
Goal-Based Establishment of an Information Security Management System Compliant to ISO 27001

  • Conference paper
SOFSEM 2014: Theory and Practice of Computer Science (SOFSEM 2014)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 8327)

Abstract

It is increasingly difficult for customers to understand complex systems like clouds and to trust them with regard to security. As a result, numerous companies achieved a security certification according to the ISO 27001 standard. However, assembling an Information Security Management System (ISMS) according to the ISO 27001 standard is difficult, because the standard provides only sparse support for system development and documentation.

Security requirements engineering methods have been used to elicit and analyse security requirements for building software. In this paper, we propose a goal-based security requirements engineering method for creating an ISMS compliant to ISO 27001. We illustrate our method via a smart grid example.

This research was partially supported by the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980). We thank Jorge Cuéllar for his valuable feedback on our work.



© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Beckers, K. (2014). Goal-Based Establishment of an Information Security Management System Compliant to ISO 27001. In: Geffert, V., Preneel, B., Rovan, B., Štuller, J., Tjoa, A.M. (eds) SOFSEM 2014: Theory and Practice of Computer Science. SOFSEM 2014. Lecture Notes in Computer Science, vol 8327. Springer, Cham. https://doi.org/10.1007/978-3-319-04298-5_10


  • DOI: https://doi.org/10.1007/978-3-319-04298-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04297-8

  • Online ISBN: 978-3-319-04298-5

  • eBook Packages: Computer Science (R0)
