The risk assessment and treatment approach in order to provide LAN security based on the ISMS standard
Local Area Networks (LANs) have become an important instrument for organizing processes and information communication in an organization. They serve important purposes such as pooling large amounts of data, hardware and software resources and expanding optimal communication. Because these networks handle valuable information, providing security is an important issue for the organization, so the establishment of an information security management system (ISMS) in the organization is significant. In this paper, we introduce the ISMS and its implementation within the scope of a LAN. The assets of the LAN and the threats and vulnerabilities of these assets are identified, the risks are evaluated, techniques to reduce them are described, and as a result the security establishment of the network is expressed.
💡 Research Summary
The paper addresses the growing importance of Local Area Networks (LANs) as the backbone of organizational communication and data exchange, and argues that the security of these networks must be managed through a structured Information Security Management System (ISMS) in line with ISO/IEC 27001 and ISO/IEC 27005 standards. The authors first enumerate LAN assets, categorizing them into hardware (switches, routers, servers, workstations), software (operating systems, network services, applications), data (in‑transit confidential information, logs), and human resources (administrators, end‑users). For each asset, the classic CIA triad—confidentiality, integrity, availability—is used as a lens to identify relevant threats such as physical intrusion, malware infection, insider misuse, denial‑of‑service attacks, and man‑in‑the‑middle eavesdropping.
A vulnerability assessment follows, revealing common gaps: unpatched operating systems and firmware, default passwords, unnecessary open ports, misconfigured VLANs, insufficient logging, and lack of formal security policies. The risk assessment phase adopts the ISO/IEC 27005 methodology: asset value, threat likelihood, and vulnerability severity are quantified, and a risk matrix classifies risks into high, medium, and low categories. High‑risk scenarios include unauthorized access to switch management interfaces, exploitation of server OS vulnerabilities, and illicit exfiltration of critical data.
Risk treatment options—avoidance, transfer, acceptance, and mitigation—are then mapped to each identified risk. The paper emphasizes mitigation for high‑risk items and proposes concrete controls: (1) physical access controls (key cards, CCTV), (2) perimeter firewalls and IDS/IPS, (3) VLAN segmentation and ACLs, (4) regular patch management and vulnerability scanning, (5) strong authentication and password policies, (6) centralized log collection, analysis, and retention, and (7) ongoing security awareness training. These controls are explicitly linked to Annex A of ISO/IEC 27001, ensuring that the LAN security objectives align with recognized governance requirements.
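The assessment and treatment steps described in the two paragraphs above, carried through in code as an added example (not code from the paper or its authors). The scoring scales, the multiplicative risk score, the band thresholds, the default treatment per band, the mapping of the seven control groups to threats and the sample register are all assumptions chosen for illustration; ISO/IEC 27005 does not prescribe a single formula and the summary does not give the paper's own scales.

```python
"""Added example: a small ISO/IEC 27005-style risk register for a LAN.

Illustration code written for this page, not code from the paper.
Assumptions: each factor is scored 1..5, risk = asset_value * likelihood *
severity (range 1..125), and the thresholds below split that range into
the paper's low / medium / high classes. The control mapping uses the seven
control groups listed in the summary, but which control addresses which
threat is an assumed mapping, not one given by the paper.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Level(str, Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Assumed thresholds on the 1..125 product scale.
HIGH_THRESHOLD = 45
MEDIUM_THRESHOLD = 15

# Assumed mapping from risk class to treatment option. The summary says
# mitigation is emphasised for high-risk items; medium and low handling here
# is an assumption for illustration.
TREATMENT = {Level.HIGH: "mitigate", Level.MEDIUM: "mitigate", Level.LOW: "accept"}

# The seven control groups from the summary, keyed by threat (assumed mapping).
CONTROLS = {
    "unauthorized access to switch management interface": [
        "strong authentication and password policy",
        "VLAN segmentation and ACLs",
        "centralized log collection and analysis",
    ],
    "exploitation of server OS vulnerability": [
        "regular patch management and vulnerability scanning",
        "perimeter firewall and IDS/IPS",
    ],
    "malware infection": [
        "regular patch management and vulnerability scanning",
        "security awareness training",
        "centralized log collection and analysis",
    ],
    "denial of service": ["perimeter firewall and IDS/IPS", "VLAN segmentation and ACLs"],
    "physical intrusion": ["physical access controls (key cards, CCTV)"],
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int  # 1..5
    likelihood: int   # 1..5
    severity: int     # 1..5

    def __post_init__(self) -> None:
        # Reject out-of-scale input instead of silently producing a wrong score.
        for name in ("asset_value", "likelihood", "severity"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.asset_value * self.likelihood * self.severity


def classify(score: int) -> Level:
    """Place a product score into the high / medium / low risk matrix bands."""
    if score >= HIGH_THRESHOLD:
        return Level.HIGH
    if score >= MEDIUM_THRESHOLD:
        return Level.MEDIUM
    return Level.LOW


def treatment_plan(register: list[Risk]) -> list[dict]:
    """Attach class, treatment option and controls to every risk, highest
    score first, which is the order a treatment plan works through them."""
    plan = []
    for risk in register:
        level = classify(risk.score)
        mitigating = TREATMENT[level] == "mitigate"
        plan.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "score": risk.score,
            "level": level,
            "treatment": TREATMENT[level],
            # Controls are only listed where the plan actually mitigates.
            "controls": CONTROLS.get(risk.threat, []) if mitigating else [],
        })
    return sorted(plan, key=lambda row: row["score"], reverse=True)


def residual(risk: Risk, likelihood: int, severity: int) -> Risk:
    """Re-score a risk after controls are in place. Asset value is unchanged;
    only the re-estimated likelihood and severity move, and __post_init__
    validation runs again on the new instance."""
    return replace(risk, likelihood=likelihood, severity=severity)


# Constructed sample register, not data from the paper.
SAMPLE_REGISTER = [
    Risk("core switch", "unauthorized access to switch management interface",
         "default password reachable from user VLAN", 5, 4, 5),
    Risk("file server", "exploitation of server OS vulnerability",
         "unpatched operating system", 5, 3, 4),
    Risk("workstation", "malware infection",
         "users open untrusted attachments", 2, 4, 3),
    Risk("network printer", "denial of service",
         "unnecessary open management ports", 1, 2, 2),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(f"{row['score']:>3} {row['level'].value:<6} {row['treatment']:<8} "
              f"{row['asset']}: {row['threat']}")
        for control in row["controls"]:
            print(f"       - {control}")
    # Once the management interface sits behind ACLs and the default password
    # is gone, likelihood drops but the impact of a compromise does not.
    after = residual(SAMPLE_REGISTER[0], likelihood=1, severity=5)
    print("residual for core switch:", after.score, classify(after.score).value)
```

Two points the code makes that the prose does not: the ordering of the plan falls out of the score, so the "high-risk items first" emphasis is a property of the register rather than a separate decision, and re-scoring after treatment lowers likelihood while leaving asset value and severity alone, which is why a treated high risk usually lands in the medium band rather than disappearing.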
The authors integrate the risk treatment plan into the ISMS lifecycle using the Plan‑Do‑Check‑Act (PDCA) cycle. Security policies, procedures, and technical controls are continuously reviewed through internal audits and external assessments; findings feed back into policy revisions, technical updates, and training programs. Incident response and recovery procedures are also defined to preserve availability in the event of a breach.
Overall, the study demonstrates that applying an ISMS‑based, risk‑centric approach to LAN environments enables organizations to systematically identify, evaluate, and reduce security risks. The methodology is scalable, making it suitable for both small‑to‑medium enterprises and large corporations, and provides a practical roadmap for achieving LAN security that complies with international standards.