Auditing Information Security Management Systems – Towards a Practical Method

This paper describes a research project related to the Swedish pilot certification scheme for information security management systems, based on the British Standard BS7799. Empirical data is gathered from several organisations seeking certification according to SS627799, which is a Swedish translation of BS7799. The project is focused on problems related to the assessment of information security controls. A software prototype for gapanalysis was developed, and refined through input from information security experts and software developers. The result is a tool called SBA Check 3.0, which is marketed by the Swedish Computer Society. In this doctoral research project, the tool is put forward as a tentative hypothesis, and it is contrasted with solutions and problems identified in the literature as well as from the studied organisations. This first paper presents the overall research problem and design.