
MSc Cybersecurity — Robert Gordon University

Information Security Risk Assessment & ISO 27001 / NIST Gap Analysis

December 2024
Tags: Cybersecurity, ISO 27001, NIST CSF, Risk Assessment, Compliance, Governance

Conducted an enterprise information security risk assessment, developed a risk register, and performed a gap analysis against ISO 27001 and NIST CSF. Designed a 1-year security improvement programme to strengthen cyber hygiene and compliance posture.

Overview

This MSc project applied formal risk management and compliance frameworks to an enterprise security assessment. The output was a structured risk register, a gap analysis against two major frameworks (ISO 27001 and NIST CSF), and a prioritised 1-year security improvement programme — the deliverable format used by information security consultants and GRC professionals.

Scope

The assessment covered the full information security risk landscape of a simulated enterprise, including:

  • Physical and logical access controls
  • Data classification and handling
  • Network security posture
  • Endpoint protection
  • Incident response capability
  • Third-party and supply chain risk
  • Business continuity and disaster recovery

Risk Assessment Methodology

Risk Register Development

  • Identified information assets and their criticality to business operations
  • Assessed threats to each asset: technical, physical, and human
  • Evaluated existing controls and their effectiveness
  • Calculated residual risk (likelihood × impact, with both factors scored as they stand once existing controls are taken into account) for each identified risk
  • Prioritised risks by residual risk rating for treatment planning
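The register steps above, worked through in Python as an added example (this is not the project's own register or scoring scheme): each entry carries an inherent and a residual likelihood/impact pair, residual risk is scored as likelihood × impact, scores are banded, and the register is sorted for treatment. The 5×5 scales, the band thresholds, the mapping from band to programme phase and the four sample risks are all constructed assumptions.

```python
"""Risk register scoring and prioritisation.

Added example, not the project's own register: scales, band thresholds,
the band-to-phase mapping and the four sample risks are all constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed 5x5 ordinal scales: 1 = very low ... 5 = very high.
SCALE = range(1, 6)

# Residual-score bands (score = likelihood x impact, 1..25). Thresholds are
# an assumption; an organisation fixes them in its risk methodology.
BANDS = ((16, "Critical"), (10, "High"), (5, "Medium"), (1, "Low"))

# Assumed link between residual band and the improvement-programme phase
# in which the risk is treated.
PHASE_FOR_BAND = {
    "Critical": "Phase 1 (months 1-3)",
    "High": "Phase 2 (months 4-6)",
    "Medium": "Phase 3 (months 7-12)",
    "Low": "Accept and monitor",
}


def rating(score: int) -> str:
    """Map a likelihood x impact score to a band name."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score {score} below the lowest band")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    inherent_likelihood: int   # scored with no controls in place
    inherent_impact: int
    residual_likelihood: int   # scored with existing controls operating
    residual_impact: int
    controls: tuple[str, ...] = ()

    def __post_init__(self) -> None:
        scores = (self.inherent_likelihood, self.inherent_impact,
                  self.residual_likelihood, self.residual_impact)
        if any(s not in SCALE for s in scores):
            raise ValueError(f"{self.risk_id}: scores must be in 1..5")
        # Existing controls can only reduce risk; a residual score above the
        # inherent score means the assessment is inconsistent.
        if self.residual_score() > self.inherent_score():
            raise ValueError(f"{self.risk_id}: residual exceeds inherent risk")

    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def control_effectiveness(self) -> float:
        """Fraction of inherent risk removed by existing controls (0..1)."""
        return 1 - self.residual_score() / self.inherent_score()

    def band(self) -> str:
        return rating(self.residual_score())


def treatment_phase(risk: Risk) -> str:
    """Programme phase in which the risk is treated (assumed mapping)."""
    return PHASE_FOR_BAND[risk.band()]


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order for treatment: highest residual first, inherent score as the
    tie-break, then risk ID so the ordering is reproducible."""
    return sorted(register,
                  key=lambda r: (-r.residual_score(), -r.inherent_score(), r.risk_id))


def band_counts(register: list[Risk]) -> dict[str, int]:
    """Headline figures for a leadership summary, e.g. {'Critical': 1, ...}."""
    return dict(Counter(r.band() for r in register))


def sample_register() -> list[Risk]:
    """Four constructed entries for a fictional enterprise."""
    return [
        Risk("R-01", "Customer database", "Ransomware delivered by phishing",
             4, 5, 3, 3, ("email filtering", "offline backups")),
        Risk("R-02", "Domain controllers", "Credential theft and lateral movement",
             4, 5, 4, 5, ("password policy",)),
        Risk("R-03", "Server room", "Unauthorised physical access",
             2, 4, 1, 4, ("badge access", "CCTV")),
        Risk("R-04", "Payroll SaaS provider", "Supplier data breach",
             3, 4, 3, 4, ("contractual security clauses",)),
    ]


if __name__ == "__main__":
    for r in prioritise(sample_register()):
        print(f"{r.risk_id} {r.band():8} residual={r.residual_score():2} "
              f"(inherent {r.inherent_score()}, controls remove "
              f"{r.control_effectiveness():.0%}) -> {treatment_phase(r)}")
    print(band_counts(sample_register()))
```

The consistency check in Risk rejects a residual score above the inherent one, which is the most common data-entry error in a hand-built register. Recording both scores also lets the register state control effectiveness as a number rather than a narrative, which is what the gap analysis and treatment plan need to justify spend.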

ISO 27001 Gap Analysis

Assessed the organisation's current controls against the ISO 27001:2022 Annex A control set (93 controls grouped into four themes: organisational, people, physical and technological). For each control:

  • Current state documented
  • Implementation status recorded (fully implemented / partially implemented / not implemented) and the gap to the control's intent identified
  • Priority for remediation assigned

NIST CSF Gap Analysis

Applied the five NIST Cybersecurity Framework core functions (Identify, Protect, Detect, Respond, Recover) to assess maturity across the full security lifecycle. NIST CSF 2.0, published in February 2024, adds a sixth function, Govern, covering cybersecurity risk strategy, policy, roles and oversight; an assessment against the current framework should score that function as well.

1-Year Security Improvement Programme

The improvement programme was structured in three phases:

Phase 1 (Months 1–3): Foundation

  • Critical risk remediations (highest residual risk items)
  • Asset inventory completion and classification
  • Incident response plan development and testing

Phase 2 (Months 4–6): Control Strengthening

  • ISO 27001 high-priority gap remediations
  • Security awareness training programme
  • Third-party risk assessment process

Phase 3 (Months 7–12): Maturity & Compliance

  • NIST CSF maturity improvements
  • Business continuity plan testing
  • Preparation for ISO 27001 certification audit (if in scope)

Key Learnings

Risk management frameworks like ISO 27001 and NIST CSF are most valuable not as compliance checklists but as structured vocabularies for having honest conversations about where an organisation's security controls are strong, where they are weak, and what the cost of that weakness is in business terms. A gap analysis that produces a list of compliance items without a risk-based prioritisation is not useful; one that translates gaps into residual risk and remediation cost gives leadership something actionable. That translation is the professional skill this project developed.