Statement of applicability as a key element of the GIS certification process in the light of cybersecurity standards

• Autorzy: Stanik Jerzy , Kiedrowicz Maciej

Identyfikatory

DOI

10.57599/gisoj.2022.2.2.79

• Języki publikacji: EN

Abstrakty

EN

The Statement of Applicability (SoA) is a mandatory document ISMS that you need to develop, prepare, and submit with your ISO 27001, and it is crucial in obtaining your ISO 27001 Risk Assessment and ISMS certification. According to ISO/IEC 27001, Information Security Management System is a collection of ‘that part of the general management system, based on the approach to business risk, to establish, implement, operate, monitor, review, maintain and improve information security. ISO/IEC 27001 specifies the requirements and implementation process for the Information Security Management System. However, implementing this standard without a good SoA document may prove impossible. The article presents a system model for the construction of SoA for ISMS and its certification following the ISO 27001 standard. This model aims to provide instruments for designing and generating an SoA document in relation to ISMS, covering all information processes in GIS. This model allows organizations to evaluate their current state of GIS information asset security implementation according to the best practices defined in ISO/IEC 27001. The proprietary model proposed in this article is assessed from a multi-stage perspective, which confirms that the proposed draft Statement of Use document makes a valuable and innovative contribution to information security management by considering the best practices in this field.

Słowa kluczowe

EN

spatial data; security; Statement of Applicability; SoA; risk; implementation process

PL

dane przestrzenne; bezpieczeństwo; Deklaracja Stosowalności; SoA; ryzyko; proces wdrażania

• Wydawca: SILGIS Association ; Croatian-Polish Scientific Network
• Czasopismo: GIS Odyssey Journal
• Rocznik: 2022
• Tom: Vol. 2, no. 2
• Strony: 79--92
• Opis fizyczny: Bibliogr. 16 poz.

Twórcy

autor

Stanik Jerzy

• Military University of Technology, Faculty of Cybernetics, Institute of Computer and Information Systems, Warsaw, Poland

• https://orcid.org/0000-0002-0162-2579

autor

Kiedrowicz Maciej

• Military University of Technology, Faculty of Cybernetics, Institute of Computer and Information Systems, Warsaw, Poland

• https://orcid.org/0000-0002-4389-0774

Bibliografia

• 1. Al-Mayahi, Mansoor P. (2008). ISO27001 gap analysis - case study.
• 2. Chi-Chun L., Wan-Jia C. (2012). A hybrid information security risk assessment procedure considers interdependences between controls. Expert Systems with Application. 39: 247-257.
• 3. Dubois E., Heymans P., Mayer, R. Matulevicius N. (2010). A Systematic Approach to Define the Domain of Information System Security Risk Management. Intentional Perspectives on Information Systems Engineering.
• 4. Goel S., Nussbaum B., (2021). Attribution Across Cyber Attack Types: Network Intrusions and Information Operations. IEEE Open Journal of the Communication Society. 2021, 2, 1082-1093. [CrossRef].
• 5. How to develop a Statement of Applicability according to ISO 27001:2017, March 2018, Edition 2.0. https://www.neupart.com/ [20.05.2022].
• 6. Miller H., Murphy R. (2009). Secure cyberspace: answering the call for intelligent action, IT Professional.
• 7. ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, 2013.
• 8. ISO Standard 27001 - Information security management systems - Requirements https://www.bsigroup.com/en-GB/iso-27001-information-security/BS-EN-ISO- IEC-27001-2017/ [20.05.2022].
• 9. ISO Standard 27002 - Information technology - Security techniques - Code of practice for information security controls, https://shop.bsigroup.com/ProductDetail/?pid=000000000030347481 [21.05.2022].
• 10. Payment Card Industry - Data Security Standard (PCI DSS), https://www.pcisecuritystandards.org/security_standards/index.php [21.05.2022].
• 11. SANS Institute - Twenty Critical Security Controls for Effective Cyber Defence http://www.sans.org/critical-security-controls/ [22.05.2022].
• 12. NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-53r4.pdf [22.05.2022].
• 13. The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001-benchmark http://www.digst.dk/Arkitektur-og-standarder/Styring-af-informationssikkerhed-efter-ISO-27001/~/media/Files/Arkitekturogstandarder/[23.05.2022]. InformationssikkerhedefterSO27001/ISO27001_Benchmark.ashx [23.05.2022].
• 14. Walkowski M., Biskup M., Szewczyk A., Oko J., Sujecki S. (2019). Container Based Analysis Tool for Vulnerability Prioritization in Cyber Security Systems. In: Proceedings of the 2019 21st International Conference on Transparent Optical Networks (ICTON), Angers, France, 9-13 July 2019; IEEE: Piscataway, NJ, USA. [CrossRef].
• 15. Tools and Software Solutions. https://www.itgovernance.co.uk/it-governance-tools [24.05.2022].
• 16. Tools and Software Solutions. https://advisera.com/27001academy/product-tour/[24.05.2022].

Uwagi

PL

Opracowanie rekordu ze środków MEiN, umowa nr SONP/SP/546092/2022 w ramach programu "Społeczna odpowiedzialność nauki" - moduł: Popularyzacja nauki i promocja sportu (2022-2023).