Abstract
Established standards on security and risk management provide
guidelines and advice to organizations and other stakeholders on how to fulfill their security needs. However, realizing and ensuring compliance with such standards may be challenging. This is partly because
the descriptions are very generic and have to be refined and interpreted by security experts, and partly because they lack techniques and practical guidelines. In previous work we showed how existing security requirements
engineering methods can be used to support the ISO 27001
information security standard. In this chapter we present ISMS-CORAS, which is an extension of the CORAS method for risk management that supports the ISO 27001 standard. ISMS-CORAS comes with techniques and guidelines necessary for establishing an Information Security Management System (ISMS) compliance with the standard, as well as the artifacts that are needed for the required documentation. We validate the method by applying it to a scenario from the smart grid domain.
guidelines and advice to organizations and other stakeholders on how to fulfill their security needs. However, realizing and ensuring compliance with such standards may be challenging. This is partly because
the descriptions are very generic and have to be refined and interpreted by security experts, and partly because they lack techniques and practical guidelines. In previous work we showed how existing security requirements
engineering methods can be used to support the ISO 27001
information security standard. In this chapter we present ISMS-CORAS, which is an extension of the CORAS method for risk management that supports the ISO 27001 standard. ISMS-CORAS comes with techniques and guidelines necessary for establishing an Information Security Management System (ISMS) compliance with the standard, as well as the artifacts that are needed for the required documentation. We validate the method by applying it to a scenario from the smart grid domain.