What you will study
‘In today’s high technology environment, organisations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their systems of internal control’ (Nigel Turnbull, from the preface of the book IT Governance: A Manager’s Guide to Data Security BS 7799/ISO 17799).
Taking a practice-based approach, grounded in an organisation you are familiar with, this module provides the foundational knowledge, understanding, analysis and synthesis that you need to develop a practical information security management system to the standard set by the ISO 27000 family of standards (particularly 27001 and 27002). You will also acquire the personal development skills that you need to keep abreast of important developments in a rapidly changing field.
The module is structured into strands. The main strand has three independent units written to support and extend the module book.
An introduction to information security
You will begin by learning about the current requirements on, and the incentives for, organisations to implement information security. Next, you will study the foundations of the subject, learning to identify and value information as an organisational asset. The protection of information assets is the subject of the British standards on which this module is based. This unit outlines the processes required to satisfy the requirements of these standards.
Information security risk assessment
This unit places in context the issues involved in information security risk assessment, as required by the standard. You will examine the risks that may arise in all relevant aspects of an organisation's operations, including human factors, e-commerce, web services and systems development. You will learn how to conduct a systematic risk assessment that leads to a prioritised list of information security risks for an organisation, together with the requirements for their treatment. The unit concludes with an assignment in which you will carry out a risk assessment for your chosen organisation, based on the information contained in the British standards and the module book.
Information security risk management
In this unit you will complete your study of the development of a fit-for-purpose information security management system through the management of information security risks. You will learn how to be systematic in the choice of controls that treat specific risks, and how to produce the documentation required by the relevant British standards. You will fully explore the technologies that underpin the standard's controls, and complete the unit by considering the topic of planning for when things do go wrong.
The other strands cover professionalism, home information security, information security research, and exploring the leading edge of information security.
This module makes extensive use of videos, podcasts, blogs and other web resources to support your learning. At the end of the module you will be required to carry out some independent research into an issue in information security management, analysing and evaluating the results of your research for presentation in the end-of-module assessment.
The module is based on the current version of the Information Security standard against which an Information Security Management System would be assessed.