A process framework for information security management

Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. ISMS processes are key elements of the operation of an ISMS. However, despite its importance, an ISMS process framework that describes ISMS processes, their interaction with one another and their interaction with other management processes is not available in the literature. Cost-benefit analysis of information security investments, whether in single measures protecting information or in ISMS processes, is not in the focus of current research, which is mostly concerned with economics. This article aims to fill this research gap by proposing such an ISMS process framework as its main contribution. The framework is based on a set of agreed-upon ISMS processes found in existing standards such as the ISO 27000 series, COBIT and ITIL. Within the framework, the identified processes are described and their interactions and interfaces are specified. The framework helps to focus on the operation of the ISMS instead of on individual measures and controls. As a main finding, this strengthens the systemic character of the ISMS as a set of interacting processes and the perception of the relevant roles within the ISMS.
