ISO/IEC 27001:2022 Case Study
WAN NOOR ASIAH
INTAN BUKIT KIARA
Case Study 1: Access Control Violation
Scenario:
A multinational company conducted an internal audit and discovered that several employees had access to confidential customer data that was unrelated to their job roles. The access control policy states that employees should only have the minimum necessary access.
The HR department had access to financial transaction records, and the finance team could access personnel files.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. What are the risks associated with this issue?
3. How should the organization correct this non-conformity?
Case Study 2: Weak Incident Response Process
Scenario:
A retail company suffered a cyberattack where hackers exfiltrated customer credit card data. The IT team detected unusual network traffic but did not report it to management until three days later.
Upon review, the organization found that their Incident Response Plan (IRP) had not been updated for two years, and employees were not trained on incident handling procedures.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. What could be the consequences of this incident?
3. What steps should be taken to strengthen the organization’s response?
Case Study 3: Lack of Backup & Disaster Recovery Readiness
Scenario:
A financial institution experienced ransomware that encrypted critical customer records. When attempting to restore backups, the IT team realized the latest backup was six months old and could not be fully restored.
The audit revealed that the company did not test its backup systems regularly, violating ISMS policies.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. How does this impact business continuity?
3. What corrective measures should be taken?
Case Study 4: Weak Password Policy Implementation
Scenario:
During an internal audit at a financial institution, it was discovered that employees used weak passwords such as “12345678” and “password”. Additionally, multi-factor authentication (MFA) was not enforced for accessing critical systems. The password policy stated a minimum of 8 characters but did not require complexity (e.g., numbers, symbols, uppercase letters).
Further investigation found that several accounts had been compromised due to credential stuffing attacks, where attackers used leaked passwords from previous breaches to gain unauthorized access.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. What risks does this pose to the organization?
3. What corrective actions should be taken?
Case Study 5: Unsecured Third-Party Vendor Access
Scenario:
A healthcare organization outsourced its IT support to a third-party vendor. The vendor had unrestricted remote access to the hospital’s systems, including patient records, without proper logging and monitoring.
An audit revealed that the vendor’s employees shared credentials for accessing critical systems, violating security best practices. Additionally, no security assessment was conducted before granting access, and there was no contractual requirement for the vendor to follow the hospital’s security policies.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. What are the potential consequences of this issue?
3. How should this be addressed?
Case Study 6: Lack of Data Encryption for Sensitive Information
Scenario:
An e-commerce company stores customer payment information in a database without encryption. The audit revealed that data was stored in plain text, increasing the risk of data theft.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. What are the risks of not encrypting sensitive data?
3. What actions should be taken to mitigate this risk?
Case Study 7: No Security Awareness Training for Employees
Scenario:
An internal audit at a law firm found that employees regularly clicked on phishing emails and used personal USB drives to transfer company documents.
The organization did not have a formal security awareness training program.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. How can poor security awareness impact the organization?
3. What corrective measures should be implemented?
Case Study 8: Lack of Security Logging & Monitoring
Scenario:
A manufacturing company suffered a ransomware attack that went undetected for 48 hours due to the lack of a centralized logging system.
The audit revealed that no security event logs were reviewed by the IT team.
Questions:
1. Which ISO/IEC 27001:2022 control is violated?
2. What risks arise from inadequate logging and monitoring?
3. What corrective actions should be taken?