
Information Systems Security Management: A Review and a Classification of the ISO Standards

  • Conference paper
Next Generation Society. Technological and Legal Issues (e-Democracy 2009)

Abstract

The need for a common understanding of, and agreement on, functional and non-functional requirements is well known to information system designers. It is necessary both for designing the “correct” system and for achieving interoperability with other systems. Security is perhaps the best example of this need. If the involved parties do not share the same understanding of the security requirements, and the security mechanisms that are implemented do not comply with globally accepted rules and practices, then the resulting system will not necessarily achieve the desired security level, and it will be very difficult for it to interoperate securely with other systems. The role and contribution of international standards to the design and implementation of security mechanisms is therefore dominant. In this paper we provide a state-of-the-art review of the information security management standards published by the International Organization for Standardization and the International Electrotechnical Commission. Such an analysis is meaningful to security practitioners for the efficient management of information security. Moreover, the classification of the standards under the clauses of ISO/IEC 27001:2005 that results from our analysis is expected to provide assistance in dealing with the plethora of security standards.




Copyright information

© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Tsohou, A., Kokolakis, S., Lambrinoudakis, C., Gritzalis, S. (2010). Information Systems Security Management: A Review and a Classification of the ISO Standards. In: Sideridis, A.B., Patrikakis, C.Z. (eds) Next Generation Society. Technological and Legal Issues. e-Democracy 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 26. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11631-5_21


  • DOI: https://doi.org/10.1007/978-3-642-11631-5_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11629-2

  • Online ISBN: 978-3-642-11631-5
