dc.description.abstract | Organizations use Information Technology (IT) to respond more effectively and efficiently to a rapidly changing world. The more IT they adopt, the more information security incidents can occur and the greater the impact those incidents can have. To improve information security and reduce the likelihood of risk events, a growing number of government agencies and enterprises adopt the recognized best practice in the field: an Information Security Management System (ISMS).
This thesis is based on a case study of an enterprise in the cloud industry implementing an ISMS. It covers the motivation for implementation, gap analysis, asset inventory, risk assessment, ISMS establishment, awareness training, internal audit, management review, corrective and preventive actions, and third-party certification, through which the enterprise obtained ISO/IEC 27001:2005 certification in early 2011. The contribution of this thesis is to identify the difficulties encountered and their solutions, the benefits obtained, and the critical success factors of implementing an ISMS.
The results indicate that an organization's commitment to putting information security into practice depends on whether its core business function is included in the ISMS scope. With the assistance of professional information security consultants implementing the ISMS through an industry-recognized methodology, the organization can conduct comprehensive risk analysis and adopt information security controls from multiple perspectives. By declaring the implementation scope in the information security policy and creating a dedicated information security organization responsible for cross-team communication and coordination, senior management makes its support and commitment clear to employees. Combined with appropriate information security training to raise employees' awareness, this enables the organization to achieve continuous improvement and sustain long-term business operations.
| en_US |