A Structured Comparison of Security Standards

  • Kristian Beckers
  • Isabelle Côté
  • Stefan Fenz
  • Denis Hatebur
  • Maritta Heisel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8431)


A number of different security standards exist, and it is difficult to choose the right one for a particular project or to evaluate whether the right standard was chosen for a certification. These standards are often long and complex texts, and reading and understanding them takes a lot of time. We provide a conceptual model for security standards that relies upon existing research and contains concepts and phases of security standards. In addition, we developed a template based upon this model, which can be instantiated for a given security standard. These instantiated templates can be compared and help software and security engineers to understand the differences between security standards. In particular, the instantiated templates explain which information and what level of detail a system document according to a certain security standard contains. We applied our method to the well-known international security standards ISO 27001 and Common Criteria, as well as to the German IT-Grundschutz standards.


structured comparison, security standards, conceptual model, template





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Kristian Beckers (1)
  • Isabelle Côté (3)
  • Stefan Fenz (2)
  • Denis Hatebur (1, 3)
  • Maritta Heisel (1)

  1. paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany
  2. Vienna University of Technology, Austria
  3. ITESYS, Dortmund, Germany
