ensure continual improvement

Fig. 3. Injazat PDCA Model

The students were aware that, in the integrated ISO approach, Injazat was able to follow a security and risk management framework in the Plan phase, while objectives such as identifying scope, writing policies, establishing service management and security organization, and developing an Information Security Risk Management (ISRM) and ITIL Service Management Framework were being pursued concurrently. Injazat explained gap analysis to the students, in terms of addressing security problems based on its own internal protocols and adhering to the ITIL Service Management framework. The company then spent a significant amount of time updating its policies, process documentation, and procedures to align them with the standards and improve their services even further. The students also looked at Injazat's forums and training programs, and their diversity awareness campaigns designed to address the various backgrounds and differing levels of understanding of its employees. It was fun to see posters sent to employees from time to time to raise awareness about Information Security issues.

TABLE I
ISO 27001 AND ISO 20000

ISO 27001:
- Security policy
- Organization of Information Security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information Security incident management
- Business continuity management
- Compliance

ISO 20000:
- Overall IT service management policy and processes
- Service reporting
- Capacity management
- Business relationship management
- Supplier management
- Problem management
- Release management
- Planning and implementation of new or changed services
- Management review
- Service continuity and availability
- Information Security management
- Service level management
- Incident management
- Change management
- Configuration management
- Budgeting and accounting
- Internal audits

C. GASCO Learning Outcomes

The students were enthusiastic about examining one more case study, which was concerned with ISO 27001 certification, as the context can differ from one organization to another. In the case of GASCO, they asked professional services firm Deloitte to perform their gap analysis, which the company began by assessing GASCO's current security practices against the best practices inspired by ISO 27001, identifying the gaps in the existing security controls, and defining the steps required to fill them. Deloitte was also responsible for writing the main ISMS documents for GASCO. The GASCO security team then developed a risk treatment plan, which determined the appropriate management action to take, and the resources, responsibilities, and priorities for managing Information Security risks. Finally, they developed the required documents, as stated in Table 1 for ISO 27001. GASCO monitored the ISMS and implemented the controls. They also began executing the internal ISMS audit. However, they still needed an ISMS expert to perform the audit for them. They chose Deloitte, who planned to carry out risk management testing for GASCO every six months, and then revised the schedule to every eight months.

In addition, GASCO performed a management review of the results and resolved the non-conformities identified. The detailed ISO 27001 roadmap is explained in the following figure.

Fig. 4 (reconstructed from the extracted figure labels):
- Gap Analysis
- Define ISMS Scope and Policy
- Establishment of Security Forum
- Risk Assessment
- Risk Treatment
- Internal Audit Program
- Training and Awareness
- Stage I (Desktop) Audit
- Monitor Controls
- Stage II (Final) Audit

Figure 4. GASCO ISO 27001 road map

V. INFORMATION SECURITY COURSE

Information Security Basics, CIT235, is a core course in all the major programs offered by the CIT. This course presents the managerial and technical aspects of Information Security to prepare future business decision makers, and addresses the knowledge areas of CISSP (Certified Information Systems Security Professional) certification. The course provides an overview of the issues related to Information Security, including assessment of the levels of confidentiality, integrity, and availability needed for different types of information, the nature of threats, and the three tiers of information protection: detection, correction, and recovery. Various security techniques related to the overall physical environment, as well as to IT systems, data encryption, and

computer forensics specifically, are discussed. Security issues at the personal, enterprise, and global level are also studied. The topics covered in this course are the following:
- Nature and scope of Information Security
- Legal, ethical, and professional issues in Information Security
- Levels of security needed for different types of information
- Security of technical systems
- Introduction to data encryption techniques
- Introduction to network security issues, including wireless networks
- Introduction to Internet security
- Nature of threats: prevention, detection, recovery
- Planning for and implementing Information Security
- Personal security
- Enterprise security

Topics that can be added to this course, which would be enjoyable for students while they learn the basics about the Information Security field, might be:
- ISO standards related to Information Security
- ISO 27001
- Plan-Do-Check-Act model
- Gap analysis
- ISMS
- Risk assessment
- Internal and external audit programs

By adding the above topics, a wider range of activities and case studies could also be covered in this course, such as writing a case study about an organization obtaining ISO 27001 certification, implementing a PDCA model in a specific context, conducting a short gap analysis, learning in depth about ISMS, creating a risk assessment report, and investigating internal and external audit programs more deeply. All these activities can serve as tools that the students can access after their graduation, as they will be familiar with the vocabularies and concepts that are used extensively in the Information Security world. After taking this course, they will be able to meet the course requirements, as well as the employers' requirements:
1. Address the technical aspects of Information Security for decision makers;
2. Investigate and report on how the various levels of the Information Security objectives of data confidentiality, integrity, and availability can be achieved, and at what cost to an organization.
3. Understand the role that an appropriate access control policy serves in securing the information resources of an enterprise.
4. Investigate and experience the nature of security technologies/threats, such as firewalls, computer viruses, and worms.
5. Learn and implement simple encryption techniques to protect data and email.
6. Use examples of Information Security issues, tools, and practices implemented in today's businesses.
7. Use international standards and best practices in the Information Security field.

VI. CONCLUSION AND FUTURE WORK

The use of ISO 27001 to teach the topic of Information Security inspires students to learn more about the PDCA model, ISMS, gap analysis, internal and external audits, and risk assessment. We support this approach with real case studies from organizations, which help greatly in getting the students interested in the subject. Ten students from our IT College were engaged in this valuable learning experience. We encourage others to try our approach, and hope that it will help those students as much as it has helped ours. In future work, we plan to evaluate the enhanced Information Security course, and improve the advanced course, CIT 335, Information Security Technologies.

REFERENCES

[1] M. E. Whitman and H. J. Mattord, "Designing and teaching information security curricula," in Proceedings of the 1st Annual Conference on Information Security Curriculum Development, New York, USA: ACM, 2004.
[2] M. E. Whitman and H. J. Mattord, "Workshop on designing and teaching information security curricula," in ACM-SE 43: Proceedings of the 43rd Annual Southeast Regional Conference, New York, USA: ACM, 2005.
[3] B. K. Jensen, M. Cline, and C. S. Guynes, "Teaching the Undergraduate CS Information Security Course," ACM SIGCSE Bulletin, New York, USA: ACM, 2006.
[4] M. Hentea, H. S. Dhillon, and M. Dhillon, "Towards Changes in Information Security Education," Journal of Information Technology Education, vol. 5, 2006.
[5] C. J. Armstrong and H. L. Armstrong, "Mapping information security curricula to professional accreditation standards," IEEE SMC Information Assurance and Security Workshop, 2007.
[6] J. Li, Y. Zhao, and L. Shi, "Interactive Teaching Methods in an Information Security Course," Scalable Computing and Communications; Eighth International Conference on Embedded Computing, 2009.
[7] C. Qiu, W. Zhao, J. Jiang, and J. Han, "A Teaching Model Application in the Course of Information Security," IEEE Computer Society Proceedings of the 2011 Third International Workshop on Education Technology and Computer Science, 2011.
[8] Wang ChangJi, Liao DingFeng, and Huang HuaJie, "The Design and Analysis of an Information Security Teaching and Learning Platform," Education Technology and Computer Science, 2009.
[9] Zayed University, "Zayed University Vision," [Online]. Available: http://www.zu.ac.ae/main/en/explore_zu/index.aspx
[10] Zayed University, "College of Information Technology," [Online]. Available: http://www.zu.ac.ae/main/en/colleges/colleges/college_information_technology/index.aspx
[11] M. Abu Talib, A. Khelifi, and M. El Barachi, "Exploratory Study on the Innovative Use of ISO Standards For IT Security in the UAE," European, Mediterranean & Middle Eastern Conference on Information Systems (EMCIS2011), Greece, 2011.
[12] M. Abu Talib, M. El Barachi, and A. Khelifi, "Guide to ISO 27001: UAE Case Study," Issues in Informing Science and Information Technology, vol. 9, Canada, 2012.

