Developing an Information Security Auditing Model Based on the ISO 27001 Standard (original title: ISO 27001 -standardiin perustuvan tietoturvan auditointimallin kehittäminen)


Bibliographic Details
Main Author: Salovaara, Sami
Other Authors: Faculty of Information Technology (Informaatioteknologian tiedekunta), Information Technology (Informaatioteknologia), University of Jyväskylä (Jyväskylän yliopisto)
Format: Master's thesis
Language: Finnish (fin)
Published: 2022
Subjects: ISO 27001, ISO 27002, auditing model (auditointimalli), information security, standards, auditing, cyber security
Online Access: https://jyx.jyu.fi/handle/123456789/84064
Description (translated from the Finnish abstract): Information security management systems are often at the centre of an organisation's information security. The best-known of the information security management system standards is ISO 27001. Creating, developing, maintaining and rolling out a management system requires continuous improvement and regular information security audits. The goal of this study was to create a comprehensive auditing model for carrying out reviews of the client's cloud-based information systems and information security processes. The result of the study was an auditing model with which the current state of the information security of the client's staff information system environment, and of its information security management system, could be determined against the requirements of the ISO 27001 standard. The information security auditing model that forms the artefact of the work is a toolkit developed to be generic, with which the planning, execution, reporting and improvement planning of audits can be carried out as system-independently as possible. The study is divided into three parts. The theory part covers the auditing of cloud services, the course of an audit and its implementation methods, the ISO 27001 and ISO 27002 standards, and information security management systems. In the practical part, an auditing model is created for the client. The auditing model, developed with iterative methods, is tested in practice by auditing the client's information systems. The auditing model goes through four development rounds; the fourth iteration is appended to the study. The final section draws together the observations and results that arose during the study in the form of conclusions. That chapter also discusses the successes and failures of the auditing model, possibilities for further development, and criticism of the research methods chosen for the work.

Abstract (English): Information security management systems, also known as ISMS, are often at the heart of the organization's information security. The most widely known of these ISMS standards is ISO 27001. The creation, development, maintenance, and implementation of an ISMS requires continuous improvement and regular security auditing. The goal of this thesis was to create a comprehensive model for cloud-based information system security auditing. The goal of this study was to create an auditing model which could be used to examine the present level of information security of the client's cloud-based information systems, as well as of its ISMS, compared to the requirements presented in the ISO 27001 standard. The resulting artefact of this study is a generic auditing model which can be used to plan, perform, report, and design the improvements. The study is divided into three parts. The first part focuses on the theory of auditing cloud-based services, the ISO 27001 and ISO 27002 standards, and information security management systems. The practical part focuses on the research and development of the previously mentioned auditing model. Using iterative methods, the auditing model is put to the test by auditing the client's information systems. The auditing model goes through four cycles of development. The auditing model is included as an annex to this study. The final part of the thesis is reserved for conclusions. The successes and failures are discussed, as well as future development ideas for the auditing model.
Advisors: Lehto, Martti; Dauchy, Elina; Lehikoinen, Jaakko
Accessioned: 2022-11-24 (submitted by Paivi Vuorio, paelvuor@jyu.fi); issued 2022
Extent: 65 (pages), application/pdf, full text
Type: Master's thesis (Pro gradu -tutkielma); OKM type G2
Faculty: Faculty of Information Technology, University of Jyväskylä; Department: Information Technology
Discipline: Cyber Security (Kyberturvallisuus), subject code 601
Subjects: ISO 27001, ISO 27002, auditing model (auditointimalli); YSO terms: information security, standards, auditing, cyber security
Contract research: collaborator and initiative "business", funding 0
URN: URN:NBN:fi:jyu-202211245337 (http://www.urn.fi/URN:NBN:fi:jyu-202211245337)
Rights: In Copyright (https://rightsstatements.org/page/InC/1.0/); access level: restrictedAccess
Access rights: The author has not given permission to make the work publicly available electronically. Therefore the material can be read only at the archival workstation at Jyväskylä University Library (https://kirjasto.jyu.fi/collections/archival-workstation).