
ISO27000 Framework Based Ontology Construction And Its Application On System Evaluation

Posted on: 2018-12-29 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Q Pu | Full Text: PDF
GTID: 2428330596989266 | Subject: Electronics and Communications Engineering
Abstract/Summary:
With the trend of digitalizing everything in enterprises these days, enterprises are confronted with more security risks than ever before. Security policies based on holistic frameworks have drawn more attention in recent days. As one of the most important globally recognized security frameworks, ISO27000 is also informative and most frequently used. The writers of the ISO 27000 framework intentionally made it abstract and ambiguous so that it could apply to enterprises of various structures. This is also the reason why a deep and mature understanding of ISO27001 is hard to come by. The verification process of ISO27001 depends largely on experts, so it involves subjectivity. Ontology, however, with its ability to abstract the common knowledge of a certain domain and its capability to elaborate specific knowledge, is a reasonable solution for bridging the abstract nature of ISO27001 and the detailed knowledge of an enterprise information system.

In this article we aim to perform a compliance check between the specific status of an enterprise and ISO27001 with the help of an ontology and its reasoning module. We first used the ontology as a tool to map the structure of the documents in the ISO27001 framework, which provides a further understanding of the document structures required by ISO27001. Then we tried to construct an ontology that could map every information-security-related detail of enterprise systems, and came up with a solution to obtain the compliance status between ISO27K and the enterprise via the ontology. To achieve this, we first set several top classes of the ontology through document analysis, and also extended properties in description logic, which can only represent a relationship between two entities, into richer representation methods. Then we worked on the way of mapping enterprise facts into the ontology, finally arrived at the method of obtaining the compliance between the enterprise and the ISO27001 standard controls, and tried the method on an instance system for ontological mapping and compliance check.
Keywords/Search Tags: ontology, ISO27001, mapping, compliance