Practical Assessment of the ISMS Effectiveness in Accordance with the Requirements of the Various Standardization Systems both ISO 27001 and STO Gazprom
Abstract:
This issue briefly covers the need of numerical evaluation for Information Security Management Systems (ISMS) effectiveness in accordance with the requirements of two or more different standardization systems, such as ISO / IEC 27001 series of standards and Information Security Providing System STO Gazprom series 4.2 (ISPS). This problem is important to minimize the violation of IT-security risks and ensure the information processes stability in the information systems. This issue describes methodological difficulties in reconciling the requirements of different Standardization systems both ISO / IEC and ISPS that must be considered when assessing the ISMS effectiveness. The formulas have been proposed to solve the problem for calculating the ISMS effectiveness and discussed practical examples (cases), explaining the calculation for specific situations. These results can be used to create models and methods to provide the ISMS audits and monitoring IT-security facilities both ISMS and / or ISPS Gazprom.
Keywords:Information Security (IT-Security); Information Security Management System (ISMS); Information Security Providing System (ISPS); Effectiveness; Metrics; Object of Protection (ObP); Audit; Controls; PDCA Cycle; Risk Management.
Fulltext:
PDF file (868 kB)