The development of quality management system based information security management (QISM) implementation model
Student thesis: Doctoral Thesis
Leakage of sensitive information from within a company can spell catastrophe for their business. This may not be attributed to the information system's technical vulnerabilities, but rather an insufficient awareness of management control. Some scholars have suggested integrating quality and security in an IT system as a preventive approach. In fact, success factors of executing ISO 9001, an international quality management system standard, are those that contribute the success of ISO 27001 and thus it is beneficial for a company which could put the core and compatible requirements of ISO 9001 into ISO 27001 (integration) in order to reduce the reducancy of management system requirements. ISO 9001 Quality Management System (QMS) standard is one of the most popular quality management systems in the world. Because of high familiarity of ISO system and the relevant system development and implementation experience, it encourages the implementation of ISO 27001 Information Security Management System (ISMS) on a ISO 9001 Quality Management System platform. Further, it could certainly enhance the success of integrating quality and security management systems, so as to enhance ISO 9001 certified companies to implement ISO 27001 ISMS. Based on the results obtained in the pilot studies that quality and IT professionals were selected for interviewing and survey, it indicated a positive effect when the QMS based Information Security Management is adopted to facilitate the implementation of ISO 27001 in Hong Kong. However, academic justification on Information Security, Risk Assessment on ISMS, integration of QMS and ISMS, were not discussed popularly. Hence, this research topic is believed to be unique and original. There are two major innovation points: i) The QMS based Information Security Management (QISM) model and its implementation roadmap are developed to enhance the implementation of the ISO 27001 for ISO 9001 certified companies. ii) An effective risk assessment tool for information security is developed for QISM implementation. The research aims to develop a QMS based Information Security Management (QISM) model and its implementation roadmap and guidelines, with reference to ISO 9001 & ISO 27001, to assist ISO 9001 certified companies to implement ISO 27001, with validation of its use in a real-life case. Firstly, it develops a QMS based Information Security Management (QISM) model. Based on the QISM model, it further develops a Risk Assessment Methodology (named Information Security FMEA Circle). A QISM Implementation Roadmap is then formulated for enhancing the successful implementation, and a case study is employed to validate the developed model and the implementation roadmap. Development of the QISM model is divided into 4 steps. Firstly, core elements from ISO 9001 QMS model are extracted. Secondly, those elements are combined into the ISO 27001 ISMS model. Thirdly, security element model is reviewed and then conceptual security model framework is developed. The last step is to establish the QISM model by considering all elements. As a result, 5 major sets of ISMS controls, namely "Policy", "Organization Structure", "Process & Procedure", "Hardware" and Software", are included in the QISM model. An effective risk management system is an essential tool in ISO 27001 ISMS. After reviewing different risk management models including AS/NZS 4360:1999, Institute of Risk Management (2002), ISO/IEC 27005:2008, BS 31100:2008 and ISO 31000:2009, two common and key components are defined and they are the PDCA framework and four key stages required in a risk management process. Most of the existing risk assessment tools are qualitative or descriptive, and a quantitative tool called Failure Mode and Effect Analysis (FMEA) is selected for this research. An Information Security FMEA (Info-Secure FMEA) Circle is developed to support the risk management framework by modifying traditional FMEA methodologies and combining it with PDCA based risk assessment process. After that, the QISM Implementation Roadmap with 24- step guideline is formulated to facilitate the implementation of QISM which is adopted through the Awareness-Preparation-Implementation phases. Lastly, a case study on implementation of the QISM model in the IC Design Centre (ICDC) and IP Servicing Centre (IPSC) at Hong Kong Science and Technology Parks Corporation (HKSTP) is used for the model validation. The research project concludes that the integration of the core and compatible requirements of ISO 9001 QMS and ISO 27001 ISMS is to facilitate the adoption of ISO 27001 in ISO 9001 certified companies. With the Info-Secure FMEA circle, as well as the stepwise roadmap, the effectiveness of executing the QISM model in ICDC and IPSC is enhanced in which the system development cycle time and implementation barriers are reduced. It is because the QMS culture in the organization and IT security awareness has already been developed. Therefore, the new security practices could be implemented successfully. However, there are only a few companies which are certified in ISO 27001, compared with the number certified ISO 9001. The developed model could facilitate the ISO 9001 certified companies to integrate ISO 27001 ISMS in Hong Kong. In future studies, the number of case studies should be increased to demonstrate the feasibility of the model. Besides, the specificity of the existing risk assessment methodology could be improved for information security management.
- Management, Management information systems, Quality control, ISO 9001 Standard