Information Security Fortification by Ontological Mapping of the ISO/IEC 27001 Standard

Stefan Fenz, Gernot Goluch, Andreas Ekelhart, Bernhard Riedl
Secure Business Austria
Favoritenstrasse 16, 1040 Vienna, Austria
{sfenz, ggoluch, aekelhart, briedl}@securityresearch.at

Edgar Weippl
Vienna University of Technology
Favoritenstrasse 9-11, 1040 Vienna, Austria
weippl@ifs.tuwien.ac.at

Abstract

This paper introduces an ontology-based framework to improve the preparation of ISO/IEC 27001 audits and, in doing so, to strengthen the security state of the company. Building on extensive previous work on security ontologies, we elaborate on how ISO/IEC 27001 artifacts can be integrated into this ontology. A basic introduction to security ontologies is given first. Specific examples show how certain ISO/IEC 27001 requirements are to be integrated into the ontology; moreover, our rule-based engine is used to query the knowledge base to check whether specific security requirements are fulfilled. The aim of this paper is to explain how security ontologies can be used for a tool to support the ISO/IEC 27001 certification, providing pivotal information for the preparation of audits and the creation and maintenance of security guidelines and policies.

1. Introduction

Nowadays companies increasingly rely on IT, which makes IT security a very important field for guaranteeing business continuity. Driven by laws such as Basel II [1] and the Sarbanes-Oxley Act [13], IT security is no longer considered a costly responsibility that generates no additional business benefits for the organization; management is compelled to pay more attention to securing an appropriate and certified IT security approach. Additionally, the majority of companies currently depend on collaboration with other firms (suppliers, subcontractors, etc.). Accordingly, certification of one's IT security approach assures collaborating companies a certain level of reliability and trust.
Corporations certify their ISMS (Information Security Management System) [12] following international standards in order to increase their equity. However, certification costs time and money, leading to a situation in which it is mostly large corporations that perform certification. Small and medium-sized enterprises, in particular, can rarely bear the costs of a full certification procedure. Of the large enterprises in the U.K., 28 percent carried out such certification initiatives, in terms of BS7799 [2], ISO/IEC 17799 [9] and ISO/IEC 27001 [10], while the average for all companies is only 7 percent [12].

Thus, we propose an ontological mapping of the ISO/IEC 27001 standard to increase the degree of automation within the certification process, lowering the financial costs and time required for the certification procedure. In combination with our Security Ontology approach [4], we aim at an automatic partial audit preparation by extracting IT infrastructure knowledge from an established Security Ontology. Besides the automation, the ontological mapping of the ISO/IEC 27001 standard provides a foundation for an electronic tool, supporting the actual certification process by providing a central platform for all participating actors. Furthermore, we introduce the generic OntoWorks framework to access, visualize, and reason on ontological databases and provide an overview of its usage for the ISO/IEC 27001 Ontology and the Security Ontology (the corresponding ontology files are available at securityontology.securityresearch.at).

2. Previous Work

Recent projects related to the Common Criteria (CC) for Information Technology Security Evaluation carried out with our partner companies revealed the need for an automation of the certification process.
In a nutshell, the Common Criteria for Information Technology Security Evaluation provides comprehensive guidelines for the evaluation and certification of IT security regarding data security and data privacy. Our experiences re-

13th IEEE International Symposium on Pacific Rim Dependable Computing
0-7695-3054-0/07 $25.00 © 2007 IEEE
DOI 10.1109/PRDC.2007.29
381