The ISIT model - Guidance for realizing an organization's information security goals
The ISO standard ISO/IEC 17799/SS-627799-2 provides guidance for organizations
on realizing their information security goals. Despite this standard, studies
show flaws in how organizations handle information security; in particular,
flaws in overall view, knowledge, and clearly defined roles and responsibilities
have been observed.
The ISIT (Information Security Integrated Three level) model and its
guidelines, developed in this thesis, help organizations identify the required
processes and procedures as well as the logical process flow. The thesis is
based on theoretical studies and a case study within a multinational company.
The results of the case study show significant shortcomings in defining roles
and assigning responsibilities, but also in overall view and knowledge of the
processes and the process flow. The thesis develops a model to facilitate an
organization's adoption of the ISO standard and to help solve the identified
flaws. The ISIT model is based on the ISO standard, but expands the PDCA
(Plan-Do-Check-Act) model and integrates it with the controlling documents
related to information security management. The expansion of the PDCA model
gives a clearer flow in which all the processes related to a management system
are included. This provides clarity and a faster overall view of the
information security organization. The integration of the controlling documents
means that the processes can be divided into procedures at different levels of
the organization, which offers a possible solution to the definition of roles
and the assignment of responsibilities.
Guidelines on the identification of processes and roles cannot be found in the
ISO standard. The ISIT model should therefore be used as a complement to the
ISO standard, and it will help organizations reach their information security
goals.