2019 14th Iberian Conference on Information Systems and
Technologies (CISTI)
19 – 22 June 2019, Coimbra, Portugal
ISBN: 978-989-98434-9-3
How ISO 27001 can help achieve GDPR compliance
Isabel Maria Lopes
Polytechnic Institute of Bragança, Bragança, Portugal
UNIAG, Polytechnic Institute of Bragança, Portugal
ALGORITMI Centre, Minho University, Guimarães, Portugal
[email protected]
Pedro Oliveira
Polytechnic Institute of Bragança, Bragança, Portugal
[email protected]
Teresa Guarda
Universidad Estatal Península de Santa Elena – UPSE, La Libertad, Ecuador
Universidad de las Fuerzas Armadas – ESPE, Sangolqui, Quito, Ecuador
ALGORITMI Centre, Minho University, Guimarães, Portugal
[email protected]
Abstract — Personal Data Protection has been among the most discussed topics lately and a reason for great concern among organizations. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector. Organizations had two years to implement it. As noted by many authors, implementing the regulation has not been an easy task for companies. The question we aim to answer in this study is to what extent implementing the ISO 27001 standard may be a facilitating factor for organizations in complying with the regulation. In order to answer this question, several websites (mostly of consulting companies) were analyzed, and the aspects considered as facilitating are listed in this paper.
Keywords - regulation (EU) 2016/679; general data protection regulation; ISO/IEC 27001.
I. INTRODUCTION
In recent years, data protection has become a forefront issue in cyber security. The issues introduced by recurring organizational data breaches, social media and the Internet of Things (IoT) have raised the stakes even further [1, 2]. The EU GDPR, enforced from May 25 2018, is an attempt to address such data protection. The GDPR makes for stronger, unified data protection throughout the EU.
The EU GDPR states that organizations must adopt appropriate policies, procedures and processes to protect the personal data they hold.
The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series is a set of information security standards that provide best-practice recommendations for information security management [3].
This international standard for information security, ISO 27001, provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.
Not all data is protected by the GDPR, since it is only applicable to personal data. This is defined in Article 4 as follows [4]:
“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The structure of the present work consists of an introduction, followed by a desk review of the General Data Protection Regulation and a desk review of ISO 27001, the international standard for information security. Section 4 focuses on the research methodology. Before the results are presented, a discussion is made focusing on the relationship between ISO 27001 and the GDPR. The results of the study are presented in Section 6, and Section 7 consists of the conclusions drawn from the study. Finally, the limitations of this research work are identified and possible future studies are proposed.
II. GENERAL DATA PROTECTION REGULATION
The enforcement of the GDPR on the protection of natural persons with regard to the processing and movement of personal data, which repeals Directive 95/46/CE of October 24 1995, poses innumerable challenges to both public and private entities as well as to all the agents whose activities involve the processing of personal data.
Although the full application of the new GDPR was set for May 25 2018, the date from which Directive 95/46/CE was effectively repealed, its entry into force on May 25 2016 already dictated the need to adapt to all the aspects changed or introduced by the regulation. Such adaptation of the present systems and models, as well as of best practices regarding the processing and protection of personal data by companies, is now an imperative stemming from the regulation in order to safeguard its full applicability. Fig. 1 shows all the stages which the GDPR has undergone.
The GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
Figure 1. Stages of the GDPR [5]
According to [6], the main innovations of the General Data Protection Regulation are:
1. New rights for citizens: the right to be forgotten and the right to a user’s data portability from one electronic system to another.
2. The creation of the post of Data Protection Officer (DPO).
3. Obligation to carry out risk analyses and impact assessments to determine compliance with the regulation.
4. Obligation of the Data Controller and Data Processor to document the processing operations.
5. New notifications to the Supervisory Authority: security breaches and prior authorization for certain kinds of processing.
6. New obligations to inform the data subject by means of a system of icons that are harmonized across all the countries of the EU.
7. An increase in the size of sanctions.
8. Application of the concept ‘one-stop-shop’ so that data subjects can carry out procedures even though this affects authorities in other member states.
9. Establishment of obligations for new special categories of data.
10. New principles in the obligations over data: transparency and data minimization.
All organizations, including small to medium-sized companies and large enterprises, must be aware of all the GDPR requirements and be prepared to comply.
III. ISO/IEC 27001
Information security risks threaten the ability of organizations to reach their operational and strategic goals. The increasing diversification of the information security landscape makes addressing all risks a challenging task. Information security standards have positioned themselves as generic solutions to tackle a broad range of risks and try to guide security managers in their endeavors [7].
The ISO 27001 standard represents the international framework for information security management.
The ISO 27001 standard has undergone continuous improvements over the years and stems from a previous set of standards, namely BS7799-2 and BS7799 (British Standards). In fact, its primary origin is a document published in 1992 by a department of the British government which established a code of practice regarding the management of information security.
The adoption of ISO 27001 results in the companies’ adoption of an adequate model to establish, implement, operate, monitor, revise and manage an Information Security Management System (ISMS).
ISO 27001:2013 is part of the management system of an organization, based on a business risk approach intended to build, implement, operate, observe, maintain and improve information security. The application of ISO/IEC 27001 allows the organization or company to compare itself with the competition and gives relevant information about IT security [8].
ISO 27001 outlines three essential aspects or ‘pillars’ of effective information security: people, processes and technology. This three-pronged approach helps organizations defend themselves from both highly organized attacks and common internal threats, such as accidental breaches and human error [9].
The implementation of an information security management system according to ISO/IEC 27001 has the following advantages for organizations:
It enables the identification and elimination of threats and vulnerabilities;
It provides security and trust to all stakeholders (clients, partners and others);
It improves security awareness;
It increases the capacity to foresee, manage and survive a disaster;
It deepens the knowledge regarding the organization and its processes, assets and liabilities;
It provides real knowledge of the risk that the organization faces;
It ensures business continuity;
It contributes to a reduction in costs and to the improvement of processes and services;
It ensures compliance with the legislation in force;
It reduces costs associated with ‘non-security’.
ISO 27001:2013 provides specifications for information security management systems along with practice [10].
ISO 27001:2013 has 14 security control clauses that contain a total of 35 control objectives and 114 controls [11]. The 14 security control clauses are as follows:
Information security policies,
Organization of information security,
Human resource security,
Asset management,
Access control,
Cryptography,
Physical and environmental security,
Operations security,
Communications security,
System acquisition, development and maintenance,
Supplier relationships,
Information security incident management,
Information security aspects of business continuity management,
Compliance.
The implementation of ISO 27001 implies a high commitment to information protection, which represents a considerable level of comfort for the organizations that interact with the certified entity.
IV. RESEARCH METHODOLOGY
The use of a research method is paramount since it represents the means to an end. A research methodology does not look for solutions but chooses the way to find them, integrating knowledge through the methods which are applicable to the various scientific or philosophical subjects. Although there are several ways to classify them, research approaches are normally distinguished between quantitative and qualitative [12].
It is acknowledged that the choice of the method must be made according to the nature of the problem being addressed. Therefore, we considered it appropriate to follow a quantitative research method (traditional scientific research), based on positivist rational thought, according to which, through empirical observations, we build theories (expressed in a deductive way) that try to explain what is observed. Among the possible research methods, we applied content analysis.
Content analysis is a method which differs from the other research methods because, instead of interviewing or observing people, the researcher deals with pre-existing records and draws inferences from those records.
Content analysis is a research technique for the objective, systematic and quantitative description of the manifest content of communications. For this description to be objective, it requires a precise definition of the analysis categories, in order to enable different researchers to use them and get the same results. For it to be systematic, the whole relevant content must be analyzed in relation to all the meaningful categories. Finally, quantification allows the provision of more precise and objective information concerning the occurrence frequency of content features [13].
V. DISCUSSION
The similarities between the ISO 27001 framework and the GDPR requirements mean that organizations which certify to the Standard are already halfway to GDPR compliance.
The requirements of ISO 27001 are similar in many places to those of the GDPR, but whereas the Regulation only occasionally suggests specific practices (such as encryption), ISO 27001 clearly lays out what organizations need to do in order to remain secure [9].
Article 42 of the GDPR provides for demonstrating compliance with the regulation through “data protection certification processes”. ISO 27001-compliant Information Security Management Systems follow a risk-based approach addressing the specific security threats faced by organizations, considering people, processes and technology [14].
How ISO 27001 can help meet GDPR requirements [15]:
1 - Assurance
The GDPR recommends the use of certification schemes such as ISO 27001 as a way of providing the necessary assurance that the organization is effectively managing its information security risks.
2 - Not just personal data
ISO 27001 follows international best practices and will help companies put processes in place that protect not only customer information but all information assets, including information that is stored electronically and in hard copy format.
3 - Controls and security framework
The GDPR stipulates that organizations should select appropriate technical and organizational controls to mitigate the identified risks. The majority of the GDPR data protection arrangements and controls are also recommended by ISO 27001.
4 - People, processes and technology
ISO 27001 encompasses the three essential aspects of information security: people, processes and technology, which means companies can protect their business not only from technology-based risks but also from other, more common threats, such as poorly informed staff or ineffective procedures.
5 - Accountability
ISO 27001 requires companies’ security regime to be supported by top leadership and incorporated into the organization’s culture and strategy. It also requires the appointment of a senior individual who takes accountability for the ISMS. The GDPR mandates clear accountability for data protection across the organization.
6 - Risk assessments
ISO 27001 compliance means conducting regular risk assessments to identify threats and vulnerabilities that can affect organizations’ information assets, and taking steps to protect that data. The GDPR specifically requires a risk assessment to ensure that an organization has identified the risks that can impact personal data.
7 - Continual improvement
ISO 27001 requires that the companies’ ISMS is constantly monitored, updated and reviewed, meaning that it evolves as their business evolves, using a process of continual improvement. This means that the ISMS will adapt to changes, both internal and external, as companies continually identify and reduce risks.
8 - Testing and audits
Being GDPR-compliant means that an organization needs to carry out regular testing and audits to prove that its security regime is working effectively. An ISO 27001-compliant ISMS needs to be regularly assessed according to the internal audit guidelines provided by the standard.
9 - Certification
The GDPR requires organizations to take the necessary steps to ensure the security controls work as designed. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether organizations have implemented adequate measures to protect their data.
The link between ISO/IEC 27001 and GDPR is [16]:
ISO/IEC 27001 and GDPR have at their core a common commitment to properly process and store sensitive and confidential data. Therefore, the implementation of the comprehensive ISO/IEC 27001 framework steers compliance with the EU GDPR, as many of the EU GDPR requirements are covered by ISO/IEC 27001. However, particular controls have to be adjusted to address the protection of personal data within the Information Security Management System.
If organizations already have an ISO/IEC 27001 framework in place, they will not face duplication of effort, cost and time to comply with the GDPR requirements.
ISO/IEC 27001 certification supports organizations in creating better business efficiency, safeguards valuable assets such as personal data, protects staff and organizations’ reputation, and simultaneously facilitates the attainment of compliance objectives. Some of the GDPR requirements are not directly covered in ISO/IEC 27001; however, ISO/IEC 27001 provides the means to push companies one step closer to accomplishing conformity with the regulation.
If an organization is not ISO/IEC 27001 certified, the GDPR may be a good catalyst for considering implementing such a scheme for higher information protection assurance. Thus, by being ISO/IEC 27001 compliant, companies demonstrate that the data they own and use is managed in line with data protection regulations.
Does compliance with ISO 27001 guarantee GDPR compliance [17]?
Certification to ISO 27001 can simplify the process of achieving GDPR compliance. However, there are several differences between these standards. The GDPR is a global standard that provides a strategic vision of how organizations need to ensure data privacy. ISO 27001 is a set of best practices with a narrow focus on information security; it provides practical advice on how to protect information and reduce cyber threats. Unlike the GDPR, it does not directly cover the following issues associated with data privacy, which are outlined in Chapter 3 of the GDPR (Data Subject Rights):
Consent,
Data portability,
The right to be forgotten,
The right to restriction of processing,
The right to object,
International transfers of personal data.
As we can see, the GDPR focuses on data privacy and the protection of personal information; it requires organizations to put more effort into obtaining explicit consent for data collection and ensuring that all data is processed lawfully. However, it lacks technical details on how to maintain an appropriate level of data security or mitigate internal and external threats. In this regard, ISO 27001 comes in handy: it provides practical guidance on how to develop clear, comprehensive policies to minimize security risks that might lead to security incidents.
Although conforming to ISO 27001 does not guarantee GDPR compliance, it is a valuable step. Organizations should consider pursuing ISO 27001 certification to ensure that their security measures are strong enough to protect sensitive data.
VI. RESULTS
According to the GDPR, personal data is critical information that all organizations need to protect [6, 14, 15]. Therefore, we analyzed the content of the 15 websites and, following the above discussion, we briefly present some aspects which we believe deserve to be highlighted when assessing whether the implementation of ISO 27001 might be a facilitating factor for organizations to comply with the GDPR.
After analyzing the websites with regard to the following statement, “the implementation of ISO 27001 identifies personal data as an information security asset”, we found that 9 (60%) sites contain information agreeing with this statement and the other 6 (40%) make no mention whatsoever in this respect (see Fig. 2).
Figure 2. GDPR compliance.
Considering the aspects highlighted in the previous section for achieving compliance with the GDPR through the implementation of ISO 27001, Fig. 3 shows which of them received more or less attention in the websites under analysis.
From Fig. 3, three aspects stand out as deserving most attention: People, processes and technology, which takes security beyond people only; Certification, which proves that the measures were implemented in that organization; and Controls and security framework, which are paramount in any organization.
Figure 3. How to be in compliance.
When analyzing the aspects which are highly detailed in the GDPR but barely addressed in ISO 27001, we found the data presented in Fig. 4.
Figure 4. Aspects highly focused on in the GDPR.
The aspects which stand out are those concerning consent and penalties. Data controllers have to prove that data subjects have agreed to the processing of their personal data (Articles 7 and 8). The request for consent must be given in an easily accessible form, with the purpose of the data processing attached. Data subjects also have the right to withdraw their consent at any time.
The GDPR establishes a framework for applying sanctions which is quite heavy on companies that do not comply with the new data protection legislation requirements.
Lastly, is the ISO 27001 standard an excellent framework for compliance with the EU GDPR? The results regarding this aspect are presented in Fig. 5.
As we can see, 11 sites (73%) agree that the ISO 27001 standard is an excellent framework for compliance with the EU GDPR, 3 (20%) do not mention this aspect, and only 1 (7%) of the websites analyzed disagrees.
Figure 5. ISO 27001 is an excellent framework for compliance with GDPR.
From these findings, we can conclude that there is consensus that, although ISO 27001 does not comprise certain important controls, its implementation is considered to be a facilitating factor for organizations to comply with the new personal data regulation.
VII. CONCLUSION
The implementation of the GDPR by organizations should be seen in the context of achieving their business goals. There is a clear need to emphasize its benefits for organizations and the value it adds to business. It is absolutely wrong to understand the GDPR as just another restriction on the operating environment. The GDPR is a tool for generating a strategic advantage based on trust between the organization, its employees, clients and partners [18].
The GDPR encourages the use of certifications such as ISO 27001 in order to show that the organization is actively managing its data security according to international best practices.
Our findings allow us to conclude that any organization that has already implemented or is in the process of implementing ISO/IEC 27001 is in an excellent position to show compliance with the new GDPR requirements.
The new data protection regulation introduces a set of rules which require organizations to implement controls. The implementation of ISO 27001 will help organizations respond to these requirements.
As possible future work, we suggest assessing organizations by means of a survey on how far certification of the information security management system under ISO 27001 ensures companies’ compliance with the GDPR, since the implementation of an information security management system by a company must ensure that all the relevant risk containment controls associated with confidentiality, integrity and availability are implemented and kept functional.
ACKNOWLEDGMENT
UNIAG, R&D unit funded by the FCT – Portuguese Foundation for the Development of Science and Technology, Ministry of Science, Technology and Higher Education. Project n.º UID/GES/4752/2019.
This work has been supported by FCT – Fundação para a Ciência e Tecnologia within the Project Scope: UID/CEC/00319/2019.
REFERENCES
[1] J. Mäkinen, Data quality, sensitive data and joint controllership as examples of grey areas in the existing data protection framework for the Internet of Things, Information & Communications Technology Law, vol. 24, no. 3, 2015, pp. 262–277.
[2] J. R. C. Nurse, S. Creese and D. De Roure, Security risk assessment in Internet of Things systems, IEEE IT Professional, vol. 19, no. 5, 2017, pp. 20–26.
[3] T. Clements and S. Milton, Maintaining Data Protection and Privacy Beyond GDPR Implementation, ISACA, 2018.
[4] European Parliament and Council, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union, 2016.
[5] T. Goubau, How GDPR Will Change Personal Data Control and Affect Everyone in Construction, https://www.aproplan.com/blog/construction-news/gdpr-changes-personal-data-control-construction, last accessed 2018/07/20.
[6] E. Díaz Díaz, The new European Union General Regulation on Data Protection and the legal consequences for institutions, Church, Communication and Culture, vol. 1, 2016, pp. 206–239.
[7] D. Milicevic and M. Goeken, Ontology-Based Evaluation of ISO 27001, in: W. Cellary and E. Estevez (eds.), Software Services for e-World, I3E 2010, IFIP Advances in Information and Communication Technology, vol. 341, Springer, 2010.
[8] E. Bilbao, A. Bilbao and K. Pecina, Physical Logical Security Risk Analysis Model, IEEE, 2011, pp. 1–7.
[9] L. Irwin, How ISO 27001 can help you achieve GDPR compliance, IT Governance, 2018.
[10] A. Calder and S. Watkins, IT Governance, 2008.
[11] ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2013.
[12] M. D. Myers, Qualitative Research in Information Systems, ACM Computing Surveys (CSUR), MISQ Discovery, 1997.
[13] B. Berelson, Content Analysis in Communications Research, Free Press, New York, 1952.
[14] NQA, GDPR and ISO 27001 - how do they map?, https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001, last accessed 2019/01/18.
[15] L. Dattani, GDPR and ISO 27001 - how to be compliant, https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant, last accessed 2019/01/25.
[16] M. Middleton-Leal, GDPR and ISO 27001 Mapping: Is ISO 27001 Enough for GDPR Compliance?, Netwrix, https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/, last accessed 2019/01/27.
[17] PECB, The link between ISO/IEC 27001 and GDPR, https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf, last accessed 2019/01/26.
[18] T. Tzolov, One Model For Implementation GDPR Based On ISO Standards, International Conference on Information Technologies (InfoTech-2018), 2018, pp. 1–3.
SITES STUDIED
http://vexillum.pt/como-iso-27001-pode-ajudar-alcancar-conformidade-rgpd/
https://www.itgovernance.co.uk/gdpr-and-iso-27001
https://www.nqa.com/en-gb/certification/standards/iso-27001
https://www.itgovernance.co.uk/blog/how-iso-27001-can-help-you-achieve-gdpr-compliance
https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001
https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant
https://www.27001.pt/iso27001_5.html
https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf
https://iso9001mgtsystem.files.wordpress.com/2017/02/how_iso_27001_can_help_eu_gdpr_compliance_en-1.pdf
https://blogs.manageengine.com/it-security/2018/01/15/how-iso-27001-helps-you-comply-with-the-gdpr.html
https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/
https://www.privacycompliancehub.com/gdpr-resources/does-being-certified-in-iso-27001-really-ensure-that-you-are-gdpr-compliant/
https://www.differentia.consulting/article/iso-27001-and-gdpr/?cli_action=1548614370.003
iso27001guide.com/annex-a/compliance/compliance-with-legal-and-contractual-requirements/iso-27001-and-gdpr/
https://ins2outs.com/implement-information-security-management-system/
2019 14th Iberian Conference on Information Systems and
Technologies (CISTI)
19 – 22 June 2019, Coimbra, Portugal
ISBN: 978-989-98434-9-3
How ISO 27001 can help achieve GDPR compliance
Isabel Maria Lopes
Polytechnic Institute of Bragança, Bragança, Portugal
UNIAG, Polytechnic Institute of Bragança, Portugal
ALGORITMI Centre, Minho University, Guimarães,
Portugal
[email protected]
Pedro Oliveira
Polytechnic Institute of Bragança, Bragança, Portugal
[email protected]
Teresa Guarda
Universidad Estatal Península de Santa Elena – UPSE, La
Libertad, Ecuador
Universidad de las Fuerzas Armadas – ESPE, Sangolqui,
Quito, Equador
ALGORITMI Centre, Minho University, Guimarães,
Portugal
[email protected]
Abstract — Personal Data Protection has been among the most
discussed topics lately and a reason for great concern among
organizations. The EU General Data Protection Regulation
(GDPR) is the most important change in data privacy regulation
in 20 years. The regulation will fundamentally reshape the way
in
which data is handled across every sector. The organizations
had
two years to implement it. As referred by many authors, the
implementation of the regulation has not been an easy task for
companies. The question we aim to answer in this study is how
far
the implementation of ISO 27001 standards might represent a
facilitating factor to organizations for an easier compliance with
the regulation. In order to answer this question, several
websites
(mostly of consulting companies) were analyzed, and the
aspects
considered as facilitating are listed in this paper.
Keywords - regulation (EU) 2016/679; general data protection
regulation; ISO/IEC 27001.
I. INTRODUCTION
In recent years, data protection has become a forefront issue
in cyber security. The issues introduced by recurring
organizational data breaches, social media and the Internet of
Things (IoT) have raised the stakes even further [1, 2]. The EU
GDPR, enforced from May 25 2018, is an attempt to address
such data protection. The GDPR makes for stronger, unified
data
protection throughout the EU.
The EU GDPR states that organizations must adopt
appropriate policies, procedures and processes to protect the
personal data they hold.
The International Organization for Standardization (ISO)
/International Electrotechnical Commission (IEC) 27000 series
is a set of information security standards that provide best-
practice recommendations for information security management
[3].
This international standard for information security, ISO
27001, provides an excellent starting point for achieving the
technical and operational requirements necessary to reduce the
risk of a breach.
Not all data is protected by the GDPR, since it is only
applicable to personal data. This is defined in Article 4 as
follows [4]:
“personal data” means any information relating to an
identified or identifiable natural person (’data subject’); an
identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online
identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social
identity of that natural person.
The structure of the present work consists of an introduction,
followed by a desk review on the general data protection
regulation and the desk review of ISO 27001, the international
standard for information security. Section 4 focuses on the
research methodology. Before presenting the results the
discussion is made, focusing on the relationship between ISO
27001 and GDPR. The results of the study are presented in
section 6 and section 7 consists of the conclusions drawn from
the study. Finally, the limitations of this research work are
identified and possible future studies are proposed.
II. GENERAL DATA PROTECTION REGULATION
The enforcement of the GDPR on the protection of natural persons regarding the processing and movement of personal data, which repeals Directive 95/46/CE of October 24 1995, poses innumerable challenges to both public and private entities as well as to all the agents whose activities involve the processing of personal data.
Although the full application of the new GDPR was set for May 25 2018, the date from which Directive 95/46/CE was effectively repealed, its entry into force on May 25 2016 dictated the need for an adaptation to all the aspects changed or introduced by the regulation. Such adaptation of the present systems and models, as well as of best practices regarding personal data processing and protection by companies, is now an imperative stemming from the regulation in order to safeguard its full applicability. In Fig. 1, we can see all the stages which the GDPR has undergone.
The GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
Figure 1. Stages of the GDPR [5]
According to [6], the main innovations of the General Data Protection Regulation are:
1. New rights for citizens: the right to be forgotten and the right to a user’s data portability from one electronic system to another.
2. The creation of the post of Data Protection Officer (DPO).
3. Obligation to carry out Risk Analyses and Impact Assessments to determine compliance with the regulation.
4. Obligation of the Data Controller and Data Processor to document the processing operations.
5. New notifications to the Supervisory Authority: security breaches and prior authorization for certain kinds of processing.
6. New obligations to inform the data subject by means of a system of icons that are harmonized across all the countries of the EU.
7. An increase in the size of sanctions.
8. Application of the concept ‘One-stop-shop’ so that data subjects can carry out procedures even though this affects authorities in other member states.
9. Establishment of obligations for new special categories of data.
10. New principles in the obligations over data: transparency and minimization of data.
All organizations, including small to medium-sized companies and large enterprises, must be aware of all the GDPR requirements and be prepared to comply.
III. ISO/IEC 27001
Information security risks threaten the ability of organizations to reach their operational and strategic goals. The increasing diversification of the information security landscape makes addressing all risks a challenging task. Information security standards have positioned themselves as generic solutions to tackle a broad range of risks and try to guide security managers in their endeavors [7].
The ISO 27001 standard represents the international framework for information security management.
The ISO 27001 standard has undergone continuous improvements over the years and stems from a previous set of standards, namely BS7799-2 and BS7799 (British Standards). In fact, its primary origin is a document published in 1992 by a department of the British government which established a code of practice regarding the management of information security.
The adoption of ISO 27001 results in the companies’ adoption of an adequate model to establish, implement, operate, monitor, review and manage an Information Security Management System.
ISO 27001:2013 is part of the management system of an organization, based on a business risk approach, and is intended to build, implement, operate, observe, maintain and improve information security. The application of ISO/IEC 27001 allows the organization or company to compare itself with the competition and provides relevant information about IT security [8].
ISO 27001 outlines three essential aspects or ‘pillars’ of effective information security: people, processes and technology. This three-pronged approach helps organizations defend themselves from both highly organized attacks and common internal threats, such as accidental breaches and human error [9].
The implementation of an information security management system according to ISO/IEC 27001 has the following advantages to organizations:
It enables the identification and elimination of threats and vulnerabilities;
It provides security and trust to all stakeholders (clients, partners and others);
It improves security awareness;
It increases the capacity to foresee, manage and survive a disaster;
It deepens the knowledge regarding the organization and its processes, assets and liabilities;
It provides real knowledge of the risk that the organization faces;
It ensures business continuity;
It contributes to a reduction in costs and to the improvement of the processes and services;
It ensures compliance with the legislation in force;
It reduces costs associated with ‘non security’.
ISO 27001:2013 provides specifications for information security management systems along with practice [10].
ISO 27001:2013 has 14 security control clauses that contain a total of 35 control objectives and 114 controls [11]. The 14 security control clauses are as follows:
Information security policies,
Organization of information security,
Human resource security,
Asset management,
Access control,
Cryptography,
Physical and environmental security,
Operations security,
Communications security,
System acquisition, development, and maintenance,
Supplier relationships,
Information security incident management,
Information security aspects of business continuity management,
Compliance.
The implementation of ISO 27001 implies a high commitment to information protection, which represents a considerable level of comfort for the organizations that interact with the certified entity.
IV. RESEARCH METHODOLOGY
The use of a research method is paramount since it represents the means to an end. A research methodology does not look for solutions but chooses the way to find them, integrating knowledge through the methods which are applicable to the various scientific or philosophical subjects. Although there are several ways to classify them, research approaches are normally distinguished as quantitative or qualitative [12].
It is acknowledged that the choice of method must be made according to the nature of the problem being addressed. Therefore, we considered it appropriate to follow a quantitative research method (traditional scientific research), based on positivist rational thought, according to which, through empirical observations, we build theories (expressed in a deductive way) that try to explain what is observed. Among the possible research methods, we applied content analysis.
Content analysis is a method which differs from the other research methods because, instead of interviewing or observing people, the researcher deals with pre-existing records and draws inferences from those records.
Content analysis is a research technique for the objective, systematic, and quantitative description of the manifest content of communications. For this description to be objective, it requires a precise definition of the analysis categories, in order to enable different researchers to use them and get the same results. For it to be systematic, the whole relevant content must be analyzed in relation to all the meaningful categories. Finally, quantification allows the provision of more precise and objective information concerning the frequency of occurrence of content features [13].
V. DISCUSSION
The similarities between the ISO 27001 framework and the GDPR requirements mean that organizations which certify to the Standard are already halfway to GDPR compliance.
Its requirements (ISO 27001) are similar in many places to the GDPR, but whereas the Regulation only occasionally suggests specific practices (such as encryption), ISO 27001 clearly lays out what organizations need to do in order to remain secure [9].
Article 42 of the GDPR addresses demonstrating compliance with the regulation through “data protection certification processes”. ISO 27001-compliant Information Security Management Systems follow a risk-based approach addressing the specific security threats faced by organizations, considering people, processes and technology [14].
How ISO 27001 can help meet GDPR requirements [15]:
1 - Assurance
The GDPR recommends the use of certification schemes such as ISO 27001 as a way of providing the necessary assurance that the organization is effectively managing its information security risks.
2 - Not just personal data
ISO 27001 follows international best practices and will help companies put processes in place that protect not only customer information but also all the information assets, including information that is stored electronically and in hard copy format.
3 - Controls and security framework
The GDPR stipulates that organizations should select appropriate technical and organizational controls to mitigate the identified risks. The majority of the GDPR data protection arrangements and controls are also recommended by ISO 27001.
4 - People, processes and technology
ISO 27001 encompasses the three essential aspects of information security: people, processes and technology, which means companies can protect their business not only from technology-based risks but also from other and more common threats, such as poorly informed staff or ineffective procedures.
5 - Accountability
ISO 27001 requires companies’ security regime to be supported by top leadership and incorporated into the organization’s culture and strategy. It also requires the appointment of a senior individual who takes accountability for the ISMS. The GDPR mandates clear accountability for data protection across the organization.
6 - Risk assessments
ISO 27001 compliance means conducting regular risk assessments to identify threats and vulnerabilities that can affect organizations’ information assets, and taking steps to protect that data. The GDPR specifically requires a risk assessment to ensure that an organization has identified risks that can impact personal data.
7 - Continual improvement
ISO 27001 requires that the companies’ ISMS is constantly monitored, updated and reviewed, meaning that it evolves as their business evolves using a process of continual improvement. This means that the ISMS will adapt to changes, both internal and external, as companies continually identify and reduce risks.
8 - Testing and audits
Being GDPR-compliant means that an organization needs to carry out regular testing and audits to prove that its security regime is working effectively. An ISO 27001-compliant ISMS needs to be regularly assessed according to the internal audit guidelines provided by the standard.
9 - Certification
The GDPR requires organizations to take the necessary steps to ensure the security controls work as designed. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether organizations have implemented adequate measures to protect their data.
The link between ISO/IEC 27001 and GDPR is [16]:
ISO/IEC 27001 and the GDPR have at their core a common commitment to properly process and store sensitive and confidential data. Therefore, the implementation of the comprehensive ISO/IEC 27001 framework steers compliance with the EU GDPR, as many of the EU GDPR requirements are covered by ISO/IEC 27001. However, particular controls have to be adjusted to address the protection of personal data within the Information Security Management System.
If organizations already have an ISO/IEC 27001 framework in place, they will not face duplication of effort, cost and time to comply with the GDPR requirements.
The ISO/IEC 27001 certification supports organizations in creating better business efficiency, safeguards valuable assets such as personal data, protects staff and organizations’ reputation, and simultaneously facilitates the attainment of compliance objectives. Some of the GDPR requirements are not directly covered in ISO/IEC 27001; however, ISO/IEC 27001 provides the means to push companies one step closer to accomplishing conformity to the regulation.
In case an organization is not ISO/IEC 27001 certified, the GDPR may be a good catalyst in considering implementing such a scheme for higher information protection assurance. Thus, by being ISO/IEC 27001 compliant, companies demonstrate that the data owned and used is managed based on data protection regulations.
Does compliance with ISO 27001 guarantee GDPR compliance [17]?
Certification with ISO 27001 can simplify the process of achieving GDPR compliance. However, there are several differences between these standards. The GDPR is a global standard that provides a strategic vision of how organizations need to ensure data privacy. ISO 27001 is a set of best practices with a narrow focus on information security; it provides practical advice on how to protect information and reduce cyber threats. Unlike the GDPR, it does not directly cover the following issues associated with data privacy, which are outlined in Chapter 3 of the GDPR (Data Subject Rights):
Consent,
Data portability,
The right to be forgotten,
The right to restriction of processing,
Right to object,
International transfers of personal data.
As we can see, the GDPR focuses on data privacy and the protection of personal information; it requires organizations to put more effort into obtaining explicit consent for data collection and ensuring that all data is processed lawfully. However, it lacks technical details on how to maintain an appropriate level of data security or mitigate internal and external threats. In this regard, ISO 27001 comes in handy: it provides practical guidance on how to develop clear, comprehensive policies to minimize security risks that might lead to security incidents.
Although conforming to ISO 27001 does not guarantee GDPR compliance, it is a valuable step. Organizations should consider pursuing ISO 27001 certification to ensure that their security measures are strong enough to protect sensitive data.
VI. RESULTS
According to the GDPR, personal data is critical information that all organizations need to protect [6, 14, 15]. Therefore, we analyzed the content of the 15 websites and, after the above discussion, we will briefly present some aspects which we believe deserve to be highlighted when assessing whether the implementation of ISO 27001 might be a facilitating factor for organizations to comply with the GDPR.
After analyzing the websites with regard to the following statement, that the implementation of ISO 27001 identifies personal data as an information security asset, we found that in 9 (60%) sites there is information agreeing with this statement and in the other 6 (40%) there is no mention whatsoever in this respect (see Fig. 2).
Figure 2. GDPR compliance.
Considering the aspects highlighted in the previous section for being in compliance with the GDPR through the ISO 27001 implementation, we can see in Fig. 3 the ones which were more or less focused on in the websites under analysis.
From Fig. 3, three aspects stand out as deserving most attention: People, processes and technology, which takes security beyond people alone; Certification, which proves that the measures were implemented in that organization; and Controls and security framework, which are paramount in any organization.
Figure 3. How to be in compliance.
When analyzing the aspects which are highly detailed in the GDPR but barely focused on in ISO 27001, we found the data presented in Fig. 4.
Figure 4. Aspects highly focused in the GDPR
The aspects which stand out are those concerning consent and penalties. Data controllers have to prove that data subjects have agreed to the processing of their personal data (Articles 7 and 8). The request for consent must be given in an easily accessible form, with the purpose for data processing attached. Data subjects also have the right to withdraw their consent at any time.
The GDPR establishes a sanction application framework which is quite heavy on companies which do not comply with the new data protection legislation requirements.
Lastly, is the ISO 27001 standard an excellent framework for compliance with the EU GDPR? The results regarding this aspect are presented in Fig. 5.
As we can see, 11 sites (73%) agree that the ISO 27001 standard is an excellent framework for compliance with the EU GDPR, 3 (20%) do not mention this aspect, and only 1 (7%) of the websites analyzed disagrees.
Figure 5. ISO 27001 is an excellent framework for compliance with GDPR
From these findings, we can conclude that there is consensus that, although ISO 27001 does not comprise certain important controls, its implementation is considered to be a facilitating factor for organizations to be in compliance with the new personal data regulation.
VII. CONCLUSION
The implementation of the GDPR by organizations should be seen in the context of achieving their business goals. There is a clear need to emphasize its benefits for organizations and the value it adds to the business. It is absolutely wrong to understand the GDPR as another restriction on the operating environment. The GDPR is a tool for generating a strategic advantage based on trust between the organization, its employees, clients and partners [18].
The GDPR encourages the use of certifications such as ISO 27001 in order to show that the organization is actively managing its data security according to international best practices.
Our findings allow us to conclude that any organization that has already implemented or is in the process of implementing ISO/IEC 27001 is in an excellent position to show compliance with the new GDPR requirements.
The new data protection regulation introduces a set of rules which require organizations to implement controls. The implementation of ISO 27001 will help organizations respond to these requirements.
As possible future work, we suggest assessing organizations by means of a survey on how far the certification of the information security management system under ISO 27001 grants companies’ compliance with the GDPR, since the implementation of an information security management system by a company must ensure that all the relevant risk containment controls associated with confidentiality, integrity and availability are implemented and kept functional.
ACKNOWLEDGMENT
UNIAG, R&D unit funded by the FCT – Portuguese Foundation for the Development of Science and Technology, Ministry of Science, Technology and Higher Education. Project no. UID/GES/4752/2019.
This work has been supported by FCT – Fundação para a Ciência e Tecnologia within the Project Scope: UID/CEC/00319/2019.
REFERENCES
[1] J. Mäkinen, Data quality, sensitive data and joint controllership as examples of grey areas in the existing data protection framework for the Internet of Things. Information & Communications Technology Law 24, 3, 2015, pp. 262–277.
[2] J. R. C. Nurse, S. Creese and D. De Roure, Security risk assessment in Internet of Things systems. IEEE IT Professional 19, 5, 2017, pp. 20–26.
[3] T. Clements and S. Milton, Maintaining Data Protection and Privacy Beyond GDPR Implementation, ISACA, 2018.
[4] European Parliament and Council, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union (2016).
[5] T. Goubau, How GDPR Will Change Personal Data Control and Affect Everyone in Construction. https://www.aproplan.com/blog/construction-news/gdpr-changes-personal-data-control-construction, last accessed 2018/07/20.
[6] E. Díaz Díaz, The new European Union General Regulation on Data Protection and the legal consequences for institutions, Church, Communication and Culture, v. 1, 2016, pp. 206-239.
[7] D. Milicevic and M. Goeken, Ontology-Based Evaluation of ISO 27001. In: Cellary W., Estevez E. (eds) Software Services for e-World. I3E 2010. IFIP Advances in Information and Communication Technology, vol 341. Springer, 2010.
[8] E. Bilbao, A. Bilbao and K. Pecina, Physical Logical Security Risk Analysis Model. IEEE, 2011, pp. 1-7.
[9] L. Irwin, How ISO 27001 can help you achieve GDPR compliance, IT Governance, 2018.
[10] A. Calder and S. Watkins, IT Governance, 2008.
[11] ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2013.
[12] M. D. Myers, Qualitative Research in Information Systems, ACM Computing Surveys (CSUR), MISQ Discovery, 1997.
[13] B. Berelson, Content Analysis in Communications Research. Free Press, New York, 1952.
[14] NQA, GDPR and ISO 27001 - how do they map? https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001, last accessed 2019/01/18.
[15] L. Dattani, GDPR and ISO 27001 - how to be compliant. https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant, last accessed 2019/01/25.
[16] M. Middleton-Leal, GDPR and ISO 27001 Mapping: Is ISO 27001 Enough for GDPR Compliance?, Netwrix. https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/, last accessed 2019/01/27.
[17] PECB, The link between ISO/IEC 27001 and GDPR, https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf, last accessed 2019/01/26.
[18] T. Tzolov, One Model For Implementation GDPR Based On ISO Standards, International Conference on Information Technologies (InfoTech-2018), 2018, pp. 1-3.
SITES STUDIED
http://vexillum.pt/como-iso-27001-pode-ajudar-alcancar-conformidade-rgpd/
https://www.itgovernance.co.uk/gdpr-and-iso-27001
https://www.nqa.com/en-gb/certification/standards/iso-27001
https://www.itgovernance.co.uk/blog/how-iso-27001-can-help-you-achieve-gdpr-compliance
https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001
https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant
https://www.27001.pt/iso27001_5.html
https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf
https://iso9001mgtsystem.files.wordpress.com/2017/02/how_iso_27001_can_help_eu_gdpr_compliance_en-1.pdf
https://blogs.manageengine.com/it-security/2018/01/15/how-iso-27001-helps-you-comply-with-the-gdpr.html
https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/
https://www.privacycompliancehub.com/gdpr-resources/does-being-certified-in-iso-27001-really-ensure-that-you-are-gdpr-compliant/
https://www.differentia.consulting/article/iso-27001-and-gdpr/?cli_action=1548614370.003
iso27001guide.com/annex-a/compliance/compliance-with-legal-and-contractual-requirements/iso-27001-and-gdpr/
https://ins2outs.com/implement-information-security-management-system/
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
Addressing Information Security Risks by Adopting Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O. Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in nearly every facet of human activity including finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks, including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject.
Keywords- Information security; risk management; security frameworks; security standards; security management.
1. Introduction
The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with concentration on functionality, cost reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as system vulnerabilities, and to limit their damaging impact on the information systems' integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2].
In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process.
Because risks cannot be completely eliminated, they need to be reduced to acceptable levels. Acceptable risks are risks that the business decides to live with, given that proper assessment for these risks has been performed and the cost of treating these risks outweighs the benefits.
To this effect, enterprises spend considerable resources in building proper information security risk management programs that would eventually address the risks they are exposed to. These programs need to be established on solid foundations, which is the reason why enterprises look for standards and frameworks that are widely accepted and common across enterprises [4].
However, the fact that several standards and frameworks exist makes it challenging for enterprises to select which one to adopt, and the question “which is the best?” warrants further investigation. The main objective of this paper is to provide an answer to this question, thereby assisting enterprises in developing a proper understanding of the issue and establishing successful information security risk management programs. This paper provides an analysis of some existing standards and frameworks for information security risks and consolidates various aspects of the topic. It also presents the challenges that frustrate information security risk management efforts, along with how leading market standards and practices can be used to address information security risks, with insights on their strengths and weaknesses.
Please note that the scope of this paper is limited to the following frameworks: ISO 27001, ISO 27002, ISO 27005, ITIL, COBIT, Risk IT, Basel II, PCI DSS, and OCTAVE. These are the most commonly used frameworks in the market [5]. Other frameworks and methodologies like RMF (by NIST) and M_o_R (by GOC) can be considered in future work. It is also important to mention that this paper is not intended to promote a specific standard or framework; rather it treats them equally. Conclusions drawn as a result of this work are based on our detailed analyses, research, literature review, and observations from our work experience and engagements with clients from various sectors in the field of information security.
The remainder of this paper is organized as follows: section 2 highlights some related work; section 3 details some challenges that disturb information security risk assessments; section 4 provides an overview of the major drivers for standards adoption; section 5 provides detailed analyses and exploration of the standards and frameworks in scope; section 6 details the strengths and weaknesses of these standards and frameworks when used as a means to address information security risks; section 7 captures the selection considerations to use; section 8 provides some recommendations along with the proposed approach; section 9 presents a case study to illustrate the benefits of the proposed selection method; finally, section 10 puts forward some conclusions and future research opportunities in relation to our work.
2. Related Work
The literature on information security risk management based on international standards is scarce. The literature lacks studies that guide organizations in selecting the standard that fits their needs. Some research works attempt to analyze existing information security risk management standards, mainly ISO 27001 [6]. However, these research works focus mainly on listing advantages and disadvantages of these standards and how to implement and manage them. No comprehensive studies have been done to holistically compare various frameworks with the objective of providing selection criteria for the best standard or proposing a better assessment approach. Some papers dealt with frameworks such as COBIT, ITIL, and ISO 17799 as means to manage compliance requirements [7]. Ref. [8] proposes a framework which considers global, national, organizational, and employee standards to guide information security management. Ref. [9] presents a framework of information security standards conceptualization, interconnection and categorization to raise awareness among organizations about the available standards (mainly the ISO series).
As well as exploring existing frameworks used in IT risk management, this paper presents the challenges facing organizations in successfully implementing information security risk assessments and the drivers for standards adoption. The main and novel contribution of our research work is the proposal of a practical approach to selecting an appropriate framework to address information security risks.
3. Challenges to Information Security Risk Assessments
Some of the common challenges to information security risk assessments are discussed briefly in this section. In fact, these challenges represent critical failure factors for an information risk management program.
1) Absence of senior management commitment & support: Management’s buy-in and support is a critical driver for the success of any IT project, including information security risk assessments. Absence of management commitment will result in wasting valuable resources and efforts, producing weak evaluations, and most importantly, will lead to ignoring the assessment findings [10].
2) Absence of appropriate policies for information security risk management: It is crucial to have information security policies in place to reflect the enterprise objectives and management directions. Although some policies might be created, information security risk management policies tend to be dropped or forgotten. In research conducted by GAO, the US Government Accountability Office, three out of four detailed case studies showed that, despite the fact that firms had some form of information security risk assessment approach practiced for several years, the risk management and assessment policies and processes were not documented until recently [11]. The absence of this critical steering document will lead to unstructured risk assessment approaches and will openly allow unmanaged evaluations.
3) Disintegrated GRC efforts: The increasingly
popular term GRC refers to three critical areas:
Governance, Risk Management, and
Compliance. According to COBIT 4.1, IT
Governance is defined as “the responsibility of
executives and the board of directors, and
consists of the leadership, organizational
structures and processes that ensure that the
enterprise’s IT sustains and extends the
organization’s strategies and objectives” [12].
Risk management is a process through which
management identifies, analyses, evaluates,
treats, communicates, and monitors risks that
might adversely affect realization of the
organization's business objectives. Compliance
means ensuring that external laws, regulations
and mandates, as well as internal policies, are
complied with at a level consistent with
corporate ethics and risk tolerance.
Governance, risk, and compliance should
always be viewed as a continuum of interrelated
functions, best approached in a comprehensive,
integrated manner. Treating them separately
results in increased failure rates, wasted
resources, and higher overall assurance cost.
4) Improper management of assessments: Despite
the importance of security risk assessments,
they are mostly not managed as projects but
treated as part of normal IT operations.
Treating security risk assessments as routine
IT assignments excludes them from business
review and so creates a disconnect between
management and the enterprise's information
security assessments. This exclusion also
makes over-budget assessments more likely,
wasting further effort and resources.
5) Asset ownership is either undefined or
unpractised: In ISO 27001 “the term ‘owner’
identifies an individual or entity that has
approved management responsibility for
controlling the production, development,
maintenance, use and security of the assets”
[13]. This definition entails major responsibility
for the person assigned ownership, including
making sure that proper controls are actually
implemented to protect the asset. Information
security standards, best practices and mandates
such as ISO 27001, COBIT and ITIL require that
information assets are identified, inventoried,
and assigned an owner. This is crucial for the
success of any information security assessment.
Most organizations fail to develop
comprehensive information asset inventories
and accordingly do not assign ownership [14].
6) Limitations of existing automated solutions:
Software solutions for information security risk
assessment are developed to aid in the
automation of this process and to make it more
efficient. In a detailed comparison conducted by
“Risk Assessment Accelerator”, seven common
solutions were compared with respect to more
than forty different areas [15]. Features such as
ease of use, multi-language support and
client-server architecture support were found
lacking in four or five of these solutions. Three
of the seven compared solutions provide only
limited customization of both the built-in
inventories (of risks, vulnerabilities and threats)
and the generated dashboards. All these
weaknesses undermine enterprises’ efforts to
document information security risk assessment
requirements efficiently and reliably.
7) Existence of several IT risk assessment
frameworks: The existence of many information
security risk management and assessment
frameworks adds to the ambiguity and to the
challenge of choosing the best one to use. In fact,
analyses of existing risk assessment frameworks
show that there is no one-size-fits-all solution,
as it is hard to develop a single precise document
that addresses the needs of all enterprises given
their varied natures and requirements.
4. Drivers for Standards Adoption
In order to address their information security
risk management and assessment challenges,
enterprises adopt internationally accepted
frameworks or best practices. Standards in general
are meant to provide uniformity that would ease
the understanding and management of concerned
areas. Businesses need to adopt standards for
reasons ranging from business requirements to
regulatory and compliance mandates.
Establishing proper corporate governance,
increasing risk awareness and competing with
other enterprises are some of the business
drivers. Some firms pursue
certifications to meet market expectations and
improve their marketing image. A major business
driver for standards adoption is to fill in the gaps
and lack of experience in certain areas where firms
are not able to build or establish proprietary
standards based on their staff competencies [16].
Providing confidence to trading partners,
stakeholders and customers, reducing liability
arising from unimplemented or unenforced
policies and procedures, securing senior
management ownership and involvement, and
establishing a mechanism for measuring the
success of security controls are other key drivers
for the adoption of standards.
5. Leading Market Best Practices Standards
In this section, an overview is presented of a
number of the more important standards for
information security risk management. For detailed
information about these standards, the reader is
encouraged to consult the references provided for
them. The list of standards is not complete; as
stated in the introduction, only a subset of the
existing standards is treated in this paper.
5.1. ISO 27000 Set
ISO 27000 is a series of standards, published
jointly by ISO and IEC (ISO/IEC 27000),
focusing on information security matters. For the
purposes of this work, ISO 27001, ISO 27002, and
ISO 27005 will be explored to highlight their
strengths and weaknesses in relation to current
demands for effective and robust frameworks for
information security risk assessments.
ISO 27001: The ISO 27001 standard is the
specification for an Information Security
Management System (ISMS). The objective of the
standard is to specify the requirements for
establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving an
Information Security Management System within
an organization [13]. It is designed to ensure the
selection of adequate and proportionate security
controls to protect information assets. It is seen as
an internationally recognized structured
methodology dedicated to information security
management.
The standard introduces a cyclic model known
as the “Plan-Do-Check-Act” (PDCA) model that
aims to establish, implement, monitor and improve
the effectiveness of an organization’s ISMS. The
PDCA cycle has these four phases:
– establishing the ISMS
– implementing and operating the ISMS
– monitoring and reviewing the ISMS
– maintaining and improving the ISMS
Organizations that adopt ISO 27001 as their
means of operational information security risk
management often overlook the fact that the
standard was designed mainly as an ISMS
framework, at the management level rather than
the operational level, laying proper foundations
for information security management. The ISO
27001 document does give useful detail on
information security risk assessment, mainly in
clauses 4.2.1 c) through 4.2.1 h); these can be
used as selection criteria for an information
security risk assessment approach that builds on
the control list in Annex A of the standard.
ISO 27002: ISO 27002 is a code of practice
that provides suggested controls that an
organization can adopt to address information
security risks. It can be considered an
implementation roadmap or extension to ISO
27001. As stated in the standard document, the
code of practice is established to provide
“guidelines and general principles for initiating,
implementing, maintaining, and improving
information security management within an
organization” [17]. The controls listed in the
standard are intended to address the specific
requirements identified via a formal risk
assessment. The standard is also intended to
provide a guide for the development of
“organizational security standards and effective
security management practices, and to help build
confidence in inter-organizational activities” [18].
ISO 27002, as the code of practice, is best used
as guidance and as a direct extension of ISO
27001. Some enterprises use ISO 27002 as their
sole source of controls and as a substitute for
information security risk assessment; however,
not all controls apply, since firms’ structures
and businesses vary. Controls must be selected
on the basis of a detailed and structured
assessment that determines which specific
controls are appropriate and which are not.
This standard contains guidelines and
best-practice recommendations for these 11
security domains: Security Policy; Organization of
Information Security; Asset Management; Human
Resources Security; Physical and Environmental
Security; Communications and Operations
Management; Access Control; Information
Systems Acquisition, Development and
Maintenance; Information Security Incident
Management; Business Continuity Management;
and Compliance.
Across these 11 security domains, 39 control
objectives and 133 best-practice information
security controls are recommended for
organizations to satisfy the control objectives
and protect information assets against threats
to confidentiality, integrity and availability.
ISO 27005: The ISO 27005 standard was
proposed to fill the gaps in ISO 27001 and ISO
27002 in terms of information security risk
management. It builds on the core introduced in
ISO 27001, clauses 4.2.1 c) through 4.2.1 h), and
elaborates by identifying inputs, actions,
implementation guidance, and outputs for each
statement. However, during our research we
realized that the adoption of this standard as a
means for information security risk management is
minimal. This was evident in “The Open Group”
efforts to support ISO 27005 adoption by releasing
a free detailed technical document – called
ISO/IEC 27005 Cookbook – that uses ISO 27005
as a cornerstone for a complete risk management
methodology [18, 19]. ISO 27005 is not intended
to be an information security risk assessment
methodology [20].
The standard has six annexes, all informative,
that substantially extend its value. With proper
customization, these annexes together with the
ISO 27005 body can be used as the main
assessment methodology for security risks.
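As an added example that is not part of the paper, the following Python script walks a small risk register through the ISO 27001 clause 4.2.1 c) to h) steps that ISO 27005 elaborates (define acceptance criteria, identify assets with owners, threats and vulnerabilities, analyse and evaluate, choose a treatment, select controls, obtain management approval of the residual risk). It also refuses to assess assets that have no assigned owner, the failure factor described in item 5 of section 3. The numeric matrix is modelled on the additive example matrix in ISO 27005 Annex E (asset value 0 to 4 plus threat likelihood and ease of exploitation, each low, medium or high). The acceptance threshold, the control catalogue (which uses ISO 27001:2005 Annex A identifiers purely as illustrations) and the sample register are assumptions of this example.

```python
"""ISO 27005-style information security risk assessment (added example).

The steps follow ISO 27001:2005 clause 4.2.1 c) to h) as the paper describes
them; the numeric matrix is modelled on ISO 27005 Annex E (asset value 0..4
plus threat likelihood and ease of exploitation, each low/medium/high). The
acceptance threshold and the control catalogue are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = {"low": 0, "medium": 1, "high": 2}

# Step c): risk acceptance criterion. Assumed for this example: anything above
# 4 on the 0..8 scale must be treated before management may accept it.
ACCEPTABLE_RISK = 4

# Illustrative vulnerability -> control mapping using ISO 27001:2005 Annex A
# identifiers (the controls ISO 27002:2005 describes). Assumed catalogue.
CONTROL_CATALOGUE: Dict[str, List[str]] = {
    "unpatched software": ["A.12.6.1 Control of technical vulnerabilities"],
    "no backups": ["A.10.5.1 Information back-up"],
    "shared admin accounts": ["A.11.2.1 User registration",
                              "A.11.2.2 Privilege management"],
}


@dataclass
class Asset:
    name: str
    owner: Optional[str]   # ISO 27001 expects an approved owner per asset
    value: int             # 0 (negligible) .. 4 (critical), Annex E scale


@dataclass
class Scenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str        # threat likelihood: low / medium / high
    ease: str              # ease of exploiting the vulnerability: low / medium / high


@dataclass
class Result:
    scenario: Scenario
    risk: int
    treatment: str         # blocked / accept / reduce / avoid-or-transfer
    controls: List[str]
    residual_risk: int
    needs_management_approval: bool   # step h): residual still above criterion


def risk_level(value: int, likelihood: str, ease: str) -> int:
    """Step e): additive matrix in the shape of ISO 27005 Annex E, 0..8."""
    if not 0 <= value <= 4:
        raise ValueError("asset value must be between 0 and 4")
    return value + LEVELS[likelihood.lower()] + LEVELS[ease.lower()]


def assess(s: Scenario,
           catalogue: Dict[str, List[str]] = CONTROL_CATALOGUE,
           acceptable: int = ACCEPTABLE_RISK) -> Result:
    """Steps d) to h) for one risk scenario."""
    # Challenge 5 in the paper: with no owner, nobody can approve a treatment.
    if not s.asset.owner:
        return Result(s, -1, "blocked", [], -1, False)
    risk = risk_level(s.asset.value, s.likelihood, s.ease)
    if risk <= acceptable:
        return Result(s, risk, "accept", [], risk, False)
    controls = catalogue.get(s.vulnerability.lower(), [])
    if not controls:
        # Step f): nothing in the catalogue reduces it, so avoid or transfer.
        return Result(s, risk, "avoid-or-transfer", [], risk, True)
    # Step g): the selected controls are assumed to make exploitation "low";
    # residual risk is re-evaluated rather than simply declared acceptable.
    residual = risk_level(s.asset.value, s.likelihood, "low")
    return Result(s, risk, "reduce", controls, residual, residual > acceptable)


def run_assessment(scenarios: List[Scenario]) -> List[Result]:
    """Assess every scenario; register sorted by inherent risk, highest first."""
    results = [assess(s) for s in scenarios]
    return sorted(results, key=lambda r: r.risk, reverse=True)


# Constructed sample register for the example (not real data).
CRM = Asset("crm-db", "Head of Sales", 4)
PAYROLL = Asset("payroll", "CFO", 3)
FILE_SHARE = Asset("legacy-file-share", None, 2)

SAMPLE_SCENARIOS = [
    Scenario(CRM, "malware infection", "unpatched software", "high", "high"),
    Scenario(PAYROLL, "data loss", "no backups", "medium", "medium"),
    Scenario(PAYROLL, "insider misuse", "shared admin accounts", "low", "medium"),
    Scenario(CRM, "laptop theft", "unencrypted disks", "medium", "high"),
    Scenario(FILE_SHARE, "ransomware", "unpatched software", "high", "high"),
]

if __name__ == "__main__":
    for r in run_assessment(SAMPLE_SCENARIOS):
        print(f"{r.scenario.asset.name:18} {r.scenario.threat:18} risk={r.risk:2} "
              f"{r.treatment:18} residual={r.residual_risk:2} "
              f"approval={'yes' if r.needs_management_approval else 'no'} {r.controls}")
```

Note what the crm-db malware scenario shows: after the selected control its residual risk is 6, still above the assumed acceptance level of 4, so the script flags it for explicit management approval instead of marking it treated. Keeping that distinction between a reduced risk and an accepted one is what clause 4.2.1 h) asks for, and it is exactly the step that disappears when ISO 27002 is used as a bare control checklist.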
5.2. IT Infrastructure Library (ITIL 3.0)
ITIL is one of the IT frameworks used as a best
practice adopted to properly manage IT services.
ITIL treats any effort or action by IT in support
of the organization as a service that has value
to customers or the business. The ITIL library
focuses on managing IT services and covers the
whole service lifecycle: service strategy, design,
transition and operation, together with continual
service improvement, which applies monitoring
and improvement to each and every service.
ITIL does not present itself as a framework
for information security risk management.
However, as an IT service management
framework, having it implemented in an
enterprise provides assurance of, and an
indication of, the organization’s IT maturity.
Addressing the IT risks associated with incident,
change, event, problem and capacity
management also reduces the related information
security risks [21, 22].
The drivers for ITIL adoption in organizations
have been analysed in several studies. A survey
conducted by itSMF (IT
Service Management Forum) showed that ITIL
was adopted by different industry sectors [23]
including education, government, and financial
sectors amongst others. The ITIL status survey for
2009 [24] showed the increasing adoption of ITIL
version 3.0 and elaborated on the major drivers
that are causing this adoption. This includes
improving service quality, customer satisfaction
and establishing IT stability and successful value
delivery for business. ITIL’s modularity adds to
its popularity: based on current priorities, a firm
can choose to focus on service operation rather
than service strategy, which typically needs more
time to mature, and ITIL can be implemented
gradually, in phases.
5.3. COBIT 4.1 & Risk IT
Control Objectives for Information and related
Technology (COBIT), developed and owned by
the Information Systems Audit & Control
Association (ISACA), is one of the most widely
adopted information technology frameworks for
IT Governance. COBIT focuses
on defining IT control objectives and developing
the controls to meet them. It is made of 34
processes that manage and control information and
the technology that supports it [12].
COBIT is adopted by enterprises from various
industry sectors [25] which include IT consulting
firms, education, financial institutions,
government, healthcare, utilities and energy. To
better understand how various enterprises
perceive COBIT, thirty case studies were
reviewed and analysed. They showed that COBIT
was used to create the needed alignment between
business and IT, create the IT governance
framework, improve IT processes and establish
the IT risk management organization. Other
enterprises used COBIT to meet their compliance
needs and requirements. Financial institutions
adopted COBIT for their internal IT audit efforts
and risk assessments, and also used it to create
IT policies and procedures. Other firms used
COBIT to standardize IT processes and increase
their effectiveness and maturity level, or as a
means of conducting audits.
COBIT does not provide a methodology to
conduct information security risk assessments but
rather establishes the foundation for having a solid
IT organization in the firm.
ISACA recognized the importance and need
for a comprehensive IT risk management
framework and as a result developed the Risk IT
framework. According to the Risk IT framework
document “The Risk IT framework complements
ISACA’s COBIT, which provides a
comprehensive framework for the control and
governance of business-driven IT-based solutions
and services. While COBIT sets good practices for
the means of risk management by providing a set
of controls to mitigate IT risk, Risk IT sets good
practices for the ends by providing a framework
for enterprises to identify, govern and manage IT
risks [26].
Risk IT provides an end-to-end, comprehensive
view of all risks related to the use of IT and a
similarly thorough treatment of risk management,
from the tone and culture at the top, to operational
issues. It enables enterprises to understand and
manage all significant IT risk types. Risk IT
follows the process model used in COBIT and has
three major domains: 1) Risk Governance which
focuses on the establishment and maintenance of
common risk view, and making risk-aware
business decisions; 2) Risk Evaluation which deals
with data collection, risks analyses and
maintaining risk profile; 3) The Risk Response
component articulates risk, manages risk and
reacts to all adverse events identified [26].
Because Risk IT is still new, it is not yet widely
adopted across enterprises; however, it is
expected to attract more attention in the near
future, building on the wide acceptance and
adoption of COBIT.
5.4. Other Frameworks
In this section, we briefly discuss other
standards and regulations for information security.
Some industries, such as banking, are regulated,
and the guidelines or best practices put together as
part of those regulations often become a de facto
standard among members of these industries.
Basel II: Basel II is the framework most
commonly adopted by financial institutions,
because national regulators have turned it into a
mandatory requirement that banks must comply
with. Its core concern is how much capital banks
need to set aside to guard against the types of
financial and operational risk banks face [27]. It
focuses on operational risk rather than
information security risk. Basel II defines
operational risk as the risk of loss resulting from
inadequate or failed internal processes, people
and systems, or from external events. This
definition implies that Basel II has an IT
dimension that needs to be properly managed.
The area has been the subject of detailed
research, and several publications have tried to
set out clear controls and control objectives to
mitigate the related risks. ISACA led this effort
and developed a detailed framework in this
regard [28].
PCI DSS: The Payment Card Industry Data
Security Standard (PCI DSS) [29], in version 2.0
at the time of writing, consists of twelve
requirements and was created by the major
payment card brands to facilitate the broad,
consistent adoption of data security measures on
a global basis. Proper implementation of PCI DSS
helps in building and maintaining a secure
network, protecting cardholder data, maintaining
a vulnerability management program, and
implementing strong access control measures.
Compliance with PCI DSS is mandated for any
party that stores, processes or transmits
cardholder data. It helps enterprises manage
information security risks, reduces losses from
fraud, and protects consumer data. PCI DSS is
not intended to be used as an information
security risk management or assessment
framework; however, the effort spent meeting its
requirements raises the overall information
security maturity level, which makes better
security assessments easier to achieve. For
organizations that already have an ISMS (ISO
27001) in place, PCI DSS compliance is
considerably easier, since most of its
requirements map onto ISMS controls; note,
however, that PCI DSS adds prescriptive
technical requirements (for example on the
storage of cardholder data and on network
segmentation) that an ISMS does not by itself
satisfy.
OCTAVE Set: OCTAVE (Operationally
Critical Threat, Asset and Vulnerability
Evaluation), developed at the CERT Coordination
Center at Carnegie Mellon University, is a detailed
information security risk assessment methodology;
it consists of tools, techniques and methods for
conducting risk assessments. It is a formal and
detailed set of processes, which helps ensure
that risks are identified and properly analysed,
…
Addressing Information Security Risks by Adopting
Standards
Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science,
Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract- Modern society depends on information technology in
nearly every facet of human activity, including finance,
transportation, education, government, and defense.
Organizations are exposed to various and increasing kinds of
risks, including information technology risks. Several standards,
best practices, and frameworks have been created to help
organizations manage these risks. The purpose of this research
work is to highlight the challenges facing enterprises in their
efforts to properly manage information security risks when
adopting international standards and frameworks. To assist in
selecting the best framework to use in risk management, the
article presents an overview of the most popular and widely used
standards and identifies selection criteria. It suggests an
approach to proper implementation as well. A set of
recommendations is put forward with further research
opportunities on the subject.
Keywords- Information security; risk management; security
frameworks; security standards; security management.
1. Introduction
Technology increasingly covers most aspects of
our daily life. Businesses that depend heavily on
this technology use information systems that
were designed and implemented with a focus on
functionality, cost reduction and ease of use.
Information security was not incorporated early
enough into these systems and has only recently
started to receive the attention it warrants.
Accordingly, there is a need to identify and
manage these hidden weaknesses, referred to as
system vulnerabilities, and to limit their
damaging impact on the integrity, confidentiality
and availability of information systems.
Vulnerabilities are exploited by attacks that are
becoming more targeted and sophisticated; attack
techniques and methods are virtually countless
and evolve rapidly [1, 2].
In any enterprise, information security risks
must be identified, evaluated, analyzed, treated and
properly reported. Businesses that fail in
identifying the risks associated with the
technology they use, the people they employ, or
the environment where they operate usually
subject their business to unforeseen consequences
that might result in severe damage to the business
[3]. Therefore, it is critical to establish reliable
information security risk assessment and treatment
frameworks to guide organizations during the risk
management process.
Because risks cannot be completely eliminated,
they need to be reduced to acceptable levels.
Acceptable risks are risks that the business decides
to live with, given that proper assessment for these
risks has been performed and the cost of treating
these risks outweighs the benefits.
To this effect, enterprises spend considerable
resources in building proper information security
risk management programs that would eventually
address the risks they are exposed to. These
programs need to be established on solid
foundations, which is the reason why enterprises
look for standards and frameworks that are widely
accepted and common across enterprises [4].
However, the fact that several standards and
frameworks exist makes it challenging for
enterprises to select which one to adopt, and the
question “which is the best?” warrants further
investigation. The main objective of this paper is
to provide an answer to this question, thereby
assisting enterprises in developing proper
understanding of the issue and establishing
successful information security risk management
programs. This paper provides an analysis of some
existing standards and frameworks for information
security risks and consolidates various aspects of
the topic. It also presents the challenges that
frustrate information security risk management
efforts along with how leading market standards
and practices can be used to address information
security risks with insights on their strengths and
weaknesses.
Please note that the scope of this paper is
limited to the following frameworks: ISO 27001,
ISO 27002, ISO 27005, ITIL, COBIT, Risk IT,
Basel II, PCI DSS, and OCTAVE. These are the
most commonly used frameworks in the market
[5]. Other frameworks and methodologies such as
RMF (by NIST) and M_o_R (by the OGC) can be
considered in future work. It is also important to
mention that this paper is not intended to promote
a specific standard or framework; rather it treats
them equally. Conclusions drawn as a result of this
work are based on our detailed analyses, research,
literature review, and observations from our work
experience and engagements with clients from
various sectors in the field of information security.
The remainder of this paper is organized as
follows: section 2 highlights some related work;
section 3 details some challenges that disturb
information security risk assessments; section 4
provides an overview of the major drivers for
standards adoption; section 5 provides detailed
analyses and exploration for the standards and
frameworks in scope; section 6 details the
strengths and weaknesses of these standards and
frameworks when used as a means to address
information security risks; section 7 captures the
selection considerations to use; section 8 provides
some recommendations along with the proposed
approach; section 9 presents a case study to
illustrate the benefits of the proposed selection
method; finally, section 10 puts forward some
conclusions and future research opportunities in
relation to our work.
2. Related Work
The literature on information security risk
management based on international standards is
scarce. The literature lacks studies that guide
organizations in selecting the standard that fits
their needs. Some research works attempt to
analyze existing information security risk
management standards, mainly ISO 27001 [6].
However, these research works focus mainly on
listing advantages and disadvantages of these
standards and how to implement and manage
them. No comprehensive studies have been done to
holistically compare various frameworks, with the
objective of providing selection criteria for the best
standard or proposing a better assessment
approach. Some papers dealt with frameworks
such as COBIT, ITIL, and ISO 17799, as means to
manage compliance requirements [7]. Ref. [8]
proposes a framework which considers global,
national, organizational, and employee standards
to guide information security management. Ref.
[9] presents a framework for conceptualizing,
interconnecting and categorizing information
security standards to raise awareness among
organizations of the available standards
(mainly the ISO series).
As well as exploring existing frameworks used
in IT risk management this paper presents the
challenges facing organizations to successfully
implement information security risk assessments
and the drivers for standards adoption. The main
and novel contribution of our research work is the
proposal of a practical approach to selecting an
appropriate framework to address information
security risks.
3. Challenges to Information Security Risk
Assessments
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
30
Some of the common challenges to information
security risk assessments are discussed briefly in
this section. In fact, these challenges represent
critical failure factors for an information risk
management program.
1) Absence of senior management commitment &
support: Management’s buy-in and support is a
critical driver for the success of any IT project,
including information security risk assessments.
Absence of management commitment will
result in wasting valuable resources and efforts,
producing weak evaluations, and most
importantly, will lead to ignoring the
assessment findings [10].
2) Absence of appropriate policies for information
security risk management: It is crucial to have
information security policies in place to reflect
the enterprise objectives and management
directions. Although some policies might be
created, information security risk management
policies tend to be dropped or forgotten. In a
research conducted by GAO, the US
Government Accountability Office, three out of
four detailed case studies showed that despite
the fact that firms used to have some form of
information security risk assessment approaches
practiced for several years, the risk management
and assessment policies and processes were not
documented until recently [11]. The absence of
this critical steering document will lead to
unstructured risk assessment approaches and
will openly allow unmanaged evaluations.
3) Disintegrated GRC efforts: The increasingly
popular term GRC refers to three critical areas:
Governance, Risk Management, and
Compliance. According to COBIT 4.1, IT
Governance is defined as “the responsibility of
executives and the board of directors, and
consists of the leadership, organizational
structures and processes that ensure that the
enterprise’s IT sustains and extends the
organization’s strategies and objectives” [12].
Risk management is a process through which
management identifies, analyses, evaluates,
treats, communicates, and monitors risks that
might adversely affect realization of the
organization's business objectives. Compliance
is about making sure that external laws,
regulations, mandates and internal policies are
being complied with at a level consistent with
corporate morality and risk tolerance.
Governance, risk, and compliance should
always be viewed as a continuum of interrelated
functions, best approached in a comprehensive,
integrated manner. The disintegration results in
increased failure rates, waste of resources, and
increased overall assurance cost.
4) Improper assessments management: Despite the
importance of security risk assessments, they
are mostly not managed as projects and merely
considered as part of IT normal operations.
Considering security risk assessments as part of
IT routine assignments will exclude these
assessments from business review and
consequently will result in a definite disconnect
between management and their enterprise
information security assessments. This
exclusion will also increase the possibilities of
executing over-budget assessments that will
only cause additional efforts and resources to be
wasted.
5) Assets ownership is either undefined or
unpracticed: In ISO 27001 “the term ‘owner’
identifies an individual or entity that has
approved management responsibility for
controlling the production, development,
maintenance, use and security of the assets.
[13]. This definition entails major responsibility
granted to the person who is assigned the
ownership which includes making sure that
proper controls are actually implemented in
order to protect the asset. Information security
standards, best practices and mandates like ISO,
COBIT, and ITIL require that information
assets are identified, inventoried, and ownership
is assigned. This is crucial for the success of
any information security assessment. Most
organizations fail to develop comprehensive
information assets inventories and accordingly
do not assign ownership [14].
6) Limitations of existing automated solutions:
Software solutions for information security risk
assessment are developed to aid in the
automation of this process and to make it more
efficient. In a detailed comparison conducted by
“Risk Assessment Accelerator”, seven common
solutions were compared with respect to more
http://en.wikipedia.org/wiki/Risk_Management
http://en.wikipedia.org/wiki/Compliance_(regulation)
INTERNATIONAL JOURNAL OF INFORMATION SECURITY
SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2
31
than forty different areas [15]. Features like
ease of use, multi-language and client-server
architecture support were highlighted as
existing limitations in four up to five of these
solutions. Three out of the seven compared
solutions provide limited customization
capabilities for both built-in inventories (for
risks, vulnerabilities and threats) and the
generated dashboards. All these weaknesses and
limitations degrade enterprises’ efforts to have
efficient and reliable information security risk
assessment requirements documentation.
7) Existence of several IT risk assessment
frameworks: The existence of many information
security risk management and assessment
frameworks adds to the ambiguity and challenge
of deciding which one is best to use. As a matter of
fact, analyses of existing risk assessment
frameworks show that there is no one-size-fits-all
solution to this issue, as it is hard to develop
a single precise document that will address the
needs of all enterprises given their varying
natures and requirements.
4. Drivers for Standards Adoption
In order to address their information security
risk management and assessment challenges,
enterprises adopt internationally accepted
frameworks or best practices. Standards in general
are meant to provide uniformity that eases
the understanding and management of the areas
concerned. Businesses find themselves needing to adopt
standards for various reasons, which range from
business requirements to regulatory and
compliance mandates. Establishing proper
corporate governance, increasing risk awareness
and competing with other enterprises are some of
the business drivers. Some firms pursue
certifications to meet market expectations and
improve their marketing image. A major business
driver for standards adoption is to fill the gaps
and lack of experience in areas where firms
are not able to build or establish proprietary
standards based on their staff competencies [16].
Providing confidence to trading partners,
stakeholders and customers, reducing liability due
to unimplemented or unenforced policies and
procedures, getting senior management ownership
and involvement, and establishing a mechanism for
measuring the success of the security controls are
other key drivers for the adoption of
standards.
5. Leading Market Best Practices Standards
In this section, an overview is presented of a
number of the more important standards for
information security risk management. For detailed
information about these standards, the reader is
encouraged to consult the references provided for
them. The list of standards presented is by no means
complete; as mentioned before, only a subset of
the existing standards is treated in this paper.
5.1. ISO 27000 Set
The ISO 27000 series is a set of standards, owned
by the International Organization for Standardization,
focusing on information security matters. For the
purposes of this work, ISO 27001, ISO 27002, and
ISO 27005 will be explored to highlight their
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx

More Related Content

Similar to 2019 14th Iberian Conference on Information Systems and Tech.docx

GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
The adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environmentThe adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environmentRui Gomes
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016stefanjung
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Steve Hood
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Steven Pearson
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Alan Coleman
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaUlf Mattsson
 
What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?Cigniti Technologies Ltd
 
Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Eftychia Chalvatzi
 
Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Mohan C. de SILVA
 
Technology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationTechnology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationat MicroFocus Italy ❖✔
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdfkarthikvcyber
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.pptkarthikvcyber
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
Security, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightSecurity, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightN-iX
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standardsautomatskicorporation
 
GDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistGDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistNetworkIQ
 

Similar to 2019 14th Iberian Conference on Information Systems and Tech.docx (20)

GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
The adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environmentThe adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environment
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?What will be the Impact of GDPR Compliance in EU & UK?
What will be the Impact of GDPR Compliance in EU & UK?
 
Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...
 
Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016Compliance for Real-Time communications-June2016
Compliance for Real-Time communications-June2016
 
Technology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationTechnology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformation
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdf
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
Security, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightSecurity, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it right
 
Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standards
 
GDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistGDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation Checklist
 
Data protection
Data protectionData protection
Data protection
 

More from RAJU852744

2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docx
2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docx2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docx
2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docxRAJU852744
 
2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docx
2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docx2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docx
2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docxRAJU852744
 
20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docx
20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docx20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docx
20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docxRAJU852744
 
223 Case 53 Problems in Pasta Land by Andres Sous.docx
223 Case 53 Problems in Pasta Land by  Andres Sous.docx223 Case 53 Problems in Pasta Land by  Andres Sous.docx
223 Case 53 Problems in Pasta Land by Andres Sous.docxRAJU852744
 
222111Organization N.docx
222111Organization N.docx222111Organization N.docx
222111Organization N.docxRAJU852744
 
22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docx
22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docx22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docx
22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docxRAJU852744
 
2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docx
2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docx2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docx
2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docxRAJU852744
 
216Author’s Note I would like to thank the Division of Wo.docx
216Author’s Note I would like to thank the Division of Wo.docx216Author’s Note I would like to thank the Division of Wo.docx
216Author’s Note I would like to thank the Division of Wo.docxRAJU852744
 
2019 International Conference on Machine Learning, Big Data, C.docx
2019 International Conference on Machine Learning, Big Data, C.docx2019 International Conference on Machine Learning, Big Data, C.docx
2019 International Conference on Machine Learning, Big Data, C.docxRAJU852744
 
2018 4th International Conference on Green Technology and Sust.docx
2018 4th International Conference on Green Technology and Sust.docx2018 4th International Conference on Green Technology and Sust.docx
2018 4th International Conference on Green Technology and Sust.docxRAJU852744
 
202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docx
202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docx202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docx
202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docxRAJU852744
 
200 wordsResearch Interest Lack of minorities in top level ma.docx
200 wordsResearch Interest Lack of minorities in top level ma.docx200 wordsResearch Interest Lack of minorities in top level ma.docx
200 wordsResearch Interest Lack of minorities in top level ma.docxRAJU852744
 
200520201ORG30002 – Leadership Practice and Skills.docx
200520201ORG30002 – Leadership Practice and Skills.docx200520201ORG30002 – Leadership Practice and Skills.docx
200520201ORG30002 – Leadership Practice and Skills.docxRAJU852744
 
2182020 Sample Content Topichttpspurdueglobal.brights.docx
2182020 Sample Content Topichttpspurdueglobal.brights.docx2182020 Sample Content Topichttpspurdueglobal.brights.docx
2182020 Sample Content Topichttpspurdueglobal.brights.docxRAJU852744
 
21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docx
21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docx21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docx
21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docxRAJU852744
 
2192020 Originality Reporthttpsucumberlands.blackboar.docx
2192020 Originality Reporthttpsucumberlands.blackboar.docx2192020 Originality Reporthttpsucumberlands.blackboar.docx
2192020 Originality Reporthttpsucumberlands.blackboar.docxRAJU852744
 
20810chapter Information Systems Sourcing .docx
20810chapter       Information Systems Sourcing    .docx20810chapter       Information Systems Sourcing    .docx
20810chapter Information Systems Sourcing .docxRAJU852744
 
21720201Chapter 14Eating and WeightHealth Ps.docx
21720201Chapter 14Eating and WeightHealth Ps.docx21720201Chapter 14Eating and WeightHealth Ps.docx
21720201Chapter 14Eating and WeightHealth Ps.docxRAJU852744
 
2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docx
2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docx2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docx
2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docxRAJU852744
 
2020422 Take Test Learning Assessment for Week Four – GENDE.docx
2020422 Take Test Learning Assessment for Week Four – GENDE.docx2020422 Take Test Learning Assessment for Week Four – GENDE.docx
2020422 Take Test Learning Assessment for Week Four – GENDE.docxRAJU852744
 

More from RAJU852744 (20)

2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docx
2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docx2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docx
2222020 Report Pagehttpsww3.capsim.comcgi-bindispla.docx
 
2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docx
2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docx2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docx
2212020 Soil Colloids (Chapter 8) Notes - AGRI1050R50 Intro.docx
 
20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docx
20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docx20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docx
20 Other Conditions That May Be a Focus of Clinical AttentionV-c.docx
 
223 Case 53 Problems in Pasta Land by Andres Sous.docx
223 Case 53 Problems in Pasta Land by  Andres Sous.docx223 Case 53 Problems in Pasta Land by  Andres Sous.docx
223 Case 53 Problems in Pasta Land by Andres Sous.docx
 
222111Organization N.docx
222111Organization N.docx222111Organization N.docx
222111Organization N.docx
 
22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docx
22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docx22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docx
22-6  Reporting the Plight of Depression FamiliesMARTHA GELLHOR.docx
 
2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docx
2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docx2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docx
2012 © Laureate Education, Inc. ASSIGNMENT AND FINAL P.docx
 
216Author’s Note I would like to thank the Division of Wo.docx
216Author’s Note I would like to thank the Division of Wo.docx216Author’s Note I would like to thank the Division of Wo.docx
216Author’s Note I would like to thank the Division of Wo.docx
 
2019 International Conference on Machine Learning, Big Data, C.docx
2019 International Conference on Machine Learning, Big Data, C.docx2019 International Conference on Machine Learning, Big Data, C.docx
2019 International Conference on Machine Learning, Big Data, C.docx
 
2018 4th International Conference on Green Technology and Sust.docx
2018 4th International Conference on Green Technology and Sust.docx2018 4th International Conference on Green Technology and Sust.docx
2018 4th International Conference on Green Technology and Sust.docx
 
202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docx
202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docx202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docx
202 S.W.3d 811Court of Appeals of Texas,San Antonio.PROG.docx
 
200 wordsResearch Interest Lack of minorities in top level ma.docx
200 wordsResearch Interest Lack of minorities in top level ma.docx200 wordsResearch Interest Lack of minorities in top level ma.docx
200 wordsResearch Interest Lack of minorities in top level ma.docx
 
200520201ORG30002 – Leadership Practice and Skills.docx
200520201ORG30002 – Leadership Practice and Skills.docx200520201ORG30002 – Leadership Practice and Skills.docx
200520201ORG30002 – Leadership Practice and Skills.docx
 
2182020 Sample Content Topichttpspurdueglobal.brights.docx
2182020 Sample Content Topichttpspurdueglobal.brights.docx2182020 Sample Content Topichttpspurdueglobal.brights.docx
2182020 Sample Content Topichttpspurdueglobal.brights.docx
 
21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docx
21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docx21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docx
21 hours agoMercy Eke Week 2 Discussion Hamilton Depression.docx
 
2192020 Originality Reporthttpsucumberlands.blackboar.docx
2192020 Originality Reporthttpsucumberlands.blackboar.docx2192020 Originality Reporthttpsucumberlands.blackboar.docx
2192020 Originality Reporthttpsucumberlands.blackboar.docx
 
20810chapter Information Systems Sourcing .docx
20810chapter       Information Systems Sourcing    .docx20810chapter       Information Systems Sourcing    .docx
20810chapter Information Systems Sourcing .docx
 
21720201Chapter 14Eating and WeightHealth Ps.docx
21720201Chapter 14Eating and WeightHealth Ps.docx21720201Chapter 14Eating and WeightHealth Ps.docx
21720201Chapter 14Eating and WeightHealth Ps.docx
 
2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docx
2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docx2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docx
2020221 Critical Review #2 - WebCOM™ 2.0httpssmc.grte.docx
 
2020422 Take Test Learning Assessment for Week Four – GENDE.docx
2020422 Take Test Learning Assessment for Week Four – GENDE.docx2020422 Take Test Learning Assessment for Week Four – GENDE.docx
2020422 Take Test Learning Assessment for Week Four – GENDE.docx
 

Recently uploaded

Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 

Recently uploaded (20)

Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 

2019 14th Iberian Conference on Information Systems and Tech.docx

The GDPR makes for stronger, unified data protection throughout the EU.

The EU GDPR states that organizations must adopt appropriate policies, procedures and processes to protect the personal data they hold. The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series is a set of information security standards that provide best-practice recommendations for information security management [3]. This international standard for information security, ISO 27001, provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.

Not all data is protected by the GDPR, since it is only applicable to personal data. This is defined in Article 4 as follows [4]: “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The structure of the present work consists of an introduction, followed by a desk review of the General Data Protection Regulation and a desk review of ISO 27001, the international standard for information security. Section 4 focuses on the research methodology. Before the results are presented, the discussion is made, focusing on the relationship between ISO 27001 and the GDPR. The results of the study are presented in Section 6, and Section 7 consists of the conclusions drawn from the study. Finally, the limitations of this research work are identified and possible future studies are proposed.

II. GENERAL DATA PROTECTION REGULATION

The enforcement of the GDPR on the protection of natural persons with regard to the processing and movement of personal data, which repeals Directive 95/46/EC of October 24 1995, poses innumerable challenges to both public and private entities as well as to all the agents whose activities involve the processing of personal data. Although the full application of the new GDPR was set for May 25 2018, the date from which Directive 95/46/EC was effectively repealed, its entry into force on May 25 2016 dictated the need for an adaptation to all the aspects changed or introduced by the regulation. Such adaptation of present systems and models, as well as of best practices regarding personal data processing and protection by companies, is now an imperative stemming from the regulation in order to safeguard its full applicability. Fig. 1 shows all the stages the GDPR has undergone. The GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.

Figure 1. Stages of the GDPR [5]

According to [6], the main innovations of the General Data Protection Regulation are:
1. New rights for citizens: the right to be forgotten and the right to a user’s data portability from one electronic system to another.
2. The creation of the post of Data Protection Officer (DPO).
3. Obligation to carry out risk analyses and impact assessments to determine compliance with the regulation.
4. Obligation of the Data Controller and Data Processor to document the processing operations.
5. New notifications to the Supervisory Authority: security breaches and prior authorization for certain kinds of processing.
6. New obligations to inform the data subject by means of a system of icons that are harmonized across all the countries of the EU.
7. An increase in the size of sanctions.
8. Application of the ‘one-stop shop’ concept, so that data subjects can carry out procedures even though this affects authorities in other member states.
9. Establishment of obligations for new special categories of data.
10. New principles in the obligations over data: transparency and data minimization.

All organizations, including small to medium-sized companies and large enterprises, must be aware of all the GDPR requirements and be prepared to comply.

III. ISO/IEC 27001

Information security risks threaten the ability of organizations to reach their operational and strategic goals. The increasing diversification of the information security landscape makes addressing all risks a challenging task. Information security standards have positioned themselves as generic solutions to tackle a broad range of risks and try to guide security managers in their endeavors [7].

The ISO 27001 standard represents the international framework for information security management. It has undergone continuous improvements over the years and stems from a previous set of standards, namely BS7799-2 and BS7799 (British Standards). In fact, its primary origin is a document published in 1992 by a department of the British government which established a code of practice for the management of information security.

The adoption of ISO 27001 results in the companies’ adoption of an adequate model to establish, implement, operate, monitor, revise and manage an Information Security Management System (ISMS). ISO 27001:2013 is part of an organization’s management system, based on a business risk approach, that is intended to build, implement, operate, observe, maintain and improve information security. The application of ISO/IEC 27001 allows the organization or company to compare itself with the competition and gives relevant information about IT security [8].

ISO 27001 outlines three essential aspects or ‘pillars’ of effective information security: people, processes and technology. This three-pronged approach helps organizations defend themselves from both highly organized attacks and common internal threats, such as accidental breaches and human error [9].

The implementation of an information security management system according to ISO/IEC 27001 has the following advantages for organizations:
- It enables the identification and elimination of threats and vulnerabilities;
- It provides security and trust to all stakeholders (clients, partners and others);
- It improves security awareness;
- It increases the capacity to foresee, manage and survive a disaster;
- It deepens the knowledge regarding the organization and its processes, assets and liabilities;
- It provides real knowledge of the risk that the organization faces;
- It ensures business continuity;
- It contributes to a reduction in costs and to the improvement of processes and services;
- It ensures compliance with the legislation in force;
- It reduces costs associated with ‘non-security’.

ISO 27001:2013 provides specifications for information security management systems along with practice [10]. ISO 27001:2013 has 14 security control clauses that contain a total of 35 control objectives and 114 controls [11]. The 14 security control clauses are as follows: information security policies; organization of information security; human resource security; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development and maintenance; supplier relationships; information security incident management; information security aspects of business continuity management; and compliance.

The implementation of ISO 27001 implies a high commitment to information protection, which represents a considerable level of comfort for the organizations that interact with the certified entity.

IV. RESEARCH METHODOLOGY

The use of a research method is paramount since it represents the means to an end. A research methodology does not look for solutions but chooses the way to find them, integrating knowledge through the methods which are applicable to the various scientific or philosophical subjects. Although there are several ways to classify them, research approaches are normally distinguished between quantitative and qualitative [12].

It is acknowledged that the choice of method must be made according to the nature of the problem being addressed. Therefore, we considered it appropriate to follow a quantitative research method (traditional scientific research), based on positivist rational thought, according to which, through empirical observations, we build theories (expressed in a deductive way) that try to explain what is observed.

Among the possible research methods, we applied content analysis. Content analysis differs from the other research methods because, instead of interviewing or observing people, the researcher deals with pre-existing records and draws inferences from those records. Content analysis is a research technique for the objective, systematic and quantitative description of the manifest content of communications. For this description to be objective, it requires a precise definition of the analysis categories, so that different researchers can use them and get the same results. For it to be systematic, the whole relevant content must be analyzed in relation to all the meaningful categories. Finally, quantification allows the provision of more precise and objective information concerning the frequency of occurrence of content features [13].

V. DISCUSSION

The similarities between the ISO 27001 framework and the GDPR requirements mean that organizations which certify to the Standard are already halfway to GDPR compliance. The requirements of ISO 27001 are similar in many places to the GDPR, but whereas the Regulation only occasionally suggests specific practices (such as encryption), ISO 27001 clearly lays out what organizations need to do in order to remain secure [9].

Article 42 of the GDPR details demonstrating compliance with the regulation through “data protection certification processes”. ISO 27001-compliant Information Security Management Systems follow a risk-based approach addressing the specific security threats faced by organizations, considering people, processes and technology [14].

How ISO 27001 can help meet GDPR requirements [15]:

1 - Assurance. The GDPR recommends the use of certification schemes such as ISO 27001 as a way of providing the necessary assurance that the organization is effectively managing its information security risks.

2 - Not just personal data. ISO 27001 follows international best practices and will help companies put processes in place that protect not only customer information but also all their information assets, including information that is stored electronically and in hard-copy format.

3 - Controls and security framework. The GDPR stipulates that organizations should select appropriate technical and organizational controls to mitigate the identified risks. The majority of the GDPR data protection arrangements and controls are also recommended by ISO 27001.

4 - People, processes and technology. ISO 27001 encompasses the three essential aspects of information security: people, processes and technology, which means companies can protect their business not only from technology-based risks but also from other, more common threats, such as poorly informed staff or ineffective procedures.

5 - Accountability. ISO 27001 requires companies’ security regime to be supported by top leadership and incorporated into the organization’s culture and strategy. It also requires the appointment of a senior individual who takes accountability for the ISMS. The GDPR mandates clear accountability for data protection across the organization.

6 - Risk assessments. ISO 27001 compliance means conducting regular risk assessments to identify threats and vulnerabilities that can affect organizations’ information assets, and taking steps to protect that data. The GDPR specifically requires a risk assessment to ensure that an organization has identified risks that can impact personal data.

7 - Continual improvement. ISO 27001 requires that the companies’ ISMS is constantly monitored, updated and reviewed, meaning that it evolves as their business evolves, using a process of continual improvement. This means that the ISMS will adapt to changes, both internal and external, as companies continually identify and reduce risks.

8 - Testing and audits. Being GDPR-compliant means that an organization needs to carry out regular testing and audits to prove that its security regime is working effectively. An ISO 27001-compliant ISMS needs to be regularly assessed according to the internal audit guidelines provided by the standard.

9 - Certification. The GDPR requires organizations to take the necessary steps to ensure the security controls work as designed. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether organizations have implemented adequate measures to protect their data.

The link between ISO/IEC 27001 and the GDPR is described in [16]: ISO/IEC 27001 and the GDPR have at their core a common commitment to properly process and store sensitive and confidential data. Therefore, the implementation of the comprehensive ISO/IEC 27001 framework steers compliance with the EU GDPR, as many of the EU GDPR requirements are covered by ISO/IEC 27001. However, particular controls have to be adjusted to address the protection of personal data within the Information Security Management System. If organizations already have an ISO/IEC 27001 framework in place, they will not face duplication of effort, cost and time to comply with the GDPR requirements. ISO/IEC 27001 certification supports organizations in creating better business efficiency, safeguards valuable assets such as personal data, protects staff and the organization’s reputation, and simultaneously facilitates the attainment of compliance objectives. Some of the GDPR requirements are not directly covered in ISO/IEC 27001; however, ISO/IEC 27001 provides the means to push companies one step closer to accomplishing conformity with the regulation. In case an organization is not ISO/IEC 27001 certified, the GDPR may be a good catalyst for considering the implementation of such a scheme for higher information protection assurance. Thus, by being ISO/IEC 27001 compliant, companies demonstrate that the data they own and use is managed in line with data protection regulations.

Does compliance with ISO 27001 guarantee GDPR compliance [17]? Certification to ISO 27001 can simplify the process of achieving GDPR compliance. However, there are several differences between these standards. The GDPR is a global standard that provides a strategic vision of how organizations need to ensure data privacy. ISO 27001 is a set of best practices with a narrow focus on information security; it provides practical advice on how to protect information and reduce cyber threats. Unlike the GDPR, it does not directly cover the following issues associated with data privacy, which are outlined in Chapter 3 of the GDPR (Data Subject Rights): consent, data portability, the right to be forgotten, the right to restriction of processing, the right to object, and international transfers of personal data.

As we can see, the GDPR focuses on data privacy and the protection of personal information; it requires organizations to put more effort into obtaining explicit consent for data collection and ensuring that all data is processed lawfully. However, it lacks technical details on how to maintain an appropriate level of data security or mitigate internal and external threats. In this regard, ISO 27001 comes in handy: it provides practical guidance on how to develop clear, comprehensive policies to minimize security risks that might lead to security incidents. Although conforming to ISO 27001 does not guarantee GDPR compliance, it is a valuable step. Organizations should consider pursuing ISO 27001 certification to ensure that their security measures are strong enough to protect sensitive data.

VI. RESULTS

According to the GDPR, personal data is critical information that all organizations need to protect [6, 14, 15]. Therefore, we analyzed the content of the 15 websites and, after the above discussion, we summarily present some aspects which we believe deserve to be highlighted when assessing whether the implementation of ISO 27001 might be a facilitating factor for organizations to comply with the GDPR.

After analyzing the websites with regard to the statement “the implementation of ISO 27001 identifies personal data as an information security asset”, we found that 9 sites (60%) contain information agreeing with this statement, while the other 6 (40%) make no mention whatsoever of this respect (see Fig. 2).

Figure 2. GDPR compliance.

Considering the aspects highlighted in the previous section for being in compliance with the GDPR through the implementation of ISO 27001, Fig. 3 shows which of them received more or less attention in the websites under analysis. From Fig. 3, three aspects stand out as deserving most attention: People, processes and technology, which takes security beyond the people only; Certification, which proves that the measures were implemented in that organization; and Controls and security framework, which are paramount in any organization.

Figure 3. How to be in compliance.

When analyzing the aspects which are highly detailed in the GDPR but barely covered in ISO 27001, we found the data presented in Fig. 4.

Figure 4. Aspects highly focused in the GDPR.

The aspects which stand out are those concerning consent and penalties. Data controllers have to prove that data subjects have agreed to the processing of their personal data (Articles 7 and 8). The request for consent must be given in an easily accessible form, with the purpose of the data processing attached. Data subjects also have the right to withdraw their consent at any time. The GDPR establishes a sanction framework which is quite heavy on companies that do not comply with the requirements of the new data protection legislation.

Lastly, is the ISO 27001 standard an excellent framework for compliance with the EU GDPR? The results regarding this aspect are presented in Fig. 5. As we can see, 11 sites (73%) agree that the ISO 27001 standard is an excellent framework for compliance with the EU GDPR, 3 (20%) do not mention this aspect, and only 1 (7%) of the websites analyzed disagrees.

Figure 5. ISO 27001 is an excellent framework for compliance with GDPR.

From these findings, we can conclude that it is consensual that, although ISO 27001 does not comprise certain important controls, its implementation is considered to be a facilitating factor for organizations to be in compliance with the new personal data regulation.

VII. CONCLUSION

The implementation of the GDPR by organizations should be seen in the context of achieving their business goals. There is a clear need to emphasize its benefits for organizations and the value it adds to business. It is absolutely wrong to understand the GDPR as just another restriction on the operating environment. The GDPR is a tool for generating a strategic advantage based on trust between the organization, its employees, clients and partners [18].

The GDPR encourages the use of certifications such as ISO 27001 in order to show that the organization is actively managing its data security according to international best practices. Our findings allow us to conclude that any organization that has already implemented or is in the process of implementing ISO/IEC 27001 is in an excellent position to show compliance with the new GDPR requirements.

The new data protection regulation introduces a set of rules which require organizations to implement controls. The implementation of ISO 27001 will help organizations respond to these requirements.

As possible future work, we suggest assessing organizations by means of a survey on how far the certification of the information security management system under ISO 27001 grants companies’ compliance with the GDPR, since the implementation of an information security management system by a company must ensure that all the relevant risk containment controls associated with confidentiality, integrity and availability are implemented and kept functional.

ACKNOWLEDGMENT

UNIAG, R&D unit funded by the FCT – Portuguese Foundation for the Development of Science and Technology, Ministry of Science, Technology and Higher Education. Project n.º UID/GES/4752/2019. This work has been supported by FCT – Fundação para a Ciência e Tecnologia within the Project Scope: UID/CEC/00319/2019.

REFERENCES

[1] J. Mäkinen, Data quality, sensitive data and joint controllership as examples of grey areas in the existing data protection framework for the Internet of Things. Information & Communications Technology Law 24, 3, 2015, pp. 262–277.
[2] J. R. C. Nurse, S. Creese and D. De Roure, Security risk assessment in Internet of Things systems. IEEE IT Professional 19, 5, 2017, pp. 20–26.
[3] T. Clements and S. Milton, Maintaining Data Protection and Privacy Beyond GDPR Implementation, ISACA, 2018.
[4] European Parliament and Council, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union, 2016.
[5] T. Goubau, How GDPR Will Change Personal Data Control and Affect Everyone in Construction. https://www.aproplan.com/blog/construction-news/gdpr-changes-personal-data-control-construction, last accessed 2018/07/20.
[6] E. Díaz Díaz, The new European Union General Regulation on Data Protection and the legal consequences for institutions, Church, Communication and Culture, v. 1, 2016, pp. 206–239.
[7] D. Milicevic and M. Goeken, Ontology-Based Evaluation of ISO 27001. In: W. Cellary and E. Estevez (eds), Software Services for e-World, I3E 2010, IFIP Advances in Information and Communication Technology, vol. 341, Springer, 2010.
[8] E. Bilbao, A. Bilbao and K. Pecina, Physical Logical Security Risk Analysis Model. IEEE, 2011, pp. 1–7.
[9] L. Irwin, How ISO 27001 can help you achieve GDPR compliance, IT Governance, 2018.
[10] A. Calder and S. Watkins, IT Governance, 2008.
[11] ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2013.
[12] M. D. Myers, Qualitative Research in Information Systems, ACM Computing Surveys (CSUR), MISQ Discovery, 1997.
[13] B. Berelson, Content Analysis in Communications Research. Free Press, New York, 1952.
[14] NQA, GDPR and ISO 27001 - how do they map? https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001, last accessed 2019/01/18.
[15] L. Dattani, GDPR and ISO 27001 - how to be compliant. https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant, last accessed 2019/01/25.
[16] M. Middleton-Leal, GDPR and ISO 27001 Mapping: Is ISO 27001 Enough for GDPR Compliance?, Netwrix. https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/, last accessed 2019/01/27.
[17] PECB, The link between ISO/IEC 27001 and GDPR, https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf, last accessed 2019/01/26.
[18] T. Tzolov, One Model For Implementation GDPR Based On ISO Standards, International Conference on Information Technologies (InfoTech-2018), 2018, pp. 1–3.

SITES STUDIED

http://vexillum.pt/como-iso-27001-pode-ajudar-alcancar-conformidade-rgpd/
https://www.itgovernance.co.uk/gdpr-and-iso-27001
https://www.nqa.com/en-gb/certification/standards/iso-27001
https://www.itgovernance.co.uk/blog/how-iso-27001-can-help-you-achieve-gdpr-compliance
https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001
https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant
https://www.27001.pt/iso27001_5.html
https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf
https://iso9001mgtsystem.files.wordpress.com/2017/02/how_iso_27001_can_help_eu_gdpr_compliance_en-1.pdf
https://blogs.manageengine.com/it-security/2018/01/15/how-iso-27001-helps-you-comply-with-the-gdpr.html
https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/
https://www.privacycompliancehub.com/gdpr-resources/does-being-certified-in-iso-27001-really-ensure-that-you-are-gdpr-compliant/
https://www.differentia.consulting/article/iso-27001-and-gdpr/?cli_action=1548614370.003
iso27001guide.com/annex-a/compliance/compliance-with-legal-and-contractual-requirements/iso-27001-and-gdpr/
https://ins2outs.com/implement-information-security-management-system/
  • 25. Libertad, Ecuador Universidad de las Fuerzas Armadas – ESPE, Sangolqui, Quito, Equador ALGORITMI Centre, Minho University, Guimarães, Portugal [email protected] Abstract — Personal Data Protection has been among the most discussed topics lately and a reason for great concern among organizations. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector. The organizations had two years to implement it. As referred by many authors, the implementation of the regulation has not been an easy task for companies. The question we aim to answer in this study is how far the implementation of ISO 27001 standards might represent a facilitating factor to organizations for an easier compliance with the regulation. In order to answer this question, several websites (mostly of consulting companies) were analyzed, and the aspects considered as facilitating are listed in this paper. Keywords - regulation (EU) 2016/679; general data protection regulation; ISO/IEC 27001. I. INTRODUCTION In recent years, data protection has become a forefront issue
  • 26. in cyber security. The issues introduced by recurring organizational data breaches, social media and the Internet of Things (IoT) have raised the stakes even further [1, 2]. The EU GDPR, enforced from May 25 2018, is an attempt to address such data protection. The GDPR makes for stronger, unified data protection throughout the EU. The EU GDPR states that organizations must adopt appropriate policies, procedures and processes to protect the personal data they hold. The International Organization for Standardization (ISO) /International Electrotechnical Commission (IEC) 27000 series is a set of information security standards that provide best- practice recommendations for information security management [3]. This international standard for information security, ISO 27001, provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach. Not all data is protected by the GDPR, since it is only applicable to personal data. This is defined in Article 4 as follows [4]: “personal data” means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • 27. The structure of the present work consists of an introduction, followed by a desk review on the general data protection regulation and the desk review of ISO 27001, the international standard for information security. Section 4 focuses on the research methodology. Before presenting the results the discussion is made, focusing on the relationship between ISO 27001 and GDPR. The results of the study are presented in section 6 and section 7 consists of the conclusions drawn from the study. Finally, the limitations of this research work are identified and possible future studies are proposed. II. GENERAL DATA PROTECTION REGULATION The enforcement of the GDPR on natural persons’ protection regarding personal data treatment and movement, which repeals the Directive 95/46/CE of October 24 1995, poses innumerable challenges to both public and private entities as well as to all the agents whose activities involve the treatment of personal data. Although the full application of the new GDPR has been set for May 25 2018, date from which the directive 95/46/CE was effectively repealed, its enforcement on May 25 2016 dictated the need for an adaptation to all the aspects changed or introduced by the regulation. Such adaptation of the present systems and models as well as of best practices regarding personal data treatment and protection by companies is now an imperative stemming from the regulation in order to safeguard its full applicability. In Fig.1, we can see all the stages which the GDPR has undergone. The GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
Figure 1. Stages of the GDPR [5]

According to [6], the main innovations of the General Data Protection Regulation are:

1. New rights for citizens: the right to be forgotten and the right to portability of a user's data from one electronic system to another.
2. The creation of the post of Data Protection Officer (DPO).
3. Obligation to carry out risk analyses and impact assessments to determine compliance with the regulation.
4. Obligation of the Data Controller and Data Processor to document the processing operations.
5. New notifications to the Supervisory Authority: security breaches and prior authorization for certain kinds of processing.
6. New obligations to inform the data subject by means of a system of icons that are harmonized across all the countries of the EU.
7. An increase in the size of sanctions.
8. Application of the 'one-stop-shop' concept, so that data subjects can carry out procedures even when these affect authorities in other member states.
9. Establishment of obligations for new special categories of data.
10. New principles in the obligations over data: transparency and data minimization.

All organizations, including small to medium-sized companies and large enterprises, must be aware of all the GDPR requirements and be prepared to comply.

III. ISO/IEC 27001

Information security risks threaten the ability of organizations to reach their operational and strategic goals. The increasing diversification of the information security landscape makes addressing all risks a challenging task. Information security standards have positioned themselves as generic solutions to tackle a broad range of risks and try to guide security managers in their endeavors [7]. The ISO 27001 standard is the international framework for information security management. It has undergone continuous improvements over the years and stems from a previous set of standards, namely BS 7799-2 and BS 7799 (British Standards). In fact, its primary origin is a document published in 1992 by a department of the British government which
established a code of practice for the management of information security. The adoption of ISO 27001 results in the companies' adoption of an adequate model to establish, implement, operate, monitor, review and manage an Information Security Management System (ISMS). ISO 27001:2013 is part of the management system of an organization, based on a business risk approach, that aims to build, implement, operate, monitor, maintain and improve information security. The application of ISO/IEC 27001 allows the organization or company to compare itself with the competition and gives relevant information about IT security [8]. ISO 27001 outlines three essential aspects or 'pillars' of effective information security: people, processes and technology. This three-pronged approach helps organizations defend themselves from both highly organized attacks and common internal threats, such as accidental breaches and human error [9].

The implementation of an information security management system according to ISO/IEC 27001 has the following advantages for organizations:

- It enables the identification and elimination of threats and vulnerabilities;
- It provides security and trust to all stakeholders (clients, partners and others);
- It improves security awareness;
- It increases the capacity to foresee, manage and survive a disaster;
- It deepens the knowledge regarding the organization and its processes, assets and liabilities;
- It provides real knowledge of the risk that the organization faces;
- It ensures business continuity;
- It contributes to a reduction in costs and to the improvement of processes and services;
- It ensures compliance with the legislation in force;
- It reduces costs associated with 'non-security'.

ISO 27001:2013 provides specifications for information security management systems along with practice [10]. ISO 27001:2013 has 14 security control clauses that contain a total of 35 control objectives and 114 controls [11]. The 14 security control clauses are as follows: Information security policies; Organization of information security; Human resource security; Asset management; Access control; Cryptography; Physical and environmental security; Operations security; Communications security; System acquisition, development and maintenance; Supplier relationships; Information security incident management; Information security aspects of business continuity management; Compliance.

The implementation of ISO 27001 implies a high commitment to information protection, which represents a considerable level of comfort for the organizations that interact with the certified entity.

IV. RESEARCH METHODOLOGY

The use of a research method is paramount since it represents the means to an end. A research methodology does not look for solutions but chooses the way to find them, integrating knowledge through the methods which are applicable to the
various scientific or philosophical subjects. Although there are several ways to classify them, research approaches are normally divided into quantitative and qualitative [12]. It is acknowledged that the choice of method must be made according to the nature of the problem being addressed. Therefore, we considered it appropriate to follow a quantitative research method (traditional scientific research), based on positivist rational thought, according to which, through empirical observations, we build theories (expressed in a deductive way) that try to explain what is observed. Among the possible research methods, we applied content analysis. Content analysis differs from the other research methods because, instead of interviewing or observing people, the researcher deals with pre-existing records and draws inferences from those records. Content analysis is a research technique for the objective, systematic and quantitative description of the manifest content of communications. For this description to be objective, it requires a precise definition of the analysis categories, so that different researchers can use them and get the same results. For it to be systematic, the whole relevant content must be analyzed in relation to all the meaningful categories. Finally, quantification allows more precise and objective information to be provided concerning the frequency of occurrence of content features [13].

V. DISCUSSION

The similarities between the ISO 27001 framework and the GDPR requirements mean that organizations which certify to the Standard are already halfway to GDPR compliance. The requirements of ISO 27001 are similar in many places to those of the GDPR, but whereas the Regulation only occasionally suggests specific practices (such as encryption), ISO 27001 clearly lays out what organizations need to do in order to remain secure [9]. Article 42 of the GDPR addresses demonstrating compliance with the regulation through “data protection certification processes”. ISO 27001-compliant Information Security Management Systems follow a risk-based approach, addressing the specific security threats faced by organizations and considering people, processes and technology [14].

How ISO 27001 can help meet GDPR requirements [15]:

1 - Assurance
The GDPR recommends the use of certification schemes such as ISO 27001 as a way of providing the necessary assurance that the organization is effectively managing its information security risks.

2 - Not just personal data
ISO 27001 follows international best practices and will help companies put processes in place that protect not only customer information but all information assets, including information that is stored electronically and in hard-copy format.
3 - Controls and security framework
The GDPR stipulates that organizations should select appropriate technical and organizational controls to mitigate the identified risks. The majority of the GDPR data protection arrangements and controls are also recommended by ISO 27001.

4 - People, processes and technology
ISO 27001 encompasses the three essential aspects of information security: people, processes and technology, which means companies can protect their business not only from technology-based risks but also from other, more common threats, such as poorly informed staff or ineffective procedures.

5 - Accountability
ISO 27001 requires companies' security regime to be supported by top leadership and incorporated into the organization's culture and strategy. It also requires the appointment of a senior individual who takes accountability for the ISMS. The GDPR mandates clear accountability for data protection across the organization.

6 - Risk assessments
ISO 27001 compliance means conducting regular risk assessments to identify threats and vulnerabilities that can affect organizations' information assets, and taking steps to protect that data. The GDPR specifically requires a risk assessment to ensure that an organization has identified the risks that can impact personal data.

7 - Continual improvement
ISO 27001 requires that the companies' ISMS is constantly monitored, updated and reviewed, meaning that it evolves as their business evolves through a process of continual improvement. This means that the ISMS will adapt to changes, both internal and external, as companies continually identify and reduce risks.

8 - Testing and audits
Being GDPR-compliant means that an organization needs to carry out regular testing and audits to prove that its security regime is working effectively. An ISO 27001-compliant ISMS needs to be regularly assessed according to the internal audit guidelines provided by the standard.

9 - Certification
The GDPR requires organizations to take the necessary steps to ensure the security controls work as designed. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether organizations have implemented adequate measures to protect their data.

The link between ISO/IEC 27001 and GDPR is [16]: ISO/IEC 27001 and GDPR at their core have in common the
commitment to properly process and store sensitive and confidential data. Therefore, the implementation of the comprehensive ISO/IEC 27001 framework steers compliance with the EU GDPR, as many of the EU GDPR requirements are covered by ISO/IEC 27001. However, particular controls have to be adjusted to address the protection of personal data within the Information Security Management System. If organizations already have an ISO/IEC 27001 framework in place, they will not face duplication of effort, cost and time to comply with the GDPR requirements. ISO/IEC 27001 certification supports organizations in creating better business efficiency, safeguards valuable assets such as personal data, protects staff and the organization's reputation, and simultaneously facilitates the attainment of compliance objectives. Some of the GDPR requirements are not directly covered in ISO/IEC 27001; however, ISO/IEC 27001 provides the means to push companies one step closer to achieving conformity with the regulation. If an organization is not ISO/IEC 27001 certified, the GDPR may be a good catalyst for considering the implementation of such a scheme for higher information protection assurance. Thus, by being ISO/IEC 27001 compliant, companies demonstrate that the data they own and use is managed in accordance with data protection regulations.

Does compliance with ISO 27001 guarantee GDPR compliance [17]? Certification to ISO 27001 can simplify the process of achieving GDPR compliance. However, there are several differences between these standards. The GDPR is a global standard that provides a strategic vision of how organizations need to ensure data privacy. ISO 27001 is a set of best practices with a narrow focus on information security; it provides practical advice on how to protect information and reduce cyber threats. Unlike the GDPR, it does not directly cover the following issues associated with data privacy, which are outlined in Chapter 3 of the GDPR (Data Subject Rights):

- Consent;
- Data portability;
- The right to be forgotten;
- The right to restriction of processing;
- The right to object;
- International transfers of personal data.

As we can see, the GDPR focuses on data privacy and the protection of personal information; it requires organizations to put more effort into obtaining explicit consent for data collection and ensuring that all data is processed lawfully. However, it lacks technical details on how to maintain an appropriate level of data security or mitigate internal and external threats. In this regard, ISO 27001 comes in handy: it provides practical guidance on how to develop clear, comprehensive policies to minimize security risks that might lead to security incidents. Although conforming to ISO 27001 does not guarantee GDPR compliance, it is a valuable step. Organizations should consider pursuing ISO 27001 certification to ensure that their security measures are strong enough to protect
sensitive data.

VI. RESULTS

According to the GDPR, personal data is critical information that all organizations need to protect [6, 14, 15]. Therefore, we analyzed the content of the 15 websites and, following the above discussion, we briefly present some aspects which we believe deserve to be highlighted when assessing whether the implementation of ISO 27001 might be a facilitating factor for organizations to comply with the GDPR. After analyzing the websites with regard to the statement that the implementation of ISO 27001 identifies personal data as an information security asset, we found that 9 (60%) sites present information agreeing with this statement, while the other 6 (40%) make no mention of it (see Fig. 2).

Figure 2. GDPR compliance.

Considering the aspects highlighted in the previous section for achieving compliance with the GDPR through ISO 27001 implementation, Fig. 3 shows which of them received more or less attention in the websites under analysis. From Fig. 3, three aspects stand out as deserving the most attention: People, processes and technology, which takes security beyond people alone; Certification, which proves that the measures were implemented in that organization; and Controls and security framework, which are paramount in any organization.

Figure 3. How to be in compliance.

When analyzing the aspects which are highly detailed in the GDPR but barely addressed in ISO 27001, we found the data presented in Fig. 4.

Figure 4. Aspects highly focused in the GDPR

The aspects which stand out are those concerning consent and penalties. Data controllers have to prove that data subjects have agreed to the processing of their personal data (Articles 7 and 8). The request for consent must be given in an easily accessible form, with the purpose of the data processing attached. Data subjects also have the right to withdraw their consent at any time. The GDPR establishes a sanctions framework which is quite heavy on companies which do not comply with the new data protection legislation requirements. Lastly, is the ISO 27001 standard an excellent framework for compliance with the EU GDPR? The results regarding this aspect are presented in Fig. 5. As we can see, 11 sites (73%) agree that the ISO 27001 standard is an excellent framework for compliance with the EU
GDPR, 3 (20%) do not mention this aspect, and only 1 (7%) of the websites analyzed shows disagreement.

Figure 5. ISO 27001 is an excellent framework for compliance with GDPR

From these findings, we can conclude that there is consensus that, although ISO 27001 does not comprise certain important controls, its implementation is considered a facilitating factor for organizations to comply with the new personal data regulation.

VII. CONCLUSION

The implementation of the GDPR by organizations should be seen in the context of achieving their business goals. There is a clear need to emphasize its benefits for organizations and the value it adds to business. It is absolutely wrong to understand the GDPR as just another restriction on the operating environment. The GDPR is a tool for generating a strategic advantage based on trust between the organization, its employees, clients and partners [18]. The GDPR encourages the use of certifications such as ISO 27001 to show that the organization is actively managing its data security according to international best practices. Our findings allow us to conclude that any organization that has already implemented or is in the process of implementing ISO/IEC 27001 is in an excellent position to show compliance with the new GDPR requirements. The new data protection regulation introduces a set of rules which require organizations to implement controls. The implementation of ISO 27001 will help organizations respond to these requirements.

As possible future work, we suggest assessing organizations by means of a survey on how far certification of the information security management system under ISO 27001 grants companies compliance with the GDPR, since the implementation of an information security management system by a company must ensure that all the relevant risk containment controls associated with confidentiality, integrity and availability are implemented and kept functional.

ACKNOWLEDGMENT

UNIAG, R&D unit funded by the FCT – Portuguese Foundation for the Development of Science and Technology, Ministry of Science, Technology and Higher Education. Project n.º UID/GES/4752/2019. This work has been supported by FCT – Fundação para a Ciência e Tecnologia within the Project Scope: UID/CEC/00319/2019.

REFERENCES

[1] J. Mäkinen, Data quality, sensitive data and joint controllership as
examples of grey areas in the existing data protection framework for the Internet of Things. Information & Communications Technology Law 24, 3, 2015, pp. 262–277.
[2] J. R. C. Nurse, S. Creese and D. De Roure, Security risk assessment in Internet of Things systems. IEEE IT Professional 19, 5, 2017, pp. 20–26.
[3] T. Clements and S. Milton, Maintaining Data Protection and Privacy Beyond GDPR Implementation, ISACA, 2018.
[4] European Parliament and Council, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union, 2016.
[5] T. Goubau, How GDPR Will Change Personal Data Control and Affect Everyone in Construction. https://www.aproplan.com/blog/construction-news/gdpr-changes-personal-data-control-construction, last accessed 2018/07/20.
[6] E. Díaz Díaz, The new European Union General Regulation on Data Protection and the legal consequences for institutions, Church, Communication and Culture, v. 1, 2016, pp. 206-239.
[7] D. Milicevic and M. Goeken, Ontology-Based Evaluation of ISO 27001. In: W. Cellary and E. Estevez (eds), Software Services for e-World. I3E 2010. IFIP Advances in Information and Communication Technology, vol. 341. Springer, 2010.
[8] E. Bilbao, A. Bilbao and K. Pecina, Physical Logical Security Risk Analysis Model. IEEE, 2011, pp. 1-7.
[9] L. Irwin, How ISO 27001 can help you achieve GDPR compliance, IT Governance, 2018.
[10] A. Calder and S. Watkins, IT Governance, 2008.
[11] ISO/IEC 27001:2013, International Standard ISO/IEC Information technology — Security techniques — Information security management systems — Requirements, 2013.
[12] M. D. Myers, Qualitative Research in Information Systems, ACM Computing Surveys (CSUR), MISQ Discovery, 1997.
[13] B. Berelson, Content Analysis in Communications Research. Free Press, New York, 1952.
[14] NQA, GDPR and ISO 27001 - how do they map? https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001, last accessed 2019/01/18.
[15] L. Dattani, GDPR and ISO 27001 - how to be compliant. https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant, last accessed 2019/01/25.
[16] M. Middleton-Leal, GDPR and ISO 27001 Mapping: Is ISO 27001 Enough for GDPR Compliance?, Netwrix. https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/, last accessed 2019/01/27.
[17] PECB, The link between ISO/IEC 27001 and GDPR, https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf, last accessed 2019/01/26.
[18] T. Tzolov, One Model For Implementation GDPR Based On ISO Standards, International Conference on Information Technologies (InfoTech-2018), 2018, pp. 1-3.

SITES STUDIED

http://vexillum.pt/como-iso-27001-pode-ajudar-alcancar-conformidade-rgpd/
https://www.itgovernance.co.uk/gdpr-and-iso-27001
https://www.nqa.com/en-gb/certification/standards/iso-27001
https://www.itgovernance.co.uk/blog/how-iso-27001-can-help-you-achieve-gdpr-compliance
https://www.nqa.com/certification/standards/iso-27001/gdpr-and-iso-27001
https://www.slideshare.net/IleshDattani/gdpr-and-iso-27001-how-to-be-compliant
https://www.27001.pt/iso27001_5.html
https://koolitus.ee/images/sisu_pildid/ISO_GDPR_link.pdf
https://iso9001mgtsystem.files.wordpress.com/2017/02/how_iso_27001_can_help_eu_gdpr_compliance_en-1.pdf
https://blogs.manageengine.com/it-security/2018/01/15/how-iso-27001-helps-you-comply-with-the-gdpr.html
https://blog.netwrix.com/2018/04/26/gdpr-and-iso-27001-mapping-is-iso-27001-enough-for-gdpr-compliance/
https://www.privacycompliancehub.com/gdpr-resources/does-being-certified-in-iso-27001-really-ensure-that-you-are-gdpr-compliant/
https://www.differentia.consulting/article/iso-27001-and-gdpr/?cli_action=1548614370.003
iso27001guide.com/annex-a/compliance/compliance-with-legal-and-contractual-requirements/iso-27001-and-gdpr/
https://ins2outs.com/implement-information-security-management-system/

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2, 28

Addressing Information Security Risks by Adopting Standards

Walid Al-Ahmad*‡, Bassil Mohammad**
*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait
**Ernst & Young, Amman, Jordan
‡ P.O. Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected]
Abstract - Modern society depends on information technology in nearly every facet of human activity, including finance, transportation, education, government and defense. Organizations are exposed to various and increasing kinds of risks, including information technology risks. Several standards, best practices and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward, with further research opportunities on the subject.

Keywords - Information security; risk management; security frameworks; security standards; security management.

1. Introduction

The use of technology increasingly covers most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with a focus on functionality, cost reduction and ease of use. Information security was not incorporated early enough into systems, and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as system vulnerabilities, and to limit their damaging impact on the integrity, confidentiality and availability of information systems. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attack techniques and methods are virtually countless and are evolving tremendously [1, 2]. In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail to identify the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process. Because risks cannot be completely eliminated, they need to be reduced to acceptable levels. Acceptable risks are risks that the business decides to live with, given that a proper assessment of these risks has been performed and the cost of treating them outweighs the benefits. To this effect, enterprises spend considerable resources in building proper information security
risk management programs that would eventually address the risks they are exposed to. These programs need to be established on solid foundations, which is the reason why enterprises look for standards and frameworks that are widely accepted and common across enterprises [4]. However, the fact that several standards and frameworks exist makes it challenging for enterprises to select which one to adopt, and the question “which is the best?” warrants further investigation. The main objective of this paper is to provide an answer to this question, thereby assisting enterprises in developing a proper understanding of the issue and establishing successful information security risk management programs. This paper provides an analysis of some existing standards and frameworks for information security risks and consolidates various aspects of the topic. It also presents the challenges that frustrate information security risk management efforts, along with how leading market standards and practices can be used to address information security risks, with insights on their strengths and weaknesses. Please note that the scope of this paper is limited to the following frameworks: ISO 27001, ISO 27002, ISO 27005, ITIL, COBIT, Risk IT, Basel II, PCI DSS and OCTAVE. These are the most commonly used frameworks in the market [5]. Other frameworks and methodologies like RMF (by NIST) and M_o_R (by GOC) can be considered in future work. It is also important to mention that this paper is not intended to promote a specific standard or framework; rather, it treats them equally. Conclusions drawn as a result of this work are based on our detailed analyses, research, literature review, and observations from our work experience and engagements with clients from various sectors in the field of information security.

The remainder of this paper is organized as follows: section 2 highlights some related work; section 3 details some challenges that disturb information security risk assessments; section 4 provides an overview of the major drivers for standards adoption; section 5 provides detailed analyses and exploration of the standards and frameworks in scope; section 6 details the strengths and weaknesses of these standards and frameworks when used as a means to address
information security risks; section 7 captures the selection considerations to use; section 8 provides some recommendations along with the proposed approach; section 9 presents a case study to illustrate the benefits of the proposed selection method; finally, section 10 puts forward some conclusions and future research opportunities in relation to our work.

2. Related Work

The literature on information security risk management based on international standards is scarce. The literature lacks studies that guide organizations in selecting the standard that fits their needs. Some research works attempt to analyze existing information security risk management standards, mainly ISO 27001 [6]. However, these research works focus mainly on listing advantages and disadvantages of these standards and how to implement and manage them. No comprehensive studies have been done to holistically compare various frameworks with the objective of providing selection criteria for the best standard or proposing a better assessment approach. Some papers dealt with frameworks such as COBIT, ITIL and ISO 17799 as means to manage compliance requirements [7]. Ref. [8] proposes a framework which considers global, national, organizational and employee standards to guide information security management. Ref. [9] presents a framework for the conceptualization, interconnection and categorization of information security standards to raise awareness among organizations about the available standards (mainly the ISO series). As well as exploring existing frameworks used in IT risk management, this paper presents the challenges facing organizations in successfully implementing information security risk assessments and the drivers for standards adoption. The main and novel contribution of our research work is the proposal of a practical approach to selecting an appropriate framework to address information security risks.

3. Challenges to Information Security Risk Assessments

Some of the common challenges to information security risk assessments are discussed briefly in
this section. In fact, these challenges represent critical failure factors for an information risk management program.

1) Absence of senior management commitment & support: Management's buy-in and support is a critical driver for the success of any IT project, including information security risk assessments. Absence of management commitment will result in wasting valuable resources and efforts, producing weak evaluations, and, most importantly, will lead to the assessment findings being ignored [10].

2) Absence of appropriate policies for information security risk management: It is crucial to have information security policies in place to reflect the enterprise objectives and management directions. Although some policies might be created, information security risk management policies tend to be dropped or forgotten. In research conducted by GAO, the US Government Accountability Office, three out of four detailed case studies showed that, despite the fact that firms had practiced some form of information security risk assessment approach for several years, the risk management and assessment policies and processes were not documented until recently [11]. The absence of this critical steering document will lead to unstructured risk assessment approaches and will openly allow unmanaged evaluations.

3) Disintegrated GRC efforts: The increasingly popular term GRC refers to three critical areas: Governance, Risk Management and Compliance. According to COBIT 4.1, IT Governance is defined as “the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives” [12]. Risk management is a process through which management identifies, analyses, evaluates, treats, communicates and monitors risks that might adversely affect realization of the organization's business objectives. Compliance is about making sure that external laws, regulations, mandates and internal policies are being complied with at a level consistent with corporate morality and risk tolerance. Governance, risk and compliance should always be viewed as a continuum of interrelated functions, best approached in a comprehensive, integrated manner. Their disintegration results in increased failure rates, waste of resources, and
  • 60. increased overall assurance cost. 4) Improper assessments management: Despite the importance of security risk assessments, they are mostly not managed as projects and merely considered as part of IT normal operations. Considering security risk assessments as part of IT routine assignments will exclude these assessments from business review and consequently will result in a definite disconnect between management and their enterprise information security assessments. This exclusion will also increase the possibilities of executing over-budget assessments that will only cause additional efforts and resources to be wasted. 5) Assets ownership is either undefined or unpracticed: In ISO 27001 “the term ‘owner’ identifies an individual or entity that has
  • 61. approved management responsibility for controlling the production, development, maintenance, use and security of the assets” [13]. This definition entails major responsibility granted to the person who is assigned ownership, which includes making sure that proper controls are actually implemented in order to protect the asset. Information security standards, best practices and mandates like ISO, COBIT, and ITIL require that information assets are identified, inventoried, and ownership is assigned. This is crucial for the success of any information security assessment. Most organizations fail to develop comprehensive information asset inventories and accordingly do not assign ownership [14]. 6) Limitations of existing automated solutions: Software solutions for information security risk
  • 62. INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2 31 assessment are developed to aid in the automation of this process and to make it more efficient. In a detailed comparison conducted by “Risk Assessment Accelerator”, seven common solutions were compared with respect to more than forty different areas [15]. Features like ease of use, multi-language and client-server architecture support were highlighted as existing limitations in four to five of these solutions. Three out of the seven compared solutions provide limited customization capabilities for both built-in inventories (for
  • 63. risks, vulnerabilities and threats) and the generated dashboards. All these weaknesses and limitations degrade enterprises’ efforts to have efficient and reliable information security risk assessment requirements documentation. 7) Existence of several IT risk assessment frameworks: The existence of many information security risk management and assessment frameworks adds to the ambiguity and the challenge of deciding which one is best to use. As a matter of fact, analyses of existing risk assessment frameworks show that there is no one-size-fits-all solution to this issue, as it is hard to develop a single precise document that addresses the needs of all enterprises given their varying natures and requirements. 4. Drivers for Standards Adoption
  • 64. In order to address their information security risk management and assessment challenges, enterprises adopt internationally accepted frameworks or best practices. Standards in general are meant to provide uniformity that eases the understanding and management of the areas concerned. Businesses find themselves needing to adopt standards for various reasons, ranging from business requirements to regulatory and compliance mandates. Establishing proper corporate governance, increasing risk awareness and competing with other enterprises are some business drivers worth mentioning. Some firms pursue certifications to meet market expectations and improve their marketing image. A major business driver for standards adoption is to fill the gaps and lack of experience in certain areas where firms are not able to build or establish proprietary
  • 65. standards based on their staff competencies [16]. Providing confidence to trading partners, stakeholders, and customers, reducing liability due to unimplemented or unenforced policies and procedures, getting senior management ownership and involvement, and establishing a mechanism for measuring the success of the security controls are some other key drivers for the adoption of standards. 5. Leading Market Best Practices Standards
  • 66. In this section, an overview is presented of a number of the more important standards for information security risk management. For detailed information about these standards, the reader is encouraged to consult the references provided for them. The list of standards presented is by no means complete; as mentioned before, only a subset of the existing standards is treated in this paper. 5.1. ISO 27000 Set The ISO 27000 is a series of standards, owned by the International Standards Organization, focusing on information security matters. For the purposes of this work, ISO 27001, ISO 27002, and ISO 27005 will be explored to highlight their strengths and weaknesses in relation to current demands for effective and robust frameworks for information security risk assessments.
  • 67. ISO 27001: The ISO 27001 standard is the specification for an Information Security Management System (ISMS). The objective of the standard is to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System within an organization [13]. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. It is seen as an internationally recognized structured methodology dedicated to information security management.
  • 68. The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization’s ISMS. The PDCA cycle has these four phases: – establishing the ISMS – implementing and operating the ISMS – monitoring and reviewing the ISMS – maintaining and improving the ISMS. Organizations that adopt ISO 27001 in their attempt to pursue an effective means for operational information security risk management overlook the fact that this standard was designed to be used mainly as an ISMS framework – at the high level, not the operational level – founding proper bases for information security management. The ISO 27001 document mentions valuable details on information security risk assessment – mainly in
  • 69. the statements 4.2.1.C through 4.2.1.H – that can be used as selection criteria for a proper information security risk assessment approach that builds upon the controls list proposed by the standard. ISO 27002: ISO 27002 is a code of practice that provides suggested controls that an organization can adopt to address information security risks. It can be considered an implementation roadmap or extension to ISO 27001. As stated in the standard document, the code of practice is established to provide “guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization” [17]. The controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to
  • 70. provide a guide for the development of “organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities” [18]. ISO 27002, as the Code of Practice, is best suited to be used as guidance and a direct extension to ISO 27001. ISO 27002 is used by enterprises as the sole source of controls and a means for information security risk assessment; however, not all controls are mandated, as firms’ structures and businesses vary. Control selection must be based on a detailed and structured assessment to determine which specific controls are appropriate and which are not. This standard contains guidelines and best-practice recommendations for these 10 security domains: Security Policy; Organization of Information Security; Asset Management; Human
  • 71. Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; and Compliance. Among these 10 security domains, a total of 39 control objectives and hundreds of best-practice information security control measures are recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability. ISO 27005: The ISO 27005 standard was proposed to fill the gaps existing in ISO 27001 and ISO 27002 in terms of information security risk management. The standard builds on the core
  • 72. that was introduced in ISO 27001 – reference statements 4.2.1.C through 4.2.1.H – and elaborates by identifying inputs, actions, implementation guidelines, and outputs for each and every statement. However, during our research we realized that the adoption of this standard as a means for information security risk management is minimal. This was evident in “The Open Group” efforts to support ISO 27005 adoption by releasing a free detailed technical document – called ISO/IEC 27005 Cookbook – that uses ISO 27005 as a cornerstone for a complete risk management methodology [18, 19]. ISO 27005 is not intended to be an information security risk assessment methodology [20]. The standard has six annexes that are all informative but are considered a major value extension to the standard. With proper
  • 73. customization, these annexes along with the ISO 27005 body can be used as the main assessment methodology for security risks. 5.2. IT Infrastructure Library (ITIL 3.0) ITIL is one of the IT frameworks used as a best practice adopted to properly manage IT services. ITIL perceives any effort or action done by IT in support of the organization as a service that has value to customers or businesses. The ITIL library focuses on managing IT services and covers all aspects of IT service provisioning, starting from service strategy, design, transition, operation, and
  • 74. implementation. It also highlights the continual monitoring and improvement aspect for each and every service. ITIL does not introduce itself as a framework for information security risk management. However, as an IT governance framework, having it implemented in an enterprise provides assurance and an indication of the organization’s IT maturity. Addressing IT risks associated with incident, change, event, problem, and capacity management would definitely minimize related information security risks as well [21, 22]. The drivers for ITIL adoption in organizations have been the subject of analysis and study by several researchers. A survey conducted by itSMF (IT Service Management Forum) showed that ITIL was adopted by different industry sectors [23] including education, government, and financial
  • 75. sectors amongst others. The ITIL status survey for 2009 [24] showed the increasing adoption of ITIL version 3.0 and elaborated on the major drivers behind this adoption. These include improving service quality and customer satisfaction, and establishing IT stability and successful value delivery for the business. ITIL’s modularity adds to its adoption popularity. Based on the enterprise’s current priorities, the firm can choose to focus on service operations rather than service strategy, which typically needs more time to mature. ITIL can be implemented gradually in phases. 5.3. COBIT 4.1 & Risk IT Control Objectives for Information and related Technology (COBIT), developed and owned by the Information Systems Audit & Control
  • 76. Association (ISACA), is one of the most increasingly adopted information technology frameworks for IT Governance. COBIT focuses on defining IT control objectives and developing the controls to meet them. It is made up of 34 processes that manage and control information and the technology that supports it [12]. COBIT is adopted by enterprises from various industry sectors [25], which include IT consulting firms, education, financial institutions, government, healthcare, utilities and energy. To get a closer understanding of how various enterprises perceive COBIT, thirty case studies were reviewed and analyzed. The case studies showed that COBIT was used to create the needed alignment between business and IT, create the IT Governance framework, improve IT processes and establish the IT risk management organization.
  • 77. Other enterprises used COBIT to meet their compliance needs and requirements. It was realized from the case studies that financial institutions adopt COBIT for their internal IT audit efforts and risk assessments. They also used it to create IT policies and procedures. Other firms used COBIT as a means to standardize IT processes and increase their effectiveness and maturity level. COBIT was also used as a means to conduct audits. COBIT does not provide a methodology to conduct information security risk assessments but rather establishes the foundation for having a solid IT organization in the firm. ISACA recognized the importance of and need for a comprehensive IT risk management framework and as a result developed the Risk IT framework. According to the Risk IT framework document, “The Risk IT framework complements
  • 78. ISACA’s COBIT, which provides a comprehensive framework for the control and governance of business-driven IT-based solutions and services. While COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risks” [26]. Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It enables enterprises to understand and manage all significant IT risk types. Risk IT follows the process model used in COBIT and has three major domains: 1) Risk Governance, which
  • 79. focuses on the establishment and maintenance of a common risk view and on making risk-aware business decisions; 2) Risk Evaluation, which deals with data collection, risk analysis and maintaining the risk profile; 3) Risk Response, which articulates risk, manages risk and reacts to all adverse events identified [26]. Given that Risk IT is still new, its adoption across enterprises is not yet realized; however, it is expected to receive more attention and focus in the near future, making use of the wide acceptance and adoption of COBIT. 5.4. Other Frameworks
  • 80. In this section, we briefly discuss other standards and regulations for information security. Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries. Basel II: Basel II is the most commonly adopted directive across the financial institutions. The reason behind this is the fact that this directive has become a mandated regulation that all financial institutions need to comply with. Its core is about how much capital banks need to put aside to guard against the types of financial and operational risks banks face [27]. It focuses on operational risks as opposed to information security risks. According to Basel II, operational risk (Ops Risk) is any risk that results from failure in any of the following areas: system, process,
  • 81. human or external attack. This definition implies that Basel II has an IT dimension that needs to be properly managed. This area was the subject of detailed research, and several publications tried to set clear controls and control objectives to mitigate the related risks. ISACA led this effort and developed a detailed framework in this regard [28]. PCI DSS: Payment Card Industry Data Security Standard (PCI DSS) [29], currently in version 2.0, is a standard that consists of twelve domains and was created by payment brand leaders to help facilitate the broad adoption of consistent data security measures on a global basis. Proper implementation of PCI DSS assists in building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, and
  • 82. implementing solid access control measures. Compliance with PCI requirements is mandated for any party that stores or transmits credit or debit card data. It assists enterprises in managing information security risks, reduces losses resulting from fraud, and protects consumer data. PCI DSS is not intended to be used as an information security risk management or assessment framework; however, while effort is spent on fulfilling its requirements, the overall information security maturity level is raised, making it easier to achieve better security assessments. For organizations that already have an ISMS (ISO 27001) implemented, PCI DSS compliance is straightforward. OCTAVE Set: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination
  • 83. Center at Carnegie Mellon University, is a detailed information security risk assessment methodology; it consists of tools, techniques and methods to conduct risk assessments. It is a formal and detailed set of processes, which assist in ensuring that risks are identified and properly analyzed, … Addressing Information Security Risks by Adopting Standards Walid Al-Ahmad*‡, Bassil Mohammad** *Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait **Ernst & Young, Amman, Jordan
  • 84. ‡ P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail: [email protected] Abstract- Modern society depends on information technology in nearly every facet of human activity, including finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks, including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject. Keywords- Information security; risk management; security frameworks; security standards; security management.
  • 85. 1. Introduction The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with concentration on functionality, costs reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as systems vulnerabilities, and to limit their damaging impact on the information systems integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually
  • 86. countless and are evolving tremendously [1, 2]. In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process. Because risks cannot be completely eliminated, they need to be reduced to acceptable levels. Acceptable risks are risks that the business decides to live with, given that proper assessment for these risks has been performed and the cost of treating
  • 87. these risks outweighs the benefits. To this effect, enterprises spend considerable resources in building proper information security risk management programs that would eventually address the risks they are exposed to. These programs need to be established on solid foundations, which is the reason why enterprises look for standards and frameworks that are widely accepted and common across enterprises [4]. However, the fact that several standards and frameworks exist makes it challenging for enterprises to select which one to adopt, and the question “which is the best?” warrants further
  • 88. investigation. The main objective of this paper is to provide an answer to this question, thereby assisting enterprises in developing proper understanding of the issue and establishing successful information security risk management programs. This paper provides an analysis of some existing standards and frameworks for information security risks and consolidates various aspects of the topic. It also presents the challenges that frustrate information security risk management efforts along with how leading market standards and practices can be used to address information security risks with insights on their strengths and weaknesses. Please note that the scope of this paper is limited to the following frameworks: ISO 27001, ISO 27002, ISO 27005, ITIL, COBIT, Risk IT, Basel II, PCI DSS, and OCTAVE. These are the
  • 89. most commonly used frameworks in the market [5]. Other frameworks and methodologies like RMF (by NIST) and M_o_R (by GOC) can be considered in future work. It is also important to mention that this paper is not intended to promote a specific standard or framework; rather it treats them equally. Conclusions drawn as a result of this work are based on our detailed analyses, research, literature review, and observations from our work experience and engagements with clients from various sectors in the field of information security. The remainder of this paper is organized as follows: section 2 highlights some related work; section 3 details some challenges that disturb information security risk assessments; section 4 provides an overview of the major drivers for standards adoption; section 5 provides detailed analyses and exploration for the standards and
  • 90. frameworks in scope; section 6 details the strengths and weaknesses of these standards and frameworks when used as a means to address information security risks; section 7 captures the selection considerations to use; section 8 provides some recommendations along with the proposed approach; section 9 presents a case study to illustrate the benefits of the proposed selection method; finally, section 10 puts forward some conclusions and future research opportunities in relation to our work. 2. Related Work The literature on information security risk management based on international standards is scarce. The literature lacks studies that guide organizations in selecting the standard that fits their needs. Some research works attempt to
  • 91. analyze existing information security risk management standards, mainly ISO 27001 [6]. However, these research works focus mainly on listing advantages and disadvantages of these standards and how to implement and manage them. No comprehensive studies have been done to holistically compare various frameworks with the objective of providing selection criteria for the best standard or proposing a better assessment approach. Some papers dealt with frameworks such as COBIT, ITIL, and ISO 17799 as means to manage compliance requirements [7]. Ref. [8] proposes a framework which considers global, national, organizational, and employee standards to guide information security management. Ref. [9] presents a framework of information security standards conceptualization, interconnection and categorization to raise awareness among
  • 92. organizations about the available standards (mainly ISO series). As well as exploring existing frameworks used in IT risk management, this paper presents the challenges facing organizations in successfully implementing information security risk assessments and the drivers for standards adoption. The main and novel contribution of our research work is the proposal of a practical approach to selecting an appropriate framework to address information security risks. 3. Challenges to Information Security Risk Assessments
  • 93. Some of the common challenges to information security risk assessments are discussed briefly in this section. In fact, these challenges represent critical failure factors for an information risk management program. 1) Absence of senior management commitment & support: Management’s buy-in and support is a critical driver for the success of any IT project, including information security risk assessments. Absence of management commitment will result in wasting valuable resources and efforts, producing weak evaluations, and most importantly, will lead to ignoring the assessment findings [10]. 2) Absence of appropriate policies for information security risk management: It is crucial to have information security policies in place to reflect
  • 94. the enterprise objectives and management directions. Although some policies might be created, information security risk management policies tend to be dropped or forgotten.