Hierarchical Multilevel Information security gap analysis models based on ISO 27001: 2013

A. A. Nasser Al-Shameri¹

1. Dept. of information system, College of science , Sa`adah University, Sa`adah, Yemen.

Correspondence should be addressed to: adelru2009@mail.ru.

Section:Research Paper, Product Type: Isroset-Journal
Vol.3 , Issue.11 , pp.14-23, Dec-2017

CrossRef-DOI:   https://doi.org/10.26438/ijsrms/v3i11.1423

Online published on Dec 31, 2017

Copyright © A. A. Nasser Al-Shameri . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
 

View this paper at   Google Scholar | DPI Digital Library

XML View     PDF Download

How to Cite this Paper

600 Views    267 Downloads    216 Downloads

Abstract :
This research was conducted to introduce the hierarchical multilevel models, based on categorization of security controls in ISO 27001:2013 standard. And to find out the level of information security in the Yemeni Academy for graduate studies (YAGS) regarding the compliance of implementation of this standard. The results showed maturity level of information security in the YAGS is at level 2 for all MTO, Responsibility categories in all security aspects. The value of the gap between the value of the maturity level of the current and expected level of maturity value is a 2.88 for MTO domains and 2.84 for responsibility groups. This mains that many control weaknesses exist, related security policies and procedures should be developed and security management system and culture should be implemented. The detailed results of benchmarking based on the ISO27001 standard, the method used to measure the maturity level for each security control domain, and the improvement recommendations are presented.

Key-Words / Index Term :
Gap analysis; MTO , Multilevel model, Compliance; ISO 27001; Maturity level

References :
[1] K.Samota, J.patel, “Resent IT trends: A Review paper",International journal of scientific research in multidisciplinary Studies", Vol. 3, Issues 5 , pp. 1 – 7, May. 2017
[2] Anderson, A., Longley, D., and Kwok, L.F., "Security modeling for organizations", CCS `94 Proceedings of the 2nd ACM Conference on Computer and communications security, , p. 241- 250, New York, 1994.
[3] Al-Mayahi and S. P. Mansoor, “ISO 27001 gap analysis – case study” , presented at 2012 International Conference on Security and Management (SAM ’12), Las Vegas, 2012.
[4] Saleh, M. S., Alrabiah, A., and Bakry, S. H., "Using ISO 17799:2005 information security management: a STOPE view with six sigma approach" , International journal of network management, v. 17, 2007, pp.85- 97.
[5] DNB Framework Information Security, point to consider: Available from http://www.toezicht.dnb.nl/en/binaries/51-230769.XLSX
[6] Bahareh S., Hannes F. and Iman S., Evaluating the effectiveness of ISO 27001:2013 based on Annex A, 9th International Ðorkshop on Frontiers in Úvailability, Reliability and Ðecurity (FARES 2014), Ðniversity of Fribourg, Ðwizerland, Sep 11, 2014
[7] Rosmiati, Imam Riadi, Yudi Prayudi , "A Maturity Level Framework for Measurement of Information Security Performance" , International Journal of Computer Applications (0975 – 8887),Volume 141 – No.8, May 2016
[8] S. Faris, H. Medromi, S. El Hasnaouni, H. Iguer and A.Sayouti, "Towards an Effective Information Security Risk Management of Universities Information Systems Using Multi Agent System", Itil, Iso 27002, Iso 27005‖, (IJACSA) Intermasional Journal of Advanced Computer Science and Application, Vol. 5 No. 6 2014, pp 114 –118.
[9] S. M. Wu, D. Guo, W. T. Lin and M. H. Li "web based analytic hierarchy process (ahp) assessment model for information security policy of commercial banks", IJABER, Vol. 14, No. 2 (2016): 951-960

[10] A. A. Nasser, Information security gap analysis based on ISO 27001: 2013 standard: A case study of the Yemeni Academy for Postgraduate Studies, Sana`a, Yemen, ",International journal of scientific research in multidisciplinary Studies", Vol. 3, Issues 12 , pp. 1 – 9, DEC. 2017
[11] Information security management systems requirements, International
Standards ISO/IEC 27001 Std., 2005.
[12] ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems –Requirements. International organization for standardization
[13] M. Dey,“Information security management - a practical approach” ,in Proceeding AFRICAN 2007 Conference, 2007.
[14] T K Gusti Ayu, I Made Sukarsa and I Putu Agung B, " Governance Audit of Application Procurement Using COBiT Framework", Journal of Theoretical and Applied Information Technology (JATIT)‖. Vol 59. No.2. pp 342 – 351,.2014,