Assessing Information Security Management Using an ISO 27001:2013 Framework: A Case Study at Ethio Telecom
Date
2018-11-04
Publisher
Addis Ababa University
Abstract
Nowadays, information is becoming critical for any organization, because it is one of the most valuable assets an organization relies on to operate its business and market interactions. Information security and its management play a great role in keeping an organization's reputation through the preservation of confidentiality, integrity and availability of the systems and services in the telecom sector. An information security management system is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.
Despite its importance for business innovation, information technology has continuously posed new security challenges to business information and information assets. Technical solutions alone cannot be enough to address these challenges; management aspects and fulfillment of information security standards must also be considered. The purpose of this study is to assess the current information security management practices of Ethio telecom based on ISO/IEC 27001 and its controls, and to identify the critical and mandatory requirements for ISM at Ethio telecom based on the ISO/IEC 27001:2013 standard. In this work, attempts were made to examine and compare the available ISM frameworks and standards. This research combines an ISO/IEC 27001 audit checklist with the researcher's own experience to assess the information security practices in the telecom industry.
Both qualitative and quantitative research approaches were used. Data were collected via a questionnaire survey, document analysis and interviews, and the SPSS tool was used to analyze the data. The study results show that the assessed telecom is at diverse states in managing its information security. Moreover, all areas are found to be at a low level of compliance, or non-compliant, with ISM practice with respect to the selected international standard. Critical and mandatory requirements for ISM are developed and evaluated; the evaluation identifies the security requirements and selects controls. Thirteen main ISM requirements are identified as critical and mandatory for the telecom sector, and some others as not mandatory.
Keywords
Information Security, Information Security Management, Information Security Management Framework