http://dx.doi.org/10.5762/KAIS.2021.22.4.140

A Study on Primary Control Area for Information Security Management System (ISMS): Focusing on the Domestic Three Industries

Kang, Youn-Chul (Department of Digital Management, Korea University)
Ahn, Jong-Chang (Department of Information Systems, Hanyang University)
Publication Information
Journal of the Korea Academia-Industrial cooperation Society / v.22, no.4, 2021, pp. 140-149
Abstract
Most industries have introduced and operate an information security management system (ISMS) or a personal information security management system (PIMS) to protect and maintain customers' information and company trade secrets. This study starts from the premise that every industry that takes information security seriously should maintain an ISMS. The ISMS can differ from one organization to another, reflecting each organization's culture, practical work procedures, and information security guidelines. This study derives the primary control areas of an ISMS for each industry, by organizational size and audit type, by analyzing non-conformity trends and control factors from certification audits of organizations that introduced the international ISMS under ISO 27001. The improvement effects of an ISMS were analyzed through case studies. The work is meaningful as exploratory research, although data for an empirical study were difficult to obtain because few organizations in the major industrial sectors maintain certification. The requirements that showed the highest frequency of non-conformity for each type under ISO 27001:2013, over the years 2013 to 2020, were extracted as the primary control area. The study found that the primary control areas of the ISMS differed among the three industries, by organizational size and by audit type.
Keywords
Information Security Management System; Personal Information Security Management System; Certification Audit; Information Security Control Area; Non-conformity Trends;