Approach of Determining Process Maturity in Information Security Management Systems
Author(s): Michael Matthias Naumann, Fabian Pitz, Georg Sven Lampe, Stelian Mircea Olaru
Subject(s): Economy, Accounting - Business Administration
Published by: EDITURA ASE
Keywords: process maturity level; information security management system; maturity level assessment;
Summary/Abstract: For companies, being compliant in their business processes and identifying and minimising possible risks is an essential task today. Thus, considering the process maturity of companies' management systems is an important approach to see immediately the status of processes as well as of implemented requirements. By leveraging maturity levels, numbers and metrics provide a quick view of the overall condition and can be used to derive both measures and compliance with requirements. When looking at an information security management system (ISMS), there is a lack of a general process view and of an evaluation based on it, and thus also of a holistic view beyond the detailed requirements and hard facts. The intention of this paper is to look at the status of existing, industry-specific maturity approaches for information security management systems and to analyse the possibilities for adaptation. Furthermore, based on this evaluation, a maturity model for the ISMS is proposed to provide companies with key figures over time regarding minimum requirements and certification conformity. A mapping to standards such as CMMI for the classification of the maturity level, and the consideration of similar solutions and implementations, will also be included. The paper is intended to show the possibility of using a concept that enables the calculation of a percentage maturity level for representing the level of information security in the company and making the resulting information security risks visible. The results of this research show that the proposed approach to a unified method will help to report the maturity of information security management system processes, in combination with conformity and security risk, to decision makers in companies.
Journal: Proceedings of the ... international conference on economics and social sciences.
- Issue Year: 6/2024
- Issue No: 1
- Page Range: 221-230
- Page Count: 10
- Language: English