Essay Writing Service

Advantages & Disadvantages of Obtaining ISO 27001 Certification: Case Study

Executive Summary

The first part of the report investigates a case study and to identify the risks, threats, vulnerabilities and how these negative things impact Wolverhampton Technology’s productivity and to utilize the correct risk treatments to lessen the impacts that have been implemented by Wolverhampton Technology. The second part of the report contains advantages & disadvantages of obtaining ISO 27001 certification for Wolverhampton technology. The last part of the report will contain how companies can handle major incidents and also discuss  about the roles that are needed to control major incidents.

Table of Contents

1 Introduction………………………………………………………………………………………








2 Risk assessment table

3. What is ISO 27001?

3 ISO 20071

4 Use

4.1 Sub paragraphs

4.1.1 Sub sub paragraphs

5 Numbering

5.1 Table numbering

5.2 Page numbering

6 Critical Evaluation

7 Conclusions

8 References

8.1 Books

8.2 Journals

8.3 Electronic sources

9 Bibliography

10 Glossary

11 Appendix 1 – Map of Wolverhampton Student Union

12 Appendix 2 –

13 Appendix 3 –

1  Introduction

This report examines and identifies the risks in a case study given. By highlighting the risks and to find the best treatments available to lessen the risk. Also, to recognize any other risks that are affecting other organizations by looking into the most common threats and find ways to lessen the risks as well.  The first part of the report will contain a risk assessment table that will cover the things that have been mentioned (risks, threats, treatment options). The second part of the report contains ISO 27001 and why companies use ISO 27001 what are the advantages for organizations implementing ISO 27001 and what are its disadvantages. Lastly, the report will shed light on how companies can handle major incidents and what policies and procedures are needed to be in place when the incident occurs and to ensure that the incident does not show any reoccurrence in the organization’s future or at least to reduce its effects.

2  Risk assessment table

This table identifies the risks, vulnerabilities and treatments options available for Wolverhampton Technology and other organizations.

Risk Identified Person that is harmed Likelihood Consequences Risk treatment options Further action  required
Information sent to the wrong email (Breach of confidentiality) Employees and clients High Information is given to a third party, the third party can misuse the information. The company reputation can be ruined.  Data can easily be made public if work accounts are treated inappropriately.   Wolverhampton Technology are at risks of private documents being leaked online. To train employees how to secure confidential records and vital information. Wolverhampton Technology should make it an essential requirement that   computers have screen savers with passwords and vital documents are restricted to one location and   that are safely secure from unauthorized access. Create a confidentiality policy for Wolverhampton Technology and the employees should be required to sign off that they accept, and be able to read and understand the confidentiality policy. This policy can be used to deter employees from punishment if they break the confidentiality policy.
Backups are taken via removable hard disks 

(No effective backup strategy)

Employees and clients High Hardware failure is a worrying factor. Hardware failure is a frequent incident. Possible effects like deletion, file, theft, natural disasters, accidental damage, catastrophic virus or spyware infections. Also, file corrupted or deleted during system upgrades. Wolverhampton Technology should implement logical security this process works by securing the company’s networks with, running antispyware, firewalls and virus-detection programs on servers and network-addressed storage systems. Cloud Backup. 

Employees of Wolverhampton Technology should consider online backup, this application has many benefits including its added convenience, security and low cost.

Majority of computer running Windows 7,Microsoft office 2010 and XP at Wolverhampton Technology 

(Outdated software)


Wolverhampton Technology is implementing   old systems, there are no security updates. If continuing running Windows XP it is highly vulnerable of encountering malware infection. Criminals will be fully aware of the security holes in the systems because of no security updates. Such malware can be used by malicious hackers. Upgrading computer software is vital for Wolverhampton Technology. They solve problems with the software. For example, no software is perfect and runs smoothly all the time, but the software manufacturer often identifies problems due to feedback received. Also, it will solve security holes in the software. If Wolverhampton Technology PCs are unable to upgrade to newer versions then it’s vital to upgrade their computer systems to the required specification In order to run updated software. Today’s PCs are considerably more powerful, lighter in weight and less expensive than just half a decade ago.
MD unaware of data encryption 

(No Data encryption)


Wolverhampton Technology’s data is unencrypted which is in high risk of data breaches. Malicious hackers are targeting small to mid-sized business these network are more vulnerable to target. Even multinational companies failed to protect their customers’ data either by not encrypting the data, or failing to protect the encryption keys. Wolverhampton Technology should consider Pretty Good Privacy (PGP), a tool that adds a layer of encryption to emails. It creates a public and private encryption key and it attaches to an email address. The MD can publish the public key for employees to see and the MD should keep the private key to his/her self. The MD needs to understand the importance of data encryption, and how it can protect vital information.  To encrypt you can use the free, open-source, cross-platform called TrueCrypt which works with Windows.
PA reminds MD’s password PA has to potential to access to unauthorized accounts they could employ malicious actions and take vital information from the workplace and misuse the sensitive information.  Without the MD’s attention. The PA can potentially leak sensitive information which can harm the organization and shows lack of security. The MD can simply fix this by creating password from a   memorable sentence 

Coming up with a sentence and building an acronym is a great way to create a unique password that can be remembered.

The MD can also create a code by replacing a few letters with numbers purposefully misspelling words or use abbreviations are a way to create a ‘code’ which makes passwords unique and more importantly harder to compromise.
Organization lacks 

information security policy


employees The company doesn’t have a security policy which means employees will likely to leak important information to third parties. Without security policies in place the Wolverhampton technology will not be able to have to guidelines to use the information carefully. To Implement information security   policies which highlights what should be expected from employees within an organization with respect to information systems. The goal is to provide guidelines on how to control the use of systems to reduce the risk to information assets. The Wolverhampton technology should gather information so they can draft a security policy and consult with its stakeholders and finalize the security policy. 

Implementing security polices to minimize data leak and protects the organization from malicious users.

 MD of the company has no  additional security systems ,software or policy  being used with mobile devices (mobile devices 

security device policy)


Wolverhampton Technology’s  senior managers have no mobile security device  policy for its smartphones and tablets. These devices pose a significant risk to information security and data security. The effect of not placing the appropriate security applications and procedures they can create a channel for unauthorized access to Wolverhampton Technology’s data and IT infrastructure.  This can eventually lead to data leakage and system infection. electronic devices must be able to store 

all user-saved passwords in an encrypted password store.

The electronic

Devices must be equipped with a secure password that follows with Wolverhampton Technology’s password policy. The password itself has to be unique as any other credentials used within the organization

With the exception of those devices managed by IT, devices are not allowed to be connected directly to the internal corporate network.

Employees of Wolverhampton Technology must only load data essential to their role onto their mobile devices. 

The employees should report all lost or stolen devices to IT immediately.

If an employee sees something strange like unauthorized access to company data has taken place via a mobile device the employee  must report the incident in alignment with Wolverhampton Technology policy.

(No plans to respond to loss of server) Loss of server can cause data loss. Personal information or the company’s information can be lost on a computer server. Wolverhampton Technology should consider The Windows Server Backup. This program provides a solution to the company day-to-day backup and recovery. 

This tool ensures to back up a full server, It can recover files and documents from the case of disasters like hard disk failures, the user simply performs a system recovery, which will restore the complete system onto the new hard disk.

Virtual full backups use a database to track and manage backed-up data, which helps avoid some of the pitfalls of other backup methods.
MD not complying with  GDPR . Not complying with DPA and GDPR has serious consequences. Including: 

Prosecutions and prison sentences. Organizations have to face course of action in order to further improve their compliance and avoid further consequences from the ICO. Organizations that breach legislation need to have steps in order to follow the law. This is detrimental to an organization because it cause them to shut for a period of time, which can deter employees from working there.  Leaving the company facing hefty fines. Also before any of this can happen, malicious hackers could intercept and steal important data from the work place. Employees will be unaware due to lack of regulations and procedures

One of the big priorities for organizations’ executives  is making sure employers are fully aware of new policies and procedures and know the consequences of not following then. Staff will then become more thoughtful and diligent around the use of data. MD should consider how the business should meet the new requirements for example, data protection protect, data identity, notify of data breaches, and monitoring data usage.
Viruses & Spyware A worm is an example  that can be used to exploit security vulnerabilities which can spread to other computers. Trojan is a program that appears to be harmless but it contains malicious contents. Trojan is known for executing many malicious and criminals tasks. Viruses will harm computer system’s performance or stored data. Some can be  noticeable to the  user,  but many attacks run in the background and hidden from the user. There are number of security products that are free to attain for personal or non-commercial use.  However most of time the free products are no-frills versions of purchasable products.  This will make the manufacturer optimistic that the user will upgrade to in the future. The protection is however is likely to be equivalent to the paid-for version, but they may be limited in terms of no technical support and reduced functionality.  Employees need to be aware to avoid opening files which are attached to an email from suspicious, unknown and untrustworthy source. 

Also, uninstall one antivirus program before you installing a latest one. Important to know that prevention is better than cure.

Downloading  and file sharing Unintentionally allowing viruses on to computers   from untrusted websites and person-to-person file sharing programs. Unintentionally  installing adware that  causes irritating  popup advertisements. 

Installing spyware that allows culprits  to unlawfully take  private information for financial gain or identity theft.

Having firewall breached, especially person-to-person file sharing programs.

Downloading illegal material or viruses that hide itself as something else.

If the organization must use file-sharing software,  it’s vital to pick a safe software, install it safely and use it properly. 

Only install file sharing applications when systems have  updated antivirus or antispyware software and firewall running.  Organizations to consider paying high-end  versions that is not funded by advertising to ensure to lessen the risk of adware being installed on to systems.

Organizations to consider download software from manufacturers  or legitimate, authorized reseller’s website

To not let internal or external users to browse organization’s files directly, and to configure programs cautiously to ensure that individuals can share the files they wish and keep other files and personal information private.

Organizations need to ensure they have updated antivirus/antispyware software and firewall running  before proceeding to downloading. 

To download  executable files (.exe) with  caution. These are files commonly used by programs to run on your computer. However, they are also very commonly  used in viruses.

To use trusted download sites instead of person-to-person system to aquire programs.

Be fully aware of downloading anything as people could edit the names of their files. Something that appears to look like a clip from a new action movie could be mistaken for a    virus-infected file.

Organizations to safely  dispose computers Data on computer systems can easily be accessed   whether the organization chooses to sell, scrap, give away or donate it. Even data that has being deleted can be retrieved by criminals. The information stored in files on computer systems   can be accessed by criminals and use for illicit activity. Passwords stored on the system  could give  criminals access to secure websites holding  personal and financial information. Organizations to consider copying vital data that’s needed in the future, on to a new system or storage device. Or back it up in online cloud . 

To completely erase hard disks so no personal information is stored on the system. Just by deleting files is not enough to permanently erase them.  Organizations to consider a dedicated file deletion program or services. Or to destroy the hard drive physically  to make the hard drive unusable.

Organizations should consider that if computer system is at the end of its life and they don’t wish to sell it or give it away they should take it to a  proper disposal facility, which guarantees that is dismantled  and the parts are recycled correctly.
Wireless network  & Hotspots The security risk associated with using organization’s Wi-Fi is that unauthorized people can intercept anything the employees are doing online.  Example could be capturing passwords and reading private emails. This can happen if there’s a connection between the organization’s device and the Wi-Fi is not encrypted, or the hacker creates a spoof hotspot which tricks them into thinking it’s a legitimate one. To ensure that   the wireless hub/router/dongle that employees wish to connect to is safely secured.  To check this simply search for available wireless networks, and see if they have a padlock symbol which indicates that the networks are secured. Employees of the organization to consider that having a new router, hub or dongle, is usually given with security turned on as the default.  There are three main encryption stages available (WEP, WPA and WPA2), WEP being the lowest. Majority of hubs or routers gives the person an option of selecting a higher stage, it is important to note that older devices may not be match with higher levels.
Physical Security Organizations are at risk if computer system equipment is not well protected it is not difficult for criminals to either steal data or infect computer systems without needing online access – or to steal or damage the equipment itself. In spite of the sophisticated online methods now used by criminals. Keep office doors and windows locked. 

Only give keys to trusted colleagues.

Employees should be careful who enters the workplace

To keep work documents or personal documents.

Install cctv cameras in the workplace to keep close attention on computer system or other vital documents.

Employees to consider locking cables make it difficult for criminals to obtain a computer.

Employees to avoid bags that resembles a laptop bag  for example a bag with a manufacturer’s logo on it. 

To keep laptops beside them at all time whenever possible When it is unattended – for example on a business trip and staying in a hotel room or at a meeting room.  Keep the devices out of sight or locked up. Carry laptops in hand baggage on an aircraft or coach.

Never leave laptops or other devices on a car seat. Laptops can be vulnerable when cars are stationary

3  3. What is ISO 27001?

According to Kosutic (2016, p.19 )  ‘‘  it provides a comprehensive framework that will help you with this crucial process. It gives you the necessary guidance and building blocks for protecting your company’’.

ISO 27001 is a certification document that tells business owners where they can start from, how to run an organization’s project, and be able to  adapt the security to the specifics of the  company, how to control what the IT and security experts are doing.

3.1  Advantages of ISO 27001

These are the advantages  Wolverhampton Technology obtaining ISO 27001 including, keeping existing customers, new polices Keeps confidential information secure, Shows compliance, Improves reputation, Increases security awareness and much more.

3.2 Keep existing customers

According to Calder (2012, p.35) ‘‘An accredited certificate tells existing customers and potential customers  that the organization has defined and put in  place effective information security processes, thus helping create a trusting relationship’’

Implementing an ISO 27001 helps Wolver Hampton technology by improving security practices which will increase working relationships with existing customers and potential customers because they. It also gives Wolverhampton Technology an advantage in the marketing side against Wolverhampton Technology’s competitors.

3.3 New policies

According to Calder (2012, p.35) ‘‘A certification process also helps the organization focus continuously improving its information security process’’

Implementing  an ISO 27001 will give Wolverhampton Technology new objectives in security policies in order to meet the  certification requirements  the Wolverhampton Technology has to constantly keeps its information security up to scratch.

3.4 Keeps confidential information secure

Obtaining the ISO 27001 certification Wolverhampton Technology customer will feel secure knowing the fact that the company has policies and procedures in place to protect customer’s data from malicious attacks. Also, this certificate will increase and protect of assets’ such as financial information, employee’s personal details and intellectual property.

3.5 Shows compliance

The certification provides Wolverhampton Technology a framework for managing information security risks, which enables the employee to take in account the regulatory and legal requirements.

3.6 Improves reputation

According to warren (2013) ‘‘Protect and enhance brand reputation – avoid costly damage to your hard won reputation and brand values.’’

Protects Wolverhampton Technology brand by requiring employees to identify possible risk to sensitive information and execute security measure to manage and reduce them. It also helps to ensure that the company implements policies and procedures to allow them to react quickly to detection of security breaches. The certification is based around continual improvement and requires the company to regularly review the effectives of their information security managements system and plan to take action to address new security risks.

3.7 Increases security awareness

It enables authorized users to have access to sensitive information only when they need it. It also shows that information security is at the top of the list of priorities, whilst reassuring stakeholders of the business that best security practice system is in place.. it makes the business constantly improve information security as well.

According to Warren (2013) ‘‘Ability to demonstrate compliance – giving confidence to interested parties including your customers.’’

3.8 Displays confidence in the business’s security arrangements.

Gives the business a framework and recognize  any risk to information security, and be able to implement any management and technical controls. And delivers a good affordable level of information security

According to Warren (2013) ‘‘Build trust (internal + external) – by increasing visibility and comprehension of IT security issues.’’

3.9 Reduce third party scrutiny of your information security

It gives businesses a way of ensuring that a common set of policies, procedures and controls are in place to manage risks to information security. It also gives businesses a simple, straightforward way to respond tender requirements around information governance. It ensures senior management recognize information security as a priority and motivate managers by requiring a training and awareness programme throughout the organization.  It requires employers to define information security management system (ISMS) roles & responsibilities to make sure that employee are proficient to carry out their job roles.

4. Disadvantages of ISO 27001

There are

4.1 Not a security standard

According to N. (2009) ‘‘The main issue of ISO 27001 is mainly a management standard and not a security standard.’’

The ISO 27001 provides a framework for the management security of a business. However, it does not provide the ‘perfect standard’ for security. If implemented,  it will ensure  the security of an organization.  ISO 27001 executes a risk assessment approach. A security risk assessment is used for the purpose of identify the security requirement of the business and to implement security controls to lessen the risk to an acceptable level for the business. Once the security controls have been identified, ISO 27001 shows certain requirements to ensure that a) these security controls are implemented and are effective; and b) that the controls continue to meet the organization’s security needs.

4.2 lacks risk assessment methods

Only the organization can make the decision on what stage of security it needs. So it’s entirely a management decision on the level of risk is acceptable   – ISO 27001 does not deliver the acceptable level of risk. If the employer wishes to execute a major risk of compromising    personal information and made it acceptable to the organization, then ISO 27001 will provide a   framework to support that.  The purpose of a risk assessment is to evaluate risks and minimize it or completely remove it by the organization. Unfortunately, ISO 27001 lacks giving the risk assessment methods to be used. The guideline they provide to the organizations is the employer has to document the method, and use it. So it leaves entirely to the organization to choose   the security methods for the organization’s needs,  based on the risk assessment and the organization’s acceptable level of risk.

4.3 ISO 2001 just delivers a framework

According to James (2009) ‘‘ISO 27001 gives you a best practice management framework for implementing and maintaining security. It also gives you a baseline against which to work – either to show compliance or for external certification against the standard.’’

The organization needs to decides on what risk method and implement a risk assessment, the employers have to select security controls and ensure that these are enough to meet the security needs of the organization .This requires information risk management and security expertise to implement. ISO 27001 does have the information on how to do this, but it gives a framework within which to do it.  According to James (2009) ‘‘whilst ISO 27001 provides a list of controls in Annex A, this list is not meant to be exhaustive. In conjunction with ISO 27002 (ISO 17799) it provides guidance on the controls that you should consider. ‘’

4.4 Insufficient guidance

According to James (2009) ‘‘whilst ISO 27001 provides a list of controls in Annex A, this list is not meant to be exhaustive. In conjunction with ISO 27002 (ISO 17799) it provides guidance on the controls that you should consider. ‘’

Therefore, it does not provide the adequate guidance for the organization, the information and the system the organization use. Again security knowledge and expertise is required to implement an information security risk assessment and to explain the required security controls. It is possible to execute an ISO 27001-compliant information security management system without enough security information.

4.5 Lacks support for threats

If an organization is obeys ISO20071 the company is still vulnerable to potential threats because the company is basically  following security in line with the standards, which leave to the seniors to think what level they think is appropriate to the organization.

James (2009) ‘‘This can either be ‘designed in’ to the ISMS by management accepting high risks (rare); or can arise from inadequate risk assessment or poor selection or implementation of security controls (common).’’

If the organization’s  risk assessment is terrible flawed, and the individuals lacks   security and assessment skills, or the company lacks   the management and organization commitment  to execute security then it is possible to be   fully compliant with the standard, but be in a stage of  insecure.

According to james (2009) ‘‘ an organization will only implement information security effectively if there is a culture of understanding the value of information and protecting it. This requires visible management commitment and individual ownership and responsibility, backed up with effective security education and awareness. Without this, an ISO 27001 ISMS is unlikely to be effective, and hence information will not be appropriately protected.’’

5. What’s missing with ISO 27001?

ISO 27001 gives the organization a good practice management framework for the purpose of executing and maintaining security.

However, complying   to ISO 27001 does not mean the organization is secure, it means that you are controlling security in line with the standard  given, and to a stage the employers think that is suitable to the company.  If the company’s risk assessment contains many shortcomings, the employers or employees lacks security and risk assessment skills, or the company lacks management and organizational commitment to execute security then it is perfectly fine for the organization to be fully compliant  with the standard but they will left insecure. Executing ISO 27001 is a step forward to deliver security of an organization. However to be fully secure, it’s important to construct the necessities of assessing information and to protect it.

Some Include:

  1. Having good commitment to  information security
  2. Individual ownership and responsibility for information security
  3. Good information security education and awareness.

6. What is a major incident?

According to Topalovic (2015) ‘‘In theory, a major incident is a highest-impact, highest-urgency incident. It affects a large number of users, depriving the business of one or more crucial services.’’

6.1 6.1 Understanding a major incident

A major incident is an unfortunate case where an organization has to deal with a catastrophic incident that can cause excessive impact on the organization. Some example include:

• Timescale disruption

• Numerous  Service Desk calls

• Infuriated customers

• Rage of the management,

• Panic.

A separate procedure is needed with short timescales and great responses must be used for major incidents.

It needs to include what constitutes the major incident and departments must come to an agreement and to map out the overall incident

prioritization system. If necessary the procedure should contain a separate establishment team of a major incident team which should be compliant to the incident manager and to fully focus on this incident alone and to make sure that they have enough resources for finding a quick resolution.

According to Topalovic (2015) ‘‘In theory, a major incident is a highest-impact, highest-urgency incident. It affects a large number of users, depriving the business of one or more crucial services. Business and IT have to agree on what constitutes a major incident.’’

If the service desk manager also wishes to fulfill the role of an incident manager then a separate person is needed to lead the major investigation team and to ensure they avoid conflict of time and priorities. They also have to report back to the incident manager.  If the cause of the incident requires further investigation, the problem manager needs to be involved, but the incident manager has to ensure that server restoration and underlying cause are kept separate. Throughout the investigation, the service desk needs to ensure all activities are recorded and the users are informed and kept up-to-date of the progress.

According to Topalovic (2015) ‘‘Problem manager. This role will often have to be involved, since major incident resolution usually requires finding the underlying cause (root cause analysis) of the major incident.’’

The problem manager should also be informed if not aware and to make a meeting with vendor support staff, support staff and IT services management. The purpose of this interview is to review the progress and find the best course of action.  The service desk manager need to attend the meetings to ensure that they kept a file of the actions and decisions that are made.

If the problem manager is unavailable, the incident management executive and the major incident team has to work together to solve the major incidents.

6.2 Example major incident procedure

A procedure has to take place to control all aspect of a major incident including communication and resources. It needs to describe how the organization is handling major incidents. Though the investigation process and to make a final report.

Some of the areas to be covered in the major incident policy and procedure are:

  • Purpose
  • Scope
  • Definition
  • Policy
  • Roles and responsibilities


The purpose of implementing the major incident policy and procedure.

For example:

“This procedure  have been put in place to implement a  document that describes the organization’s essential requirements to  respond to and investigating major incidents.”


The document should contain the exact scope of the major incident procedure and policy.

For example:

“This procedure applies to all Incidents that displays their status of impact  to the organization, have been prioritized as a major incident.”


A major incident has to be defined  as an occurrence which displays significant impact for the organization and demands a response  beyond the routine incident management process.   a major incident that will be an incident  either explained in the major incident procedure or have a potential cause to have a significant impact on the organization’s vital services or systems, or have it could be an incident that can impact the organization’s reputation, legal compliance or regulation.


The organizations’ needs to have a policy that is effective and efficient system for responding to major incidents, which is appropriate to the individual circumstances.

Some examples are:

‘‘ to implement an effective communication system across the company when a major incident occurs. ‘’

To make sure that the organizations  has an appropriate incident manger or a management group to control future major incidents.

To  employ appropriate arrangements to make sure  that major incidents are informed  instantly  to the  incident management and technical groups,  so they can implement the required resource to solve the issue.

To provide information about the causes of the major incidents and to keep a record of any findings from investigations.

„ the organization  has to conduct a review for each incident that has been fixed and to look at the root of  the cause and find solutions to prevent the reoccurrence of the same major incidents

To create reviews of major of major incident investigation policy  independent of the major incident. to investigate and construct a report of anything that to be learned from from the policy review will be taking into account, and to implement the best action and to make sure any improvements to existing arrangement are executed within  specified timescale.

Roles and responsibilities

The following roles are needed at least to solve and manage major incidents:

„ The Incident Manager

„ The Problem Manager

„ If no Problem Manager exists, the role of Root Cause Analyst

„ Major Incident Investigation Board

„ Investigation Team/investigation resources (technical staff)

„ The service desk

„ Service level managers/IT account managers

„ Any other relevant groups who will act as part of the Major Incident Team

„ Changes to appropriate processes

4  Numbering

This template numbers the headings in an outline numbered format.

The numbers in the headings are updated in the table of contents when you right click on the table, select update field and then update entire table.

Figure 2 – Update Table of Contents

From the menu select Insert, reference and caption; this will give the opportunity to select table or figure.  Remember to give it a name as above so it will appear in the list and will read – “Figure 2 – Update Table of Contents” in the list as well as the above caption.

4.1   Table numbering

The below table has a caption inserted below it in the same way as the figures.

This Is A

Table 1 – An Example of a Table

The table has a caption inserted in the same was as the figures have.

4.2   Page numbering

All pages are automatically numbered.

5  Critical Evaluation

An evaluation of how the work was carried out and what could be done to improve it in the future.  Perhaps some relevant examples of the Harvard Referencing system included in this report as an aide memoir.

6  Conclusions

This report template will save you time on formatting allowing more time to concentrate on the subject matter.

You will gain experience of creating professional looking reports which may aid you in future employment.

The layout may prompt you to remember sections that are often forgotten.

7  References

Use the Harvard Referencing system available on the University of Wolverhampton web site.  Available at


7.1   Books

CHESTER, M. and ATWALL, 2002 A. Basic Information Systems analysis and Design. Berkshire: McGraw-Hill Education.
DATE C.J. 1983 An Introduction to Database Systems, Volume 2., Reading, Massachusetts: Addison-Wesley Publishing.
HEATHCOTE, P.M. 2000 Successful ICT Projects in Access, 2nd Edition.,Ipswich: Payne-Gallway Publishers Ltd.
HEATHCOTE, P.M. 2000 Successful ICT Projects in Excel, 2nd Edition.,Ipswich: Payne-Gallway Publishers Ltd.  
HOFFER, J.A.  GEORGE, J.F. VALACICH, J.S. 1999 Modern Systems Analysis and Design, 2nd Edition.,Addison-Wesley Longman Inc.
KULIK, P. 1996 What is Software Risk Management? Routledge Falmer.
TUDOR, D.J. TUDOR, I.J. 1997 Systems Analysis and Design Basingstoke: Macmillan Press Ltd.
WEAVER, P. LAMBROU, N. WALKLEY, M. 2002 Practical Business Systems Development Using SSADM, 3rd Edition., Essex, Pearson Education Ltd.

7.2   Journals

Burns, M. 2004 Time to upgrade your office?. CA Magazine [online] Jan/Feb 2004 [cited 31 Oct 2004], Vol. 137 1. p16. Accessed via EBSCO Host Research Database at: < >. ISSN 0317-6878
Hatlestad, L. 2004 Network Security Gets Physical. VARBusiness [online] Aug 2004 [cited 19 Nov 2004], Vol. 20 3. Pp37-39. Accessed via EBSCO Host Research Database at: < >. ISSN 0894-5802
Howard, L. 2004 Infonetics Research [online]. Bromley: Infonetics Research, no date [cited 08 Jan 2005]. 


Hubbard, C. 2002 Storage without borders. Computing Canada [online] Feb 2001 [cited 19 Nov 2004], Vol. 27 4. pp14-15. Accessed via EBSCO Host Research Database at: < >. ISSN 0319-0161
Shim, R. 2004 Wi-Fi Market Surges On Consumer Sales [online]. London: ZNet, Feb 10 2004 [cited 17 Nov 2004]. <>.
Vroom, C and Solms, R. 2004 2004 Towards information security behavioural compliance. Computers & Security [online]. May 2004 [cited 17 Nov 2004], Vol. 23 3. pp 191-198. Accessed via EBSCO Host Research Database at: < >. ISSN 1067-4048

7.3   Electronic sources

ACM SIGCHI Curricula for Human-Computer Interaction, HEWETT, BAECKER, CARD, CAREY, GASEN, MANTEI, PERLMAN, STRONG and VERPLANK no date [online].  [cited 21st November 2008] <>
SCRUM Software Development Process no date [online].  [cited 21st November 2008] <>
Crystal Methodologies Process no date [online].  [cited 21st November 2008] <>
CMS CMS Change Management Procedures 2002 [online]. [Cited 21st November 2008] <>
Governor’s Office for Technology GOT Change Management Policy/Procedure [online]. 2001. [Cited 21st November 2008]. <>
The Data Protection Act 1998. Her Majesties Stationary Office, [online]. 2001. [Cited 21st November 2008]. <>
Office of the E-Envoy Change Control procedures for e-Government resources [online]. 2002. [Accessed 21st November 2008]. <>

8  Bibliography

This is where you would indicate your extensive reading prior to compiling the report.  It lists the items you read and perhaps even why you omitted them from the report.

Article Author Source Comments

9  Glossary

The following may assist the reader in understanding names, acronyms and abbreviations used in this report.

C. Chapter pertinent to chapters in Acts of Parliament
CARS Credibility, Accuracy, Reasonable and Supported
DB Database
DIY Do It Yourself
DVD Digital Video Disk
EU European Union
Google Internet Search Engine
HLC Harrison Learning Centre
HMSO Her Majesty’s Stationary Office
IEEE The Institute of Electrical and Electronics Engineers
Lexis-Nexis Law DB requiring an Athens account
MS Microsoft Corporation
No. Number
OPAC Online Public Access Catalogue
Re: Reference
TLC Telford Learning Centre
U of W University of Wolverhampton
ULC University’s Learning Centre’s
Yahoo Internet Search Engine
URL Universal Resource Locator web address

10  Appendix 1 – Map of Wolverhampton Student Union

Source:  Google Maps

11  Appendix 2 –

12  Appendix 3 –

With Our Resume Writing Help, You Will Land Your Dream Job
Resume Writing Service, Resume101
Trust your assignments to an essay writing service with the fastest delivery time and fully original content.
Essay Writing Service, EssayPro
Nowadays, the PaperHelp website is a place where you can easily find fast and effective solutions to virtually all academic needs
Universal Writing Solution, PaperHelp
Professional Custom
Professional Custom Essay Writing Services
In need of qualified essay help online or professional assistance with your research paper?
Browsing the web for a reliable custom writing service to give you a hand with college assignment?
Out of time and require quick and moreover effective support with your term paper or dissertation?