Fuzzy rule-based risk management under ISO/IEC27001:2013 standard for information security


  • Pichit Boonkrong College of Digital Innovation and Information Technology (DIIT), Rangsit University, Patumthani 12000, Thailand
  • Chuleekorn Nuansomsri College of Digital Innovation and Information Technology (DIIT), Rangsit University, Patumthani 12000, Thailand


fuzzy set, IEC, information security, ISO, Mamdani fuzzy model, risk management


This paper aims to identify, assess and offer management guideline of operational risk on information and communication technology (ICT) under ISO/IEC 27001:2013 standard using Mamdani fuzzy model-based management.  Qualitative research methodology and research standard questionnaires were employed for collecting data from 21 surveyees related to ICT fields in January 2017.  The fuzzy logic-based risk matrices were used in risk assessment.  The uncertainties and imprecision of the complex risk management are better described by fuzzy rule-based reasoning.  From the case study, the results show that the risk on ICT has high levels in five criteria including security policy for information, information security related to personnel, physical and environmental security, management in information security and organizational continuity management.  Guidelines on risk management are also introduced as an integral part of good management.


Berg, H. P. (2010). Risk management: Procedures, methods and experiences. Risk Management, 1, 79-95.

Capuder, L. (2004). ISO-7799-Standard for information security: A welcome boon for security management and audit. EDPACS, 31(11), 1-10.

Ciborra, C. (2006). Imbrication of representations: Risk and digital technologies. The Journal of Management Studies, 43(6), 1339-1356. https://doi.org/10.1111/j.1467-6486.2006.00647.x

Cox, L. A. (2008). What's wrong with risk matrices? Risk Analysis, 28(2), 497-512. https://doi.org/10.1111/j.1539-6924.2008.01030.x

Elsayed, T. (2009). Fuzzy inference system for the risk assessment of liquefied natural gas carriers. Applied Ocean Research, 31(3), 179-185.

Groves, S. (2003). The unlikely heroes of cyber security. Information Management Journal, 37(3), 34-40.

Hu, S., Fang, Q., Xia, H., & Xi, Y. (2007), Formal safety assessment based on relative risks model in ship navigation. Reliability Engineering and System Safety, 92, 369-377.

Humphreys, T. (2005). State-of-the-art information security management systems with ISO/IEC 27001. ISO Management Systems, 15-18.

Humphreys, E. (2011). Information Security Management System Standards. Datenschutz und Datensicherheit, 35(1), 7-11. DOI: 10.1007/s11623-011-0004-3

Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard (2nd Edition). Artech House.

Hussey, D .E. (1978). Portfolio analysis: Practical experience with the directional policy matrix. Long Range Planning, 11(4), 2-8. https://doi.org/10.1016/0024-6301(78)90001-8

Karwowski, W., & Mital, A. (1986). Potential applications of fuzzy sets in industrial safety engineering. Fuzzy Sets and Systems, 19(2): 105-120.

Mamdani, E. H., & Assilian, S. (1975). An experiment in linguistic synthesis with a fuzzy logic controller. International Journal of Man-Machine Studies, 7(1), 1-13.

Mansell, R. (1999). Information and communication technologies for development assessing the potential and the risks. Telecommunications Policy, 23(1), 35-50. DOI: 10.1016/S0308-5961(98)00074-3

Markowski, A. S., & Mannan, M. S. (2008), Fuzzy risk matrix. Journal of Hazardous Materials, 159, 152-157.

Mofarrah, A., & Husain, T. (2010). Modeling for uncertainty assessment in human health risk quantification: A fuzzy-based approach. International Congress on Environmental Modelling and Software, 1-8.

Pinder, P. (2006). Preparing information security for legal and regulatory compliance (Sarbanes-Oxley and Basel II). Information Security Technical Report, 11(1), 32-38. DOI: 10.1016/j.istr.2005.12.003

Philip, T., Bratvold, R., & Bickel, J. E. (2014). The risk of using risk matrices. SPE Economics & Management, 6(2), 56-66.

Ruddock, L. (2006). ICT in the construction sector: Computing the economic benefits. International Journal of Strategic Property Management, 10(1), 39-50. DOI: 10.1080/1648715X.2006.9637543

Segars, A. H., & Grover, V. (1996). Designing company-wide information systems: Risk factors and coping strategies. Long Range Planning, 29(3), 381-392. https://doi.org/10.1016/0024-6301(96)00024-6

Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management Journal, 39(4), 60-66.

Shenkir, W. G., & Walker, P. L. (2006). Enterprise risk management and the strategy-risk focused organization. Cost Management, 20(3), 32-38.

Solms, B. V. (2001). Corporate governance and information security. Computers & Security, 20(3), 215-218.

Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4): 441-469.

Takács, M. (2011). Parameters and rules of fuzzy-based risk management models. Óbuda Univ. e-Bulletin, 2(1), 309-314.

Teneyuca, D. (2001). Organizational leader's use of risk management for information technology. Information Security Technical Report, 6(3), 54-59.

Wu, W., Cheng, G., Hu, H., & Zhou, Q. (2013). Risk analysis of corrosion failures of equipment in refining and petrochemical plants based on fuzzy set theory. Engineering Failure Analysis, 32, 23-34.

Zadeh, L. A. (1973). Outline of a new approach to the analysis of complex systems and decision processes. IEEE Transactions on Systems, Man, and Cybernetics, 3(1), 28-44. DOI: 10.1109/TSMC.1973.5408575.




How to Cite

Boonkrong, P. ., & Nuansomsri, C. . (2023). Fuzzy rule-based risk management under ISO/IEC27001:2013 standard for information security. Journal of Current Science and Technology, 8(1), 33–40. Retrieved from https://ph04.tci-thaijo.org/index.php/JCST/article/view/485



Research Article