Title:
Authors:
Abstract: When setting up and maintaining an information security management system, identifying risks and their treatment is a fundamental aspect. Because individual standards must align with the high-level structure of the ISO standards, a standard such as ISO/IEC 27001 does not prescribe a concrete risk analysis methodology. This leads to variations and adjustments in implementation within companies, resulting in non-conformities as well as inadequate implementation, which in turn introduces further risks. Another challenge is implementing the risk methodology within integrated management systems, which have differing goals and approaches. The purpose of this paper is to highlight the challenges in risk management when different methods are used to identify, measure, and treat risks from an asset or process perspective. Furthermore, risk analyses implemented in practice at interviewed companies are considered in order to analyze and evaluate concrete problems in adapting risk analysis methodologies to the requirements within those companies. The results of the research show what further risks can arise if the methodological approach or the treatment of risks is insufficient, and outline a simplified, structured and compliant approach to risk. DOI: http://dx.doi.org/10.51505/ijaemr.2025.1007