Interactive Selection of ISO 27001 Controls under Multiple Objectives

T. Neubauer, A. Ekelhart,S. Fenz:
"Interactive Selection of ISO 27001 Controls under Multiple Objectives";
Vortrag: 23rd International Information Security Conference (IFIP SEC 2008), Milan; 08.09.2008 - 10.09.2008; in:"Proceedings of the 23rd International Information Security Conference (SEC 2008)", Springer-Verlag GmbH, Vol 278 (2008), ISBN: 978-0-387-09698-8; S. 477 - 492.

[ Publication Database ]


IT security incidents pose a major threat to the efficient execution of corporate strategies. Although, information security standards provide a holistic approach to mitigate these threats and legal acts demand their implementation, companies often refrain from the implementation of information security standards, especially due to high costs and the lack of evidence for a positive cost/benefit ratio. This paper presents a new approach that supports decision makers in interactively defining the optimal set of security controls according to ISO 27001. Therefore, it uses input data from a security ontology that allows the standardized integration of rules which are necessary to model potential countermeasure combinations based on the ISO 27001 standard controls. The approach was implemented into a tool and tested by means of a case study. It not only supports decision makers in defining the controls needed for certification but also provides them with information regarding the efficiency of the chosen controls with regard to multiple definable objectives.