@techreport{A25626, author = "Kristian Beckers and Maritta Heisel and Bj{\o}rnar Solhaug and Ketil St{\o}len", abstract = "Realizing security and risk management standards may be challenging, partly because the descriptions of what to realize are often generic and have to be refined by security experts. Removing this ambiguity is time intensive for security experts, because the experts have to interpret all the required tasks in the standard on their own. In our previous work we showed how to use security requirements engineering methods for the development and documentation of the ISO 27001 security standard. In this paper we (i) create an extension of the CORAS methodology for risk management that supports the ISO 27001 standard, (ii) validate the method by comparing its resulting artifacts to the artifacts of an industrial ISO 27001 application, and (iii) discuss the advantages of our method compared to the industrial state-of-the-art. We apply our method to a smart grid scenario provided by the industrial partners of the NESSoS project.", institution = "SINTEF", keywords = "security standards, requirements engineering, risk management, ISO27000, ISO27001, compliance, security, CORAS", note = "partners: UDE, SINTEF; projects: NESSoS, citations: 0", number = "A25626", title = "{ISMS}-{CORAS}: {A} {S}tructured {M}ethod for {E}stablishing an {ISO} 27001 {C}ompliant {I}nformation {S}ecurity {M}anagement {S}ystem", year = "2013", }