2024 Volume 32 Pages 667-677
Three Management System Standards (MSS) published by the International Organization for Standardization (ISO) apply to organizations that provide IT services: the MSS for information security, service management, and business continuity (collectively, 3MSS). Operating the 3MSS without integrating their shared processes, including Risk Assessment (RA), can lead to duplicated processes and inconsistent assessment results. Although ISO provides examples of how MSS requirements can be integrated, it gives no specifics on how to integrate RA, which is a core element of every MSS, and prior studies on MSS integration have not proposed a method for doing so. Here, we devise and present a method for integrating RA across the 3MSS, called the Integrated Risk Assessment Method for Three Management System Standards (IRA-3MSS). The Business Impact Analysis (BIA) required by the Business Continuity Management System (BCMS) establishes the priorities of the IT services to be maintained. IRA-3MSS feeds those priorities as parameters into a single integrated RA method that serves both the Information Security Management System (ISMS) and the Service Management System (SMS). A case study showed that IRA-3MSS avoids duplicating the RA processes of the 3MSS. Because IRA-3MSS also unifies the calculation of risk levels for assets and IT services through an established formula, the assessment results were consistent across the three systems. These results demonstrate the effectiveness of IRA-3MSS and offer a new perspective for studies of MSS integration.