Designing a Process Reference Model for Information Security Management Systems

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 290)

Abstract

In spite of growing interest in information security, adoption of the international standard on information security management (ISO/IEC 27001) is still very low. This standard specifies the requirements for establishing and operating an Information Security Management System (ISMS). We argue that the standard is too complex to be implemented directly by small organisations such as SMEs. We therefore propose a process model that describes the processes involved in information security management and is intended to facilitate adoption. To build it, we reuse a process model previously derived from ISO/IEC 20000-1, which is also a management system standard but was developed for IT Service Management. In this paper, we identify the generic management system requirements and their corresponding processes by mapping the requirements of ISO/IEC 20000-1 onto those of ISO/IEC 27001. We then derive the information-security-specific processes from the remaining ISO/IEC 27001 requirements, and we conclude with possible uses of the resulting process model.



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mangin, O., Barafort, B., Heymans, P., Dubois, E. (2012). Designing a Process Reference Model for Information Security Management Systems. In: Mas, A., Mesquida, A., Rout, T., O’Connor, R.V., Dorling, A. (eds) Software Process Improvement and Capability Determination. SPICE 2012. Communications in Computer and Information Science, vol 290. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30439-2_12

  • DOI: https://doi.org/10.1007/978-3-642-30439-2_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30438-5

  • Online ISBN: 978-3-642-30439-2
