
Guide

Edition 201710
Copyright © EXIN Holding B.V. 2017. All rights reserved.
EXIN® is a registered trademark.

No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic,
mechanical, or otherwise, without the prior written permission from EXIN.

Guide EXIN Information Security Management Expert based on ISO/IEC 27001 2


(ISMES.EN)
Content

General 4
Confidentiality 4
Design of the exam 4
Written section 4
Oral section 6
Procedure 7
Appendix 1: Evaluation tools 9
Appendix 2: Case study Smith Consultants Inc. 19

General
The Information Security Management Expert module based on ISO/IEC 27001 (ISMES) consists of
a written and an oral exam section.

This document describes the design of the written exam (practical project), the design and duration
of the oral exam as well as the procedure of the entire exam. The document, moreover, contains
the evaluation criteria and a case study which can be used for the practical project.

Confidentiality
The examiners have a Non-Disclosure Agreement with EXIN. The information in the practical
project, the presentation and the examination conversation will be confidential.

Design of the exam


The Information Security Management Expert module based on ISO/IEC 27001 (ISMES) consists of
two parts.
The written section (the practical project) is the first part. The candidate will have to achieve a
satisfactory rating (55% or more) for this part prior to taking the oral exam.
The oral section is the second part.

Written section
Practical project
The written section comprises a practical project paper of approximately 6000 words and a
management summary.

Ideally, the entire practical project paper should be written for the ISMES module; for example, as
the logical continuation of an ongoing project, or because of the needs of the organization for
which the candidate works. The guidelines also apply to the introductory and final chapter.

The content of the practical project has to be related to the professional context of the candidate.
The core of the practical project could consist of an existing document (about one of the
examination requirements), provided that the candidate is the author or co-author, and has had
sufficient say with regard to the content. It should clearly state in the introductory chapter what the
level of involvement of the candidate has been.

The practical project paper contains an introductory chapter, a core and a final
chapter.

Some of the elements of the introductory chapter are:


• the reason for realizing this particular document in the organization, and the related
question and objective;
• the role of the candidate in the realization of the document;
• the role/status of the document within the organization.

The core of the practical project paper deals with one of the ISMES examination requirements of
one’s choice:
• Security Awareness plan;
• Risk analysis;
• Change plan;
• Information Security Management System (ISMS) plan;
• Audit plan;
• Quick scan;
• Information Security policy.

Some of the elements of the final chapter are:


• well-thought out reflections on the various components of the process; this
demonstrates the candidate’s performance; what the candidate encountered, what
alternatives presented themselves, what choices were made, what could be improved
upon next time, etc.;
• a link to the introductory chapter, e.g. to the question and objective.

If a candidate is not able to write a practical paper based on his/her work environment, the
candidate can put in a request to the trainer to allow a practical paper based on the case study. The
case study can be found in this Guide. Should the candidate choose to write a practical paper
based on the case study, he or she needs to make clear the personal work experience and
professional context that was applied when doing so. In the final chapter of the practical paper the
candidate can indicate how his/her own experience has been an inspiration for the particular
components dealt with, what relevant similarities/differences there are with his/her own
professional context, what he/she has learned from the case study that is relevant to his/her own
professional environment, etc.

It is highly recommended that the candidate sends a plan for the project paper to EXIN in an early
stage in order to have the minimum requirements checked.

Along with the practical paper the candidate has to submit:


1. a management summary of the practical paper, which meets the following requirements:
• the summary is two A4 sides at the most (600 words);
• the summary is aimed at the management team;
• the summary contains an introduction, a core, and a final chapter that contains the
conclusions and recommendations.
2. a short curriculum vitae showing that he/she has at least 2 years of work experience at
a management level in the areas of at least 2 examination requirements;
3. an account, added by the trainer, of the relationship between the selected examination
requirement and the practical project.

Evaluation
The practical project will be evaluated by two examiners. The evaluation tools that are used for this
can be found as of page 9 of this Guide.
The candidate can only take the oral exam when his or her practical project has received a
satisfactory rating (55% or more).
The examiners’ feedback to the practical project will be sent to the training institute two weeks
before the oral exam.

Depending on the chosen subject one of the below tables is used in the evaluation of the practical
project.
• Security awareness plan page 9
• Risk analysis page 10
• Change plan page 11
• ISMS plan page 12
• Audit plan page 13
• Quick scan page 14
• Information Security policy page 15

Oral section
I A presentation by the candidate
The exam starts with a presentation by the candidate. He or she will do a presentation about the
project he or she worked on. The presentation will simulate a situation in which the candidate gives
a presentation to the management team with the purpose of persuading management, and to gain
acceptance for certain proposals. The presentation will be evaluated on the basis of whether or not
it was sufficiently geared toward the management team. The presentation lasts for a maximum of
15 minutes. An overview of the evaluation criteria can be found in the ISMES Guide (oral section).

II An examination interview based on the presentation


The second part of the exam consists of a conversation with the examiners about the presentation.
The examiners will question the candidate in a critical way, as if they were members of the
management team. The examiners could ask questions about the contents of the presentation.
This conversation takes up (a maximum of) 15 minutes.

III An examination interview about the other examination requirements


In the third and last part of the exam, the examiners will ask questions about the examination
requirements that were not the focus of the presentation, or in the conversation about the
presentation. The examiners no longer play the part of the management team. What will be
assessed is whether or not the candidate is capable of using the contents of ISMES outside their own
professional context, and whether they can relate the project and the presentation to their own
professional context and to recent developments in this specialty. Apart from that, the candidate's
ability to reflect on their own conduct in relation to the contents of the module can be assessed. This
means that the candidate also has to be able to step outside the way their company operates, and
they should have an understanding of the topics listed in the examination requirements. This final
examination interview lasts 25 minutes.

IV Final conclusion
Immediately following the exam, the examiners will reach mutual agreement and will come to a
final decision, resulting in a final mark. This takes 25 minutes. After that, the examiners will notify
the candidate verbally of the final mark, and will clarify their final decision. This takes 10 minutes.
The entire exam will take a maximum total of 90 minutes.

Procedure
This chapter describes the procedure and rules that the examinee and the examiners have to follow
with the ISMES oral exam.

No later than eight weeks prior to the oral exam three copies of the practical project paper
have to have been submitted to EXIN along with a management summary.
The trainer will have added an account of the relationship between the selected examination
requirement and the practical project.
The candidate is to include and send a short CV to prove that he or she has had at least 2 years
of work experience at management level in the areas of at least 2 examination requirements.

The examination session

• During the presentation the candidate is required to use PowerPoint slides on a CD or from
their own laptop.
• Immediately before the presentation, the examiners are provided with two sets of one-
sided prints of the slides (1 slide per page).
• The presentation starts with:
o One slide with the title of the presentation.
o One slide with the name of the candidate, his/her job title, the company and the
type of company.
• The presentation is about the practical project, so it is not about the career history of the
examinee, and not a description of the company for which the candidate works.
• During the presentation the examiners can only ask clarification questions.
• The entire oral exam is documented using recording equipment.
• It is not permitted to influence the examiners by disclosing business or private matters.

The following persons are present at the oral exam:


• the candidate
• two examiners

The candidate’s trainer/supervisor can attend the oral exam as observer, when the candidate has
given his or her approval.
The exam session can be done via a web conference with video and audio facilities. In that case an
EXIN accredited supervisor should be present at the candidate’s site.

Time frame

The entire examination session lasts a maximum of 90 minutes; including communication of the
result. The examination is structured as follows:
• 15 minutes (maximum) for the presentation;
• 15 minutes for discussing the presentation;
• 25 minutes for the examination interview about the other exam requirements;
• 25 minutes evaluation meeting among the examiners;
• 10 minutes for discussing the outcome with the candidate.

Evaluation

The examiners evaluate the three parts of the exam based on three evaluation tools (Table I, II and
III). The examiners will fill in these evaluation tools during the oral exam. Once the exam is over the
examinee will leave the room where the exam was taken. The examiners will discuss and
determine the final mark. Afterwards the examiners will inform the examinee of their mark for this
oral exam and justify the result.

Appendix 1: Evaluation tools

Security Awareness plan

Name of candidate :
Candidate number :
Title of practical project :

Subject that has to be included / Evaluation aspects / Score in points / Awarded points

1. Introduction, background, principles (score: 10 points)
• Reason
• Scope (reach)
• Specifying stakeholders

2. Designs and plans (score: 20 points)
• Putting together steering group and project organization
• Setting tasks, responsibilities and authorities of project members
• Determining scope, setting objectives (final situation, term)
• Determining slogan/logo
• Determining strategy
• Carrying out baseline measurement
• Setting communication objectives per target group
• Determining target groups and producing descriptions of the characteristics of the target groups
• Setting key messages (e.g. 'correct use of password', 'switching off monitor', etc.)
• Formulating project plan

3. Development (score: 20 points)
• Choosing and producing communication means
• Testing the communication means developed
• Modifying communication means
• Developing scenario

4. Execution (score: 30 points)
• Communication of the vision
• Execution of the project plan

5. Evaluation and continuation (score: 10 points)
• Measuring the effects
• Transforming project activities into structural activities

6. Language usage and design (score: 10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points

Risk analysis

Name of candidate :
Candidate number :
Title of practical project :

Subject that has to be included / Evaluation aspects / Score in points / Awarded points

1. Introduction, background, principles (score: 30 points)
• Purpose
• Scope (reach)
• Change logbook (version management)
• Signature:
o who are the authors;
o who are the respondents;
o who are the risk owners.
• Chosen working method for execution (e.g. workshops or interviews)
• Management summary

2. Process description (score: 15 points)
• Description of the completed process

3. Execution (score: 45 points)
• Which threats were outlined and how
• Results of the completed steps
• Final conclusion
• Measures to be taken
• Implementation plan (planning, prioritization, responsibilities)

4. Language usage and design (score: 10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points

Change plan

Name of candidate :
Candidate number :
Title of practical project :

Subject that has to be included / Evaluation aspects / Score in points / Awarded points

1. Introduction, background, principles (score: 10 points)
• Purpose
• Scope (reach)
• Change logbook (version management)
• Signature:
o who are the authors;
o who are the respondents;
o who signs for approval.
• The phases that are distinguished in the change approach (e.g. AURRA, J.P. Kotter)
• The willingness to change
• Rewards and penalties
• Management summary

2. Preparation and organization (score: 40 points)
• Determining the imperative necessity
• Putting together the steering group
• Choosing key figures (management, expertise, reputation)
• The vision to which the project must lead, the leitmotiv (must be possible to explain within 5 minutes)
• Determining the parts of the organization that are involved in the changes
• The role of the management
• The contribution of each organization function (department)

3. Execution (score: 40 points)
• Communicating the vision
• Coordinating education and training of staff with the implemented measures (knowledge, aids, expertise)
• Planning the short-term benefits
• Consolidating the benefits
• Institutionalizing the new approach
• Evaluation

4. Language usage and design (score: 10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points

ISMS plan

Name of candidate :
Candidate number :
Title of practical project :

Subject that has to be included / Evaluation aspects / Score in points / Awarded points

1. Description ISMS (score: 20 points)
• Operational area
• Purpose
• Introduction
• Complete ISMS description

2. ISMS process (score: 10 points)
• Operation of the process
• Results
• Registrations

3. Organization (score: 15 points)
• Description of organization
• Tasks, authorities, responsibilities
• Reporting

4. Description of set-up (score: 45 points)
An outlined description of:
1. steps:
o policy
o organization
o training & awareness
o sub-processes ISMS (for example: risk analysis method, incident handling)
o evaluation
o reporting
2. planning
3. evaluation
4. reporting

5. Language usage and design (score: 10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points

Audit plan

Name of candidate :
Candidate number :
Title of practical project :

Subject that has to be included / Evaluation aspects / Score in points / Awarded points

1. Foreword, introduction, background, principles and the like (score: 20 points)
• Introduction, operational area
• Purpose
• Focus

2. Basis of the plan (score: 30 points)
• References, standards
• Reporting
• Confidentiality

3. Execution (score: 40 points)
• Execution details
• Responsibilities
• Report details
• Confidentiality

4. Language usage and design (score: 10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points

Quick scan

Name of candidate :
Candidate number :
Title of practical project :

Subject that has to be included / Evaluation aspects / Score in points / Awarded points

1. Introduction, background, principles (score: 30 points)
• Purpose
• Scope (reach)
• Change logbook (version management)
• Signature:
o who are the authors;
o who are the respondents;
o who signs for approval.
• On which questionnaire this quick scan is based (e.g. Code of Practice ISO/IEC 27002)
• Chosen working method for execution (e.g. workshops or interviews)
• Management summary

2. Process description (score: 30 points)
• Description of the completed steps

3. Execution (score: 30 points)
• Results of the completed steps
• Final conclusion
• Dependent on the final conclusion:
o Measures to be taken
• Implementation plan (planning, prioritization, responsibilities)

4. Language usage and design (score: 10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points

Information Security policy

Name of candidate :
Candidate number :
Title of practical project :

Subject that has to be included / Evaluation aspects / Score in points / Awarded points

1. Foreword, introduction, background, principles and the like (score: 20 points)
• Motivation, importance, priority
• Purpose
• Introduction, operational area
• Gearing to target group level

2. Policy statements (score: 10 points)
• Completeness
• Realism
• Strategic level

3. Detail subjects (score: 50 points)
• Organization
• Responsibilities
• Incident handling
• Information Security Continuity
• Sanctions
• Awareness, education & training
• Reporting, maintenance policy
• Departures from the policy
• Information back-up cycles
• Suppliers and information security

4. Execution (score: 10 points)
• Support in the execution, details
• Planning
• Approval, signature

5. Language usage and design (score: 10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points

Oral exam
The examiners base their judgment on the demonstrated (work) experience at management level,
the practical project, knowledge and understanding of the field of expertise and the ability of the
examinee to reflect upon this. The examiners consider it important that the candidate shows what
he or she has learnt during and prior to the ISMES module and what his or her view is on that field
of expertise. This chapter describes the evaluation criteria that apply to the oral ISMES exam.

I - Presentation
In Table I the examiners record the score that you achieved for the presentation. This is the first
part of the oral exam.

The candidate…                                                              Score (points)
                                                                            max.   Awarded
explains the subject sufficiently and within the set time frame.             10
handles the details of the subject correctly.                                10
handles the subject at the appropriate level and for the appropriate
target group.                                                                20
discusses the subject in a convincing manner and can justify his or her
own viewpoints.                                                              30
sets out his or her own viewpoints in a comprehensible manner.               30
Total (max. 100 points)                                                     100    I
Table I: evaluation presentation

II - Examination interview resulting from presentation


In Table II the examiners record the score you achieved for the examination interview resulting
from the presentation. This is the second part of the exam.

The candidate…                                                              Score (points)
                                                                            max.   Awarded
gives essentially correct answers and motivation of answers.                 15
motivates and/or defends viewpoints in a professional manner.                15
deals professionally with questions or comments from the examiners.          20
shows a capacity to reflect upon his or her own actions in a work context.   25
shows a capacity to reflect upon his or her own actions during a
presentation and examination conversation.                                   25
Total (max. 100 points)                                                     100    II
Table II: evaluation of the examination conversation resulting from the presentation

III - Examination interview concerning other exam requirements
In Table III the examiners record the score you achieved for the examination interview concerning
the exam requirements that had not yet been dealt with in the previous two sections. This is the
last part of the exam.

Exam requirement                                                            Max. points   Oral score
1. Organization of the information security (formulating ISMS)                   20
   1.1 The candidate can substantiate the risk management process in
       relationship with the ISMS.
   1.2 The candidate can define the roles for information security.
   1.3 The candidate can set up and apply a reporting system for the
       management.
2. Information security policy                                                   10
   2.1 The candidate can participate in the process of establishing the
       information security policy.
   2.2 The candidate can set up, present and disseminate an information
       security policy.
3. Risk analysis                                                                 10
   3.1 The candidate can select and carry out a method based on an
       understanding of the various risk analysis methods.
   3.2 The candidate can analyze the result of a risk analysis.
4. Organizational change and development regarding information security          40
   4.1 The candidate can, if the situation so requires, draft or modify a
       change plan.
   4.2 The candidate can, if the situation so requires, draft, communicate,
       present and execute an awareness program.
   4.3 The candidate can, if the situation so requires, implement the
       changes or guide this process.
5. Standards and norms                                                           10
   5.1 The candidate can, if the situation so requires, select and
       implement a relevant standard.
   5.2 The candidate can, if the situation so requires, implement a
       standards framework or baseline construction.
6. Audit and certification                                                       10
   6.1 The candidate can organize the execution of audits.
   6.2 The candidate can help with a management evaluation of the ISMS.
Total                                                                           100           III
Table III: evaluation other exam requirements

IV - final evaluation ISMES
After the exam the candidate will leave the room and the examiners will come to their final
conclusion in consultation with one another. For this they use Table IV. They will give the candidate
a definitive answer immediately afterwards and explain their final conclusion.

Part                                                           Weighting   Points per exam section   Weighting points per part
Practical project                                              10%         W
Oral
  I   Presentation                                             20%         I
  II  Examination conversation resulting from presentation     20%         II
  III Examination conversation other examination requirements  50%         III
Total                                                          100%                                  Total points achieved

Table IV: final evaluation ISMES

Appendix 2: Case study Smith Consultants Inc.

The case study is optional and belongs to the written section.

Smith Consultants Inc.


Forestville

Company Profile

Smith Consultants Inc. (1) is a relatively small consultancy agency (approximately 180 staff)
specializing in IT. The company was set up approximately 16 years ago.
Their clients appreciate its ability to solve unconventional problems. They have, for example,
carried out demonstration projects to show that open source software can be successfully used to
realize complete office environments or complex security functionality, and that this software can
be used to build on-line and mobile applications that allow organizations to connect easily with
their customers.

Clients include a number of government departments, a bank, insurance companies and
engineering firms.

Smith Consultants Inc. is divided into three divisions that carry out the various activities. The
divisions are regarded as business units with their own profit/loss responsibilities.
• Consultancy: Business consultants (25) – supply consultancy services for the interfaces of
business and IT. Subjects include: business analysis, translating business processes to web
applications, support in setting up functional requirements, identifying business information
assets and their business owners etc.
• ITC: IT consultants (60) – supply consultancy services in the area of IT, software design and
development, project management etc. Examples include: converting functional specifications
to technical specifications, configuring infrastructure components, capacity management,
setting up configuration management, designing information security, Network Management,
Service Management, etc.
• SD: Software development (85): designing, developing and supplying software. When the
occasion arises hardware components and software can also be supplied so that clients can
receive complete solutions. In addition, for a small number of clients remote management
services are carried out as well.

Each division has its own administration staff who are responsible for human resource
management (HRM), time administration and invoicing. Office management and first line
application management are also locally available.

The central organization (10) consists of the Management Board, legal affairs, facilities
management (including IT), Internal Communication and public relations (PR), payroll
administration, central personnel administration, help desk and Quality & Security (Q&S).

Smith Consultants Inc. has an ISO 9001 quality certificate. This has been awarded for carrying out
projects in the ITC division and for remote management and support in the SD division.

During their certification process for ISO 9001 Bettina Smith (not related to Brad) was appointed
quality controller (hence the ‘Q‘). Three months ago, security was added to her portfolio.

(1) Any similarity with an existing organization or company is purely coincidental. This case is a complete work of
fiction.

[Figure 1 is an organization chart; only its box labels survive in this text:]
Brad Smith, CEO
Bettina Smith, Controller; HRM, Legal, Quality & Security, PR, Facilities
Mike Dunn, mgr Consultancy; John Caser, mgr ITC; Paul Dwyer, mgr SD
Each division: office mgr with admin; field mgrs with consultants

Figure 1: Organization Smith Consultants Inc.

Office environments

Smith Consultants/Consultancy is based in Forestville, Smith Consultants/ITC is based in Coleville,
whilst Smith Consultants/SD has its offices in Rockville. The management and the central
departments are based at the office in Forestville.

Each office has a manned reception (only during office hours). In Coleville and Rockville the staff
regularly work after hours. At night the offices are closed. Each branch has an alarm system that is
connected to a local emergency center.
Six months ago a report showed that the number of false alarms had risen; at present this has
decreased somewhat again. The alarm systems are now 5 to 7 years old. It appears that these
days people are increasingly forgetting to switch on the alarm systems in the evenings.

IT environment

Smith Consultants Inc. has a network built from hubs of various brands, bought by different staff over
the years whenever the price was low. There is relatively little network traffic between the branches.
The connection between the branches consists of a rather slow and old broadband Internet
connection.

Each branch has file servers for storing reports and documents (the Y disk). Most staff have
access to their own directory; a number of people (office management) also have access to joint
directories.

The Rockville office has an Internet connection with a Cisco firewall protection for which it has a
maintenance contract. A router (placed four years ago) distributes the traffic between the internal
network and the Internet.

The Mail service and Web services used by Smith Consultants Inc. are external, Cloud based.

The SD consultant who had determined the technical details at the time left two years ago. As the
system has been working without any problems no one had given the documentation any thought.
It is also not clear who is responsible for maintenance.

The content of the corporate web pages is maintained by the people from the PR group.

Figure 2: Overview of IT infrastructure

In Rockville there is a separate LAN (two Servers, five workstations and extra hubs for the laptops)
for SD to experiment with new features/functionalities. Furthermore, there are three Linux servers
for development and testing. There are also a number of workstations with Linux versions.

The financial administration and the time administration are run centrally, using an Oracle database
with Internet application front end (Oracle application server). Branch administration does not have
access to these applications. Local information is transmitted to the central administration by
email (Excel sheet in attachment, once per month), where it is converted into the correct format
and imported into the databases.

For remote use of the intranet and webmail a user name and password are used. Plans are being
made to use a token for this in the future.

All staff have a fast Internet connection at home. Everyone receives $30 per month as a
contribution to the costs of the work-related use of the Internet connection. A few employees have
been given a written-off PC in order to be able to send e-mails.

Office applications (all recent variants of MS-Office) run locally on the workstations and laptops.

The consultants have been divided according to an expertise group (EG) structure. Each EG has a
joint directory for the storage and distribution of reports and other documentation.

Information security

Up until now information security has not been dealt with in a consistent and structured manner.
Some questions had been asked about intranet and security, but these soon faded away. The
appointment of Bettina Smith has not yet had any effect, but she joined only three months ago. It is,
however, expected that all sorts of procedures will soon be implemented. This could mean that the
more technically grounded consultants and the people from SD may lose a number of their
unofficially acquired privileges.

The core of the security is formed by a username-password construction in order to gain access to
the network. Based on the username, access is granted to files and applications. Access rights are
assigned through Active Directory (AD). There are some staff who regularly change their password,
but they are not yet forced to do so.

A backup is made centrally of the database files. Backups of the Mail and Web content are
managed by the external Cloud service provider. It is possible to save the most important files on the
network, but not everybody does this (to put it euphemistically: almost no one does). The documents
that are used by the administration, however, are all on the network.

There are too few filing cabinets in Forestville. The financial administration in particular complains
about not being able to store their documents. They are also in charge of the contracts.

Rockville is the only place that has a shredder, a large one, in which entire books can be destroyed.
The machine was left to the office after a confidential project for the Ministry of Defense ended, as
well as the safe in which the original CDs of most of the purchased software are now kept.

A subscription to antivirus software has been arranged centrally. It runs on the servers,
workstations and laptops. The login script checks the version of the antivirus
software and, if necessary, updates it to the latest version. Users of the workstations
and laptops are able to switch off the virus scanner, which makes the PC start a lot faster.

There are no licenses for cryptographic software.

Operational processes

The operational processes of Smith Consultants Inc. are approached in a rather simple manner.
The company regards three processes as primary:
• Consultancy and projects: supplying services according to agreed contracts in three forms
(individual placement, time-and-material consultancy or projects, and fixed-price
projects)
• Sales: selling the services
• Invoicing: sending invoices and receiving payments for the services supplied.

All primary processes are present in each of the divisions.

There is, however, some difference of opinion regarding which of the primary processes has the
highest priority. The supply of services should not be unavailable for long. What's more,
some clients consider their information highly sensitive and of high competitive value.
If necessary the sales process can be unavailable for a week, but any longer would cause too many
problems. This process mainly uses office automation functions. Fortunately, a great deal of the
information used in the sales process is available, scattered over diaries and laptops.
Invoicing peaks in the first week of the month. Any interruption to the invoicing process then
leads to an immediate loss of money. This is less important during the rest of the month.

In addition, there are supporting processes such as:
• Consolidated administration (hours and finance)
• Legal matters – contracts
• Central personnel administration
• Payroll administration
• Management of facilities, including IT facilities
• Internal communication and PR
• Etc.

The management team (director, managers and controller) believes that all these processes can be
unavailable for a longer period of time without putting the business at risk. A solution, however, will need
to be found for the salary payments.

Responses from managers to the question: Is information security necessary?


Response from Bettina Smith, Q&S manager
Three months ago a financial audit was carried out by the accountant. This revealed that there may
not be a qualified audit opinion next year, if the reliability of the automated information processing
has not been improved by then.
There has been considerable agitation among the management team, which has led to ‘Security’
being handed to me with the comments ‘Do something about it’ and ‘If it's going to cost money, let
me know - but not too much mind you’.

Smith Consultants Inc. has grown from four consultants who started a small business to the
organization that it is now. As we always got more assignments than we could handle – the
company regularly had to hire external help – the operation always had priority. In fact a ‘Wild West’
culture predominates: we shot at everything that moved with everything that we had, and it worked.
It is for that reason that the infrastructure is in such a mess. We no longer know exactly which
hardware and software are used in the company. License and asset management has never been
considered. Whenever something is required, it is bought. That goes for the hardware, but also for
the software. The decentralized structure paves the way for this. It costs a great deal of money, but
at least you don't have to give it much thought.

Fortunately, the SD experts know what they are doing. There have never been – as far as I know –
any major problems. We have never been hacked and we have only had to disconnect the Internet
once or twice for a while due to too many viruses. This resulted in only one or two days of lost e-
mail.

Oh yes, I almost forgot, one of the consultants lost his laptop (had it stolen) a year ago. This was a
nuisance as there were no backups. Fortunately, most of the information could be retrieved. I don't
think that the client noticed anything. But I am not 100 per cent sure. And the company still doesn't
make any backups now.

Unfortunately, I don't know much about computer security myself. I have only just started doing
this. There are not many crash courses in this area. I could do with some help in setting it up. I have
many questions, such as:
• Where do I start?
• What is already in place?
• How many measures do we need? And will this then be sufficient?
• Who is responsible?
• How can we get staff, for example, to regularly change their password?
• What can I do to get the managers to influence their staff?

Response from Mike Dunn, mgr Consultancy
Information security is a must. I had hoped to have heard from Bettina Smith by now. All our major
clients are talking about cyber security due to the many high-profile cyber-attacks recently. There
are also many legal and regulatory requirements for this area now. How does this affect our
clients? And how should we deal with this?

Can we also sell this as a service to our customers? In the form of risk management maybe? I will
have a look to see if there is demand for this. I have some business contacts.

Would information security make our work more difficult? My consultants are not IT specialists. It
mustn't be too difficult.

Otherwise anything else?

Response from Paul Dwyer, mgr SD

Information security is necessary I’m sure, but we don't have much time for it at the moment. After
all, everything is going well. We have never been in the newspapers. We are clearly able to sort all
this out ourselves. It all seems quite secure to me.

What's more, would we then still be able to carry out our work? Would we actually have any access?

Why is this necessary all of a sudden? Everything is going well, isn't it? We have never had any
major problems. Apart from that laptop; that was stupid. You shouldn't leave that sort of thing on
the back seat of a car. It was a nuisance that the client's database was on it. Fortunately, we still
had someone working at the client's site who was able to make a copy. It was a good thing that the
client didn't notice anything, otherwise we would have had to clear our desk there.
Oh yes, that disk crash last year was bad news, especially when the backup turned out to be
useless. We should test more often. I have no idea if this has ever been looked into. It was clever
how that company managed to retrieve 72% of the data that was on the disk. It cost a bit, and took
longer than we would have liked, but oh well, what can you do.

See, it's not that bad really. I'm sure everyone has had to put up with their network failing, or with
Windows crashing at some time.

Assignment with the case study

Write a practical project paper for Smith Consultants Inc. based on one of the following
components of ISMES:
• Security Awareness plan
• Risk analysis
• Change plan
• ISMS plan
• Audit plan
• Quick scan
• Information Security policy

Contact EXIN

www.exin.com
