Proposal of Delta ISMS Model – Enhancement to Company-wide Information Security Management Using Accident Database

Hiroshi Horikawa, Hisamichi Ohtani, Yuji Takahashi, Takehisa Kato, Fumihiko Magata, Yoshimi Teshigawara, Ryoichi Sasaki, Masakatsu Nishigaki

semanticscholar(2016)

Abstract
In this paper, we propose the “Delta ISMS model”, which strengthens company-wide information security management using an accident database. ISMS requires learning from information security incidents; however, in ISMS-certified organizations, information security accidents do not always diminish in number, because the improvements derived from that learning are ineffective. We recognize that insufficiently detailed learning procedures do not lead to appropriate improvements. Therefore, we consider detailing the learning procedures to be the solution for making appropriate improvements. Regarding the detailing of learning procedures, we show a series of such procedures: operation of an accident database, calculation of the annual loss expectation, periodic selection of countermeasures using a matrix of accidents and countermeasures, and provision of information to executives for deciding on countermeasure selection. We evaluate the validity of the proposed system through evaluation by the person in charge, comparison of monitoring by information security governance with the items processed by the Delta ISMS method, and consideration of the relation with digital forensics.