ISMS-CORAS: A structured method for establishing an ISO 27001 compliant information security management system

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8431, Issue , 2014, Pages 315-344

  Beckers, Kristian ^a   Heisel, Maritta ^a   Solhaug, Bjornar ^b   Stolen, Ketil ^b,c  

^a UNIVERSITY OF DUISBURG ESSEN   (Germany)

^b SINTEF ICT   (Norway)

^c UNIVERSITY OF OSLO   (Norway)

Author keywords

CORAS; Information security; ISO 27001; Risk analysis; Security standard compliance

Indexed keywords

INDUSTRIAL MANAGEMENT; ISO STANDARDS; REGULATORY COMPLIANCE; RISK ANALYSIS; RISK ASSESSMENT; RISK MANAGEMENT; SECURITY OF DATA; INFORMATION MANAGEMENT; MOBILE SECURITY;

CORAS; INFORMATION SECURITY MANAGEMENT SYSTEMS; ISO 27001; PRACTICAL GUIDELINES; SECURITY EXPERTS; SECURITY REQUIREMENTS ENGINEERING; SECURITY STANDARDS; STRUCTURED METHOD;

INFORMATION MANAGEMENT; SECURITY OF DATA;

EID: 84908632947     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-319-07452-8_13     Document Type: Article

References (47)

1. Agence nationale de la sécurité des systèmes d'information: EBIOS 2010 – Expression of Needs and Identification of Security Objectives (2010) (in French).
2. Alberts, C.J., Dorofee, A.J.: OCTAVE Criteria. Tech. Rep. CMU/SEI-2001-TR- 016, CERT (2001).
3. Allen, M.: Social engineering: A means to violate a computer system. SANS Institute Reading Room (2007).
4. Aloul, F., Al-Ali, A.R., Al-Dalky, R., Al-Mardini, M., El-Hajj, W.: Smart grid security: Threats, vulnerabilities and solutions. International Journal of Smart Grid and Clean Energy 1(1), 1–6 (2012).
5. Ardi, S., Shahmehri, N.: Introducing vulnerability awareness to Common Criteria’s security targets. In: Fourth International Conference on Software Engineering Advances (ICSEA 2009), pp. 419–424. IEEE Computer Society (2009).
6. Beckers, K., Côté, I., Hatebur, D., Fasbender, S., Heisel, M.: Common Criteria CompliAnt Software Development (CC-CASD). In: Proceedings of the 28th Symposium on Applied Computing, pp. 937–943. ACM (2013).
7. Beckers, K., Fasbender, S., Heisel, M., Küster, J.-C., Schmidt, H.: Supporting the development and documentation of ISO 27001 Information Security Management Systems through security requirements engineering approaches. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 14–21. Springer, Heidelberg (2012).
8. Beckers, K., Fasbender, S., Küster, J.-C., Schmidt, H.: A pattern-based method for identifying and analyzing laws. In: Regnell, B., Damian, D. (eds.) REFSQ 2011. LNCS, vol. 7195, pp. 256–262. Springer, Heidelberg (2012).
9. Beckers, K., Hatebur, D., Heisel, M.: A problem-based threat analysis in compliance with Common Criteria. In: Proceedings of the International Conference on Availability, Reliability and Security (ARES 2013), pp. 111–120 (2013).
10. Beckers, K., Heisel, M., Solhaug, B., Stolen, K.: ISMS-CORAS - A structured method for establishing an ISO 27001 compliant information security management system. Tech. Rep. A25626, SINTEF ICT (2013).
11. Calder, A.: Implementing Information Security based on ISO 27001/ISO 27002: A Management Guide. Haren Van Publishing (2009).
12. Cheremushkin, D.V., Lyubimov, A.V.: An application of integral engineering technique to information security standards analysis and refinement. In: Proceedings of the 3rd International Conference on Security of Information and Networks (SIN 2010), pp. 12–18. ACM (2010).
13. Evaluation of general requirements according state of the art. OpenNode project deliverable D1.2 (2010).
14. Fasbender, S., Heisel, M.: From problems to laws in requirements engineering – Using model-transformation. In: International Conference on Software Paradigm Trends (ICSOFT 2013), pp. 447–458. SciTePress (2013).
15. FREE ISO27k Toolkit, http://www.iso27001security.com/html/iso27k_toolkit.html (accessed January 21, 2014).
16. Functional use cases. OpenNode project deliverable D1.3 (2010).
17. Howard, M., LeBlanc, D.: Writing Secure Code, 2nd edn. Microsoft Press (2003).
18. International Organization for Standardization: ISO 31000 - Risk management – Principles and guidelines (2009).
19. International Organization for Standardization/International Electrotechnical Commission: ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements (2005).
20. International Organization for Standardization/International Electrotechnical Commission: ISO/IEC 27005 - Information technology - Security techniques - Information security risk management (2008).
21. International Organization for Standardization/International Electrotechnical Commission: ISO/IEC 15408 – Common Criteria for Information Technology Security Evaluation (2009).
22. Karg, M.: Datenschutzrechtliche Bewertung des Einsatzes von "intelligenten" Messeinrichtungen für die Messung von gelieferter Energie (Smart Meter). Tech. rep., Unabh¨angiges Landeszentrum f¨ur Datenschutz (ULD) (2009) (in German).
23. Kersten, H., Reuter, J., Schröder, K.W.: IT-Sicherheitsmanagement nach ISO 27001 und Grundschutz. Vieweg+Teubner (2011) (in German).
24. Klipper, S.: Information Security Risk Management mit ISO/IEC 27005: Risikomanagement mit ISO/IEC 27001, 27005 und 31010. Vieweg+Teubner (2010) (in German).
25. Knyrim, R., Trieb, G.: Smart metering under EU data protection law. International Data Privacy Law 1(2), 121–128 (2011).
26. Kreutzmann, H., Vollmer, S.: Protection profile for the gateway of a smart metering system (Smart meter gateway PP). Tech. Rep. BSI-CC-PP-0073, Federal Office for Information Security, version 1.2, Final Release (2013).
27. Lin, H., Fang, Y.: Privacy-aware profiling and statistical data extraction for smart sustainable energy systems. IEEE Transactions on Smart Grid 4(1), 332–340 (2013).
28. Lund, M.S., Solhaug, B., Stolen, K.: Model-Driven Risk Analysis - The CORAS Approach. Springer (2011).
29. Lyubimov, A., Cheremushkin, D., Andreeva, N., Shustikov, S.: Information security integral engineering technique and its application in ISMS design. In: Sixth International Conference on Availability, Reliability and Security (ARES 2011), pp. 585–590. IEEE Computer Society (2011).
30. Mahler, T.: Legal Risk Management – Developing and Evaluating Elements of a Method for Proactive Legal Analyses, With a Particular Focus on Contracts. Ph.D. thesis, University of Oslo (2010).
31. Mellado, D., Fernandez-Medina, E., Piattini, M.: A comparison of the Common Criteria with proposals of information systems security requirements. In: The First International Conference on Availability, Reliability and Security (ARES 2006), pp. 654–661. IEEE Computer Society (2006).
32. Mellado, D., Fernández-Medina, E., Piattini, M.: Applying a security requirements engineering process. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 192–206. Springer, Heidelberg (2006).
33. Microsoft Solutions for Security and Compliance and Microsoft Security Center of Excellence: The Security Risk Management Guide (2006).
34. Montesino, R., Fenz, S.: Information security automation: How far can we go? In: Sixth International Conference on Availability, Reliability and Security (ARES 2011), pp. 280–285. IEEE Computer Society (2011).
35. Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS), http://www.nessos-project.eu/ (accessed December 19, 2013).
36. Object Management Group: OMG Unified Modeling Language (OMG UML), Superstructure. Version 2.3, OMG Document: formal/2010-05-03 (2010).
37. Opdahl, A.L., Sindre, G.: Experimental comparison of attack trees and misuse cases for security threat identification. Inf. Softw. Technol. 51, 916–932 (2009).
38. Peltier, T.R.: Information Security Risk Analysis, 3rd edn. Auerbach Publications (2010).
39. Raabe, O., Lorenz, M., Pallas, F., Weis, E.: Datenschutz im Smart Grid und in der Elektromobilität. Tech. rep., Karlsruher Institut für Technologie, KIT (2011) (in German).
40. Report on the identification and specification of functional, technical, economical and general requirements of advanced multi-metering infrastructure, including security requirements. OPEN meter project deliverable D1.1 (2009).
41. Rodden, T.A., Fischer, J.E., Pantidi, N., Bachour, K., Moran, S.: At home with agents: Exploring attitudes towards future smart energy infrastructures. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2013, pp. 1173–1182. ACM (2013).
42. Siemens: CRAMM - The total information security toolkit, http://www.cramm.com/ (accessed: January 15, 2013).
43. Siemens: No longer a one-way street, http://www.siemens.com/innovation/apps/pofmicrosite/ pof-spring-2011/html en/smart-grids.html (accessed December 19, 2013).
44. Sindre, G., Opdahl, A.L.: Templates for misuse case description. In: Procedings of the 7th International Workshop on Requirements Engineering, Foundation for Software Quality (REFSQ 2001), pp. 4–5 (2001).
45. Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press (2004).
46. Tran, L.M.S., Solhaug, B., Stolen, K.: An approach to select cost-effective risk countermeasures. In: Wang, L., Shafiq, B. (eds.) DBSec 2013. LNCS, vol. 7964, pp. 266–273. Springer, Heidelberg (2013).
47. verinice, http://www.verinice.org (accessed January 21, 2014).