Paper: a study on the certification of the information security management systems



Paper: a study on the certification of the information

security management systems

Andrew Ren-Wei Fung


, Kwo-Jean Farn


*, Abe C. Lin

c a

Institute of Information Management, National Chiao-Tung University, 1001 Ta Hsueh Road, Hsinchu 300, Taiwan, ROC


Internet Security Solutions International Co., Taiwan, ROC


DCGS for Communications, Electronics and Information(J-6), Ministry of National Defense, Taiwan, ROC Received 7 October 2002; received in revised form 16 January 2003; accepted 20 January 2003


Current reliable strategies for information security are all chosen using incomplete information. With standards, problems

resulting from incomplete information can be reduced, since with standards, we can decrease the choices and simplify the

process for reliable supply and demand decision making. This paper is to study the certification of information security

management systems based on specifications promulgated by the Bureau of Standards, Metrology and Inspection (BSMI),

Ministry of Economic Affairs in accordance with international standards and their related organizations. And we suggest a

certification requirement concept for five different levels of ‘‘Information and Communication Security Protection System’’ in

our country, the Republic of China, Taiwan.

D 2003 Elsevier Science B.V. All rights reserved.

Keywords: Certification; Conformity Assessment Procedure; Information security management system; Standard; Trust

1. Foreword

The Executive Yuan of Republic of China (R.O.C.)

is the highest administration unit in the country. The

Chief of the Executive Yuan is like a premier in

France. In May 2001, the president of R.O.C. ordered

a study on ‘‘National Information and Communication

Infrastructure Security Mechanism Plan.’’ In August,

the president commanded that the National Security

Council should make a proposal on ‘‘The

Establish-ment of the National Plan for Protecting and Assuring

the Critical Information and Communication

Infra-structure,’’ and submitted to the Executive Yuan for

further tasks in order that in information and

commu-nication network resources can be fully used in an

obstacle-free and secure environment by year 2008.

On February 5, 2001, the Executive Yuan of R.O.C

sent out the ‘‘Plan for establishing the construction of

basic information and communications security

mech-anisms in Taiwan’’ to each of its subordinate

author-ities, requesting active cooperation


, thus officially

turning a new leaf in the development of information

security in Taiwan.

In recent years, several countries (e.g., the USA,

the UK, China, and others) have invested great efforts

in the construction of basic information security

[2 –

0920-5489/03/$ - see front matterD 2003 Elsevier Science B.V. All rights reserved. doi:10.1016/S0920-5489(03)00014-X

* Corresponding author. Tel.: 5712301; fax: +886-03-5723792.

E-mail addresses:, (K.-J. Farn).



, and have added to the impact on Taiwanese society

by the nationwide power outage on July 29, 1999 and

the great earthquake on September 21, 1999. Hence,

the competent authorities in the spring of 1999 began

to realize the importance of security of basic

commu-nication and information construction, and as a result,

they designed ‘‘Security mechanisms in Taiwan’s

basic communication and information construction.’’

Due to the fact that Taiwan’s current communication

and information security measures are restricted by

their limited nature and lack of overall protection,

detection and restorative abilities, the National

Infor-mation Infrastructure Work Group, in an attempt to

efficiently meet the President’s instructions, reviewed

the related plans, and after careful studies, called the

first ‘‘National Information and Communication

Security Meeting’’ on January 31, 2001, trying to

complete the ‘‘Plan for Establishing the Construction

of Basic Information and Communications Security

Mechanisms in Taiwan’’ in 4 years



Before the aforementioned plan was officially

accepted by the Executive Yuan, the number of

people mobilized, the aspects involved and the depth

of interactions with the society were unprecedented

in the field of information security in Taiwan. And

this may have far-reaching effects on the direction

which the information security technologies will take

in the future. According to the plan, the prime

minister and the vice prime minister shall be the

convener and the deputy convener, respectively, of

the ‘‘National Information and Communication

Se-curity Meeting,’’ and the convener of the ‘‘National

Information and Communication Initiative’’ (NICI)

shall be its executive director. The meeting shall set

up seven work groups: an integrated operations work

group, a danger report work group, a technical

support center, an internet crime work group, an

information gathering work group, an audit service

work group and a standard specification work group

responsible for initiating different aspects of the

construction of basic national communications and

information security. Among these work groups, the

Ministry of Economic Affairs takes the main

respon-sibility over the standard specification work group,

with the assistance of the Executive Yuan’s Research,

Development and Evaluation Commission, the

Min-istry of National Defense, the MinMin-istry of

Trans-portation and Communication and the Ministry of

Finance. The main responsibilities are described in

the following:

1. Setting standards for information and

communica-tion security technologies.

2. Setting standards for various institutions for

handling information and communication security


3. Planning the installation of monitoring technology

for information and communication security.

4. Planning and installing the methods of certification

of information and communication security.

5. Installing the procedure of the information and

communication security.

To achieve the targets of the aforementioned plan,

the BSMI has followed the criteria in Annex 1 – 3 to

the Agreement of Technical Barriers to Trade in the

Uruguay round of multilateral trade negotiations:

1. Formulating in the standards for Evaluation criteria

for IT security (ISO/IEC 15408), Code of practice

for information security management (ISO/IEC

17799), and Software Process Assessment (ISO/

IEC TR 15504).

2. Developing protection profiles of different

prod-ucts in the ISO/IEC 15408 series of standards (e.g.,

access control, cryptography, issue and

manage-ment of Public Key Certificates) and the

installa-tion of their common monitoring techniques.

Table 1

Ten CISSP information systems security test domains are covered in the examination pertaining to the common body of knowledge[8]

Item Knowledge domain

1 Security management practices 2 Access control systems 3 Telecommunications and network security 4 Cryptography 5 Security architecture and models 6 Operations security 7 Applications and systems


8 Business continuity planning and disaster

recovery planning

9 Law, investigations, and ethics 10 Physical security


3. Making BS7799-2 (Information Security

Manage-ment Part 2: Specification for Information Security

Management Systems) a national standard, and

installing a certification system for Taiwan’s

communication and information security

manage-ment systems.

4. Installing procedures for communication and

information security management systems

accred-itation and product certification and accredaccred-itation

as well as laboratory accreditation in compliance

with the requirements in ISO/IEC Guide 62, ISO/

IEC Guide 65 and ISO/IEC 17025.

The BSMI is in the process of promoting all the

related tasks. This study briefly analyses the

differ-ences and similarities among certification of

informa-tion security management systems, quality

manage-ment systems and environmanage-mental managemanage-ment systems

in Sections 2 and 3 propose a concept for fundamental

certification standards according to various the risk

Table 2

Brief history of information security management accreditation Item Year Event

1 1990 The organization for information, computer and communications policies under the Organization for Economic Cooperation and Development (OECD) starts drafting ‘‘Guidelines for the security of information systems.’’ 2 1992 OECD officially passed the ‘‘Guidelines for

the security of information systems on November 11, 1992.

3 1993 The British Department of Trade and Industry promulgated ‘‘A Code of Practice for Information Security Management.’’ 4 1995 The UK specified the first part of the British

Standard ‘‘A Code of Practice for Information Security Management’’ (BS 7799), and submitted it to the International Organization for Standardization (ISO) to become ISO DIS 14980.

5 1996 The review of the submission of the first part of BS 7799 to ISO was completed on February 24, 1996, and the result was that it was not qualified as an ISO standard. 6 1997 (a) On March 27, 1993, OECD

announced ‘‘Guidelines for Cryptography Policy.’’

(b) The UK officially began to implement a pioneering plan for information security management accreditation. 7 1998 (a) The UK announced part two of

BS 7799 ‘‘Specification for information security management systems’’ as well as the basis for information security management accreditation.

(b) In October 1995 the European Union announced the ‘‘Data Protection Directive’’, to take effect on October 10, 1998, demanding the protection of personal data through an Adequacy Standard. 8 1999 An amended version of BS 7799

was submitted to ISO for review. 9 2000 The first part of the amended

version of the BS 7799 passed the ISO review process on December 1, 2000, to become the international

standard ISO/IEC 17799. Part 2 did not pass the review process and will be amended according to the principles of Corporate Governance.

Table 2 (continued) Item Year Event

10 2001 (a) On September 11 and 12, 2001, OECD in Tokyo asked the establishment of information security standards for each specific industry, in addition to the original ISO/IEC 17799 basic standards. A task force was formed to work out the information security guideline.

(b) The UK announced BS7799-2: 2002 Draft in November 2001, publicly soliciting opinions, asking user organizations to submit their opinions prior to March 31, 2002 for integration. The amended version of BS7799-2 is set to be announced in June, 2002. 11 2002 (a) On July 25, 2002, OECD published

‘‘OECD Guidelines for the Security

of Information Systems and Networks—Towards a Culture of Security.’’ Replacing the old version of November 26th, 1992.

(b) On September 5, 2002, BS 7799-2:2002 version was also revised according to the aforementioned guide.

12 2003 Information security management certification is likely to become official ISO standard 17799.

Apart from the Australia, Brazil, Czech Republic, Canada, Denmark, Germany, Iceland, India, Ireland, Japan, Korea, Malaysia, the Netherlands, New Zealand, Norway, Poland, Singapore, South Africa, Sweden, Switzerland, Taiwan, UAE, the UK have currently agreed to adopt BS 7799.


classification in Taiwanese certification preparatory

work. Section 4 describes the conclusion.

2. The brief introduction of related information

security management specifications

The work to establish international approval

proce-dures for information security management

accredita-tion in the digital society can be traced back to

November 1988. How should the Common Body of

Knowledge (CBK) of the specialized personnel

work-ing with information security be accredited? An

organ-ization specialized in the accreditation of information

security personnel, the International Information

Sys-tem Security Certification Consortium (ISC)



established in Salisbury, England. To be approved by

the (ISC)


, one requires tests of 10 major CBK

categories as in

Table 1

(taking normally 6 h to answer

250 multiple-choice questions). Correct answers to

70% of the questions in combination with a minimum

of 3 years working experience with information

secur-ity related matters are needed to qualify as a Certified

Information Systems Security Professional (CISSP).

CISSP certification is not issued on a permanent basis,

but the test must be taken once every 3 years, and only

after passing the test will the person get a renewed

certificate. The Canadian Information Processing

Soci-ety (CIPS), the Computer Security Institute (CSI), and

the Information Systems Security Association (ISSA)

all recognize CISSP certification. Apart from (ISC)



SANS and other organizations also have their series of

accreditation tests for specialized information security

techniques (e.g., UNIX Security, Intrusion Detection

Systems). Apart from the certification of specialized

information security personnel, the work to set the

international standards for the specifications for the

management of information systems security is in




Table 2

gives a brief history of its

development, and

Table 3

gives an outline of its

contents as submitted to ISO after amendments.

The ideas behind and the structure of the

specifi-cations for information security management

certifi-cation are the same as for ISO 14001, as shown in

Fig. 1

. Systematized security concepts such as main

requirements, goal management, risk prevention, law

obedience, and continuous improvement are

imple-mented according to a Plan – Do – Check – Action (P –

D – C – A) cycle as shown in

Fig. 2

. Since risk

appraisal includes all organizations and all

depart-ments, areas, staff and activities, the rationality and

conformity of the appraisal is still a topic for research


. Compared to ISO 14001, it is more difficult.

Fig. 3

is a graphic explanation of the information security

management risk appraisal process. The risk

manage-ment procedure in this figure-risk analysis aimed at risk

extent definition and risk recognition and estimation,

risk evaluation to decide project risk tolerability

poli-cies and responses and risk minimization and control

when setting project policies—are based on

implemen-tation and audit.

Fig. 4

is a schematic explanation of the

Table 3

The outline of amendments to BS7799 contents[6]

Item Control element Amendment contents 1 Security policy Enhance review and evaluation

session 2 Organizational


(a) Enhance security of third-party access session

(b) Increase outsourcing session 3 Asset classification

and control

Enhance information labeling and handling session

4 Personnel Security Enhance learning form incidents session

5 Physical and environment security

(a) Emphasizing office and personnel security issues (b) Reducing the number of special

requirements in a computer center

6 Computer and network management

(a) Add details to the security of open system

(b) Add publicly available systems session

(c) Giving a new name ‘‘Communications and Operations Management’’ 7 Access control (a) Enhance monitoring system


(b) Add mobile computing and tele-working

8 System development and maintenance

(a) Add cryptographic controls session

(b) Add security in development and support processes session 9 Business continuity


Add details to impact analysis and writing continuity plans 10 Compliance (a) Enhancing compliance with

legal requirements

(b) Add regulation of cryptographic controls and collection of evidence sessions


Fig. 1. Systematized security concepts.


Fig. 3. Risk analysis and risk assessment flow chart and explanation.

Fig. 4. Schematic explanation of communication and information security management risk appraisal. This diagram is cited and revised from Bsi BS7799 ‘‘Lead Auditor Course.’’


risk management process


. Under normal

cir-cumstances, the risk created by a security incident is the

monetary and production loss brought to each piece of

information and assets by all threats through all weak

points, and the totality of all kinds of risk to the

organizational embarrassment. We use ISO/IEC TR

13335 methodology


to establish the risk

manage-ment classification.

The four threats in

Fig. 3

are in BS7799 abbreviated

to threats C, I and A, as shown in

Table 4

, and the

British Standards Institution (BSI) further integrates

the compliance requirements described in the

follow-ing designated L. as described in detail in

Table 5

. The

use of the C, I, A and L threat categories will allow a

more efficient choice of control targets and response

policies for the Information Security Management

System (ISMS).

Threat: information security related to any

opera-tional function, process or activity can be threatened in

many ways. The banking industry has already defined

four specific threats, which, if they occur, will weaken

trust or completeness of operational functions, products

or services or disturb operational sustainability.

The following table provides explanations for each

of these four threats:

Vulnerability: ‘‘vulnerability’’ refers to the ways by

which a threat occurs.

The following table explains these vulnerabilities:

Table 4

Information security characteristics

1. Confidentiality (C): Guarantees that the data only can be accessed by authorized personnel.

2. Integrity (I): Safeguarding of the accuracy and completeness of data and data processing methods.

3. Availability (A): Guarantees that data can be accessed through authorized personnel and used when needed.

Table 5

BS7799 integrates the compliance requirements[6,7]

(1) Compliance with legal requirements (ISO/IEC 17799: 2000(E), 12.1):

Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

(2) Reviews of security policy and technical compliance (ISO/IEC 17799: 2000(E), 12.2):

Objective: To ensure compliance of systems with organizational security policies and standards.

(3) System audit considerations (ISO/IEC 17799: 2000(E), 12.3): Objective: To maximize the effectiveness of and to minimize

interference to/from the system audit process.

Threat Explanation Unauthorized changes to,

leaking or corruption of information

This threat is made up of intentional or non-intentional release of information and intentional additions, changes or corruptions to information by the staff accessing or not accessing information processes in its normal dispensation of duties. Changes to,

or corruption of information due to carelessness

This threat is made up of loss, addition, change or corruption of information due to carelessness, oversight or unintentional action. The possibility of this threat occurring arises out of human action or non-action, hardware, software or communication failure and natural disasters. Non-delivery

or improper delivery of information

This threat is made up of information being unintentionally deleted or improperly delivered due to paper or digital formats. This includes hardware, software and communication failure and natural disasters.

Denial of service or retrogression

This threat is made up of insufficient usability as a result of unplanned short-term or long-term retrogression occurring in the overall workflow or in part of the workflow.

Vulnerability Explanation

Personnel This vulnerability is attributed to the staff, manufacturers and hired personnel. When not understanding or obeying the department operational procedure and control. Equipment and


This vulnerability is caused by the practical security of the work area and equipment, and the access to work area and equipment.


Risk categories: there are three main risks that must

be considered during risk appraisal.

The following table explains these risk categories:

3. Information security management system

certification and accreditation mechanisms

Owing to the speed with which quality and

envi-ronmental management certification has developed in

Taiwan, quality or certification is not standardized.

This could easily have a negative impact on trades,

and the Ministry of Economic Affairs on March 5,

1997, set and issued BCIQ order 86350708

‘‘Imple-mentation Rules for the Chinese Quality Management

and Environmental Management Accreditation

Sys-tem,’’ and on March 26 of the same year, it set and

issued BCIQ order 86260244 ‘‘Points for the

Estab-lishment of the Chinese National Accreditation

Board.’’ On July 30, 1998, the Chinese National

Accreditation Board (CNAB) began accepting

appli-cations for accreditation from relevant certification

organizations and organizations training inspection

personnel. Based on the definition in the Article 4 in

the above-mentioned implementation rules:

1. Accreditation: The authority in charge issues an

official written recognition that the certification or

training organization is capable of implementing

the regulated work processes or activities.

2. Certification: The certification organization issues

a written guarantee that the inspectors, products,

procedures or services comply with the procedures

or activities specified in the regulations.

In response to the needs for certification of

profes-sional safety and health, fire security equipment and

information security management systems, the

Minis-try of Economic Affairs on March 3, 2001, set and

issued MOE (90) Accreditation 0900460122

‘‘Imple-mentation Regulation for Chinese National

Accredita-tion Scheme.’’ Apart from the original quality and

environmental management, regular certification

organizations (e.g., organizations for the certification

of information security management systems) and the

accreditation of product certification and inspection

organizations are all the responsibility of the CNAB.

On March 2, 2001, MOE (90) Accreditation document

no. 09003504120 was issued, announcing the

amend-ment of the ‘‘Points for the Establishamend-ment of the

Chinese National Accreditation Board.’’ In other

words, as

Fig. 5

shows, the agreement on technical

trade barriers in the General Agreement on Tariff and

Vulnerability Explanation

Applications This vulnerability is caused by a company’s procedures for the processing of information. Application involves the handling of input and output.

Communications This vulnerability occurs during the electronic transfer of information between two stations. Environment

software and operating system

This vulnerability occurs in the operating system and sub-systems at the location where the application software was developed and is used.

Risk categories Explanation

Loss of funds Loss of funds is defined as the loss of valuable objects or increased costs or expenses. The category business function risk will increase with the increased risk of fund losses or potential value Example Valuable objects – money – bonds – capital transfers Increased costs: – bond issue – theft

– negative legal decision, etc. Loss of

production capacity

When the staff is unable to continue carrying out its duties or when duties must be repeated, loss of production capacity will occur. When business functions can no longer be used, or when results are incorrect, work will be interrupted or repeated. Organizational


This risk category considers the impact on public trustworthiness confidentiality, accuracy and consistency must also be considered.


Trade (GATT) demands that each country, considering

safety, health, environment and consumer protection

factors, set technical laws or standards, and proves that

related products conform to the Conformity

Assess-ment Procedure (CAP) of these technical laws or

standards and that they do not create any unnecessary

barriers to international trades. Due to the lack of

integrity and secure reliability of information,

e-com-merce and e-governments turning to

digitization/Inter-net will never become active, and the virtual world will

never go beyond cultural recreations and advertising

framework. Services for the accreditation, certification

Fig. 5. The information security assessment explanation.


and inspection of information security mechanisms

establishing an international digitized/Internet society

has been directed by the CNAB since March 2, 2002.

According to BSMI plans, ISMS accreditation and

certification as shown in

Fig. 6

, is set to begin in March


There will be different security demands on

infor-mation systems due to different working conditions,

e.g., the Federal Deposit Insurance Corporation’s

(FDIC) Division of Supervision (DOS) proposed a

set of Electronic Banking Safety and Soundness

Examination Procedures (S&S Exam.) aimed at

differ-ences in the characters of Internet banking services

provided by financial institutions and the extent of

risks faced, clearly dividing them into three different

levels as shown in

Table 6 [13]

. Based on the

manage-ment concepts shown in

Table 7 [14]

, ‘‘Maturity of

Information Risk Management’’ and ‘‘Risk Category

Table 6

U.S. Federal Deposit Insurance (FDIC) Division of Supervision (DOS) proposed a set of Electronic Banking Safety and Soundness Examination Procedures[13]

Level Electronic banking functional explanation 1 Information-only systems

2 Electronic information transfer systems 3 Fully transactional information systems

Table 7

Maturity of information risk management[14]

Maturity level Description

0 Non-existent: management processes are not applied at all

(a) No risk assessment of processes or business decisions. The organization does not consider the business impact associated with security vulnerabilities. Risk management has not been identified as relevant to IT solutions and services;

(b) The organization does not recognize the need for IT security. Responsibilities and accountabilities for security are not assigned. Measures supporting the management of IT security are not implemented. There is no IT security reporting or response process for IT security breaches. No recognizable security administration processes exist; (c) No understanding of the risks, vulnerabilities and threats to IT operations or service continuity by management. 1 Initial/Ad-Hoc: processes are ad-hoc and disorganized

(a) The organization consider IT risks in an ad hoc manner, without following defined processes or policies. Informal project based risk assessment is used;

(b) The organization recognizes the need for IT security, but security awareness depends on the individual. IT security is reactive and not measured. IT security breaches invoke ‘finger pointing’ responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable;

(c) Responsibilities for continuous service are informal, with limited authority. Management is becoming aware of the risks related to and the need for continuous service.

2 Repeatable but intuitive: processes follow a regular pattern

(a) There is an emerging understanding that IT risks are important and need to be considered. Some approach to risk assessment exists, but the process is still immature and developing;

(b) Responsibilities and accountabilities for IT security are assigned to an IT security coordinator with no management authority. Security awareness is fragmented and limited. Security information is generated, but is not analyzed. Security tends to respond reactively to incidents and by adopting third-party offerings, without addressing the specific needs of the organization. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete or misleading;

(c) Responsibility for continuous service is assigned. Fragmented approach to continuous service. Reporting on system availability is incomplete and does not take business impact into account.

3 Defined process: processes are documented and communicated

(a) An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff;

(b) Security awareness exists and is promoted by management through formalized briefings. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT focused, rather than business focused. Ad hoc intrusion testing is performed;

(c) Management communicates consistently the need for continuous service. High-availability components and system redundancy are being applied piecemeal. An inventory of critical systems and components is rigorously maintained.


Management’’ and referring to the regulations in other



, we categorize our ISMS

certifica-tion into five categories as shown in

Table 8

, where

category 3 and above connects to the certification of

the international BS7799-2. Category 4 is designed to

take different industry demands into consideration.

Table 7 (continued)

Maturity level Description

4 Managed and measurable: processes are monitored and measured

(a) The assessment of risk is a standard procedure and exceptions would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios;

(b) Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings, user identification, authentication and authorization have become mandatory and

standardized. Intrusion testing is standardized and leads to improvements. Cost/benefit analysis, is increasingly used. Security processes are coordinated with the overall organization security function and reporting is linked to business objectives;

(c) Responsibilities and standards for continuous service are enforced. System redundancy practices, including use of high-availability components, are being consistently deployed.

5 Optimized-best practices are followed and automated

(a) Risk assessment has developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed;

(b) IT security is a joint responsibility of business and IT management and integrated with corporate business objectives. Security requirements are clearly defined, optimized and included in a verified security plan. Functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly

addressed with formalized incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analyzed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and proactive identification of risk is the basis for continuous improvements. Security processes and technologies integrated organization wide;

(c) Continuous service plans and business continuity plans are integrated, aligned and routinely maintained. Buy-in for continuous service needs is secured from vendors and major suppliers.

Table 8

The classification of certification in the ISMS

Categories Requirements for certification

1 (a) Compliance with legal requirements (BS 7799-2: 1999, 4.10.1). (b) Security policy (BS 7799-2: 1999, 4.1).

(c) Asset classification and control (BS 7799-2: 1999, 4.3). (d) Protection against malicious software (BS 7799-2: 1999, 4.6.3). (e) Security in development and support processes (BS 7799-2: 1999, 4.8.5). 2 (a) Requirements for Categories 1.

(b) Compliance (BS 7799-2: 1999, 4.10). (c) Organizational security (BS 7799-2: 1999, 4.2). (d) User training (BS 7799-2: 1999, 4.4.2).

(e) Responding to security incidents and malfunctions (BS 7799-2: 1999, 4.4.3). (f) Business continuity management (BS 7799-2: 1999, 4.9).

3 Requirements for BS 7799-2:2002 Annex A.

4 Requirements for BS 7799-2:2002 Annex A as well as requirements for different industries as shown inFig. 8. 5 Requirements for TQM (Total quality management, included BS 7799-2).


Category 5, apart from the requirements in BS7799-2,

also has to consider the integrity of information

security management systems and quality and

envi-ronmental management systems. On the other hand,

category 3 or above should apply the market and

insurance mechanisms shown in

Fig. 7


Table 9

and reinforce the shortcomings of ISO/IEC 17799

shown in

Fig. 8


Fig. 9

shows a reference flowchart

Fig. 7. Example of the application of risk analysis in the market and insurance mechanisms.

Table 9

The application of information security in the market and insurance mechanisms[16]

Provider Policy Min. Coverage premium Notes limits Source Cigna property and casualty Secure systems insurance $25,000 $25,000,000 Requires security assessment by approved vendor Mello (1998) ICSA (International Computer Security Association)

TruSecure $20,000 $250,000 Requires ICSA security review

Attrino (1998), Weise (1998) J&H March NetSecure $5,000 $200,000,000 Requires E-business

security assessment Lloyds CIDSI (Computer

Information and Data Security Insurance)

$10,000 $50,000,000 Policy has Information Risk Group (IRG) as a required element Koehn (1998) Reliance national/NRMS InsureTRUST $10,000,000 Requires NRMS (Network Risk Mgt Services of Atlanta) review Weise (1998) Zurich Financial Services Group

E-risk protection program $4,000 $25,000,000 Requires IBM security certification

O’D. Moore (1999) This figure covers the cost of the security review.


Fig. 9. Selection methods for ISMS protection[12].


of the decision procedure for the choice of

informa-tion security management preventive measures



4. Conclusion

The main goal of international standardization is to

create a trade environment providing each of the

fol-lowing functions to promote the exchange of products.

1. Product quality and reliability and price


2. Guaranteeing the user’s security and promoting the

recycling of resources.

3. Goods, technology and service interoperability and

mutual sequential continuity.

4. Simplification to reduce molding for a greater

production capacity to reduce cost.

5. Simplification in order to diminish the frequency of

modeling in the hope of expanding production

scope and lower cost.

6. Improving the convenience of repair and

main-tenance and distribution efficiency.

In 1906, the beginnings of electrical technology

started and in October 4, 1946, an international

meet-ing was held in London, England, to promote

interna-tional unification and adjustment of industrial

standards officially and to establish the International

Organization for Standardization (ISO). ISO began

operating on February 23, 1947. October 14 is

there-fore also known as World Standards Day



The so-called standards are unified regulations and

simplified necessary timely conditions that provide a

way of measuring objects, functions, installations,

states, actions, control procedures, user instructions,

work procedures, responsibilities and duties, concepts

of power, and so on, based on fair, just, and

conven-ient opinions. These specifications are the technical

specifications in these standards that are directly or

indirectly related to the quality of products or services.

Normally, specifications or standards often pose

dif-ferent demands because of difdif-ferent types of


Tables 7 and 8

offer schematic explanations.

The standards for implementing P – D – C – A cycle in

ISMS, as shown in

Table 10


The certification standards are proposed in the third

section of this paper regarding the ability of Taiwan’s

information security management systems (levels 1 –

5) to meet the international systems (levels 3 – 5)

demands on functional standards for certification

specifications for relevant information technology on

different types of organizations still need to be further




Global civilization experienced great changes in

the 1990s. Quality, environmental, safety and health

management gradually moved towards conformity

and standardization, and related international

stand-ards also affected the economic development in many

nations, as well as their organizational management

and operations. The best evidence of this is the

abidance by the ISO 9000 series of standards for

quality management and the ISO 14000 series of

standards for environmental management.

Interna-tional standards for information security management

issued in the last month of the 20th Century have

become a guide for the construction of a reliable

information environment. If appropriately used, this

will not only improve the security of information

systems, but it will also help shape a culture of quality.


We would like to express our appreciation to the

reviewers for their suggestions and comments. Their

input have greatly upgraded our paper.

Table 10

The international ISMS standards in risk management cycle Risk management level Requirements for risk level Cycle Categories Plan ISO/IEC TR 13335 Do 1 ISO/IEC 17799 2 ISO/IEC 17799 3 ISO/IEC 17799 4 ISO/IEC 17799 plus industry-related standards (e.g., Health informatics—Public Key Infrastructure (PKI) must comply with ISO/TS 17090, too) 5 The integration of ISO/IEC 17799,

industry-related standards,

ISO 9000, and ISO 14000 into ISMS Check BS 7799-2:2002



[1] The Executive Yuan of Republic of China (R.O.C.), February 5, 2001 (90) MOE document no. 007431 (2001).

[2] The White House, National Plan for Information Systems Protection Version 1.0 (2000) 101 – 102.

[3] F.B. Schneider, Trust in Cyberspace, National Academic Press, New York, U.S.A., 1999.

[4] A. Rathmell, Protecting critical information infrastructures, Computers and Security 20 (2001) 43 – 52.

[5] National Information Infrastructure Group (NII), the Execu-tive Yuan of R.O.C., The first meeting of the National infor-mation and communication security meeting (meeting data). National Information Infrastructure Group, Executive Yuan, (2001).

[6] ISO (International Organization for Standardization)/IEC (In-ternational Electro-technical Commission), Information Tech-nology—Code of Practice for Information Security Manage-ment. ISO/IEC 17799. 2000 (E), ISO, (2000).

[7] BSI (British Standards Institution), Information Security agement—Part 2: Specification for Information Security Man-agement Systems. BS7799-2:1999; Information Security Management Systems - Specification with guidance for use. BS7799-2:2002, BSi (2002), September, London.

[8] R.L. Krutz, R.D. Vines, The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, Wiley, Washington, D.C., U.S.A., 2001.

[9] Bureau of Standards, Metrology and Inspection, MOE, col-lected papers from the APEC-SBS Seminar, September 22, 2001, Taipei City, Bureau of Standards, Metrology and In-spection, Ministry of Economic Affairs (2001).

[10] IEC, Dependability Management—Part 3: Application Guide-Section 9: Risk Analysis of Technology Systems. IEC 300-3-9, 1995, IEC (1995).

[11] ISO, Banking, Securities and Other Financial Services—Infor-mation Security Guidelines. ISO TR 13569: 1997(E), ISO (1997).

[12] ISO, Information Technology—Guidelines for the Manage-ment of IT Security, Parts 1 – 5. ISO/IEC TR 13335 (All Parts), ISO (2001).

[13] U.S. Federal Deposit Insurance Corporation, Division of Supervision. Electronic Banking: Safety and Soundness Ex-amination Procedures (1998).

[14] P. Williams, Information security governance, Information Se-curity Technical Report 6 (3) (2001) 60 – 70.

[15] B. Solms, R. Solms, Incremental information security certifi-cation, Computers and Security 20 (4) (2001) 308 – 310. [16] R.C. Reid, S.A. Floyd, Extending the risk analysis model to

include market-insurance, Computers and Security 20 (4) (2001) 331 – 339.

[17] OECD Workshop, OECD Workshop Information Security in a Network World, 12 – 13, September 2001, Tokyo, Japan. [18] C. Shu-The, A study into the internationalization of national

standards. Bureau of Standards, Metrology and Inspection, Ministry of Economic Affairs, 1990.

[19] ISO, Health informaticsUPublic Key Infrastructure Part 1 – 3, ISO/TS 17090 (All Parts), ISO, 2002.

Andrew Ren-Wei Fung received his BBA and MS degrees in Information agement from the National Defense Man-agement College, Taiwan, in 1987 and 1995, respectively. He is currently a PhD candidate at the Institute of Information Management, National Chiao Tung Uni-versity (NCTU), Hsinchu, Taiwan. His re-search interests include Information Security and Parallel Computing.

Kwo-Jean Farn is director of the R&D Department at Taiwan Internet Security Solutions, Co. and a part-time associate professor at the National Chiao Tung Uni-versity (NCTU) in Taiwan. He received his PhD degree in 1982. His extensive experience includes a 20-year career in Information Technology and a 10-year career in Information Security. He served as chair of the Implementation Critical Information Infrastructure Protection Proj-ect at Computer and Communications Research Laboratories/Indus-trial Technology Research Institute (CCL/ITRI) in Taiwan from 1999 to September 2000. He has worked at ITRI for more than 18 years until the summer of 2001. He holds eight patents in the area of Information Security.

Lieutenant General Abe C. Lin was appointed as Deputy Chief of General Staff for Communications, Electronics and Information (J-6) of the MND on March 1, 2002. J-6 directs and oversees the policy of C4ISR, Electronic and Infor-mation Warfare, Communications, and Information security of the Republic of China on Taiwan. In the year 2000, the Government of Taiwan appointed Gen. Lin to the post of Deputy executive Sec-retary of the National Information and Communications Initiatives (NICI) of the Government of Taiwan. In an additional capacity, Gen. Lin has been facilitating the establishment of a national-level network security infrastructure. General Lin, who graduated from Taiwan Air Force Academy in 1970, earned his Master’s Degree in Business Administration from the National Taiwan University of Science and Technology, and his Master’s Degree in Electrical Engineering from the University of Illinois. He has also published numerous papers and dissertations to express his ideas. These papers have received strategic attention from the Government of Taiwan and the academia.


Table 2 (continued) Item Year Event

Table 2

(continued) Item Year Event p.3
Fig. 1 . Systematized security concepts such as main
Fig. 1 . Systematized security concepts such as main p.4
Fig. 2. The risk management model.
Fig. 2. The risk management model. p.5
Fig. 1. Systematized security concepts.
Fig. 1. Systematized security concepts. p.5
Fig. 3. Risk analysis and risk assessment flow chart and explanation.
Fig. 3. Risk analysis and risk assessment flow chart and explanation. p.6
Fig. 4. Schematic explanation of communication and information security management risk appraisal
Fig. 4. Schematic explanation of communication and information security management risk appraisal p.6
Fig. 5. The information security assessment explanation.
Fig. 5. The information security assessment explanation. p.9
Fig. 6. Requirement for ISMS accreditation and certification (BS7799-2).
Fig. 6. Requirement for ISMS accreditation and certification (BS7799-2). p.9
Fig. 7. Example of the application of risk analysis in the market and insurance mechanisms.
Fig. 7. Example of the application of risk analysis in the market and insurance mechanisms. p.12
Fig. 8. The use of ISO/IEC 17799 in various industry information security management standards [17] .
Fig. 8. The use of ISO/IEC 17799 in various industry information security management standards [17] . p.13
Fig. 9. Selection methods for ISMS protection [12] .
Fig. 9. Selection methods for ISMS protection [12] . p.13