A model to assess the maturity level of the Risk Management process in information security

2 Author(s)
Janice Mayer (Universidade do Vale do Rio dos Sinos - UNISINOS, São Leopoldo, Brazil); Leonardo Lemes Fagundes

The risk management (RM) process comprises the coordinated activities that direct and control an organization with regard to risk. In information security these activities are context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review. Organizations should implement RM in a consistent, systematic manner in order to comply with applicable laws, standards and regulations, and to meet the mandatory requirements for certification of an information security management system. However, in the context of information security, no model was found in the literature for assessing the maturity level of an RM process. To address this gap, this study describes the structure of a model for assessing the maturity level of the RM process in information security. The model consists of a set of best practices, fully aligned with ISO/IEC 27005, and comprises: (1) three stages; (2) five maturity levels; (3) forty-three control objectives; (4) a control map; (5) an instrument for assessing the maturity level of each activity of the RM process; (6) an accountability matrix for each activity of the process; and (7) a risk scorecard.

Published in:

Integrated Network Management-Workshops, 2009. IM '09. IFIP/IEEE International Symposium on

Date of Conference:

1-5 June 2009