Supporting the Development and Documentation of ISO 27001 Information Security Management Systems through Security Requirements Engineering Approaches

  • Kristian Beckers
  • Stephan Faßbender
  • Maritta Heisel
  • Jan-Christoph Küster
  • Holger Schmidt
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7159)

Abstract

Assembling an information security management system according to the ISO 27001 standard is difficult, because the standard provides only sparse support for system development and documentation.

We analyse the ISO 27001 standard to determine what techniques and documentation are necessary and instrumental to develop and document systems according to this standard. Based on these insights, we inspect a number of current security requirements engineering approaches to evaluate whether and to what extent these approaches support ISO 27001 system development and documentation. We re-use a conceptual framework originally developed for comparing security requirements engineering methods to relate important terms, techniques, and documentation artifacts of the security requirements engineering methods to the ISO 27001.

Keywords

Security standards, requirements engineering, ISO27000, ISO27001, compliance, security

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Kristian Beckers (1)
  • Stephan Faßbender (1)
  • Maritta Heisel (1)
  • Jan-Christoph Küster (2)
  • Holger Schmidt (1)

  1. paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany
  2. Fraunhofer Institute for Software and Systems Engineering ISST, Germany