Abstract [eng]
This thesis examines the problem of information security management in a small agricultural enterprise where, due to limited human and financial resources, security measures are often implemented only partially and information security is treated as an additional cost, even though customer, supplier, and other financial data are processed on a daily basis. The aim of the thesis is to apply the principles of the ISO 27001 and ISO 27005 standards to the management of information system risks and security methods in the company. The theoretical part reviews the fundamentals of the ISO 27000 series standards, the concept of risk and the logic of risk assessment, and also discusses the legal and guidance context (GDPR, NKSC, NIST). The practical part includes an analysis of the company’s information environment, the definition of assessment boundaries, the identification of threats and vulnerabilities, the development of a risk matrix and a risk register, and the preparation of a risk management plan. It also analyzes typical incident scenarios such as phishing emails, point-of-sale computer disruptions, or the loss of NVR recordings, and defines monitoring and incident logging principles. Based on the obtained results, an information security improvement model is presented, which is focused on minimally sufficient but consistent management according to the PDCA cycle, a clear allocation of responsibilities, the selection of priority controls in line with ISO 27001, a minimal set of documents, and an implementation plan that enables the assessment of before-and-after changes and residual risk.
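The abstract describes building a risk matrix and a risk register and then comparing risk before and after treatment. The following Python is an added illustration of that ISO 27005-style workflow, not the thesis's own register or tooling: the 5x5 likelihood-by-impact scale, the band thresholds, the risk appetite, the per-control step reductions and the three sample entries (modelled on the phishing, point-of-sale and NVR scenarios the abstract names) are all constructed assumptions that a real assessment would replace with its own values.

```python
"""Minimal ISO 27005-style risk register with inherent and residual scoring.

Added example, not from the thesis. The scale, bands, appetite, control
effects and sample entries are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Semi-quantitative 5x5 matrix: likelihood (1-5) x impact (1-5) gives 1-25.
# Band thresholds are an assumed convention; each organisation fixes its own.
BANDS = ((1, 4, "low"), (5, 9, "medium"), (10, 15, "high"), (16, 25, "critical"))
# Assumed risk appetite: bands the owner accepts without further treatment.
RISK_APPETITE = {"low", "medium"}


def band(score: int) -> str:
    """Map a matrix score to its qualitative band."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside the 1-25 matrix")


@dataclass
class Control:
    """A treatment option and the matrix steps it is assumed to remove."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1-5 before treatment
    impact: int      # 1-5 before treatment
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    def inherent_score(self) -> int:
        """Risk before any treatment."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the selected controls; neither factor drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def build_register(risks: List[Risk]) -> List[Dict]:
    """Rank risks by inherent score and flag those whose residual band exceeds appetite."""
    rows = []
    for r in risks:
        inh, res = r.inherent_score(), r.residual_score()
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": inh,
            "inherent_band": band(inh),
            "residual": res,
            "residual_band": band(res),
            "treatment": [c.name for c in r.controls],
            "needs_further_treatment": band(res) not in RISK_APPETITE,
        })
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


# Constructed sample entries mirroring the incident scenarios named in the abstract.
SAMPLE_RISKS = [
    Risk("finance workstation", "phishing e-mail with fake invoice",
         "no awareness training, single-factor mailbox login", likelihood=4, impact=4,
         controls=[Control("staff awareness training", likelihood_reduction=1),
                   Control("MFA on mailbox and call-back before changing supplier bank details",
                           impact_reduction=2)]),
    Risk("point-of-sale computer", "malware or hardware failure stops sales",
         "single machine, no tested restore", likelihood=3, impact=4,
         controls=[Control("spare POS image and tested restore procedure", impact_reduction=2)]),
    Risk("NVR recordings", "disk failure or theft of the recorder",
         "recordings kept only on the NVR", likelihood=2, impact=3,
         controls=[Control("weekly export of recordings to off-site storage", impact_reduction=1)]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        status = "TREAT FURTHER" if row["needs_further_treatment"] else "accepted"
        print(f"{row['asset']:<24} inherent {row['inherent']:>2} ({row['inherent_band']:<8}) "
              f"residual {row['residual']:>2} ({row['residual_band']:<8}) {status}")
```

Running the module prints the register ranked by inherent score, which is the order in which a small company with limited resources would schedule its treatment plan; the residual column is the "after" figure the abstract's improvement model compares against the "before", and any row still flagged for further treatment is the candidate for the next PDCA iteration.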