This project reflects the type of work I support in real-world engagements. The documentation consolidates insights from that experience alongside my ongoing self-directed study. All materials use synthetic data—no client information is reproduced—and the templates are either self-developed or properly licensed and are not proprietary to any organisation.
Played a supporting role in the design and implementation of an ISO 27001 ISMS for a Nigerian payment service provider, securing payment systems, aligning with PCI DSS and CBN regulations, and establishing a scalable, trust-based foundation for growth.
- Context & Scope: Defined the business environment, regulatory obligations, and a moderate risk appetite.
- Governance: Used a RACI model to assign accountability, designating the CTO as the operational security owner.
- Operational Processes: Established procedures for communication, document control, and risk assessment using a 3x3 matrix.
- Assurance: Closed the PDCA loop with an internal audit program and a metrics calendar to track KPIs and drive improvement.
- Incomplete Risk Treatments: Vendor delays slowed remediation, as flagged in the Metrics Calendar. This highlighted the need for stronger vendor management.
- Security Awareness Gaps: New hires and shift staff missed training, underscoring the need for sessions integrated into onboarding.
- Procedural Lapses: Controls such as the emergency contact list were maintained informally, validating the need for enforced document control.
The project confirmed that an effective ISMS is an operational enabler. Clear ownership, repeatable processes, and measurable outcomes create a system that finds and fixes its own gaps.