• Journal of Applied Reliability
• /
• v.14 no.2
• /
• pp.108-113
• /
• 2014

The demand against the risk analysis and information security of system from the companies or the agencies which operate an information system is increasing. ISO/IEC 27001 was established by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). Also this standard is international and authoritative standard of ISMS (Information Security Management System). This paper is to review how the ISO 27001 ISMS Requirement has been established and improved, and to communicate the significant changes from ISO27001 : 2005 to ISO 27001 : 2013 focusing on reasons for revisions. Additionally, This paper shows case study for understanding ISO 27001 : 2013 implementation.

• Journal of Digital Convergence
• /
• v.12 no.1
• /
• pp.405-414
• /
• 2014

It is very important to IT users that the Cloud service provides dynamic extension of IT resources and cost-saving. However, the reliability for Cloud service hinders utilizing Cloud service actively. Existing studies on assessment program for Cloud Service are executed by extracting information security assessment articles and adding features of cloud services by referencing ISO/IEC 27001:2005. This paper will review the recently released ISO/IEC 27001:2013 for the addition, reduction, and changing of articles for Controls and Control objectives. Comparative analysis for the Controls of ISO/IEC 27001:2013 with those of CSA CCMv.3, FedRAMP which is an assessment program for Cloud service will suggest Control Objects of Information Security Management System for related Cloud service. The suggestion of Controls will be an important reference index for the security policy of companies which manage the information security management system based on Cloud service.

• Information Systems Review
• /
• v.25 no.4
• /
• pp.205-231
• /
• 2023

The Information Security Management System (ISMS) is a protection procedure and process that keeps information assets confidential, flawless, and available at any time. ISMS-P in Korea and ISO/IEC 27001 overseas are the most representative ISMS certification systems. In this paper, in order to understand the relationship between ISMS certification and organizational characteristics, data were collected from Korea Internet & Security Agency (KISA), Ministry of Science and ICT, Information Security Disclosure System (ISDS), Financial Supervisory Service, Data Analysis, Retrieval and Transfer System (DART), and probit regression analysis was performed. In the probit analysis, the relationship with four independent variables was confirmed for three cases: ISMS-P acquisition, ISO/IEC 27001 acquisition, and both ISMS-P and ISO/IEC 27001 acquisition. As a result of the analysis, it was found that companies that acquired both ISMS-P and ISO/IEC 27001 had a positive correlation with the total number of employees and a negative correlation with business history. In addition, the improvement direction of the ISMS-P certification system and information security disclosure system could also be confirmed.

• KIPS Transactions on Software and Data Engineering
• /
• v.3 no.11
• /
• pp.465-470
• /
• 2014

The SP quality assessments from national IT industry promotion agency of Korea(NIPA) assesses ability of software development process. And the SP quality assessments is getting popular over the nation. But, in the SP quality assessments, there is no concern about security attribute. In this paper new secure process base on ISO 27001 is proposed for the organization that is already passed SP quality assessments. This process can detect security threatening factors and gives chance to protect those factors. Furthermore, since detected security weaknesses can be used as a measurement, the system can be managed in aspect to security attribute.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2011.04a
• /
• pp.823-825
• /
• 2011

R&D에 관한 주요 국가 및 산업기술의 정보 유출이 문제가 되고 있다. 2009년 11월 국가과학기술지식정보서비스(NTIS)는 영국표준협회(BSI)로부터 ISO 27001에 대한 11개 도메인, 133개 보안 통제항목의 정보보호관리체계((Information Security Management System) 인증을 획득하였고 이후 사후인증 심사를 받고 있다. 본 논문에서는 정보보호 국제 표준인증인 ISO 27001과 관련하여 NTIS의 정보보호관리체계에 대하여 국가R&D정보관리의 경영적 관점에서 실증적 현황 및 성과와 향후 개선 및 발전 방향에 대하여 검토한다. ISO 27001 도입 후 133개 통제항목 중에서 적용율이 증가하였고 중부적합/경부적합/개선권고 사항이 크게 감소하였으나 정보자산 및 개인정보 관리는 지속적인 관심과 개선이 필요함을 알 수 있었다.

• Journal of Information Technology Services
• /
• v.23 no.1
• /
• pp.11-25
• /
• 2024

In the field of information security management systems, one of the representative certifications in Korea is ISMS-P certification, and internationally, ISO/IEC 27001 certification is recognized. When companies acquire both ISMS-P (or ISMS) and ISO/IEC 27001 certifications, budget and manpower are duplicated in similar areas. Therefore, it is necessary for the company to choose and invest in a certification that is suitable for its conditions. This paper proposes a strategy for obtaining information security management system certification that is suitable for the characteristics of the company, allowing for effective information security management based on the company's conditions. To achieve this, data were collected from the Ministry of Science and ICT's Information Security Disclosure System (ISDS), the Korea Internet & Security Agency (KISA), and the Financial Supervisory Service's Data Analysis, Retrieval and Transfer System (DART), and Probit regression analysis was conducted. During the Probit regression analysis, the relationships between seven independent variables and five cases of ISMS-P (or ISMS) acquisition, ISMS-P acquisition, ISMS acquisition, ISO/IEC 27001 acquisition, and both ISMS-P (or ISMS) and ISO/IEC 27001 acquisition were analyzed. The analysis results revealed the relationship between company characteristics, including industry, and certification acquisition in the ISMS field. Through this, strategies for certification acquisition based on company types could be suggested.

• Journal of the Korea Society of Computer and Information
• /
• v.12 no.6
• /
• pp.153-160
• /
• 2007

Recently, the demand against the system risk analysis and security management from the enterprises or the agencies which operate a information system is increasing even from domestic. The international against the standardization trend of information protection management system it investigates from the dissertation which it sees. It analyzed and against information property information protection management system integrated it will be able to manage a danger modeling it did it proposed. Having analyzed as well as compared the matureness of security-measurement models in regard to the global standard of proposal system, the administrative presentation for various IT technology resources. which have been managed singly so far, is now well applied under the united control of the company itself, and enabled the automated management of authentication support and renewal for ISO 27001, ISO 9000, ISO 14000, resulting in much advanced operation for both material and human resources.

• Convergence Security Journal
• /
• v.21 no.1
• /
• pp.19-24
• /
• 2021

The purpose of this study was to add CPTED to the information security area. The control items of ISO 27001 (11 types) and the application principles of CPTED (6 types) were mapped. And the relevance between the items was verified through the FGI meeting through 12 security experts. As a result of the survey, the control items with a relevance of at least 60% on average are security policy, physical and environmental security, accident management, and conformity. As a result, the comprehensive policy was shared with CPTED's items as a whole. The specialized control items are security organization, asset management, personnel security, operation management, access control, system maintenance, and continuity management. However, specialized control items were mapped with each item of CPTED. Therefore, information security certification and septed are related. As a result, environmental security can be added to the three major areas of security: administrative security, technical security, and physical security.

• Review of KIISC
• /
• v.26 no.4
• /
• pp.16-21
• /
• 2016

올 6월 약 4년간의 표준화 활동의 결과로 ISO/IEC 27009 "ISO/IEC 27001의 분야별 응용 - 요구사항"이 국제 표준으로 발표되었다. 이 표준은 ISO/IEC 27001을 어떤 특정 분야에 적용하고자 할 때 필요한 요구사항을 정의한 것으로서, 분야별 정보보호 경영체계 인증제도의 국제적 상호 인정의 기반을 마련하기 위한 것이다. 본 논문에서는 이 표준의 개발 배경, 내용과 의미, 그리고 관련 현황을 소개하고 국내 정보보호 경영시스템 전문가들의 대응 방향을 제시한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2016.04a
• /
• pp.229-232
• /
• 2016

개정된 정보통신망법 정보보호 관리체계에 대해 민간, 공공기관들의 관심과 인증을 준비하는 조직이 늘어나고 있다. 의무 인증대상자가 대. 중견기업, 비(非) 정보통신서비스 사업자로 확대되고 국제표준 요구사항의 일부 인정이 가능해지며 ISO/IEC 27001:2013과 정보보호 관리체계에 대한 동시 인증을 효과적으로 추진하기 위한 가이드라인이 필요하다. 본 연구에서는 '정보보호 관리체계'(ISMS)의 요구사항, 통제항목 및 심사 과정에서의 차이점 분석(gap analysis)을 통해, 국제표준과 국내 법령에 적합한 ISMS를 효과적으로 구현할 수 있도록 한다.