ISO 27001 Lab Series: Establishing the Context of a Software Development Company.

Umar Farouk
Feb 2, 2024 · 9 min read


This is the first page of the document that establishes organization context.

So far in the ISO 27001 series, we have been familiarizing ourselves with the various clauses found in the main section of the standard. As a firm believer in putting learning into action, I have made up a use case for us: build a business and establish an ISMS for it that is auditable and compliant with ISO 27001.

We will start today by establishing the "context," both internal and external, for a software development company. Over the coming weeks we will apply the knowledge from the previous articles, producing documentation as we did in the NIST RMF series. Let's go!

The Scenario

I started by thinking of a name for the company (it took more time than you'd expect).

We already know that it is a software development company. I named it (drum roll, please) "DevEngineers." We covered context in a previous article, where we established that "context" is the reason the organization exists: its objectives, values, vision, number of staff, and so on.

DevEngineers is dedicated to providing full-cycle, end-to-end software development services. DevEngineers aims to help companies launch their projects, adopt advanced technologies, switch to digital-first strategies, and grow their businesses. With more than 100 custom software solutions delivered, DevEngineers is trusted by startups, SMBs, and over 50 enterprises in Nigeria. We empower our clients to deliver improved experiences to their customers and employees, gain competitive advantages, and enhance internal efficiency.

We have been hired to set DevEngineers on a path to ISO 27001 certification. Where do we start? Of course, we need to understand everything that is unique about DevEngineers, from the people to the processes to the technology.

Organization Structure

As part of the context of DevEngineers, we need to understand the structure in place: the number of employees at the firm, the roles they play, the responsibilities they have, and the chain of command and communication.

DevEngineers has 15 staff across 5 departments. Kabir Umar is the CEO and Chinaza Obi is the head of project management. Amina Sunmonu is the quality assurance head, Salman Abubakar heads development, and Abimbola Adesina heads support and maintenance.

Vision

The mission of DevEngineers Solutions is to empower businesses through innovative and secure software solutions, ensuring the confidentiality, integrity, and availability of their critical information assets. At DevEngineers, we strive to be a trusted partner for our clients, providing them with cutting-edge web applications tailored to their unique needs while adhering to the highest standards of information security.

Mission

At DevEngineers, our mission is to empower businesses through innovative and secure software solutions. We are dedicated to delivering high-quality, customized web applications that not only meet but exceed the expectations of our clients. Our commitment to information security is unwavering, ensuring the confidentiality, integrity, and availability of our clients' critical data. Through continuous collaboration, ethical conduct, and a focus on client empowerment, we strive to be the trusted partner that propels businesses forward in an ever-evolving digital landscape. At DevEngineers, we don't just develop software; we build lasting relationships and contribute to the success of our clients by providing solutions that stand the test of time.

Values

  • Integrity: We uphold the highest standards of integrity in all our interactions and business practices.
  • Innovation: We foster a culture of continuous innovation, encouraging creative thinking and exploration of new ideas and technologies.
  • Security First: We prioritize the security of our clients’ information assets, implementing robust measures to safeguard confidentiality, integrity, and availability.
  • Client-Centric Focus: We are committed to understanding and meeting our clients’ needs, providing tailored solutions that contribute to their success.
  • Quality Excellence: We strive for excellence in all aspects of our work, emphasizing quality in software development, testing, and client service.

Activities

DevEngineers provides many services to ensure that client specifications are met: collaborating with project managers to understand project specifications, conducting code reviews to ensure code quality and security, integrating new technologies and frameworks, and debugging and troubleshooting software issues.

The various departments at DevEngineers carry out the following functions to support the delivery of software:

Project Management Department

  • Planning and scheduling project timelines and milestones.
  • Allocating resources and managing project budgets.
  • Communicating with clients to gather and clarify project requirements.
  • Coordinating activities between development, QA, and support teams.
  • Monitoring project progress and ensuring timely delivery.
  • Identifying and managing project risks.

Quality Assurance (QA) Department

  • Developing and executing test plans and test cases.
  • Testing software applications to identify bugs and issues.
  • Collaborating with developers to address and resolve identified issues.
  • Conducting performance testing and security testing.
  • Ensuring the overall quality of deliverables before client deployment.

Support and Maintenance Department

  • Providing ongoing support to clients for deployed applications.
  • Addressing and resolving reported issues and bugs.
  • Implementing updates, patches, and enhancements to existing applications.
  • Monitoring application performance and reliability.
  • Managing service level agreements (SLAs) with clients.

Security and Compliance

  • Implementing and enforcing information security policies and procedures.
  • Conducting regular risk assessments and vulnerability assessments.
  • Managing access controls and ensuring data confidentiality.
  • Overseeing incident response and security awareness training.
  • Ensuring compliance with industry standards and regulations.

Human Resources

  • Recruitment and onboarding of new employees.
  • Employee training and development programs.
  • Performance management and evaluations.
  • Managing employee relations and resolving conflicts.
  • Ensuring compliance with employment laws and regulations.

General Business Activities

  • Client meetings to discuss project requirements and updates.
  • Collaboration sessions among departments to enhance communication.
  • Regular team meetings for status updates and project planning.
  • Continuous learning and training programs for employees.
  • Internal audits and assessments for ISO 27001 compliance.

Stakeholders

As part of defining the internal context of DevEngineers, we must not forget the relevant stakeholders, without whom DevEngineers would not operate.

  • Our clients: DevEngineers' primary stakeholder is its client base. They primarily request custom web application development services.
  • Employees: The team working within DevEngineers, including developers, project managers, support staff, and administrative personnel.
  • Leadership/Management: The leadership team, including the CEO and heads of departments, is responsible for strategic decision-making and guiding the overall direction of the company.
  • Investors/Shareholders: The individuals and groups that have invested in DevEngineers and hold shares in the company.
  • Partners and Collaborators: Other companies or organizations that collaborate with DevEngineers on projects, partnerships, or business initiatives.

External Context

The external context of DevEngineers would include the laws and regulations that apply, as well as the external threat landscape.

Regulations

The context of any organization, and DevEngineers is no different, includes the regulatory and legal responsibilities it has. Some of the relevant regulatory instruments that apply to DevEngineers include:

  • NDPR Implementation Framework
  • Guidelines for The Management of Personal Data by Public Institutions in Nigeria, 2020
  • Guidelines for Nigerian Content Development in Information and Communication Technology (ICT)
  • Framework and Guidelines for Public Internet Access
  • Guidelines for Clearance of Information Technology (IT) Project by Public Institutions
  • Guidelines for Registration of ICT Service Providers and Contractors for Delivery of Their Services to MDAs
  • Nigerian e-Government Interoperability Framework (Ne-GIF)

Purpose and Scope of the ISMS

We need to remember that this is all for the purpose of establishing an ISMS for DevEngineers. We are required to define the purpose and scope of this ISMS.

The purpose of the ISMS is to:

  1. Understand the needs of DevEngineers and the necessity of establishing an information security management policy and objectives.
  2. Implement and operate controls and measures for managing DevEngineers' overall capability to manage information security incidents.
  3. Monitor and review the performance and effectiveness of the ISMS.
  4. Continually improve DevEngineers' information security based on objective measurement.

This purpose applies to the scope of the ISMS, as defined below.

Scope of the ISMS

The defined scope of DevEngineers’ ISMS takes into account the internal and external factors referred to in sections 4.2 and 4.3. It also reflects the needs of interested parties and the legal and regulatory requirements that are applicable to the organization.

The scope is defined below in terms of the parts of DevEngineers, its products and services, and the related activities.

Organizational

The ISMS includes the following parts of DevEngineers:

  • General Business Activities
  • Support and Maintenance
  • Project Management
  • Quality Assurance (QA)
  • Security and Compliance

Products and Services

The following products and services are within the scope of the ISMS:

Services:

  1. Custom Software Development: DevEngineers specializes in creating bespoke software applications tailored to the unique requirements of clients across various industries.
  2. Web Application Development: The company excels in designing and developing web-based applications, ranging from e-commerce platforms to business management tools.
  3. Mobile App Development: DevEngineers offers mobile app development services, creating applications for both iOS and Android platforms to meet the growing demand for mobile solutions.
  4. Quality Assurance and Testing: The QA department ensures the reliability and performance of software applications through rigorous testing, including functional testing, security testing, and performance testing.
  5. Support and Maintenance: DevEngineers provides ongoing support and maintenance services to ensure the smooth operation of deployed applications. This includes bug fixes, updates, and enhancements.
  6. Project Management: The project management team oversees the planning, execution, and monitoring of software development projects to ensure timely delivery and client satisfaction.

Products:

  1. SecureWebGuard: A web application firewall (WAF) product designed to protect web applications from various online threats, including SQL injection and cross-site scripting attacks.
  2. DataGuard+: A comprehensive data protection and encryption product to safeguard sensitive information and ensure compliance with data protection regulations.
  3. MobileSecure: A mobile security suite that includes secure coding guidelines, encryption protocols, and secure authentication mechanisms for mobile app development.
  4. AuditTrail Pro: A logging and auditing solution designed to track and monitor user activities within applications, aiding in compliance and security management.
  5. SecureCommerce Platform: An e-commerce platform that incorporates secure payment processing, PCI DSS compliance, and advanced security features to protect customer data.

Conclusion

Establishing and understanding the unique context of an organization is the first step towards building a culture, cyber hygiene, and an ISMS. I hope to have you on this journey as we break the veil on one of the most sought-after standards today.

I hope you have found value in today’s article. Consider clapping, subscribing and following me on my socials. If you need the document used in this lab, I am a DM away.
