ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System

Kristian Beckers; Maritta Heisel; Bjørnar Solhaug; Ketil Stølen

Network of Excellence on Engineering Secure Future Internet Software Services and Systems

Home

Publications

ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System

BibTex:
Research Area:	WP10	Year:	2013
Type of Publication:	Technical Report	Keywords:	security standards, requirements engineering, risk management, ISO27000, ISO27001, compliance, security, CORAS
Authors:	Beckers, Kristian Heisel, Maritta Solhaug, Bjørnar Stølen, Ketil
Institution:	SINTEF
Number:	A25626
Month:

@techreport{A25626, author = "Kristian Beckers and Maritta Heisel and Bj{\o}rnar Solhaug and Ketil St{\o}len", abstract = "Realizing security and risk management standards may be challenging, partly because the descriptions of what to realize are often generic and have to be refined by security experts. Removing this ambiguity is time intensive for security experts, because the experts have to interpret all the required tasks in the standard on their own. In our previous work we showed how to use security requirements engineering methods for the development and documentation of the ISO 27001 security standard. In this paper we (i) create an extension of the CORAS methodology for risk management that supports the ISO 27001 standard, (ii) validate the method by comparing its resulting artifacts to the artifacts of an industrial ISO 27001 application, and (iii) discuss the advantages of our method compared to the industrial state-of-the-art. We apply our method to a smart grid scenario provided by the industrial partners of the NESSoS project.", institution = "SINTEF", keywords = "security standards, requirements engineering, risk management, ISO27000, ISO27001, compliance, security, CORAS", note = "partners: UDE, SINTEF; projects: NESSoS, citations: 0", number = "A25626", title = "{ISMS}-{CORAS}: {A} {S}tructured {M}ethod for {E}stablishing an {ISO} 27001 {C}ompliant {I}nformation {S}ecurity {M}anagement {S}ystem", year = "2013", }
Note:	partners: UDE, SINTEF; projects: NESSoS, citations: 0
Abstract:	Realizing security and risk management standards may be challenging, partly because the descriptions of what to realize are often generic and have to be refined by security experts. Removing this ambiguity is time intensive for security experts, because the experts have to interpret all the required tasks in the standard on their own. In our previous work we showed how to use security requirements engineering methods for the development and documentation of the ISO 27001 security standard. In this paper we (i) create an extension of the CORAS methodology for risk management that supports the ISO 27001 standard, (ii) validate the method by comparing its resulting artifacts to the artifacts of an industrial ISO 27001 application, and (iii) discuss the advantages of our method compared to the industrial state-of-the-art. We apply our method to a smart grid scenario provided by the industrial partners of the NESSoS project.
[Bibtex]

[ Back ]

Network of Excellence on Engineering Secure Future Internet Software Services and Systems

Surveys

Main Menu

ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System