ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System

Research Area: WP10
Year: 2013
Type of Publication: Technical Report
Keywords: security standards, requirements engineering, risk management, ISO27000, ISO27001, compliance, security, CORAS
  • Beckers, Kristian
  • Heisel, Maritta
  • Solhaug, Bjørnar
  • Stølen, Ketil
Institution: SINTEF
Number: A25626
Partners: UDE, SINTEF
Projects: NESSoS
Citations: 0
Abstract: Realizing security and risk management standards may be challenging, partly because the descriptions of what to realize are often generic and have to be refined by security experts. Removing this ambiguity is time-intensive for security experts, because the experts have to interpret all the required tasks in the standard on their own. In our previous work we showed how to use security requirements engineering methods for the development and documentation of the ISO 27001 security standard. In this paper we (i) create an extension of the CORAS methodology for risk management that supports the ISO 27001 standard, (ii) validate the method by comparing its resulting artifacts to the artifacts of an industrial ISO 27001 application, and (iii) discuss the advantages of our method compared to the industrial state of the art. We apply our method to a smart grid scenario provided by the industrial partners of the NESSoS project.