Information security gap analysis based on ISO 27001: 2013 standard: A case study of the Yemeni Academy for Graduate Studies, Sana`a, Yemen

A. A. Nasser¹

1. Dept. of information system, College of science , Sa`adah University, Sa`adah, Yemen.

Correspondence should be addressed to: adelru2009@mail.ru.

Section:Research Paper, Product Type: Isroset-Journal
Vol.3 , Issue.11 , pp.4-13, Dec-2017

CrossRef-DOI:   https://doi.org/10.26438/ijsrms/v3i11.413

Online published on Dec 31, 2017

Copyright © A. A. Nasser . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
 

View this paper at   Google Scholar | DPI Digital Library

XML View     PDF Download

How to Cite this Paper

1793 Views    879 Downloads    250 Downloads

Abstract :
This Information is one of the most important assets of the company. Protecting information requires a broad range of controls. Organizations should make sure that they are covering the full range of controls needed to protect the confidentiality, integrity, and availability of business information from the full range of threats. ISO/IEC 27001:2013 is one of the leading standards of information security. It is the code of practice including 114 controls in 14 different domains. This research was conducted to find out the level of information security in the Yemeni Academy for graduate studies (YAGS) regarding the compliance of implementation of this standard. The results showed maturity level of information security in the YAGS is at level 2. The value of the gap between the value of the maturity level of the current and expected level of maturity value is 3.19. This mains that many control weaknesses exist, related security policies and procedures should be developed and security management system and culture should be implemented. The detailed results of benchmarking based on the ISO27001 standard, the method used to measure the maturity level for each security control domain, and the improvement recommendations are presented.

Key-Words / Index Term :
Gap analysis; Compliance; ISO 27001; Maturity level; Maturity model

References :
[1] A. Martins, J. Eloff , “Information security culture”, IFIP TC11 17th International Conference on Information Security (SEC2002): Security in the Information Society: Visions and Perspectives, Cairo, Egypt,2002.
[2] A. Itrada, S. Sultan, M. Al-Junaidi, R. Qaffaf, F. Mashal, and F. Daas, “Developing an ISO27001 Information Security Management System for an Educational Institute: Hashemite University as a case study”, Jordan Journal of Mechanical and Industrial Engineering , Vol. 8,no. 2, pp.102 – 118, April. 2014.
[3] K.Samota, J.patel, “Resent IT trends: A Review paper",International journal of scientific research in multidisciplinary Studies", Vol. 3, Issues 5 , pp. 1 – 7, May. 2017
[4] M. Lauren and L. Tim, “A Model for Improving e-Security in Australian Universities" , Journal of Theoretical and Applied Electronic Commerce Research, ISSN 0718–1876 Electronic Version, Vol. 1, Issues 2 , pp. 90 – 96, August. 2006.,
[5] K. Knapp, F. Morris,M. Thoms, and B. Anthony , “Information security policy: An organizational-level process model” Computer &. Security, vol.28,no,7, pp.493-508, 2009
[6] M. Dey,“Information security management - a practical approach” ,in Proceeding AFRICAN 2007 Conference, 2007.
[7] S. E. Chang, and C. S. Lin , "Exploring organizational culture for information security management” , Industrial Management & Data Systems, vol.107,issue 3, pp. 438 – 458, 2007.
[8] G. Dhillon, “Violation of safeguards by trusted personnel and understanding related Information Security concerns” , Computers & Security, Vol. 20, Issue 2,pp. 165-172, April 2001.
[9] N. Gaunt, “Practical approaches to creating a security culture”, International Journal of Medical Informatics, vol.60,Issue 2, Nov.2000
[10] H.S. Venter, and J.H.P Eloff , “Network Security: Important Issues” , Network Security, Vol. 2000, Issue 6, Jun. 2000.
[11] M. Andress, “Manage people to protect data” , InfoWorld, Vol. 22, Issue 46, Nov. 2000.
[12] S. Von,B, “Information Security - The Third Wave? ”,Computers and Security, Vol. 19, Issue 7,pp. 615-620, Nov. 2000.
[13] C. Candiwan, “ Analysis of ISO27001 Implementation for Enterprises and SMEs in Indonesia”, In Proceedings of the International Conference on Cyber-Crime Investigation and Cyber Security (ICCICS2014), pp. 50-58,Nov.2014, Kuala Lumpur, Malaysia.
[14] Al-Mayahi and S. P. Mansoor, “ISO 27001 gap analysis – case study” , presented at 2012 International Conference on Security and Management (SAM ’12), Las Vegas, 2012.
[15] F. H. Ermana, and M. I. Tanuwijaya,"Security audit information system based on the ISO 27001 Standards”,PT. BPR Jatim (STIKOM), Surabaya. 2012.
[16] B. Karabacak, and I.Sogukainar, “A quantitative method for iso 17799 gap analysis” , Computers and Security journal, Elsevier, vol. 25(6), pp. 413–419, 2006.
[17] P. Ifinedo,“Understanding information systems security policy compliance: anintegration of the theory of planned behaviour and the protection motivation theory”, Computers & Security, Vol. 31, No. 2011, pp. 83-95.,2014.
[18] R. Gabriel, S. Sowa, and J. Wiedemann, “Improving information security compliance – A process-oriented approach for managing organizational change,” in Multikonferenz Wirtschaftsinformatik 2008 (MKWI 2008), Berlin, 2008
[19] K. Julisch, “Security compliance: The next frontier in security research,”, In NSPW `08: Proceedings of the New Security Paradigms Workshop 2008, pp 71-74,ACM, 2008.
[20] British Standards Institute, Information security management, part 2: “Specification for Information Security Management Systems. Technical Report BS 7799-2”, 1999.
[21] ISO/IEC 17799:2000, Information technology – Security techniques – Code of practice for information security management, Geneva, Switzerland: International Organization for Standardization, 2000.
[22] N. Mayer, “A Cluster Approach to Security Improvement according to ISO/IEC 27001”, presented at the Software Process Improvement, 17th European Conference, EuroSPI 2010.
[23] S. T. Arnason and K. D. Willett, “How to Achieve 27001 Certification: An Example of Applied Compliance Management, ”,in Aurbach publication, Taylor & Francis Group LLC, 2008 .
[24] Nurbojatmiko, A. Susanto, E. Shobariah,"Assessment of ISMS based on standard ISO/IEC 27001:2013at DISKOMINFO Depok City", In 4th International Conference on Cyber and IT Service Management, April, 2016.
[25] ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements. International organization for standardization
[26] B. Stevanović, “ Maturity Models in Information Security”, International Journal of Information and Communication Technology Research,vol.1,no.2,2011
[27] Project Management Institute (PMI), “Organizational project management maturity model knowledge foundation(OPM3)”, Newtown Square, Pennsylvania USA,.2003
[28] T. Mettler, and P. Rohner. “Situational Maturity Models as Instrumental Artifacts for Organizational Design ”, In Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology, Bew York, 2009.
[29] M. F. Saleh, “Information Security Maturity Model”, International Journal of Computer Science and Security (IJCSS), Vol.5, Issue 3, pp: 316-337, 2011.
[30] K. Judev and J. Thomas, “Project management maturity models: The milver bullets of competitive advantage?”, Project Management Journal, vol. 33, 2002.
[31] G. Klimko, “Knowledge management and maturity models: Building common understanding” ,Proc. of the 2nd European Conference on Knowledge Management, 2001.
[32] ]S. Woodhouse,“An isms (Im) - maturity capability model,” in IEEE 8th International Conference on Computer and Information Technology Workshops, July, 2008.
[33] C.S.Leem, S. Kim, and H.J.Lee, “Assessment methodology on maturity level of isms,” Knowledge-Based Intelligent Information and Engineering Systems, Pt 3, Proceedings, vol. 3683:Springer-Verlag Berlin, pp. 609 – 615, 2005..
[34] T K Gusti Ayu, I Made Sukarsa and I Putu Agung B, " Governance Audit of Application Procurement Using COBiT Framework", Journal of Theoretical and Applied Information Technology (JATIT)‖. Vol 59. No.2. pp 342 – 351,.2014,