Supporting the development and documentation of ISO 27001 information security management systems through security requirements engineering approaches

Authors:
Kristian Beckers;Stephan Faßbender;Maritta Heisel;Jan-Christoph Küster;Holger Schmidt
Affiliations:
paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany;paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany;paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany;Fraunhofer Institut for Software and Systems Engineering ISST, Germany;paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany
Venue:
ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
Year:
2012

Citing 6
Cited 0

Problem frames: analyzing and structuring software development problems

Problem frames: analyzing and structuring software development problems
A comparison of security requirements engineering methods

Requirements Engineering - Special Issue on RE'09: Security Requirements Engineering; Guest Editors: Eric Dubois and Haralambos Mouratidis
Model-Driven Risk Analysis: The CORAS Approach

Model-Driven Risk Analysis: The CORAS Approach
Information Security Automation: How Far Can We Go?

ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security
Pattern-Based Support for Context Establishment and Asset Identification of the ISO 27000 in the Field of Cloud Computing

ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security
Characterising and Analysing Security Requirements Modelling Initiatives

ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Assembling an information security management system according to the ISO 27001 standard is difficult, because the standard provides only sparse support for system development and documentation. We analyse the ISO 27001 standard to determine what techniques and documentation are necessary and instrumental to develop and document systems according to this standard. Based on these insights, we inspect a number of current security requirements engineering approaches to evaluate whether and to what extent these approaches support ISO 27001 system development and documentation. We re-use a conceptual framework originally developed for comparing security requirements engineering methods to relate important terms, techniques, and documentation artifacts of the security requirements engineering methods to the ISO 27001.