Abstract
The need for a common understanding of, and agreement on, functional and non-functional requirements is well known to information system designers. It is necessary both for designing the "correct" system and for achieving interoperability with other systems. Security is perhaps the best example of this need. If the involved parties do not share the same understanding of the security requirements, and the security mechanisms that are implemented do not comply with globally accepted rules and practices, then the resulting system will not necessarily achieve the desired security level and it will be very difficult for it to interoperate securely with other systems. The role and contribution of international standards to the design and implementation of security mechanisms is therefore dominant. In this paper we provide a state-of-the-art review of the information security management standards published by the International Organization for Standardization and the International Electrotechnical Commission. Such an analysis is useful to security practitioners for the efficient management of information security. Moreover, the classification of the standards against the clauses of ISO/IEC 27001:2005 that results from our analysis is expected to assist in dealing with the plethora of security standards.
References
Standardization definition, http://en.wikipedia.org/wiki/Standardization
Guijarro, L.: ICT standardisation and public procurement in the United States and in the European Union: Influence on egovernment deployment. Telecommunications Policy 33(5-6), 285–295 (2009)
International Organization for Standardization, http://www.iso.org/iso/home.htm
ISO/IEC 27001:2005. Information technology – Security techniques – Information security management systems – Requirements (2005)
ISO/IEC 13335-1:2004. Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management (2004)
ISO/IEC TR 13335-2:1997. Information technology – Guidelines for the management of IT Security – Part 2: Managing and planning IT Security (1997)
ISO/IEC TR 13335-3:1998. Information technology – Guidelines for the management of IT Security – Part 3: Techniques for the management of IT Security (1998)
ISO/IEC TR 13335-4:2000. Information technology – Guidelines for the management of IT Security – Part 4: Selection of safeguards (2000)
ISO/IEC 27005:2008. Information technology – Security techniques – Information security risk management (2008)
ISO/IEC TR 13335-5:2001. Information technology – Guidelines for the management of IT Security – Part 5: Management guidance on network security (2001)
ISO/IEC 18028-1:2006. Information technology – Security techniques – IT network security – Part 1: Network security management (2006)
ISO/IEC 27000:2009. Information technology – Security techniques – Information security management systems – Overview and vocabulary (2009)
ISO/IEC 27002:2005. Information technology – Security techniques – Code of practice for information security management (2005)
ISO/IEC 17799:2005. Information technology – Security techniques – Code of practice for information security management (2005)
ISO/IEC FCD 27003. Information technology – Security techniques – Information security management system implementation guidance
ISO/IEC 27011:2008. Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 (2008)
ISO/IEC WD 27007. Information technology – Security techniques – Guidelines for information security management systems auditing
ISO/IEC 27006:2007. Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems (2007)
ISO/IEC 17021:2006. Conformity assessment – Requirements for bodies providing audit and certification of management systems (2006)
ISO/IEC FCD 27033-1. Information technology – Security techniques – IT network security – Part 1: Guidelines for network security
ISO/IEC 18028-2:2006. Information technology – Security techniques – IT network security – Part 2: Network security architecture (2006)
ISO/IEC WD 27033-2. Information technology – Security techniques – IT network security – Part 2: Guidelines for the design and implementation of network security
ISO/IEC 18028-3:2005. Information technology – Security techniques – IT network security – Part 3: Securing communications between networks using security gateways (2005)
ISO/IEC NP 27033-4. Information technology – Security techniques – IT network security – Part 4: Securing communications between networks using security gateways - Risks, design techniques and control issues
ISO/IEC 18028-4:2005. Information technology – Security techniques – IT network security – Part 4: Securing remote access (2005)
ISO/IEC NP 27033-5. Information technology – Security techniques – IT network security – Part 5: Securing Remote Access - Risks, design techniques and control issues
ISO/IEC 18028-5:2006. Information technology – Security techniques – IT network security – Part 5: Securing communications across networks using virtual private networks (2006)
ISO/IEC NP 27033-6. Information technology – Security techniques – IT network security – Part 6: Securing communications across networks using Virtual Private Networks (VPNs) – Risks, design techniques and control issues
ISO/IEC WD 27033-3. Information technology – Security techniques – IT network security – Part 3: Reference networking scenarios – Risks, design techniques and control issues
ISO/IEC 18043:2006. Information technology – Security techniques – Selection, deployment and operations of intrusion detection systems (2006)
ISO/IEC 18014-1:2008. Information technology – Security techniques – Time-stamping services – Part 1: Framework (2008)
ISO/IEC 18014-2:2002. Information technology – Security techniques – Time-stamping services – Part 2: Mechanisms producing independent tokens (2002)
ISO/IEC 18014-3:2004. Information technology – Security techniques – Time-stamping services – Part 3: Mechanisms producing linked tokens (2004)
ISO/IEC TR 14516:2002. Information technology – Security techniques – Guidelines for the use and management of Trusted Third Party services (2002)
ISO/IEC 15945:2002. Information technology – Security techniques – Specification of TTP services to support the application of digital signatures (2002)
ISO/IEC 14888-1:2008. Information technology – Security techniques – Digital signatures with appendix – Part 1: General (2008)
ISO/IEC 14888-2:2008. Information technology – Security techniques – Digital signatures with appendix – Part 2: Integer factorization based mechanisms (2008)
ISO/IEC 14888-3:2006. Information technology – Security techniques – Digital signatures with appendix – Part 3: Discrete logarithm based mechanisms (2006)
ISO/IEC 9796-2:2002. Information technology – Security techniques – Digital signature schemes giving message recovery – Part 2: Integer factorization based mechanisms (2002)
ISO/IEC 9796-3:2006. Information technology – Security techniques – Digital signature schemes giving message recovery – Part 3: Discrete logarithm based mechanisms (2006)
ISO/IEC 9796-1:1991. Information technology – Security techniques – Digital signature scheme giving message recovery – Part 1: Mechanisms using redundancy (1991)
ISO/IEC 15816:2002. Information technology – Security techniques – Security information objects for access control (2002)
ISO/IEC 9798-1:1997. Information technology – Security techniques – Entity authentication – Part 1: General (1997)
ISO/IEC 9798-2:2008. Information technology – Security techniques – Entity authentication – Part 2: Mechanisms using symmetric encipherment algorithms (2008)
ISO/IEC 9798-3:1998. Information technology – Security techniques – Entity authentication – Part 3: Mechanisms using digital signature techniques (1998)
ISO/IEC 9798-4:1999. Information technology – Security techniques – Entity authentication – Part 4: Mechanisms using a cryptographic check function (1999)
ISO/IEC 9798-5:2004. Information technology – Security techniques – Entity authentication – Part 5: Mechanisms using zero-knowledge techniques (2004)
ISO/IEC 9798-6:2005. Information technology – Security techniques – Entity authentication – Part 6: Mechanisms using manual data transfer (2005)
ISO/IEC 18033-1:2005. Information technology – Security techniques – Encryption algorithms – Part 1: General (2005)
ISO/IEC 18033-2:2006. Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers (2006)
ISO/IEC 18033-3:2005. Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers (2005)
ISO/IEC 18033-4:2005. Information technology – Security techniques – Encryption algorithms – Part 4: Stream ciphers (2005)
ISO/IEC 11770-1:1996. Information technology – Security techniques – Key management – Part 1: Framework (1996)
ISO/IEC CD 11770-1. Information technology – Security techniques – Key management – Part 1: Framework
ISO/IEC 11770-2:2008. Information technology – Security techniques – Key management – Part 2: Mechanisms using symmetric techniques (2008)
ISO/IEC 11770-3:2008. Information technology – Security techniques – Key management – Part 3: Mechanisms using asymmetric techniques (2008)
ISO/IEC 11770-4:2006. Information technology – Security techniques – Key management – Part 4: Mechanisms based on weak secrets (2006)
ISO/IEC 9797-1:1999. Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher (1999)
ISO/IEC 9797-2:2002. Information technology – Security techniques – Message Authentication Codes (MACs) – Part 2: Mechanisms using a dedicated hash-function (2002)
ISO/IEC 10118-1:2000. Information technology – Security techniques – Hash-functions – Part 1: General (2000)
ISO/IEC 10118-2:2000. Information technology – Security techniques – Hash-functions – Part 2: Hash-functions using an n-bit block cipher (2000)
ISO/IEC 10118-3:2004. Information technology – Security techniques – Hash-functions – Part 3: Dedicated hash-functions (2004)
ISO/IEC 10118-4:1998. Information technology – Security techniques – Hash-functions – Part 4: Hash-functions using modular arithmetic (1998)
ISO/IEC 21827:2008. Information technology – Security techniques – Systems Security Engineering – Capability Maturity Model® (SSE-CMM®) (2008)
ISO/IEC TR 18044:2004. Information technology – Security techniques – Information security incident management (2004)
ISO/IEC 24762:2008. Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services (2008)
ISO/IEC 13888-1:2004. IT security techniques – Non-repudiation – Part 1: General (2004)
ISO/IEC 13888-2:1998. Information technology – Security techniques – Non-repudiation – Part 2: Mechanisms using symmetric techniques (1998)
ISO/IEC 13888-3:1997. Information technology – Security techniques – Non-repudiation – Part 3: Mechanisms using asymmetric techniques (1997)
ISO/IEC 18045:2008. Information technology – Security techniques – Methodology for IT security evaluation (2008)
ISO/IEC FCD 15408-1.3. Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model
ISO/IEC 15408-1:2005. Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model (2005)
ISO/IEC 15408-2:2008. Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components (2008)
ISO/IEC 15408-3:2008. Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components (2008)
ISO/IEC TR 19791:2006. Information technology – Security techniques – Security assessment of operational systems (2006)
ISO/IEC TR 15443-1:2005. Information technology – Security techniques – A framework for IT security assurance – Part 1: Overview and framework (2005)
ISO/IEC TR 15443-2:2005. Information technology – Security techniques – A framework for IT security assurance – Part 2: Assurance methods (2005)
ISO/IEC TR 15443-3:2007. Information technology – Security techniques – A framework for IT security assurance – Part 3: Analysis of assurance methods (2007)
© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Tsohou, A., Kokolakis, S., Lambrinoudakis, C., Gritzalis, S. (2010). Information Systems Security Management: A Review and a Classification of the ISO Standards. In: Sideridis, A.B., Patrikakis, C.Z. (eds) Next Generation Society. Technological and Legal Issues. e-Democracy 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 26. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11631-5_21
DOI: https://doi.org/10.1007/978-3-642-11631-5_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11629-2
Online ISBN: 978-3-642-11631-5