ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System

  • Chapter
Engineering Secure Future Internet Services and Systems

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8431)

Abstract

Established standards on security and risk management provide guidelines and advice to organizations and other stakeholders on how to fulfill their security needs. However, realizing and ensuring compliance with such standards may be challenging. This is partly because the descriptions are very generic and have to be refined and interpreted by security experts, and partly because they lack techniques and practical guidelines. In previous work we showed how existing security requirements engineering methods can be used to support the ISO 27001 information security standard. In this chapter we present ISMS-CORAS, an extension of the CORAS method for risk management that supports the ISO 27001 standard. ISMS-CORAS comes with the techniques and guidelines necessary for establishing an Information Security Management System (ISMS) in compliance with the standard, as well as the artifacts that are needed for the required documentation. We validate the method by applying it to a scenario from the smart grid domain.



Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Beckers, K., Heisel, M., Solhaug, B., Stølen, K. (2014). ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_13

  • DOI: https://doi.org/10.1007/978-3-319-07452-8_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07451-1

  • Online ISBN: 978-3-319-07452-8

  • eBook Packages: Computer Science (R0)
