A Study on Primary Control Area for Information Security Management System (ISMS): Focusing on the Domestic Three Industries

  • 강윤철 (Department of Digital Management, Korea University) ;
  • 안종창 (Department of Information Systems, Hanyang University)
  • Received : 2021.01.18
  • Accepted : 2021.04.02
  • Published : 2021.04.30

Abstract

Most industries have introduced and operate an information security management system (ISMS) or a personal information security management system (PIMS) to suitably protect and maintain customer information and company trade secrets. This study starts from the premise that it is desirable for every industry concerned with information security to maintain an ISMS. An ISMS can take different forms in different organizations, depending on their culture, practical work procedures, and information security guidelines. This study derives the primary control areas of an ISMS for each industry, organizational size, and audit type by analyzing non-conformity trends and control factors recorded in certification audits of organizations that have adopted the international ISMS standard ISO27001. It also analyzes the improvement effects of an ISMS through case analyses. The work is meaningful as exploratory research, although acquiring data for an empirical study was difficult because few organizations in the major industrial sectors maintain certification. The requirements that showed the highest frequency of non-conformity for each type between 2013, when ISO27001:2013 was published, and 2020 were extracted as the primary control areas. The study found that the primary control areas of the ISMS differ across the three industries, organizational sizes, and audit types.

To properly protect and maintain corporate trade secrets and customer information, organizations have begun to introduce and operate management systems such as an information security management system (ISMS), a personal information management system (PIMS), and a business continuity management system (BCMS). This study starts from the premise that it is desirable for every organization that takes information security into account to maintain an ISMS, and that an ISMS can take different forms in different organizations depending on their information security culture, practices, and guidelines. Targeting organizations that have adopted ISO27001, an internationally recognized and widely known ISMS standard applicable regardless of industry, we sought to derive the primary control areas of the ISMS by industry, organizational size, and audit type from the non-conformity cases found in certification audits. In Korea, few organizations in each industrial sector maintain certification, which makes it difficult to secure data for an empirical study, but the topic appears meaningful as a subject of exploratory research. Through the analysis, the requirements with the highest frequency of non-conformity for each type at the target organizations from 2013, when ISO27001:2013 was published, to 2020 were derived as the primary control areas. On this basis, we found that the primary control items of the ISMS differ according to the three industrial sectors, organizational size, and audit type.
