An expert system for risk assessment of information system security based on ISO 27002

摘要

Information system security in a company is an important element that every company should pay more attention due to the attacks against the security of the data that may not be inevitable. Probably every company knows how to protect their data even though this paper proposes something new which is more efficient. One of the ways that can be used to determine the security status of the company is by doing a risk assessment. This study proposes an expert system to determine the position or the level of the security system of a company by doing a risk assessment. The standard of risk assessment is based on the ISO 27002. Forward chaining method is used for the determination of rules and scoring in this expert system. The conclusion of this study is that the integration between the risk assessment and expert system helps in determining the position of a company-level security and also determining whether the company needs to do an audit of their information systems security or not.