This document discusses conformity assessment of electronic information security requirements based on the ISO 27001 standard for countries in the Customs Union. It notes that ISO 27001 provides an objective and independent method for evaluating information security levels. The document recommends certifying electronic services infrastructures as an information security management system according to ISO 27001 to provide internationally recognized evidence of security and ensure confidence in cross-border information exchange. It analyzes the advantages and disadvantages of this approach and discusses requirements for preparing electronic services infrastructures for ISO 27001 certification.

1. UDC 004.056
On the issue of conformity assessment services of electronic information
security requirements based on ISO 27001 standard in the customs union
I.I. Livshitz, D.V. Yurkin, A.A. Minyaev
JSC “Gasinformservice”
Kronshtadskaya 10 A, St. Petersburg, 198096, Russia
Abstract. This publication summarizes the problem of conformity assessment for electronic services (ES)
information security requirements (IS) for the countries-participants of the Customs Union. The urgency is caused
by the publication of a wide range of approaches to information security and the well-known difficulties in
establishing international confidence in the level of security ES.
It is noted that in addition to well-known standards set by the various national regulators, some perspective in order
to create objective and independent evidence of confidence in the assessment of the safety level of EC can ensure
international standards of ISO 27001 series of methodical base of the ISO 27001 series operates on an objective and
independent assessment of the set of metrics IS for generating a quantitative assessment of the level of EC
protection. The results can be applied in ensuring international confidence in the EC due to objective and
independent assessment of the IB.
Key words: Information Security; Information security management system; audit; risks; Standards, Customs
Union, electronic services.
1. Introduction
One of the most pressing problems at the present stage of development of electronic
communications for the countries of the Customs Union (CU) is an information security (IS) e-
services (ES). The solution to this problem is offered as getting a formalized assessment of the
conformity of measures (assets) (in terms of [1] - "controls") the requirements for information
security, which will meet the criteria of assessment, recognized by all members of the
international information exchange.
An independent evaluation may be entrusted to the authorized representatives of the CU
Member States. In order to consolidate Russia's national requirements, the Republic of Belarus
and the Republic of Kazakhstan on protection of the information necessary to develop a single
document containing requirements for the measures (tools) to ensure information security, which
can be independently and objectively confirmed by evaluating specific objects (in terms of [1] -
"asset") within the information security management system (ISMS). ISMS conformity
assessment carried out in accordance with the requirements of international standards ISO 27001
series [1 - 4] adopted at the national level in each of the CU Member States:
− GOST R ISO / IEC 27001-2006 - in the Russian Federation;
− STB ISO / IEC 27001-2011 - in the Republic of Belarus;
− ST RK ISO / IEC 27001-2008 - in the Republic of Kazakhstan.
It is relevant to the question of the need to develop a standard methodology and procedures
of conformity assessment according to the requirements of providing open and does not
contradict the requirements of the national standard documentation CU member states, above.
The aim of this publication is to offer review facility assessment ES information infrastructure as
the ISMS and, accordingly, the object of the certification according to the requirements of
national standards ISO 27001 series, taken in each of the CU Member States. This solves the
difficult task of ensuring international confidence in the level of information security software on
the basis of objective and independent evidence in the framework of the audit results. Evaluation
is carried out by a single ISMS internationally accepted standards, through independent

2. (certification) audits of third party by the national certification bodies under the strict supervision
of the IAF (International Accreditation Forum).
2. The requirements to realization of e-services
Let us consider the general to the EC requirements that must be taken into account in the
implementation and successful certification of an ISMS. We believe that in the modern ES
includes technology designed to ensure the verification activities of digital electronic signatures
for electronic documents (ED), at a fixed time maintaining the public key infrastructure (PKI) in
respect of the respondents (sender or recipient). EC being implemented by providers that are
trusted by all parties on the basis of the information exchange agreement (accession agreements).
On the side of the ES provider can be made to implement the following services:
− Service PKI - key management and certificate, which provides a single space EPO
treatment;
− Service authorized time, which provides for an NTP time reference markers with the
global standard;
− Service registration and maintenance of object identifiers, which allows you to record
patterns that are involved in the information exchange;
− Service documentation of events and information service, which allows you to support
the audit function;
− Service attribution solves the problem of cryptographic signature key certificate
communication with additional information;
− Service ED assurances that provides inspections using a DVCS protocol, OCSP, TSP for
cross-border information exchange.
Recommended implementation of complex solutions used while providing IS ES, so as to
provide properties: accessibility, integrity, confidentiality, authenticity, integrity and suitability
for use independently of any change (migration) consisting of software, and the specific
technical solutions. Specifications technical solutions used in providing information security for
the EC determined the specific composition of software and technical solutions used in the
particular national implementation [5 - 7].
3. Requirements for the preparation of ES infrastructure of ISO 27001 certification
It is known that the requirements for an ISMS installed near the ISO 27001 series, in
particular, the requirements for the implementation of measures (tools) to ensure information
security are defined by [2], the requirements for the management of information security risks
are determined by [3], to the dimensions of information security requirements defined by [4].
However, it seems appropriate to compare the requirements ES object as the object of
informatization (OI) in accordance with the [8, 9]. Defining OIs following - "a set of information
resources, equipment and information processing systems used in accordance with the given
information technology (IT), as well as their means of support, premises or facilities (buildings,
structures, facilities), in which these tools and systems installed, or premises and facilities
intended for confidential negotiations "[10]. Additional terms relating to methodological aspects
of the establishment, evaluation RI implementation given in [11].

3. Consider the requirements for the Olympic Games in accordance with the regulations [8,
9], which is convenient to combine the main groups, and compare them with similar
requirements for an ISMS [2] (see Table 1.):
Table 1. Generic requirements for object of informatization
№
Group of requirements
Item position of document
“Regulations on certification of
object of informatization”
Item position of
ISO 27001
1. Personal 3.7.1 7.2; 7.3; 7.4
2. Information security tools 1.5; 1.8; 3.4; 3.7 А.5 – А.18
3. Documentation 1.8; 2.6; 3.1; 3.5; 3.7; 4.1 7.5
4.
Composition of software and
technical device
1.7; 1.8; 3.4; 3.7; 3.8; 3.10; 4.1 А.5 – А.18
These documents [8, 9] established the applicability of international circuits and the
protection of information assets in the performance of the certification processes. In order to
compare the requirements of various regulatory documents note, further, that the "Regulation on
information protection certification" reflected: "In agreement with the federal certification body
can be used, and other certification schemes, including applied in international practice
(paragraph 1.7 [9. ]). Moreover, the possibility of recognition of international certificates:
"Federal agency for certification of information security ... shall cooperate with the relevant
authorities of other countries and international organizations on the issues of certification,
decides on the recognition of international and foreign certificates" (paragraph 2.2 [9]).
4. Advantages and disadvantages of EC certification according to ISO 27001
Description of the advantages and disadvantages of the proposed options assessment ES
information infrastructure as the ISMS in accordance with ISO 27001 requirements is given in
Table 2.
Table 2. Description of the advantages and disadvantages
of assessment of TPA as the ISMS
Advantages Disadvantages
− International unified methodology of the audit
management system (19011) [12].
− International Standard (27001) regarding the
requirements for an ISMS, including - a list of
recommended actions (means) IS [2].
− General Electric as the certification of IT
services in accordance with ISO 20000 [13].
− Certification General Electric in the field of
business continuity in accordance with ISO
22301 [14].
− High unification of work on any national level
TC - a single audit plan, audit unified criteria.
− Availability of audit materials for information
exchange TC members.
− Preparation of the Certificate as evidence of an
objective evaluation of accredited national and
− Potential labor input of the
organization of the audit process,
taking into account the formation
of the national audit teams.
− The requirement of two stages of
the audit, including the obligatory
audit of the facility ("on-site
audit").
− Potential problems with the
implementation of national
requirements for information
security in view of the choice and
use of different means (measures)
to ensure information security, for
example - cryptographic means.

4. international bodies (IAF).
− Availability of periodic control over the quality
and timing of the independent and objective
audit of the ISMS.
− The ability to control not only the independent
peer review documentation for the audit object,
but also monitoring ISMS audit on-site.
5. Implementation of EC conformity assessment infrastructure requirements of ISO
27001
Adoption of an object (information infrastructure ES) defined boundaries ("boundaries"),
the scope of certification ("scope"), together with the measures (tools) to ensure information
security ("controls"), documentation system ("documented information") as an ISMS and
implementation of certification within a unified and recognized by all Member States of the
vehicle requirements of national regulators - ISO 27001 will:
− develop and approve a single document that defines the requirements for
information security, to meet which will be held ISMS certification (certification,
certification of the border, the permissible exceptions and so on.);
− develop a plan of audits, including the certification of an ISMS to meet the criteria
of the standard ISO 27001. Designed ISMS audit plan should detail the procedures
for auditing on objects ISMS ("on-site audit"), in particular, control measures
(tools) to ensure information security ;
− appoint a group of auditors and certified competent representatives of all CU
member states having the right to carry out independent audits according to the
criteria of ISO 27001 standard;
− audit the third party (certification) for compliance with the approved ISMS ISO
27001 criteria in accordance with the agreed by all Member States of the TC audit
plan;
− provide the auditors group to the national authorities, which have internationally
recognized accreditation of ISMS certification for compliance with the national
standard ISO 27001 series and having the confidence in the TC. The certification
body issues a certificate of compliance with the ISMS requirements of the ISO
27001 series of national standard, which is recognized in all the CU member states,
as well as in the world (in the framework of recognition of accreditation of
certification bodies in the IAF system).
6. The mathematical rationale for the selection of EC certification scheme in accordance
with ISO 27001
It is necessary to prepare a mathematical basis for the objective of optimal choice ES
infrastructure assessment scheme for the purpose of providing internationally recognized
certification is based on ISO 27001. In order to plan this process, as a rule, take into account a
certain number of criteria IB, which are closely linked to issues of measurement [4], the analysis
of findings, correct and timely interpretation and communication to all stakeholders (both
internal and external).

5. It is well known that the fundamental difficulty of choice for many of the criteria is the
inability of the a priori determination of the best and only the best solution; Moreover, in a
number of papers given enough attention to the problem of minor (small) changes [15, 16] or
small disturbances, which can over time lead to a change in the meaning of the best solution, or,
in the limit, to disastrous consequences. It is known that such a decision implies multicriteriality
management tasks for which valid solutions are measured by several indicators (or criteria) at the
same time [15, 16]. It is known that there is a fundamental difficulty of solving the problems
mentioned above - a priori impossibility of determining the best (optimal) solutions from the set
of feasible solutions. Note that the best solution chosen must meet the expectations of all
stakeholders (in the notation of ISO [1] - "stakeholders"), the list of which is a countable set of
[17 - 19].
We define the set of numeric functions f1, f2… fm, m ≥ 2, defined on the set of possible
solutions as the X optimality criteria (objective functions). A vector f = (f1, f2, …, fm) called
criterion which takes values in the m-dimensional space Rm
, called criterial space or space
evaluations.
A vector estimate х ∈Х possible solutions for the vector criterion f is:
f (x) = (f1 (x), f2 (x),… fm (x) ) ∈ Rm
All possible vector evaluation constitute a set of possible ratings:
Y = f (x) = {y ∈ Rm
| y = f (x) при х ∈Х }
All possible evaluation of selected form a set of selected vectors (estimates):
С(Y) = f (С (Х) ) = {y ∈ Y | y = f (x) при х ∈С(Х) }
Multi-criteria task (multi-criteria optimization - MCO) referred to the problem of selection,
which includes the set of admissible values of the X and the vector criterion f. Or say that the
ICE task is to find the set of selected decisions C (X) such that С (Х)⊂Х given preference
relation 'on the basis of a given vector criterion f, established in accordance with the objectives
of (preference) of the decision maker (LPR). It is vital that this task was not too difficult, but this
problem can be solved by determining the level of detail at the stage of formulation of the
problem and determine the acceptable composition vector criterion.
It is known that the solution х*
∈ Х is called Pareto-optimal (or Pareto optimal) if there is
no such possible solutions х ∈ Х for which the inequality f (x) ≥ f (x *). Pareto-optimal solutions
form a Pareto set P j (X):
P j (X) = { х*
∈ Х | there is no such х*
∈ Х for which f ( x ) ≥ f (х*
)}.
It is important that a Pareto optimal solution - a feasible solution for which can not be
improved in any of the existing criteria, without impairing other other available criteria. Pareto-
optimal solutions - many compromises, in which decision-makers consciously make a decision
about the choice of a particular "win" and the adoption of minimum losses by one criterion. This
may be somewhat simplified if the decision maker offers several optimality criteria, and then
formed the so-called "area of interest" the decision maker. But in this case also need to fix the

6. limit for the making of dominance Х (х1
 х х2
; х2
 х х3
;…) that may cause an empty set (in the
limit).
Generally Edzhvota-Pareto principle states - if the decision maker behaves "reasonably",
the selected solution must be Pareto optimal [15]. Here, the "reasonableness" of behavior DMP
involves execution of two minimum conditions:
1. Perform exception vectors dominant axiom: for any pair of feasible vectors y1, y2 ∈ Y,
for which the y1  y y2, performed y2 ∉C(Y).
2. Perform Pareto axiom: for all pairs of possible solutions х1
, х2
∈ Х for which the
inequality f ( х1
) ≥ f ( х2
), performed х1
 х х2
.
In practical terms it is important to take into consideration an important feature of the
Pareto - the existence of non-empty set of Pareto-optimal vectors. This means, for example, that
under certain criteria f (e.g., budget, goals, deadlines, staff), there is a fundamental choice, for
example, the optimal set of measures (tools) to ensure information security in the project
implementation of EC infrastructure for certification ISMS.
For example, for the purpose of forming the IS assessment criteria for the task - an
internationally recognized information security assessments ES infrastructure, the following
criteria can be offered:
f1 - the cost of the certification project;
f2 - consulting costs for certification;
f3 - the duration of the certification project;
f4 - the amount of documentation required for certification;
f5 - value of new contracts (international) after certification;
f6 - recognition of the value of the certificate of conformity to the CU;
f7 - availability of national experts for certification in CU.
In [15, 16] that the finding of Pareto-optimal vectors by brute force with unlimited
potential vectors of dimension - it is impossible. Accordingly, it takes no special knowledge of
the decision-maker (which in practice occurs not often enough) or system necessary (sufficient)
conditions of Pareto optimality.
In this example, Pareto optimization, we have:
− 3 embodiment Y = { y(1)
, y(2)
, y(3)
};
− 7 Criteria (m = 7);
− Quantitative (proxy means) scale - 5 points;
In addition, the need to minimize the number of criteria:
f1 → f1 = 5 – f1
f2 → f2 = 5 – f2
f3 → f3 = 5 – f3
Consider options for the specification:
y (1) = ES Infrastructure Certification as an OI (requirements - Technical Commission
documents);
y (2) = ES certification infrastructure as an IT system (requirements - ISO 15408 series);
y (3) = ES certification infrastructure as an ISMS (requirements - ISO 27001 series).
A detailed analysis of options for all the criteria presented below (see Table 3.):

7. Table 3. Description of the advantages and disadvantages
of assessment of TPA as the ISMS
Vector of estimates f1 f2 f3 f4 f5 f6 f7
y (1)
2 2 1 1 3 3 3
y (2)
2 3 2 1 3 4 3
y (3)
2 4 2 2 4 5 5
Obviously, y2  y y1 (due to the lower complexity of, the national recognition of EC
evaluation results as the evaluation object on the requirements of ISO 15408), and that, in turn,
y3
 y y2
(due to a more rational documentation requirements, universal assessment model EC,
access to technical expertise for the design and auditors - to assess, as well as a wide national and
international recognition of ISO 27001 certificates). Thus, y3
vector dominates all other vectors
(y2
, y1
), thereby eliminating them from the set of Pareto-optimal: y1
∉C(Y), y2
∉C(Y).
7. Conclusion
Implementation of EC assessment infrastructure as the ISMS, and the formation of the
conclusion with the issuance of a certificate of compliance with the requirements of ISO 27001
(both national and international), possible for any Member State of the vehicle; still provided the
recognition reliability of the certificate as part of the vehicle, and if necessary - for all the
participants and users of information exchange in the world EC infrastructure.
References
1. Information technology - Security techniques - Information security management systems -
Overview and vocabulary: ISO / IEC 27000: 2014, International Organization for
Standardization, 2014. - 31 pages.
2. Information technology - Security techniques - Information security management systems -
Requirements: ISO / IEC 27001: 2013, International Organization for Standardization, 2013. - 23
pages.
3. Information technology - Security techniques - Information security risk management: ISO /
IEC 27005-2011, International Organization for Standardization, 2011. - 68 pages.
4. Information technology - Security techniques - Information security management -
Measurement: ISO / IEC 27004: 2009, International Organization for Standardization, 2009. - 55
pages.
5. GOST R ISO 15489-1-2007 "System of standards on information, librarianship and
publishing. Document Management".
6. GOST R / ISO / TR 15801-2009 «Electronic document management systems. Records
Management. The information stored in electronic form. Recommendations to ensure the
accuracy and reliability".
7. GOST R / ISO / TR 18492: 2005 "Ensuring long-term preservation of electronic documents"
8. "Regulation on certification of informatization facilities for information security requirements
(Approved. Chairman of the State Technical Commission under the President of the Russian
Federation of November 25, 1994).
9. "Regulations on certification of protection of information according to the security
requirements (Approved. Order of the Chairman of the State Technical Commission under the
President of the Russian Federation dated October 27, 1995 N 199).

8. 10. GOST R 51275-2006 "Information Security. informatization object. Factors influencing the
information".
11. GOST R 50922-2006 "Information Security Basic terms and definitions".
12. Guidelines for auditing management systems: ISO 19011: 2011, International Organization
for Standardization, 2011. - 44 pages.
13. Information technology -Service management - Part 1: Service management system
requirements: ISO / IEC 20000-1: 2011, International Organization for Standardization, 2011. -
26 pages.
14. Societal security - Business continuity management systems - Requirements: ISO 22301:
2012, International Organization for Standardization, 2012. - 24 pages.
15. VD Nogin Decision-making in many criteria // State University - Higher School of
Economics, St. Petersburg, 2007. 103 p.
16. Zakharov AO Narrowing of the Pareto set based on the information about closed against the
DM preferences // Bulletin of St. Petersburg State University, 2009, vol. 4. a. 69 - 82.
17. Livshits I. The joint solution of problems of information security audits and ensure the
availability of information systems based on the requirements of international standards BSI and
ISO // Informatization and Communication, 2013, vol. 6; from. 62 – 67.
18. Livshits I. Practically applicable methods for evaluating information security management
systems // Quality Management 2013, vol. 1; from. 22 – 34.
19. Livshits I. The approaches to the use of an integrated management system model for the
audit of complex industrial facilities - airport complexes // Proceedings SPIIRAS 2014, vol. 6;
from. 72 – 94.