Abstract
Establishing an information security management system (ISMS) compliant with the ISO 27001 standard is a way for companies to gain their customers' trust with regard to information security. Key challenges in establishing an ISO 27001 compliant ISMS are removing the standard's ambiguities and providing an acceptable risk management approach. Risk management is vital to establishing an ISMS, because the aim of an ISMS is to manage security threats based on risk assessment. The security requirements engineering approach CORAS provides a structured way to implement risk management for a given company. We present an extension to this method called ISMS-CORAS, which enables security engineers to create an ISO 27001 compliant ISMS including the needed documentation. ISMS-CORAS uses another CORAS extension called Legal CORAS, which helps to achieve compliance with legal demands as well. The method is applied to a smart grid scenario provided by the industrial partners of the NESSoS project.
Notes
1. The NESSoS project: http://www.nessos-project.eu.
2.
3. Note that in the CORAS terminology threats are attackers, persons, or other elements that cause unwanted incidents. This differs from other terminologies in which threats are actual exploits of vulnerabilities. Hence, when we say that something is threatened, we mean that an attacker causes an unwanted incident.
4.
5. Note that in this work we provide the relation to ISO 27001 and CORAS. The treatment plans consider cost-benefit reasoning by using the CORAS extension proposed in (Tran et al. 2013a).
References
Alberts, C. J., & Dorofee, A. J. (2001, December). OCTAVE Criteria. Technical Report No. CMU/SEI-2001-TR-016. Washington, USA: CERT.
Allen, M. (2006). Social engineering: A means to violate a computer system. SANS Institute White Paper.
ANSSI. (2010). EBIOS 2010—Expression of needs and identification of security objectives. Paris, France: Agence nationale de la sécurité des systèmes d'information (ANSSI).
Ardi, S., & Shahmehri, N. (2009). Introducing vulnerability awareness to common criteria’s security targets. In Proceedings of the Fourth International Conference on Software Engineering Advances ICSEA, (pp. 419–424). IEEE Computer Society.
Beckers, K., Fasbender, S., Küster, J.-C., & Schmidt, H. (2012). A pattern-based method for identifying and analyzing laws. In Proceedings of the International Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ) (pp. 256–262). Springer.
Beckers, K., Côté, I., Hatebur, D., Fasbender, S., & Heisel, M. (2013a). Common criteria compliant software development (CC-CASD). In Proceedings 28th Symposium on Applied Computing (pp. 937–943). ACM.
Beckers, K., Hatebur, D., & Heisel, M. (2013b). A problem-based threat analysis in compliance with common criteria. In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 111–120). IEEE Computer Society.
Beckers, K., Heisel, M., Solhaug, B., & Stolen, K. (2013c). ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management Standard. Technical Report. Oslo, Norway: SINTEF ICT.
Beckers, K., Heisel, M., Solhaug, B., & Stolen, K. (2014). ISMS-CORAS: A structured method for establishing an ISO 27001 compliant information security management system. Advances in engineering secure future internet services and systems (pp. 315–344). Springer.
Calder, A. (2009). Implementing information security based on ISO 27001/ISO 27002: A management guide. Van Haren Publishing.
Cheremushkin, D. V., & Lyubimov, A. V. (2010). An application of integral engineering technique to information security standards analysis and refinement. In Proceedings of the International Conference on Security of Information and Networks (pp. 12–18). ACM.
DCSSI. (2004, February). Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS)—Section 2—Approach. General Secretariat of National Defence Central Information Systems Security Division (DCSSI).
Faßbender, S., & Heisel, M. (2013). From problems to laws in requirements engineering using model-transformation. In ICSOFT 2013—Proceedings of the 8th International Conference on Software Paradigm Trends (pp. 447–458). SciTePress.
ISO. (2009). ISO 31000 risk management—Principles and guidelines. Geneva, Switzerland: International Organization for Standardization (ISO).
ISO/IEC. (2005). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2008). Information technology—security techniques—information security risk management (ISO/IEC 27005). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2012). Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2013). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
Karg, M. (2009). Datenschutzrechtliche Bewertung des Einsatzes von intelligenten Messeinrichtungen für die Messung von gelieferter Energie (Smart Meter). Technical Report. Kiel, Germany: ULD. (https://www.datenschutzzentrum.de/smartmeter/20090925-smartmeter.html).
Kersten, H., Reuter, J., & Schröder, K.-W. (2011). IT-Sicherheitsmanagement nach ISO 27001 und Grundschutz. Wiesbaden: Vieweg+Teubner.
Klipper, S. (2010). Information security risk management mit ISO/IEC 27005: Risikomanagement mit ISO/IEC 27001, 27005 und 31010. Wiesbaden: Vieweg+Teubner.
Knyrim, R., & Trieb, G. (2011). Smart metering under EU data protection law. International Data Privacy Law, 1, 121–128.
Lund, M. S., Solhaug, B., & Stolen, K. (2010). Model-driven risk analysis: The CORAS approach (Vol. 1). Berlin: Springer.
Lyubimov, A., Cheremushkin, D., Andreeva, N., & Shustikov, S. (2011). Information security integral engineering technique and its application in ISMS design. In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 585–590). IEEE Computer Society.
Mellado, D., Fernandez-Medina, E., & Piattini, M. (2006a). A comparison of the common criteria with proposals of information systems security requirements. In The first International Conference on Availability, Reliability and Security, ARES (pp. 654–661). IEEE Computer Society.
Mellado, D., Fernández-Medina, E., & Piattini, M. (2006b). Applying a security requirements engineering process. In Proceedings of Computer Security—ESORICS 2006. LNCS (Vol. 4189, pp. 192–206). Springer.
Microsoft. (2006). The Security Risk Management Guide. http://technet.microsoft.com/en-us/library/cc163143.aspx.
Montesino, R., & Fenz, S. (2011). Information security automation: How far can we go? In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 280–285). IEEE Computer Society.
Peltier, T. R. (2010). Information security risk analysis (Vol. 3). Boca Raton: Auerbach Publications.
Raabe, O., Lorenz, M., Pallas, F., & Weis, E. (2011). Datenschutz im Smart Grid und in der Elektromobilität. Technical Report. Karlsruhe, Germany: KIT. (http://compliance.zar.kit.edu/21438.php).
Rodden, T. A., Fischer, J. E., Pantidi, N., Bachour, K., & Moran, S. (2013). At home with agents: Exploring attitudes towards future smart energy infrastructures. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 1173–1182). ACM.
Siemens. (2003). CRAMM—The total information security toolkit. http://www.cramm.com/.
Solhaug, B., & Stolen, K. (2013). The CORAS language—Why it is designed the way it is. In Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, Proceedings of 11th International Conference on Structural Safety & Reliability (ICOSSAR’13). CRC Press.
Swiderski, F., & Snyder, W. (2004). Threat modeling. Redmond: Microsoft Press.
Tran, L. M. S., Solhaug, B., & Stolen, K. (2013a). An approach to select cost-effective risk countermeasures. In Proceedings of the Conference on Data and Application Security and Privacy. LNCS (Vol. 7964, pp. 266–273). Springer.
Tran, L. M. S., Solhaug, B., & Stolen, K. (2013b). An approach to select cost-effective risk countermeasures exemplified in CORAS. Technical Report No. A24343. Oslo, Norway: SINTEF ICT.
UML Revision Task Force. (2010, May). OMG unified modeling language: Superstructure.
© 2015 Springer International Publishing Switzerland
Beckers, K. (2015). Supporting ISO 27001 Establishment with CORAS. In: Pattern and Security Requirements. Springer, Cham. https://doi.org/10.1007/978-3-319-16664-3_7
DOI: https://doi.org/10.1007/978-3-319-16664-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16663-6
Online ISBN: 978-3-319-16664-3
eBook Packages: Computer Science (R0)