Information Security Systems vs. Critical Information Infrastructure Protection Systems – Similarities and Differences

Andrzej Białas
Institute of Control Systems, 41-506 Chorzów, Długa 1-3, Poland
abialas@iss.pl

Abstract

The paper concerns similarities and differences between the information security management systems (ISMS) and the critical information infrastructure protection systems (CIIP), in order to predict the extent of adaptation work needed so that the ISMS could be used in CIIP. The discussion deals with different aspects of both types of systems: standardization, models used, security or protection objectives considered, architecture, management frameworks and tools. The paper tries to answer the question of how to use the older and more mature information security methodology, its standards, experiences and achievements to build and maintain CIIP systems, which still remain a challenge today.

1. Introduction

The paper deals with differences and similarities between the information security approach existing in today’s organizations and the critical information infrastructure protection approach. Effective functioning of today’s societies is based on critical infrastructures (CI), i.e. large-scale infrastructures whose degradation, disruption or destruction would have a serious impact on the health, safety, security or well-being of citizens or on the effective functioning of governments and/or the economy, e.g. the energy, oil, gas, finance, and health sectors [1]. All CIs widely use information and communication technologies (ICT) and depend strongly on them. Information processes supported by ICT that are critical infrastructures in themselves, or critical for the operation of other critical infrastructures, are called critical information infrastructures (CII). Their protection is a new challenge for today’s societies, whose functioning is based on information. It also has an international dimension.
Programs and activities of infrastructure owners, manufacturers, users, operators, R&D institutions, governments, and regulatory authorities, which aim at keeping the performance of CIIs in case of failures, attacks or accidents and at minimizing the recovery time and damage, are understood as critical information infrastructure protection (CIIP). Due to CII complexity, heterogeneity, multidimensional interdependencies, and significant risks related to natural disasters and catastrophes, technical disasters and failures, espionage, international crime, physical and cyber terrorism, etc., these infrastructures require a new, holistic approach to their protection, considering not only information security methods and techniques but also the achievements of the safety domain. They also need co-operation at the international level. Improving the dependability and survivability of CII is the key challenge.

Information security within organizations is ensured by establishing and maintaining effective information security management systems, integrating a well-balanced set of different safeguards selected on a risk basis. The most representative example of such systems is the Information Security Management System (ISMS), defined in the BS7799-2:2002 [2] standard as ”the part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security” within the