Designing a process reference model for information security management systems

Abstract

In spite of growing interest in information security, the adoption of the international standard on information security management (ISO/IEC 27001) is still very low. This standard provides the requirements for managing an Information Security Management System. We argue that this standard is too complex to be directly implemented by small structures such as SMEs. We therefore propose a process model that aims to describe the processes involved in information security management and to facilitate adoption. To do this, we reuse a process model previously derived from ISO/IEC 20000-1, which is also a management system standard, but one developed for IT Service Management. In this paper, we determine the generic management system requirements and their corresponding processes by mapping the requirements of the ISO/IEC 20000-1 and ISO/IEC 27001 standards against each other. Finally, we create the information-security-specific processes from the remaining ISO/IEC 27001 requirements, and we conclude with the possible uses of the process model. © 2012 Springer-Verlag.

Citation (APA)

Mangin, O., Barafort, B., Heymans, P., & Dubois, E. (2012). Designing a process reference model for information security management systems. In Communications in Computer and Information Science (Vol. 290 CCIS, pp. 129–140). https://doi.org/10.1007/978-3-642-30439-2_12
