A model-driven framework to support analysis and implementation of information security management systems

  • Daniel Ganji

    Student thesis: Doctoral Thesis


    Information is fast becoming a vital instrument in business operations, and the last two decades have seen a growing trend in information security breaches. The principles of the ISO/IEC 27001 Standard provide a significant area of interest for organisations seeking to preserve the confidentiality, integrity, and availability of information. The standard is a set of interlinked requirements under one process known as an Information Security Management System (ISMS). There has been increasing interest in conforming with the standard from a wide range of industries over the past decade. Along with this growth in the standard's adoption, however, organisations have expressed growing concern about understanding its requirements.

    This thesis observed a decline in methods that enable the implementation of an ISMS, despite the high interest from industry. Results from the investigation of the literature conclusively reported that existing research has been restricted to limited aspects of the standard, and that most studies suffered from the lack of a robust theoretical framework addressing all or most parts of the ISMS. This thesis adopts a methodological approach founded on an evaluation of the current gap in the literature, an exploration of the underlying needs of organisations, and an in-depth analysis of the standard. A novel technique is utilised, integrating concepts from security requirements engineering with the specifications of the standard, to propose the INtegratable Framework for mOdelling Requirements of Management Systems (INFORMS).

    INFORMS is a model-driven framework for organisations to gain further understanding of the standard and to support the analysis and implementation of information security management systems. This thesis uses security-oriented goal models to coherently capture the multi-faceted structure of organisations, steered by a set of explicit rules derived from the standard. The key outcome of this research contributes in two main directions, a modelling language and a framework, together forming an original approach to modelling the requirements of the standard. The evaluation of INFORMS indicated that the developed framework provides a holistic approach for information security practitioners, developers, and top management to protect information assets.
    Date of Award: Dec 2019
    Original language: English
    Awarding Institution:
    • University of Brighton
    Supervisors: Haralambos Mouratidis (Supervisor) & Saeed Malekshahi Gheytassi (Supervisor)