Analysis of Strongly and Weakly Coupled Management Systems in Information Security

In an effort to enhance enterprise security, three standard management systems have been established as applications of the Deming cycle: the Information Security Management System (ISMS) in accordance with the ISO 27001 standard, the Business Continuity Management System (BCM) in accordance with the BS 25999 standard and the Information Technology Service Management System (ITSM) in accordance with the ISO 20000 standard. These three management systems have been developed to operate independent of one another, but are often used together within a given company. It can be shown that management systems modeled after the Deming cycle behave as bisimulations with dynamic feedback policies and can be expressed formally as control circuits within the Discrete Event Systems (DES) theory. In this article, we present an analytical description of the optimal structure through which the three management systems (ISMS, BCMS, and ITSM) should be linked in a company. We define a coupling parameter and, using an equation for the discrete control loop, show that ISMS and ITSM should ideally be strongly coupled, and ISMS and BCMS should be weakly coupled.