Elina Larsson; Michael Olin MCS-2004:17, pp. 43. TEK/avd. för interaktion och systemdesign, 2004.
The ISO standard ISO/IEC 17799/SS-627799-2 is a guidance for organizations to realize their information security goals. In spite of this standard, studies show flaws regarding information security in organizations. In particular flaws regarding overall view, knowledge and clear roles and responsibilities have been observed.
The ISIT (Information Security Integrated Three level) model and its guidelines, developed in this thesis, help organizations to identify the required processes and procedures as well as the logical process flow. The thesis is based on theoretical studies and a case study within a multinational company. The results of the case study show great lacks in defining roles and assigning responsibilities, but also in overall view and knowledge regarding processes and the process flow. The thesis develops a model to facilitate an organization’s initiation of the ISO standard and to help solving the identified flaws. The ISIT model is based on the ISO standard, but expands the PDCA model and integrates it with the controlling documents related to information security management. The expansion of the PDCA model gives a clearer flow, where all the processes related to a management system are included. This enables clarity and faster overall view regarding the information security organization. The integration of the controlling documents means that the processes can be divided into procedures at different levels of the organization. This provides a possible solution to the definition of roles and to the assignment of responsibilities.
Guidelines on the identification of processes and roles can not be found in the ISO standard. Therefor the ISIT model should be used as a complement to the ISO standard and will help organizations to reach their information security goals.