Recent Papers 04-05-2022

LO1 Explain strategic organisational planning for information security

CP60042E Enterprise Security Management - Assignment

Academic session

February 2022

Assignment title

Drafting an ISMS for a SME according to the ISO/IEC 27001:2013 standard

Assignment type

Written assignment (Case Study)





Issue date

See BB for the date

Submission due date

See BB for the date

1. Learning Outcome

This group project aims to help students develop the ISO 27001:2013 ISMS knowledge and skill as well as attaining the following learning outcomes of this module:


Explain strategic organisational planning for information security;


Understand various types of information security policies and describe the functional components of an information security program;


Have a comprehensive understanding of the risk management process: risk identification, risk assessment and risk control;


Compare and critically evaluate different approaches to enterprise security management.

This group project also aims to help students develop a host of soft skills that are increasingly important in the professional world, most importantly:

  • Combine one’s strengths with the strengths of others;
  • Improve understanding through peer discussion;
  • Breakdown tasks and delegate responsibilities;
  • Practice with feedback; and
  • Conflict resolution.

2. Case Study Synopsis:

We will be using Bluefrontier ( as an exemplar model in this Information Security Management System (ISMS) project assignment.

In a nutshell, Bluefrontier is a well-established software development company where they are offering a comprehensive end-to-end service, including web design, development, digital marketing, social media marketing, mobile phone app development, cloud computing and IT support. Bluefrontier is considered a highly respectful company as it has gained multiple certifications from ISO i.e. ISO 9001 (Quality Management), ISO 27001:2013 (Information Security Management) and ISO13485 (Medical Devices Quality Management). Rolling back in time, imagine that Bluefrontier does not have an ISMS in place, but the Managing Director (MD) has decided and set a strategic plan wanting the company to establish and implement an ISMS according to the ISO 27001:2013 standard, and aiming to take the company for the ISO 27001:2013certification as soon as it is ready. The company recognised such decision is vital to meet the business needs/operations amid various law and regulations e.g. GDPR law, as well as other reasons e.g. up-holding high quality and standard of their service, customer assurance, reputation etc 

3. Project Tasks and Deliverables

In this scenario, your group is hired as the ISO 27001 Consultant / Implementer to help Bluefrontier in their endeavour where you are asked to produce a draft ISO 27001:2013 ISMS document, that would allow the company to:

  • satisfy the information security requirements of customers and other stakeholders;
  • improve an organisation’s plans and activities;
  • meet the organisation’s information security objectives;
  • comply with regulations, legislation and industry mandates; and
  • manage information assets in an organised way that facilitates continual improvement and adjustment to current organisational goals.

The draft ISO 27001:2013 ISMS document must include the following mandatory clauses:

a) ISMS Scope (clause 4.3)

b) Information Security Policy and Governance Framework (clause 5.2 and 5.3)

c) Risk Management: Information Security Risk Assessment (clause 6.1.2)

d) Risk Management: Information Security Risk Treatment (clause 6.1.3)

The ISMS project can be broken into 4 tasks directly aligned to the documentation structure. Each task involves investigation, design and implementation (here it means the documentation) further detailed as follows:

Task 1: ISMS Scope (clause 4.3) 

You are required to establish/document the company’s ISMS scope (as required in clause 4.3) in which involve investigation and determination of:

• the company’s boundaries and applicability of the information security management system to establish its ISMS scope.

• the company’s external and internal issues that are relevant to its purpose and that affect its ability to achieve the identified outcome(s) of its information security management system;

• the requirement of the interested parties that are relevant to the information security management system; and

• the interfaces and dependencies between activities performed by the company, and those that are performed by other companies.

Task 2: Information Security Policy and Governance Framework (clause 5.2 and 5.3)

First, you are required to conduct business analysis and establish/document an Information Security Policy (clause 5.2) that is appropriate to the purpose of the company includes information security objectives (see clause 6.2), commitment to satisfy applicable requirements related to information security, and commitment to continual improvement of the ISMS.

Second, you are required to establish/document an information security governance framework (clause 5.3)
for ensuring that the ISMS conforms to the requirements of the ISO 27001:2013, which include the following:

• the description of the responsibilities and authorities for top management (board of directors) and the roles relevant to information security;

• reporting process on the performance of the ISMS to the top management; and

• decision making process.

Task 3: Risk Management: Information Security Risk Assessment (clause 6.1.2)

First, you are required to investigate and identify the information security requirements within the overall strategy and business objectives of the company, its size and geographical spread by mean of the following main issues:

• Information assets and their value;

• Business needs for information processing, storage and communication;

• Legal, regulatory, and contractual requirements.

Second, you are required to conduct a methodical assessment of the risks associated with the company’s information asset involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materialising to information assets, and the potential impact of the any information security incident on information assets.  The expenditure on relevant controls is expected to be proportionate to the
perceived business impact of the risk materialising.

To fulfil this task, you are required to document the outcome of your investigation that satisfy the clause 6.1.2. 

Task 4: Risk Management: Information Security Risk Treatment (clause 6.1.3)

For each of the risks identified following the risk assessment in Task 3, a risk treatment decision needs to be made and documented to satisfy the clause 6.1.3.

This task is where you design and implement an ISMS for the company in which you are required to carry out an information security risk treatment process that is to:

•  Establish a set of risk treatment criteria and use it to select one of the following possible risk treatments:

a) knowingly and objectively accepting risks, providing they clearly satisfy the company’s policy and criteria for risk acceptance;

b) applying appropriate controls to reduce the risks;

c) avoiding risks by not allowing actions that would cause the risks to occur;

d) sharing the associated risks to other parties, for example insurers or suppliers.

• Determine all controls that are necessary to implement the information security risk treatment option (b) and (c).Here, you are required to produce a Statement of Applicability that contains the necessary controls from Annex A of ISO 27001:2013 and your justification of the use of the selected controls in treating the risks.

• Implement the selected security controls such as Information Classification Policy (clause A.8), Access Control (clause A.9) etc., by specifying the actual control itself i.e. the issue-specific policy, rules and procedure.

4. Group Organisation and Activities

Group organisation:

• Students are encouraged to form a project group organically.  In fact, project groups should have  been formed prior the release of this project assignment brief. Any student who is not yet found a group will be assigned a group by the tutor;

• A group leader must be nominated by group members democratically;

• Group leader is not a privilege position but hold an important role in organising and facilitating group activities;

• Group members (including Group leader) hold equal responsibilities in the delegation of tasks, monitor and drive the project progress, carry out peer review of delegated tasks, review and finalising project document, etc.

Group activities:

  • Group members must use all technological means in communication and engagement.
  • Nevertheless, all group activities must be primarily conducted using the Blackboard (BB) Group

      Tools such as i.e. Collaborate (audio-visual communication platform), and other as shown below.

  • The “Group Journal” must be used to log all group activities such as meeting minutes (logging of important issues), member attendance, contribution record etc., throughout the project period till the completion of the project document.
  • Mind you, the tutor will not by any mean involve in any group activity, instead will stay on the side line monitoring and providing advice.
  • Group members are expected to participate, contribute, and play their part.
  • Group members are encouraged to exercise their skills in resolving any disagreement and conflict; otherwise, this must be recorded in the Group Journal.
  • The Group Journal is essentially the proof of work by every contributing group member, and it will serve as the basis for Peer Assessment (see the 4. Assessment Criteria).

5. Assessment criteria

Your work will be graded based on the following assessment elements and marks distribution:

Assessment elements


Task 1: ISMS Scope (clause 4.3)


Task 2: Information Security Policy and Governance Framework (clause 5.2 and 5.3)


Task 3: Risk Management: Information Security Risk Assessment (clause 6.1.2)


Task 4: Risk Management: Information Security Risk Treatment (clause 6.1.3)


Group activities logs




The project will be marked out of 100%, and will be scaled to 60% as the module contribution.

Peer Assessment:

  • Group members will have to complete a contribution form, collectively agreeing the percentage of the project stake (out of 100%) their peers deserved based on the contribution evidenced in the “Group Journal”;
  • The contribution form must be submitted along with the completed project document. This will eventually determine the mark each group member deserved to get;
  • Should there be any dispute or disagreement in the peer assessment, the tutor will step-in and carry out the tutor-led individual assessment, using all means including interview, assessment on the domain knowledge, feedback from peers etc., to determine the project stake deserved by each group member.

6. Online Submission

The final structured project document will be submitted to Blackboard according to the due date (see Page 1 of this document).

100% Plagiarism Free & Custom Written, Tailored to your instructions
paypal checkout

Our Giveaways

Plagiarism Report

for £20 Free


for £12 Free

Title page

for £10 Free


for £18 Free


for £9 Free

Limitless Amendments

for £14 Free

Get all these features for
£83.00 FREE