Aligning Two Specifications for Controlling Information Security

Nykänen, Riku; Kärkkäinen, Tommi


INTRODUCTION
Assuring information security is a necessity in modern organizations. Viewpoints on information security management (ISM) vary as to 'what' should be done (ISO/IEC 27000 and COBIT; IT management), 'how' it should be done (ITIL; service management), and 'who' should do it (SFIA; competence management), see (Armstrong 2013). These recommendations are used to define a baseline of information security requirements, ensuring that an organization has implemented the selected practices. Some of the recommendations give organizations the possibility to request certification, which is granted if the implemented practices fulfill the audit criteria.
The widely adopted ISO/IEC 27001 prescribes a process for an information security management system (ISMS), whereas guidance for implementing security controls is given in ISO/IEC 27002. Together they comprise minimum criteria for controls and their objectives, and also provide non-normative guidance for control implementation. The Finnish National Security Auditing Criteria (KATAKRI) has been developed by the national authorities in Finland to verify the maturity of information security practices in an organization. The approach of KATAKRI differs from that of the ISO/IEC 27000 standards. As national security auditing criteria, KATAKRI defines both the security control objectives and the specific security controls that meet each objective, and implementing those controls is mandatory. ISO/IEC 27001, by contrast, defines only the control objectives and leaves the selection and implementation of controls to the organization itself. The value of ISO/IEC 27001 therefore always depends on the completeness of the risk assessment and on the selection of valid security controls. KATAKRI, on the other hand, may force an organization to implement controls that are not feasible from a risk management or benefit-cost point of view.
KATAKRI is of interest beyond the national audience because of its structure. It has been written in the form of an audit questionnaire, which makes it a tool that can be used to check the security baseline of an organization. As information security is a process that protects information and the information infrastructure from unauthorized access, a baseline must be defined and evaluated. The ISO/IEC 27001 and 27002 specifications are not usable as audit tools in themselves, and hence a number of spreadsheets and special-purpose applications have been created, from different viewpoints, for use in audits. At the topic level, KATAKRI could also be used as an ISO/IEC 27001 audit tool, but this requires a detailed analysis and alignment of the correspondences between the two specifications.
In our work, we study the differences between the security control objectives and actual controls of ISO/IEC 27001 and the requirements of KATAKRI, in order to analyze the completeness and mutual coverage of the two. The comparison also takes into account the ISO/IEC 27002 security control implementation guidelines, creating links between them and the security requirements in KATAKRI. More precisely, our analysis of KATAKRI and ISO/IEC 27002 focuses on both the shared security aspects and the actual differences, to see the potential gaps in each, especially in the relatively new KATAKRI. The two specifications are broadly similar in terminology and high-level structure, but whereas ISO/IEC 27002 focuses on the existence of security controls that meet the security objectives, KATAKRI defines different levels of requirements that must be fulfilled. Fomin et al. (2008), Yeniman Yildirim et al. (2011), and Siponen (2006) all criticize information security management standards for focusing on the security process rather than on how well activities are carried out or how objectives are achieved. To cope with these hindrances to information security management systems, we created an explicit alignment between the process-oriented standard and the (normal) operative-mode assessment in an organization.
The contents of the paper are as follows. After the introduction, Section 2 provides background information on the two specifications and introduces the comparative approach in general. Section 3 compares the certification and accreditation processes of the two specifications. Section 4 performs a structural comparison and alignment of the two specifications, providing a common terminology and a high-level comparison of their contents. Section 5 presents more detailed comparison results, including the intersection and complements of the specifications. Related work is presented in Section 6. Finally, Section 7 provides conclusions and a discussion of the results and points out further research needs.

KATAKRI: Finnish National Security Auditing Criteria
Another approach of interest for managing corporate security is the Finnish national security auditing criteria, KATAKRI. It is published by the Ministry of Defence, but the Confederation of Finnish Industries, the Finnish Communications Regulatory Authority, the Ministry of Foreign Affairs, and the Ministry of the Interior have also participated in preparing the criteria. The initial version of KATAKRI was published in 2009 and the updated second version in 2011.
The first goal of the national security auditing criteria is to harmonize official measures for assessing an organization's security level. The second defined goal is "to support companies and other organizations as well as authorities with their service providers and subcontractors to work on their own internal security". Therefore, the documentation also contains unofficial recommendations that help users apply useful security practices (KATAKRI, 2011). KATAKRI defines requirements at three different security levels: the base level (IV), the increased level (III), and the high level (II). The levels correspond to the international security classifications restricted, confidential, and secret, respectively. KATAKRI does not contain requirements for the highest security level (I), internationally known as top secret. The audit requirements vary according to the classification of the information to be handled. Where the base level focuses on assessing the foundation of security management and the implemented security controls, the high level includes requirements to minimize the security risks.

Comparing Standards and Models
Comparing standards or methodologies may reveal several hindrances. One is the lack of a widely adopted common ontology containing definitions of the basic concepts and their relationships. This goes beyond the common terminology provided in the previous section. Ramanauskaite et al. (2013) have identified that the major information security management standards use only partially comparable security ontologies. Hence, even though standards and methodologies should lead to a harmonized ontology definition, no single widely adopted ontology definition exists. Pardo et al. (2011) emphasize that a comparison can, using the relationships between the models, find out how different the compared models are. Pardo et al. state that "in the model comparison the need to know the level of equality and proportion between the things being compared should take the priority". One part of a comparison is terminology analysis. Pardo et al. (2011) divide terminology analysis into two subtypes, syntactic analysis and semantic analysis. Our study uses only semantic analysis, as the contents of the compared documents are written in natural language and the comparison therefore inevitably requires qualitative analysis.
Multiple models can have various types of connections between them. Pardo et al. (2011) have identified four operations: union, intersection, difference, and complement. The intersection contains the elements common to all the models, and the union combines the contents of all of them. The difference comprises the elements that the compared models do not have in common. The complement is the set of elements that one of the compared models contains but the other does not. In this study, we focus on the intersection and the complements of the two specifications under consideration.

Certification and Audit Terminology
To be able to compare the certification and audit processes, we need a common terminology. Table 1 presents the key terminology for the audit and certification concepts common to the two specifications. As KATAKRI does not contain terminology definitions, the concepts are derived from the relevant ISO/IEC standards, ISO/IEC 17000 (2004)

Process Stakeholders
ISO, as a standardization organization, does not itself certify against the standards it develops. Nor does it accredit the certification bodies; these are accredited by the national accreditation bodies. An organization aiming for ISO/IEC 27001 certification can select any certification body holding national accreditation to perform the actual certification process.
KATAKRI is used by a number of public authorities in Finland, such as the Finnish Defence Forces, to audit their suppliers. The authorities use their own or third-party auditors to perform the audits. The first aim of KATAKRI is to provide harmonized security requirements shared by all the authorities (KATAKRI, 2011). KATAKRI also recommends that organizations use it to self-

Process Comparison
The ISO/IEC 27001 certification process requirements, as for other ISO management system standards, are defined in ISO/IEC 17021:2011, "Conformity assessment - Requirements for bodies providing audit and certification of management systems". The standard is prepared by the ISO Committee on conformity assessment (CASCO), which is responsible for developing International Standards and Guides in the field of conformity assessment. The certification process defined by ISO/IEC 17021 is started by the organization seeking certification, which submits an application to a certification body. The certification body reviews the application, determines the competences required of the audit team, and makes the final certification decision. The certification audit itself is carried out in two stages. The Stage 1 audit focuses on the management system and its documentation. The Stage 2 audit evaluates the implementation of the management system by comparing audit evidence to the audit criteria. Nonconformities found in the audits are communicated to the client organization, which shall provide corrective actions. The results of both audit stages and the corrective actions are evaluated to determine whether the certificate can be granted.
Once an organization has obtained certification, surveillance audits are performed at least annually to evaluate its capability to maintain a level of operation that fulfils the certification requirements. Surveillance audits are partial and do not cover the complete management system. A recertification audit, covering the complete information security management system as a whole, is performed every three years. When the organization has maintained the required level of operation, the certification is renewed.
Figure 1. ISO/IEC 17021 certification process

KATAKRI, on the other hand, does not enforce any specific way of carrying out the certification process, but the KATAKRI (2011) document describes an example process for certification. The example process is shown in Figure 2.

The KATAKRI certification process is initiated by recognizing the need for an audit. Once the need is recognized, the required security classification level is defined. As KATAKRI supports multiple security classification levels, the audit criteria depend on the selected level. In the first phase, the security situation is assessed to build an overall picture of the security level. Next, the auditors review the security documentation and optionally give feedback on fatal deficiencies. These last two activities correspond to the Stage 1 audit of ISO/IEC 17021.

After the documentation review, the actual onsite audit is performed, similarly to the Stage 2 audit of ISO/IEC 17021. The audit results are documented in an audit report. If fatal deficiencies are found, they are reported and a re-audit is performed after corrective actions. When an audit is completed successfully, certification can be granted, depending on the accreditation level of the auditor. KATAKRI is used, for example, to grant a Facility Security Clearance, which can be required for participation in international tenders.
Even though the certification processes of ISO/IEC 27001 and KATAKRI differ, they consist of the same components. The key parts of both processes are the documentation review and the onsite audit of the actual implementation of the information security management system. Both processes depend on the results of these audits, and the corrective actions taken to overcome any deficiencies are verified in additional audits. The ISO/IEC 17021 process also covers maintaining the certification, whereas the KATAKRI example process ends at initial certification.

Towards Common Terminology
In order to compare the structures of the two specifications, a common overall terminology for the security standard domain would be useful, as stated, e.g., by Beckers et al. (2014). KATAKRI does not contain terminology definitions, but it contains in total 90 references to the ISO/IEC 27000 standards, more than to any other international standard. Hence, in those sections the KATAKRI terminology can be verified to be comparable to the ISO/IEC 27000 terminology. In the ISO standards, however, the terminology definitions are distributed over a number of referenced standards.
We summarize the security management terminology based on three ISO standards (ISO 55000:2014, ISO/IEC 27000:2014, ISO Guide 73:2009) in Table 2.

ISO/IEC 27002 is divided into security clauses. Besides "one introductory clause introducing risk assessment and treatment", these clauses contain a number of security categories. Each security category contains one control objective and one or more controls (see Table 3). The security controls in a security category can be applied to achieve the control objective. Each control is accompanied by implementation guidance, which gives instructions for implementing the control so as to meet the control objective. The definition of the implementation guidance also states that the guidance may not be suitable for all organizations and that other implementation options may be more appropriate. Each control also carries other information, such as references to other standards or legislation.

Structural Comparison
KATAKRI is organized as a requirements compliance questionnaire. It has four major sections, called divisions, which are further divided into subdivisions. Each subdivision contains a number of questions, so the requirements are defined in the form of questions. Each question carries a tripartite classification of requirements corresponding to the security levels (the base level/IV, the increased level/III, and the high level/II).
For KATAKRI, the organization to be certified selects the security level it pursues. Based on that selection, every requirement defined for the selected security level must be complied with in each question assessing it. In addition to the three security levels, there is addi-

Where KATAKRI requirements are mostly ones that can be answered yes or no, an ISO/IEC 27001 auditor has to evaluate whether the identified set of security controls is comprehensive and implemented according to the qualitative requirements of the security controls.
ISO/IEC 27002 and KATAKRI both share the same approach of grouping security concepts first at a high level and then at a secondary level. In ISO/IEC 27002, the highest level of grouping is the division into security clauses. KATAKRI, in turn, is divided into four divisions, which are further divided into subdivisions. ISO/IEC 27002 states that the security clauses are not in any specific order with respect to the prioritization of the clauses or controls. In KATAKRI, prioritization is implemented by dividing the security controls according to the pursued security level; hence, the KATAKRI divisions and subdivisions do not express prioritization either. A UML class diagram of the structures of both documents is presented in Figure 3. The structure of ISO/IEC 27002 is the same in both versions of the standard, and the standard defines its terms and their relationships. KATAKRI, on the other hand, contains no ontology definition at all, so we identified the basic structures of the KATAKRI document ourselves.
Even though ISO/IEC 27002 and KATAKRI share the same high-level approach to grouping security concepts, their actual structures differ significantly at the lower levels. ISO/IEC 27002 defines a control objective, which shall be achieved by implementing the defined controls. KATAKRI, on the other hand, has a question that is answered in order to fulfill the requirements of the corresponding security level. Hence, a KATAKRI question and an ISO/IEC 27002 control objective both set a goal, which is achieved by implementing the defined controls or requirements.
ISO/IEC 27002 contains implementation guidance for each control it defines. The control can be implemented as specified in the implementation guidance, or the organization can select an approach that suits its needs and characteristics (ISO/IEC 27002:2013). KATAKRI does not contain implementation guidance but provides additional information such as references to standards, legislation, and security guides.

Identified Relationships
We analyzed all requirements of KATAKRI and identified the matching definitions in ISO/IEC 27002:2005. In addition, we counted the number of references from KATAKRI to ISO/IEC 27002:2005. As KATAKRI also defines requirements for risk management, we included the risk management requirements of ISO/IEC 27001:2005 in the analysis.
In general, the results reveal that KATAKRI had in total 432 connections to ISO/IEC

Implications of the Different Structures
An information security management system based on ISO/IEC 27001 and 27002 is always a risk-evaluation-driven approach. Even though a number of controls are defined in the ISO/IEC 27002 specification, implementing a control is always a matter of evaluating its suitability and appropriateness for the organization. Structurally, the ISO/IEC 27002 implementation guidance helps to implement a proper control, but this still requires expertise from the user. Lack of competence has been identified as one of the key obstacles to adopting an ISMS by Yeniman et al. (2011), and especially in small and medium-sized enterprises by . Weiss (2008) identifies two open questions when evaluating security controls for an organization: first, how effective are the organization's current security controls, and second, how efficient is the investment in the security controls? A security baseline analysis answers the first question, but the second can only be answered properly by organization-specific risk assessment and analysis.
KATAKRI, in comparison to ISO/IEC 27002, provides more exact security requirements to be fulfilled and leaves the organization fewer options for determining the appropriate way to implement the security controls. The KATAKRI approach may lead to a situation where the requirements force an organization to implement security controls that are not feasible or have a low benefit-cost ratio. Although the KATAKRI requirements are more structured and specific, this does not mean that they can be implemented or evaluated with less expertise than the ISO/IEC 27002 security controls.

OPERATIONAL ALIGNMENT
We have divided the more specific results into four groups. First, we present the intersection of the two specifications, which consists of the security controls that exist in both documents. Then, we present the complements of ISO/IEC 27002 and of KATAKRI, which disclose the differences between the documents. More precisely, Section 5.2 contains the security topics that are covered by ISO/IEC 27002 but not by KATAKRI, and Section 5.3 the ones that are covered by KATAKRI but not by ISO/IEC 27002. We close the section by presenting other findings from the two documents.

Intersection of Specifications
In general, both documents have sections covering the same topics, which can be seen in the high number of links between the security clauses of ISO/IEC 27002:2005 and the divisions and subdivisions of KATAKRI, as presented in Figure 4.

The general security management of ISO/IEC 27002:2005, as defined in security clauses 4-8 and 14-15, is strongly linked to KATAKRI's first division, 'Administrative security'. Similarly, 'Personnel security' in KATAKRI and 'Human resource security' in ISO/IEC 27002:2005 are linked, though not very strongly. The areas of physical security are also connected. The fourth KATAKRI division, 'Information assurance', is much more dispersed relative to ISO/IEC 27002:2005, covering both the concrete areas of security operations (clauses 9-12) and higher-level operations management (clauses 14-15).

In detail, several common topics covered by both ISO/IEC 27002 and KATAKRI were identified. Table 4 below presents the intersection of the specifications, divided into the four domains defined by KATAKRI.

The highest number of connections was in risk management, as both specifications require the same approach of identifying assets and the threats to them in order to perform risk mitigation. Both specifications also treat security training and raising security awareness as an important aspect of information security.
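The set operations of Pardo et al. introduced in Section 2 (intersection, difference, complement) and the per-division connection counts summarized in Figure 4 can both be computed mechanically once a crosswalk between the two catalogues exists. The following Python script is an added example and is not code from the paper. The eight ISO/IEC 27002:2005 control titles follow the 2005 edition, but the catalogue is a small subset; the KATAKRI question identifiers (A-1, P-1, ...), their links, and the crosswalk itself are constructed sample data, not the authors' 432-link dataset.

```python
"""Crosswalk analysis between two control catalogues.

Added example; not code from the paper. All catalogue entries, question
identifiers and links below are a constructed sample, not the authors' dataset.
"""
from collections import Counter

# ISO/IEC 27002:2005 controls, keyed "clause.category.control". These eight
# titles follow the 2005 edition, but the catalogue is deliberately only a
# small subset of the standard.
ISO_CONTROLS = {
    "5.1.1": "Information security policy document",
    "8.2.2": "Information security awareness, education and training",
    "9.1.1": "Physical security perimeter",
    "10.9.1": "Electronic commerce",
    "10.10.3": "Protection of log information",
    "11.2.1": "User registration",
    "13.1.2": "Reporting security weaknesses",
    "13.2.3": "Collection of evidence",
}

# KATAKRI-style questions mapped to their division. The identifiers (A-1, ...)
# are hypothetical; only the four division names come from the criteria.
KATAKRI_QUESTIONS = {
    "A-1": "Administrative security",
    "A-2": "Administrative security",   # annual security action programme
    "P-1": "Personnel security",
    "F-1": "Physical security",
    "I-1": "Information assurance",
    "I-2": "Information assurance",     # protection of audit trails
}

# The crosswalk itself: question -> ISO controls found to cover the same topic.
# In the paper this is the result of manual semantic analysis; here it is
# hand-constructed so that the example runs offline.
CROSSWALK = {
    "A-1": {"5.1.1"},
    "A-2": set(),
    "P-1": {"8.2.2"},
    "F-1": {"9.1.1"},
    "I-1": {"11.2.1"},
    "I-2": {"10.10.3"},
}


def clause_of(control_id):
    """Security clause of an ISO/IEC 27002 control ('10.9.1' -> '10')."""
    return control_id.split(".", 1)[0]


def validate_crosswalk(iso_controls, questions, crosswalk):
    """Return identifiers used in the crosswalk that exist in neither catalogue.

    Dangling identifiers are the first thing to check: renumbering between
    the 2005 and 2013 editions (12.1 -> 14.1) silently breaks a link list.
    """
    unknown = [q for q in crosswalk if q not in questions]
    for controls in crosswalk.values():
        unknown.extend(c for c in controls if c not in iso_controls)
    return unknown


def intersection(crosswalk):
    """Linked (question, control) pairs: the content both specifications share."""
    return {(q, c) for q, controls in crosswalk.items() for c in controls}


def iso_complement(iso_controls, crosswalk):
    """ISO controls with no KATAKRI counterpart (the 'ISO/IEC 27002 complement')."""
    linked = {c for controls in crosswalk.values() for c in controls}
    return set(iso_controls) - linked


def katakri_complement(questions, crosswalk):
    """KATAKRI questions with no ISO counterpart (the 'KATAKRI complement')."""
    return {q for q in questions if not crosswalk.get(q)}


def difference(iso_controls, questions, crosswalk):
    """Elements the two models do not have in common: the union of both complements."""
    return iso_complement(iso_controls, crosswalk) | katakri_complement(questions, crosswalk)


def connections_by_division(questions, crosswalk):
    """Link counts per (KATAKRI division, ISO clause): the data behind a Figure 4 style chart."""
    counts = Counter()
    for q, controls in crosswalk.items():
        for c in controls:
            counts[(questions[q], clause_of(c))] += 1
    return counts


if __name__ == "__main__":
    assert not validate_crosswalk(ISO_CONTROLS, KATAKRI_QUESTIONS, CROSSWALK)
    print("intersection:", sorted(intersection(CROSSWALK)))
    print("ISO/IEC 27002 complement:", sorted(iso_complement(ISO_CONTROLS, CROSSWALK)))
    print("KATAKRI complement:", sorted(katakri_complement(KATAKRI_QUESTIONS, CROSSWALK)))
    for (division, clause), n in sorted(connections_by_division(KATAKRI_QUESTIONS, CROSSWALK).items()):
        print(f"{division:25s} clause {clause:>2s}: {n}")
```

The crosswalk is validated before anything is counted, because a link list built against one edition of ISO/IEC 27002 silently loses meaning when categories are renumbered or removed in the next edition. On the sample data the ISO complement comes out as electronic commerce, reporting of weaknesses, and collection of evidence, mirroring the gaps discussed in Section 5.2, and the KATAKRI complement is the annual security action programme question.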

ISO/IEC 27002 Complements
We identified that KATAKRI contained, in total, only nine connections to the ISO/IEC 27002:2005 security categories "12.1 Security requirements of information systems" and "12.2 Correct processing in applications". These two security categories contain requirements for the development of new information systems, and nine links is a relatively small number for covering all requirements of information system development. In ISO/IEC 27002:2013, "12.1 Security requirements of information systems" has been updated and renumbered as category 14.1. Section "12.2 Correct processing in applications" and its controls in ISO/IEC 27002:2005 have been removed from the 2013 version and complemented by two new controls in Section 14.1 of the 2013 version, but KATAKRI has no wider correlation to either of these. The rationale is that KATAKRI is not meant to provide requirements for information system development, because it merely provides audit criteria. A separate security guideline for information system development in state institutions, "VAHTI 1/2013 Sovelluskehityksen tietoturvaohje" (Software development security guideline), has been published for this purpose and covers the security requirements of information system development. Liitsalo (2013) concluded that VAHTI 1/2013 has filled the lack of a common national guideline on generic information system development security requirements.

Figure 4. Number of connections between ISO/IEC 27002:2005 security clauses and KATAKRI divisions
ISO/IEC 27002:2005 contains one security category, "10.9 Electronic commerce services", for which we did not identify any links from KATAKRI. This category and its controls have been removed from ISO/IEC 27002:2013. When ISO/IEC 27002:2005 was published, electronic commerce was emerging and was seen as an important domain to cover. As time passed, many other kinds of information systems also became available over the internet. Hence, electronic commerce turned out to be only one of many types of internet services, all of which need to consider security in the cyber age.
ISO/IEC 27002:2013 contains controls for gathering evidence in the case of a security incident. In KATAKRI, one finds only very limited requirements covering such evidence collection: the KATAKRI requirements focus on protecting audit trails but do not include additional requirements to collect and secure evidence.
A further area in which ISO/IEC 27002 complements KATAKRI is the reporting of security weaknesses. ISO/IEC 27002 has a specific control (13.1.2 in the 2005 version and 16.1.3 in the 2013 version) emphasizing the employees' responsibility to report observed or suspected security weaknesses and vulnerabilities. KATAKRI does not contain a requirement highlighting such a responsibility, even though it clearly states that the security responsibilities of each employee must be defined in their job description.
Compliance was an area where the level of detail varied between the specifications. Where ISO/IEC 27002 provides implementa-

KATAKRI Complements
KATAKRI has some topics that are not part of the ISO/IEC 27002 standard. In administrative security, KATAKRI contains the concept of an annual security action programme, covered in KATAKRI subdivision A200. It is an annual plan of how security is to be developed, comprising measures, responsibilities, schedules, and measurable results. Management is expected to monitor the implementation of the plan as a continuous process. Notably, there are no requirements for an annual security programme at the base level; it is included only in the recommendations for industry. We identified a number of KATAKRI requirements that require documentation of the performed actions, but found no equivalent control in the ISO/IEC 27002 control objectives or implementation guidance. One such topic is training, where a KATAKRI requirement states that the arranged training must be documented, including the training material and the participants. ISO/IEC 27002 has a similar control for raising awareness, but its implementation guidance does not cover documenting the training. A similar widely used documentation requirement concerns the job description, which several KATAKRI requirements refer to as the written definition of an employee's responsibilities.
KATAKRI also complements ISO/IEC 27002 with its high security level requirements. KATAKRI contains requirements that must be fulfilled in order to handle material classified as "secret" under the Finnish national definition. For organizations that do not consider information security a competitive advantage, these controls may not be feasible to implement: they do not have a high benefit-cost ratio and are only necessary for security-critical businesses.

As a Finnish national security audit criteria, KATAKRI also contains requirements that may be illegal in other countries, such as drug tests and the probationary period used in recruitment. KATAKRI also contains national requirements for physical security alarms. Such requirements are not included in the ISO/IEC 27002 standard.

Additional Results
We also found more than 20 major translation errors in KATAKRI (the original version is in Finnish and is translated into English), where a translation error changed a requirement. For example, for some criteria the English version stated "No requirements" for a certain security level while the original Finnish version did contain requirements.

RELATED WORK

Jo et al. (2010) conducted a comparative analysis of five ISMSs. The compared methods were the Common Criteria, BS7799 (the predecessor of ISO/IEC 27001 and 27002), the IT Baseline Protection Manual from Germany, the ISMS in Japan, and the Defense Information Assurance Certification and Accreditation Process (DITSCAP) of the United States Department of Defense (DoD). The analysis focused on the process, not on security baseline analysis. An enlarged comparative analysis by the same authors was carried out in Jo et al. (2011), where, as a result, a new Information Security Management Evaluation System was proposed. Beckers et al. (2014) provided a structured method for comparing security standards to derive a conceptual model, its template, and a common terminology. The method was applied to three standards, ISO 27001, the Common Criteria, and the German IT-Grundschutz standards, resulting in a comprehensive comparison of them. Beckers et al. (2012) linked ISO/IEC 27001 and security requirements engineering (SRE) methods using an existing conceptual framework. Reusing SRE methods supports organizations in developing, improving, and documenting their own information security management systems so as to be compliant with ISO/IEC 27001 or other standards. Martins et al. (2013) conducted a case study of applying ISO/IEC 27001 in a military context. In further research, Martins et al. (2014) proposed a method for identifying the best combination of security controls to apply against a particular method of attack. The method takes into account, among other things, existing security control frameworks such as ISO/IEC 27001, and lessons learned. As the research was conducted in a military context, they also provided support for the military decision-making process. Giacalone et al. (2014) presented a lean approach to identifying security requirements. The method aims to overcome the problem of the vast amount of resources required to continuously analyze security requirements when an ISMS is implemented "by the book". It uses a Security Survey and Triage process to quickly identify the level of relevance of a request for security assessment and the corresponding security requirements. The authors recommended embedding such a process as a mandatory step in a company's production cycle.

DISCUSSION
In this study, we analyzed ISO/IEC 27002 versions 2005 and 2013 and compared them to the Finnish security audit criteria, KATAKRI. We found that both contain largely the same security controls that security-aware organizations should implement, but under completely different structural divisions. The analysis also illustrated the evolution of information security management trends (e.g., the role of eBusiness). The results can be applied to upcoming versions of KATAKRI to evaluate the overall scope and boundaries of the security controls. They are equally relevant to ISO/IEC standardization, even though a refined version already appeared in 2013.
We identified a number of common security topics covered by both specifications. The results revealed the different scope of KATAKRI and the absence from it of some of the controls of ISO/IEC 27001 and ISO/IEC 27002. Conversely, we detected normative controls in KATAKRI that are not included, even as implementation guidance, in either version of ISO/IEC 27002.
The structure of KATAKRI makes evaluating an organization's information security management system easier than with ISO/IEC 27002. Where KATAKRI is already structured in the form of compliance criteria, ISO/IEC 27001 requires more expertise to analyze the appropriateness of the implementation of the security controls for the specific organization. In fact, the specifications complement each other well, and an ISO/IEC 27001 auditor may find KATAKRI a usable tool for performing security audits. One specific difference between the two specifications is the high security level requirements contained in KATAKRI. These may interest organizations that need to maintain a very high security level in their operations: the ISO/IEC 27002 implementation guidance does not go into the level of detail found in KATAKRI's high security level requirements.
The common security topics are well covered by both specifications, and the majority of the controls and requirements are found in their intersection. KATAKRI adds more specific requirements at the increased and the high security levels. Organizations holding these levels of KATAKRI certification should be able to obtain and retain ISO/IEC 27001 certification with few enhancements. Structurally, KATAKRI defines more requirements to be fulfilled, and therefore an organization may be required to fulfill requirements beyond those that have been acceptable in ISO/IEC 27001 certification.
KATAKRI is an example of a national approach that was not initially built to be ISO/IEC 27001 compliant. By contrast, the German national BSI IT-Grundschutz has been developed to provide ISO/IEC 27001 compliance. Martins et al. (2014) used ISO/IEC 27001 in a military context, which is also the background of KATAKRI. Based on our analysis of the contents of these specifications, the number of complements to ISO/IEC 27001 is not significant. Hence, KATAKRI could be modified to be ISO/IEC 27001 compliant with minor additions.
It has been noticed that SMEs have to focus more on developing their information security procedures, but most ISMS standards are not usable from the point of view of an SME. While SMEs struggle with limited resources but face increased threats, it is important to develop new approaches that are especially suitable for them. The majority of modern information security management systems, including ISO/IEC 27001, are developed for at least medium-sized enterprises. One solution could be to provide methods with prioritization of controls that support at least a basic selection of potential roadmaps for smaller enterprises. KATAKRI contains basic prioritization through its classification levels and its recommendations for industry, while ISO/IEC 27002 states in its documentation that the security controls are in no way prioritized. Even at the lowest security level of KATAKRI, the number of controls is out of reach for SMEs in which security is not a strategic competence area. By comparison, NIST SP 800-53 (2009), which defines recommended security controls for federal information systems and organizations, contains a prioritization of the security controls. Our research continues to develop methods for SMEs to enhance their security management in a cost-effective fashion.