Goal-Based Establishment of an Information Security Management System Compliant to ISO 27001

It is increasingly difficult for customers to understand complex systems like clouds and to trust them with regard to security. As a result, numerous companies have achieved a security certification according to the ISO 27001 standard. However, assembling an Information Security Management System (ISMS) according to the ISO 27001 standard is difficult, because the standard provides only sparse support for system development and documentation.