
Evaluation of Information and Industry Security Risk Management Methodology

Yu-Chih Wei, Yi-Shng Wu, Ya-Chi Chu


Under the trend of the Internet of Things and Industry 4.0, the two major fields of IT and OT are being integrated. This integration has also led to frequent information security incidents, which have made information security an issue that OT must face. This research compares the risk management standard IEC 62443-3-2 for industrial system security in the OT domain, ISO/IEC 27005 for information security in the IT domain, the Risk IT Framework, and NIST SP 800-39 to evaluate the key concerns of an integrated information security risk management approach, focusing on the risk management process, the granularity of concerns, and the classification methods used in the OT and IT standards.
We propose applying ISO/IEC 27005 to IEC 62443-3-2 to give organizations a concept for integrating OT and IT that reduces information and network security risks in industrial areas, reduces the large losses caused by information security incidents, and improves information security. It also improves the quality of information security protection and ensures the security of organizational information and networks, thus enabling organizations to operate sustainably.

Citation Format:
Yu-Chih Wei, Yi-Shng Wu, Ya-Chi Chu, "Evaluation of Information and Industry Security Risk Management Methodology," Communications of the CCISA, vol. 26, no. 4, pp. 17-33, Dec. 2020.


Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)