A Framework for Inter-Organizational Comparisons of Information Security Capabilities

Authors:

  • Helena Granlund
  • Kristoffer Lundholm
  • Jonas Hallberg
  • Margaretha Eriksson

Publish date: 2011-06-20

Report number: FOI-R--3186--SE

Pages: 26

Written in: English

Keywords:

  • Information security
  • Metric
  • Information security management systems (ISMS)
  • ISO/IEC 27001
  • ISO/IEC 27004

Abstract

The ability to evaluate the information security capabilities of organizations is vital for the adequacy of the associated risk decisions. Swedish government agencies are expected to address information security in accordance with the established standards for Information Security Management Systems (ISMS), such as ISO/IEC 27001 and ISO/IEC 27004. The framework presented in this report supports this effort by providing means to evaluate the maturity of the information security metrics program that is expected to be part of the ISMS. Applying the framework provides illustrations of the maturity of the metrics program, as well as the overall results of the implemented information security metrics. These results can be used for comparisons between organizations and as the basis for discussions and exchange of knowledge related to ISMS and information security metrics programs. We foresee that applying the framework among Swedish government agencies will support their intra- and inter-organizational learning as well as the strategic management of the ISMS. Moreover, the ability of regulatory authorities to evaluate the ISMSs of agencies will benefit from the potentially increased transparency.