Goal-Based Establishment of an Information Security Management System Compliant to ISO 27001 | SpringerLink
Skip to main content
Springer Nature Link
Log in

Goal-Based Establishment of an Information Security Management System Compliant to ISO 27001

  • Conference paper
SOFSEM 2014: Theory and Practice of Computer Science (SOFSEM 2014)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 8327))

  • 1613 Accesses

Abstract

It is increasingly difficult for customers to understand complex systems like clouds and to trust them with regard to security. As a result, numerous companies achieved a security certification according to the ISO 27001 standard. However, assembling an Information Security Management System (ISMS) according to the ISO 27001 standard is difficult, because the standard provides only sparse support for system development and documentation.

Security requirements engineering methods have been used to elicit and analyse security requirements for building software. In this paper, we propose a goal-based security requirements engineering method for creating an ISMS compliant to ISO 27001. We illustrate our method via a smart grid example.

This research was partially supported by the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980). We thank Jorge Cuéller for his valuable feedback on our work.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. ISO/IEC: Information technology - Security techniques - Information security management systems - Requirements. ISO/IEC 27001, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) (2005)

    Google Scholar 

  2. Massacci, F., Mylopoulos, J., Zannone, N.: Security requirements engineering: The SI* modeling language and the secure tropos methodology. In: Ras, Z.W., Tsay, L.-S. (eds.) Advances in Intelligent Information Systems. SCI, vol. 265, pp. 147–174. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  3. Beckers, K., Faßbender, S., Heisel, M., Küster, J.-C., Schmidt, H.: Supporting the Development and Documentation of ISO 27001 Information Security Management Systems through Security Requirements Engineering Approaches. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 14–21. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  4. Opdahl, A.L., Sindre, G.: Experimental comparison of attack trees and misuse cases for security threat identification. Inf. Softw. Technol. 51, 916–932 (2009)

    Article  Google Scholar 

  5. ISO and IEC: Common Criteria for Information Technology Security Evaluation. ISO/IEC 15408, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) (2009)

    Google Scholar 

  6. Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. NIST Special Publication 800-30, National Institute of Standards and Technology (NIST) (2002)

    Google Scholar 

  7. Beckers, K., Côté, I., Hatebur, D., Faßbender, S., Heisel, M.: Common Criteria CompliAnt Software Development (CC-CASD). In: Proceedings 28th Symposium on Applied Computing, pp. 937–943. ACM (2013)

    Google Scholar 

  8. Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir. Eng. 16, 3–32 (2011)

    Article  Google Scholar 

  9. Asnar, Y., Giorgini, P., Massacci, F., Zannone, N.: From trust to dependability through risk analysis. In: Proceedings of ARES, pp. 19–26 (2007)

    Google Scholar 

  10. Mellado, D., Fernandez-Medina, E., Piattini, M.: A comparison of the common criteria with proposals of information systems security requirements. In: ARES, pp. 654–661 (April 2006)

    Google Scholar 

  11. Mellado, D., Fernández-Medina, E., Piattini, M.: Applying a security requirements engineering process. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 192–206. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Paluno, - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany

    Kristian Beckers

Authors
  1. Kristian Beckers
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dep. Computer Sci., P. J. Šafárik University, Jesenná 5, 04154, Košice, Slovakia

    Viliam Geffert

  2. Katholieke Universiteit Leuven, 3001, Leuven-Heverlee, Belgium

    Bart Preneel

  3. Department of Computer Science, Comenius University, Mlynska Dolina, 84248, Bratislava, Slovakia

    Branislav Rovan

  4. Institute of Computer Science, Academy of Sciences, 18207, Prague, Czech Republic

    Július Štuller

  5. Institute of Software Technology, Vienna University of Technology, Favoritenstraße 9-11 / 188, 1040, Vienna, Austria

    A Min Tjoa

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Beckers, K. (2014). Goal-Based Establishment of an Information Security Management System Compliant to ISO 27001. In: Geffert, V., Preneel, B., Rovan, B., Štuller, J., Tjoa, A.M. (eds) SOFSEM 2014: Theory and Practice of Computer Science. SOFSEM 2014. Lecture Notes in Computer Science, vol 8327. Springer, Cham. https://doi.org/10.1007/978-3-319-04298-5_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-04298-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04297-8

  • Online ISBN: 978-3-319-04298-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics