7 Discussion and Conclusion
In this paper, we have first analysed the specific needs of SMEs regarding an ISMS. We
then proposed a research method to tailor the ISO/IEC 27001 standard into a form
adapted to SMEs. The first two steps of this research method have already been
performed and the third step is currently in progress. Furthermore, the theoretical
validation that is part of the second step will be performed again after the experiments,
in order to improve the guide iteratively. The outcome of this research work is a guide
providing a more affordable, easier and faster way to implement an ISMS that still
covers the vast majority of ISO/IEC 27001 requirements. In this way, the research
project brings combined benefits to the Luxembourg market: it promotes information
security to SMEs through the guide, and it provides local IT consultants with a wider
range of methodological support.
Regarding the strengths of our approach, the systematic research method proposed in
Section 3 blends theoretical reviews and experiments. Furthermore, the experiments
are conducted not only by our own teams, but also by individuals encountering the guide
for the first time. We thus obtain objective feedback on our research work.
Moreover, the guide is convenient in many respects. By introducing management
systems from the very beginning and providing the knowledge required to understand
why and how an ISMS should be deployed, the guide gets a strong head start compared
to the raw ISO/IEC 27001 document. The presentation pattern, which lists both the
human and the documentary resources needed, eases understanding and speeds up the
deployment of an ISMS. Combined with the limited coverage of the standard, the guide
makes it possible to focus on the core elements of an ISMS implementation and
therefore increases overall efficiency.
However, each action taken to make the guide simpler is one step away from the
initial standard. The reduced scope certainly has a cost: requirements left out of the
guide are no longer covered, and an organisation following it alone cannot claim full
conformance to ISO/IEC 27001. Audits remain a good means of detecting such gaps
within an organisation and help to set milestones regarding the status of the ISMS.
Finally, one could wonder why an SME should implement such a guide instead of
directly targeting ISO/IEC 27001 certification. In answer to this, the guide is intended
to be part of a complete labelling framework for SMEs, supported by the Ministry of
Economy and Foreign Trade, and potentially of a national certification dedicated to
SMEs. The development of this framework is part of our future work.