Abstract
Established standards on security and risk management provide guidelines and advice to organizations and other stakeholders on how to fulfill their security needs. However, realizing and ensuring compliance with such standards may be challenging. This is partly because the descriptions are very generic and have to be refined and interpreted by security experts, and partly because they lack techniques and practical guidelines. In previous work we showed how existing security requirements engineering methods can be used to support the ISO 27001 information security standard. In this chapter we present ISMS-CORAS, an extension of the CORAS method for risk management that supports the ISO 27001 standard. ISMS-CORAS comes with the techniques and guidelines necessary for establishing an Information Security Management System (ISMS) that is compliant with the standard, as well as the artifacts needed for the required documentation. We validate the method by applying it to a scenario from the smart grid domain.
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Beckers, K., Heisel, M., Solhaug, B., Stølen, K. (2014). ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_13
DOI: https://doi.org/10.1007/978-3-319-07452-8_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07451-1
Online ISBN: 978-3-319-07452-8
eBook Packages: Computer Science (R0)