Abstract
Assembling an information security management system according to the ISO 27001 standard is difficult, because the standard provides only sparse support for system development and documentation.
We analyse the ISO 27001 standard to determine which techniques and documentation artifacts are necessary and instrumental for developing and documenting systems according to this standard. Based on these insights, we inspect a number of current security requirements engineering approaches to evaluate whether, and to what extent, they support ISO 27001 system development and documentation. We re-use a conceptual framework originally developed for comparing security requirements engineering methods to relate the important terms, techniques, and documentation artifacts of these methods to ISO 27001.
Keywords
- Security standards
- requirements engineering
- ISO27000
- ISO27001
- compliance
- security
This research was partially supported by the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980).
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Beckers, K., Faßbender, S., Heisel, M., Küster, JC., Schmidt, H. (2012). Supporting the Development and Documentation of ISO 27001 Information Security Management Systems through Security Requirements Engineering Approaches. In: Barthe, G., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2012. Lecture Notes in Computer Science, vol 7159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28166-2_2
DOI: https://doi.org/10.1007/978-3-642-28166-2_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28165-5
Online ISBN: 978-3-642-28166-2
