Article Preview
Top1. Introduction
Assuring information security is a necessity in modern organizations. There exists variation of viewpoints in information security management (ISM) concerning ‘what’ should be done (ISO/IEC 27000 and COBIT; IT management), ‘how’ it should be done (ITIL; service management), and ‘who’ should do it (SFIA; competence management), see (Armstrong 2013). These recommendations are used to define baseline of information security requirements ensuring that an organization has implemented the selected practices. Some of the recommendations provide the possibility for organizations to request certification, which can then be granted if the implemented practices fulfill the audition criteria.
Widely adopted ISO/IEC 27001 prescribes a process for information security management system (ISMS) whereas guidance to implement security controls is defined in ISO/IEC 27002. Hence, together they comprise minimum criteria of controls and their objectives, providing also non-normative guidance for control implementation. Finnish National Security Auditing Criteria (KATAKRI) has been developed by the national authorities in Finland to verify maturity of information security practices in an organization. Approach in KATAKRI is different compared to ISO/IEC 27000 standards. As national security auditing criteria, KATAKRI defines both security control objectives and absolute security controls to meet an objective. Implementation of controls is mandatory whereas ISO/IEC 27001 leaves responsibility of the selection of controls and their implementation to the organization itself by defining only the control objectives. Use of ISO/IEC 27001 is always subject to completeness of risk assessment and selection of valid security controls. On the other hand, KATAKRI may force organization to implement such controls that are not feasible from risk management or benefit-cost ratio point of view.
KATAKRI is of interest for wider than just the national audience because of its structure. It has been created in the form of the audition questionnaire, which makes it a tool that can be used to check the security baseline of an organization. As information security is a process, to protect information and information infrastructure from unauthorized access, a baseline must be defined and evaluated. ISO/IEC 27001 and 27002 specifications are not usable as audition tools themselves and, hence, a number of spreadsheets and special applications have been created from different viewpoints to be used in the auditions. At the topic level, KATAKRI could also be used as an ISO/IEC 27001 audition tool, but this requires detailed analysis and alignment of the correspondences of the two specifications.
In our work, we study differences of security control objectives and actual controls of ISO/IEC 27001 and KATAKRI’s requirements to analyze completeness and mutual coverage of KATAKRI and ISO/IEC 27001. The actual comparison also takes into account ISO/IEC 27002 security control implementation guidelines, creating links between them and the security requirements in KATAKRI. More precisely, our analysis of KATAKRI and ISO/IEC 27002 specifications is focused on both shared common security aspects and the actual differences to see the potential gaps in them, especially in the relatively new KATAKRI. First of all, however, the two specifications are united in their terminology and structure, but whereas ISO/IEC 27002 focuses on existence of security controls to meet the security objectives, KATAKRI defines different levels of requirements that should be fulfilled. Barlette & Fomin (2008), Fomin et al (2008), Yeniman Yildirim et al (2011), and Siponen (2006) all criticize that information security management standards focus on security process, not how well activities are carried out or how objectives are achieved. To cope with these information security management system hindrances, we created an explicit alignment between the process-oriented standard and the (normal) operative mode assessment in an organization.