A Pattern-based Method for Establishing a Cloud-specific Information Security Management System Establishing Information Security Management Systems for Clouds Considering Security, Privacy, and Legal Compliance

Assembling an Information Security Management System (ISMS) according to the ISO 27001 standard is difficult, because the standard provides only very sparse support for system development and documentation. Assembling an ISMS consists of several difficult tasks, e.g., asset identification, threat and risk analysis and security reasoning. Moreover, the standard demands consideration of laws and regulations, as well as privacy concerns. These demands present multi-disciplinary challenges for security engineers. Cloud computing provides scalable IT resources and the challenges of establishment an ISMS increases, because of the significant number of stakeholders and technologies involved and the distribution of clouds among many countries. Kristian Beckers University of Duisburg-Essen, paluno The Ruhr Institute for Software Technology Oststrasse 99, 47057 Duisburg, Germany E-mail: [email protected] Isabelle Côté ITESYS Institute for technical Systems GmbH Emil-Figge-Str. 76, 44227 Dortmund, Germany E-mail: [email protected] Stephan Faßbender University of Duisburg-Essen, paluno The Ruhr Institute for Software Technology Oststrasse 99, 47057 Duisburg, Germany E-mail: [email protected] Maritta Heisel University of Duisburg-Essen, paluno The Ruhr Institute for Software Technology Oststrasse 99, 47057 Duisburg, Germany E-mail: [email protected] Stefan Hofbauer Amadeus Data Processing GmbH Network Integration Services Department Berghamer Straße 6, 85435 Erding, Germany E-mail: [email protected] We analysed the ISO 27001 demands for these multidisciplinary challenges and for cloud computing systems. Based on these insights, we provide a method that relies upon existing requirements engineering methods and patterns for several security tasks, e.g., context descriptions, threat analysis and policy definition. These can ease the effort of establishing an ISMS and can produce the necessary documentation for an ISO 27001 compliant ISMS. We illustrate our approach using the example of an online bank.