Information security management standards: Problems and solutions

Mikko Siponen; Robert Willison

doi:10.1016/j.im.2008.12.007

Information security management standards: Problems and solutions

Mikko Siponen^*, Robert Willison

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

244 Citations (Scopus)

Abstract

International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

Original language	English
Pages (from-to)	267-270
Number of pages	4
Journal	Information and Management
Volume	46
Issue number	5
DOIs	https://doi.org/10.1016/j.im.2008.12.007
Publication status	Published - Jun 2009
Externally published	Yes

Keywords

Information security certification
Information security management
Information security management guidelines
Information security management standards
Information systems security

Access to Document

10.1016/j.im.2008.12.007

Cite this

@article{b4271c75c3ce4834b7621fb8032de319,

title = "Information security management standards: Problems and solutions",

abstract = "International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.",

keywords = "Information security certification, Information security management, Information security management guidelines, Information security management standards, Information systems security",

author = "Mikko Siponen and Robert Willison",

year = "2009",

month = jun,

doi = "10.1016/j.im.2008.12.007",

language = "English",

volume = "46",

pages = "267--270",

journal = "Information and Management",

issn = "0378-7206",

number = "5",

}

TY - JOUR

T1 - Information security management standards

T2 - Problems and solutions

AU - Siponen, Mikko

AU - Willison, Robert

PY - 2009/6

Y1 - 2009/6

N2 - International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

AB - International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

KW - Information security certification

KW - Information security management

KW - Information security management guidelines

KW - Information security management standards

KW - Information systems security

UR - http://www.scopus.com/inward/record.url?scp=67651102640&partnerID=8YFLogxK

U2 - 10.1016/j.im.2008.12.007

DO - 10.1016/j.im.2008.12.007

M3 - Article

AN - SCOPUS:67651102640

SN - 0378-7206

VL - 46

SP - 267

EP - 270

JO - Information and Management

JF - Information and Management

IS - 5

ER -

Information security management standards: Problems and solutions

Abstract

Keywords

Access to Document

Other files and links

Cite this