adeolasopade/Risk-Assessment-and-Treatment

A structured ISO 27001-based risk assessment and treatment plan to identify and mitigate critical business continuity and data security threats.

Risk Assessment & Treatment

This project draws on real consulting work, with all company details fully anonymised.


Carried out a targeted information security risk assessment for Luxburgers Limited, focusing on high-impact personnel, customer data, and POS systems.

The goal was to identify critical operational threats, such as reliance on single individuals, unsecured communications, and procedural weaknesses, that could disrupt business continuity and compromise sensitive data.


The Approach

The methodology was anchored in the ISO 27001:2022 framework.

  • Built the Information Asset Register (Sheet 6) to catalogue critical assets, from key personnel to POS machines.
  • These were mapped to relevant threats from the Threat Catalogue (Sheet 7).
  • Risks were scored using the Risk Matrix (Sheets 4 & 5) and assigned named owners.
  • The final Risk Assessment-Treatment Plan (Sheet 3) defined specific actions, linked them to ISO controls, and set deadlines.
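The scoring and treatment-plan step above, as an added example that is not part of the project's spreadsheets: it assumes a 5x5 likelihood-by-impact matrix with four rating bands, a "Medium" risk appetite, constructed owner names, and an Annex A control mapping that is this example's own assumption rather than the project's Sheet 3.

```python
from dataclasses import dataclass

# Assumed 5x5 qualitative scales; the project's Sheets 4 & 5 may use different bands.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_BANDS = [(15, "Critical"), (8, "High"), (4, "Medium"), (1, "Low")]
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Risk:
    asset: str          # entry from the Information Asset Register (Sheet 6)
    threat: str         # entry from the Threat Catalogue (Sheet 7)
    likelihood: str
    impact: str
    owner: str          # every risk carries a named owner
    treatment: str
    controls: tuple     # ISO 27001:2022 Annex A references (assumed mapping)

def score(likelihood: str, impact: str) -> int:
    """Inherent risk score = likelihood x impact on the assumed 5x5 matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def rating(s: int) -> str:
    """Map a score to the first band whose floor it reaches."""
    return next(label for floor, label in RATING_BANDS if s >= floor)

def treatment_plan(risks, appetite="Medium"):
    """Rank risks by score; anything rated above the appetite needs treatment."""
    plan = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        lvl = rating(s)
        plan.append({
            "asset": r.asset, "threat": r.threat, "score": s, "rating": lvl,
            "owner": r.owner, "treat": RATING_ORDER[lvl] > RATING_ORDER[appetite],
            "action": r.treatment, "controls": r.controls,
        })
    return sorted(plan, key=lambda p: p["score"], reverse=True)

# Constructed register entries mirroring the three findings in this README.
REGISTER = [
    Risk("General Manager", "Single point of failure (supplier/finance knowledge)",
         "likely", "severe", "Managing Director",
         "Cloud supplier database, cross-training, alternate bank signatories", ("A.5.37",)),
    Risk("POS terminals", "Tampering by disgruntled staff", "possible", "major",
         "Operations Manager", "Hardware Security Policy, timely pay, awareness training", ("A.6.3",)),
    Risk("Staff workstations", "Unapproved software and personal email", "almost certain",
         "moderate", "IT Lead", "Whitelisting, DLP, auto-sync to secure cloud", ("A.8.19", "A.8.12")),
]
```

Calling `treatment_plan(REGISTER)` returns the three risks ordered by score with a `treat` flag set wherever the rating exceeds the chosen appetite.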

Practical Insights & Recommendations

  • Critical Single Point of Failure: The General Manager was the sole custodian of supplier contacts and financial knowledge. Recommendation: Create a cloud-hosted supplier database, cross-train staff, and appoint alternate bank signatories.

  • Human-Fuelled Insider Threat: POS terminals were at high risk of tampering by disgruntled staff due to delayed salaries. Recommendation: Enforce a Hardware Security Policy, ensure timely salary payments, and provide targeted security awareness training.

  • Systemic Procedural Violation: Staff habitually used unapproved software and personal email. Recommendation: Implement software whitelisting, Data Loss Prevention (DLP) controls, and mandate automatic file syncing to secure cloud storage.


Reflection & Learning

The project highlighted that the most significant risks are often enabled by process, not a lack of technology. A policy is ineffective if daily habits bypass it.

For future assessments, conducting pre-assessment stakeholder interviews would better uncover these cultural realities, leading to more accurate risk scoring and directly actionable treatments.


Linked Project Documents
