A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A

Master's === Tamkang University === Executive Master's Program, Department of Information Management === 103 === In order to improve information security and personal data protection, business organizations have chosen to introduce ISO 27001 and BS 10012 management systems and other international standards. The introduction of these systems can be quite complicated, and...


Bibliographic Details
Main Authors: Pei-Ying Yang, 楊佩穎
Other Authors: Ming-Dar Hwang
Format: Others
Language: zh-TW
Published: 2015
Online Access: http://ndltd.ncl.edu.tw/handle/9smqxt
id ndltd-TW-103TKU05396033
record_format oai_dc
spelling ndltd-TW-103TKU053960332019-05-15T22:34:05Z http://ndltd.ncl.edu.tw/handle/9smqxt A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A Integrated risk assessment methodology for the international standards ISO 27001 and BS 10012 – A case study of government agency A Pei-Ying Yang 楊佩穎 Master's Tamkang University Executive Master's Program, Department of Information Management 103 In order to improve information security and personal data protection, business organizations have chosen to introduce ISO 27001 and BS 10012 management systems and other international standards. The introduction of these systems can be quite complicated, and risk assessment is one of the necessary items for establishing the management system. If two systems are introduced simultaneously, the risk assessment must be implemented twice, which will incur repeated costs. Therefore, this study investigated the integration of the risk assessment methods for ISO 27001 and BS 10012 based on the case study of government agency A, with the aim of reducing man-hour costs. With the requirements of relevant government laws and regulations and the risk management framework of CNS 27005 and CNS 31000 as the risk assessment architecture, this study made an inventory of the information assets and personal data files in the form of a flow process, and stipulated the aspects of impact and risk scenario conforming to the information assets and personal data files to serve as the factors for integrating the ISO 27001 and BS 10012 risk assessments. This study found that government agency A only had to implement one risk assessment after introducing the integrated risk assessment methodology, which saved about 29% of inventory and risk assessment man-hours and 33% of educational training man-hours, consequently decreasing the man-hour cost of the business organization. Ming-Dar Hwang 黃明達 2015 degree thesis ; thesis 64 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description Master's === Tamkang University === Executive Master's Program, Department of Information Management === 103 === In order to improve information security and personal data protection, business organizations have chosen to introduce ISO 27001 and BS 10012 management systems and other international standards. The introduction of these systems can be quite complicated, and risk assessment is one of the necessary items for establishing the management system. If two systems are introduced simultaneously, the risk assessment must be implemented twice, which will incur repeated costs. Therefore, this study investigated the integration of the risk assessment methods for ISO 27001 and BS 10012 based on the case study of government agency A, with the aim of reducing man-hour costs. With the requirements of relevant government laws and regulations and the risk management framework of CNS 27005 and CNS 31000 as the risk assessment architecture, this study made an inventory of the information assets and personal data files in the form of a flow process, and stipulated the aspects of impact and risk scenario conforming to the information assets and personal data files to serve as the factors for integrating the ISO 27001 and BS 10012 risk assessments. This study found that government agency A only had to implement one risk assessment after introducing the integrated risk assessment methodology, which saved about 29% of inventory and risk assessment man-hours and 33% of educational training man-hours, consequently decreasing the man-hour cost of the business organization.
author2 Ming-Dar Hwang
author_facet Ming-Dar Hwang
Pei-Ying Yang
楊佩穎
author Pei-Ying Yang
楊佩穎
spellingShingle Pei-Ying Yang
楊佩穎
A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A
author_sort Pei-Ying Yang
title A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A
title_short A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A
title_full A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A
title_fullStr A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A
title_full_unstemmed A study of Integrated risk assessment methodology of ISO 27001 and BS 10012 – A Case Study of government agency A
title_sort study of integrated risk assessment methodology of iso 27001 and bs 10012 – a case study of government agency a
publishDate 2015
url http://ndltd.ncl.edu.tw/handle/9smqxt
work_keys_str_mv AT peiyingyang astudyofintegratedriskassessmentmethodologyofiso27001andbs10012acasestudyofgovernmentagencya
AT yángpèiyǐng astudyofintegratedriskassessmentmethodologyofiso27001andbs10012acasestudyofgovernmentagencya
AT peiyingyang zhěnghéguójìbiāozhǔniso27001jíbs10012zhīfēngxiǎnpíngjiànfāngfǎlùnyǐzhèngfǔajīguānwèilì
AT yángpèiyǐng zhěnghéguójìbiāozhǔniso27001jíbs10012zhīfēngxiǎnpíngjiànfāngfǎlùnyǐzhèngfǔajīguānwèilì
AT peiyingyang studyofintegratedriskassessmentmethodologyofiso27001andbs10012acasestudyofgovernmentagencya
AT yángpèiyǐng studyofintegratedriskassessmentmethodologyofiso27001andbs10012acasestudyofgovernmentagencya
_version_ 1719131668740046848