Date of Publication


Document Type

Master's Thesis

Degree Name

Master in Information Security

Subject Categories

Information Security


College of Computer Studies


Computer Technology

Thesis Advisor

Michelle Renee D. Ching

Defense Panel Chair

Arlyn Verina O. Tiu

Defense Panel Member

Michelle Renee D. Ching


The 21st century has seen data emerge as the new oil. The significance of information in making management decisions has increased, making it essential to ensure that it retains the fundamental features of confidentiality, integrity, and availability. Most organizations believe that information security is a technological issue that can be resolved through technology alone. However, it is a comprehensive process that requires risk management, and developing an information security policy is the primary step toward mitigating such risks. This study aims to help a government agency protect its IT services against cyber attacks by developing issue-specific policies (ISSPs) and a compliance roadmap based on the ISO 27001:2013 standard. The study used the Capability Maturity Model for Integration (CMMI) to conduct a gap analysis and a high-level risk assessment to identify the risks that form the basis of the policies developed. Data triangulation validated the conducted interviews, observations, and analysis of presented documents. The project developed twelve (12) ISSPs to mitigate the seven (7) high risks identified, and the policies' applicability, scope, purpose, penalties, effectiveness, coherence, and completeness were assessed through an expert review. The project concludes by providing the agency's compliance roadmap to ISO 27001:2013 certification, based on the standard's Plan-Do-Check-Act (PDCA) cycle. For future work, the author recommends completing policies for medium and low risks, implementing the policies, and following the compliance roadmap. The author also recommends conducting a detailed risk assessment, creating an enterprise information security policy (EISP), and engaging with an accredited certification body for an external audit to achieve ISO 27001 certification.

Keywords: Information Security, ISO 27001:2013, Issue-specific security policies, gap analysis, high-level risk assessment, compliance roadmap

Abstract Format






Physical Description

195, [5] leaves


Information technology; Computer security; Electronic data processing--Security measures



Embargo Period


Available for download on Monday, April 01, 2024