Quantitative Information Security and Risk Assessment Model using ISO 27001:2005
Abstract
IT security incidents pose a major threat to the efficient execution of corporate strategies. This paper presents a new approach that supports decision makers in interactively defining the optimal set of security controls according to ISO 27001. The information security model provides a transparent representation of the status of an organisation's Information Security Management System: it uses a scoring level based on the eleven domains of ISO/IEC 27001:2005 and performs benchmarking against a globally accepted standard. As a maturity model, it provides an architecture model applicable at any security maturity level (Level 1 to 5) and to organizations of any size. Our maturity level scoring tool is easy for top-level management to understand. Benchmarking helps top-level management understand what is accepted as good industry practice and at which level they stand with regard to these practices. In our model we have prepared a questionnaire that is presented to managers; based on their answers, an evaluation is performed and the managers are shown the maturity level to which their organization belongs. Benchmarking is also performed for their organization and the result is presented in graphical format. Since our model quantifies the risks associated with the information security management system, it becomes very easy for a manager to understand the entire scenario without going through a detailed analysis. The information security model has been implemented using J2EE, JFreeChart and MySQL.
Introduction
Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on films, or spoken in...