Litcius/Paper detail

A process framework for information security management

Knut Haufe, Ricardo Colomo‐Palacios, Srdan Dzombeta, Knud Brandis, Vladimir Stantchev

2022International journal of information systems and project management32 citationsDOIOpen Access PDF

Abstract

Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

Topics & Concepts

COBITComputer scienceProcess (computing)Knowledge managementInformation securityInformation security management systemITIL security managementInformation Technology Infrastructure LibraryProcess managementRisk analysis (engineering)Information technologyComputer securityBusinessSecurity information and event managementSecurity serviceCloud computing securityOperating systemNetwork security policyCloud computingInformation and Cyber SecurityCybercrime and Law Enforcement StudiesNetwork Security and Intrusion Detection
A process framework for information security management | Litcius