
Supporting ISO 27001 Establishment with CORAS


Abstract

Establishing an information security management system (ISMS) compliant with the ISO 27001 standard is a way for companies to gain their customers' trust with regard to information security. Key challenges of establishing an ISO 27001 compliant ISMS are removing the standard's ambiguities and providing an acceptable risk management approach. Risk management is vital to an ISMS establishment, because the aim of an ISMS is to manage security threats based on risk assessment. The security requirements engineering approach CORAS provides a structured way to implement risk management for a given company. We present an extension to this method called ISMS-CORAS, which enables security engineers to create an ISO 27001 compliant ISMS including the needed documentation. ISMS-CORAS uses another CORAS extension called Legal CORAS, which helps to comply with legal demands as well. The method is applied to a smart grid scenario provided by the industrial partners of the NESSoS project.


Notes

  1. The NESSoS project: http://www.nessos-project.eu.

  2. http://www.nessos-project.eu.

  3. Note that in the CORAS terminology threats are attackers, persons, or other elements that cause unwanted incidents. This is different from other terminologies in which threats are actual exploits of vulnerabilities. Accordingly, by the word "threatened" we mean that an attacker causes an unwanted incident.

  4. The BDSG refers to personal information, and according to Knyrim and Trieb (2011), Raabe et al. (2011), and Karg (2009), energy consumption data is personal information.

  5. Note that in this work we provide the relation between ISO 27001 and CORAS. The treatment plans consider cost-benefit reasoning by using the CORAS extension proposed in Tran et al. (2013a).

References

  • Alberts, C. J., & Dorofee, A. J. (2001, December). OCTAVE Criteria. Technical Report No. CMU/SEI-2001-TR-016. Washington, USA: CERT.

  • Allen, M. (2006). Social engineering: A means to violate a computer system. SANS Institute White Paper.

  • ANSSI. (2010). EBIOS 2010—Expression of needs and identification of security objectives. Paris, France: Agence nationale de la sécurité des systèmes d'information (ANSSI).

  • Ardi, S., & Shahmehri, N. (2009). Introducing vulnerability awareness to common criteria's security targets. In Proceedings of the Fourth International Conference on Software Engineering Advances (ICSEA) (pp. 419–424). IEEE Computer Society.

  • Beckers, K., Fasbender, S., Küster, J.-C., & Schmidt, H. (2012). A pattern-based method for identifying and analyzing laws. In Proceedings of the International Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ) (pp. 256–262). Springer.

  • Beckers, K., Côté, I., Hatebur, D., Fasbender, S., & Heisel, M. (2013a). Common criteria compliant software development (CC-CASD). In Proceedings of the 28th Symposium on Applied Computing (pp. 937–943). ACM.

  • Beckers, K., Hatebur, D., & Heisel, M. (2013b). A problem-based threat analysis in compliance with common criteria. In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 111–120). IEEE Computer Society.

  • Beckers, K., Heisel, M., Solhaug, B., & Stolen, K. (2013c). ISMS-CORAS: A structured method for establishing an ISO 27001 compliant information security management standard. Technical Report. Oslo, Norway: SINTEF ICT.

  • Beckers, K., Heisel, M., Solhaug, B., & Stolen, K. (2014). ISMS-CORAS: A structured method for establishing an ISO 27001 compliant information security management system. In Advances in engineering secure future internet services and systems (pp. 315–344). Springer.

  • Calder, A. (2009). Implementing information security based on ISO 27001/ISO 27002: A management guide. Van Haren Publishing.

  • Cheremushkin, D. V., & Lyubimov, A. V. (2010). An application of integral engineering technique to information security standards analysis and refinement. In Proceedings of the International Conference on Security of Information and Networks (pp. 12–18). ACM.

  • DCSSI. (2004, February). Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS)—Section 2—Approach. General Secretariat of National Defence, Central Information Systems Security Division (DCSSI).

  • Faßbender, S., & Heisel, M. (2013). From problems to laws in requirements engineering using model-transformation. In ICSOFT 2013, Proceedings of the 8th International Conference on Software Paradigm Trends (pp. 447–458). SciTePress.

  • ISO. (2009). ISO 31000 risk management—Principles and guidelines. Geneva, Switzerland: International Organization for Standardization (ISO).

  • ISO/IEC. (2005). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2008). Information technology—Security techniques—Information security risk management (ISO/IEC 27005). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2012). Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2013). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • Karg, M. (2009). Datenschutzrechtliche Bewertung des Einsatzes von intelligenten Messeinrichtungen für die Messung von gelieferter Energie (Smart Meter). Technical Report. Kiel, Germany: ULD. https://www.datenschutzzentrum.de/smartmeter/20090925-smartmeter.html.

  • Kersten, H., Reuter, J., & Schröder, K.-W. (2011). IT-Sicherheitsmanagement nach ISO 27001 und Grundschutz. Wiesbaden: Vieweg+Teubner.

  • Klipper, S. (2010). Information security risk management mit ISO/IEC 27005: Risikomanagement mit ISO/IEC 27001, 27005 und 31010. Wiesbaden: Vieweg+Teubner.

  • Knyrim, R., & Trieb, G. (2011). Smart metering under EU data protection law. International Data Privacy Law, 1, 121–128.

  • Lund, M. S., Solhaug, B., & Stolen, K. (2010). Model-driven risk analysis: The CORAS approach (Vol. 1). Berlin: Springer.

  • Lyubimov, A., Cheremushkin, D., Andreeva, N., & Shustikov, S. (2011). Information security integral engineering technique and its application in ISMS design. In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 585–590). IEEE Computer Society.

  • Mellado, D., Fernández-Medina, E., & Piattini, M. (2006a). A comparison of the common criteria with proposals of information systems security requirements. In Proceedings of the First International Conference on Availability, Reliability and Security (ARES) (pp. 654–661). IEEE Computer Society.

  • Mellado, D., Fernández-Medina, E., & Piattini, M. (2006b). Applying a security requirements engineering process. In Proceedings of Computer Security—ESORICS 2006. LNCS (Vol. 4189, pp. 192–206). Springer.

  • Microsoft. (2006). The Security Risk Management Guide. http://technet.microsoft.com/en-us/library/cc163143.aspx.

  • Montesino, R., & Fenz, S. (2011). Information security automation: How far can we go? In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 280–285). IEEE Computer Society.

  • Peltier, T. R. (2010). Information security risk analysis (3rd ed.). Boca Raton: Auerbach Publications.

  • Raabe, O., Lorenz, M., Pallas, F., & Weis, E. (2011). Datenschutz im Smart Grid und in der Elektromobilität. Technical Report. Karlsruhe, Germany: KIT. http://compliance.zar.kit.edu/21438.php.

  • Rodden, T. A., Fischer, J. E., Pantidi, N., Bachour, K., & Moran, S. (2013). At home with agents: Exploring attitudes towards future smart energy infrastructures. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 1173–1182). ACM.

  • Siemens. (2003). CRAMM—The total information security toolkit. http://www.cramm.com/.

  • Solhaug, B., & Stolen, K. (2013). The CORAS language—Why it is designed the way it is. In Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, Proceedings of the 11th International Conference on Structural Safety & Reliability (ICOSSAR'13). CRC Press.

  • Swiderski, F., & Snyder, W. (2004). Threat modeling. Redmond: Microsoft Press.

  • Tran, L. M. S., Solhaug, B., & Stolen, K. (2013a). An approach to select cost-effective risk countermeasures. In Proceedings of the Conference on Data and Application Security and Privacy. LNCS (Vol. 7964, pp. 266–273). Springer.

  • Tran, L. M. S., Solhaug, B., & Stolen, K. (2013b). An approach to select cost-effective risk countermeasures exemplified in CORAS. Technical Report No. A24343. Oslo, Norway: SINTEF ICT.

  • UML Revision Task Force. (2010, May). OMG unified modeling language: Superstructure.

Author information

Corresponding author: Kristian Beckers.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this chapter

Beckers, K. (2015). Supporting ISO 27001 Establishment with CORAS. In: Pattern and Security Requirements. Springer, Cham. https://doi.org/10.1007/978-3-319-16664-3_7

  • DOI: https://doi.org/10.1007/978-3-319-16664-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16663-6

  • Online ISBN: 978-3-319-16664-3
