JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 117

Mapping Approach of ITIL Service

Management Processes to ISO/IEC 27001
Controls
Razieh Sheikhpour, Nasser Modiri

Abstract Information security plays an important role in protecting the assets of an organization. A number of best practice
frameworks exist to help organizations assess their security risks and implement appropriate security controls. Integration of
security best practices like ISO/IEC 27001 into service management best practices processes like ITIL enables the organization
to lower the overall cost of maintaining acceptable security levels, effectively manage risks and reduce overall risk levels. ITIL
provides a framework of best practice guidances for information technology service management. ISO/IEC 27001 i s a set of
guidelines, which can be used by an or ganization to design, deploy and maintain information security management system.
From an I TIL perspective, most of the security controls identified in ISO/IEC 27001 ar e already part of service management.
This paper describes mapping of ITIL service management processes to controls of ISO/IEC 27001.

Index TermsInformation, Security, Organization, ITIL, ISO/IEC 27001.

1 INTRODUCTION

T HE rapid advances of the information and

communication technologies, in particularly the
internet, and its increase use, have promoted the
speed and accessibility of operations, resulting in
significant changes in the way organizations conduct
their activities. Consequently organizations become
increasingly dependent on the availability, reliability and
integrity of their information systems to be competitive
and create new business opportunities. However, the use
of information technology brings significant risks to
information systems and particularly to the critical
resources, due to its own nature. An increased number of
sophisticated attacks are expected to evolve as wireless
and others technologies transcend. This fact enforces the
need to ensure the security of the organizations
information systems [1].
There are several security standards and best practice
models available for information security. Standards can
not only provide a framework for implementing effective
information security practices, they can also make sure
that information security and organizational objectives
are properly aligned. Furthermore, organizations
recognize that standards demonstrate to clients and
customers their commitment to good information security
practices. Two of the more widely used standards will be
briefly discussed here, namely ITIL and ISO/IEC 27001
[2].
ISO/IEC 27001:2005 specifies the requirements for
establishing, implementing, operating, monitoring,
information assets and incorporate this into an
Razieh Sheikhpour is with the Department of Computer Engineering,
North Tehran Branch, Islamic Azad University, Tehran, Iran.
Nasser Modiri is with the Department of Computer Engineering,
Zanjan Branch, Islamic Azad University, Zanjan, Iran.
reviewing, maintaining and improving a documented
Information Security.
The ITIL security management process describes the
structured fitting of security in the management organiza-
tion. ITIL security management is based on the ISO 27001
standard [3].
ISO 27001 and ITIL are very complementary. ITIL is
focused on service management best practices. ISO/IEC
27001 is focused on information security best practices.
From an ITIL perspective, most of the security controls
identified in ISO/IEC 27001 are already part of service
management. Both ITIL and ISO 27001 identify the
requirement to build security into all aspects of the
service in order to effectively manage risks in the
infrastructure [4].
In this paper, we describe a mapping of ITIL service
management processes to ISO/IEC 27001 controls. Rest of
the paper is organized as follows: Section 2 describes
ISO/IEC 27001 concepts. Section 3 presents an overview
of ITIL service management concepts. In Section 4 which
contains the main focus of the paper, we describe a
mapping of ITIL processes to ISO/IEC 27001 controls.
Finally, Section 5 concludes the paper.
2 ISO/IEC 27001:2005
ISO/IEC 27001:2005 is the international standard for
entities to manage their Information Security. It sets out
how a company should address the requirements of
confidentiality, integrity and availability of its
Information Security Management System (ISMS) [3, 5].
It specifies the requirements for establishing,

2011 Journal of Computing Press, NY, USA, ISSN 2151-9617

http://sites.google.com/site/journalofcomputing/
 JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 118

implementing, operating, monitoring, reviewing, review or other relevant information, to achieve continual
maintaining and improving a documented Information improvement of the ISMS [6].
Security Management System within an organization. It is Figure 1 shows PDCA model applied to ISMS
designed to ensure the selection of adequate and processes.
proportionate security controls to protect information
assets. This standard is usually applicable to all types of
organizations, including business enterprises,
government agencies, and so on. The standard introduces
a cyclic model known as the Plan-Do-Check-Act
(PDCA) model that aims to establish, implement, monitor
and improve the effectiveness of an organizations ISMS.
The PDCA cycle has these four phases: [6, 7]
a) Plan phase Establishing the ISMS: Establish
ISMS policy, objectives, processes and procedures
relevant to managing risk and improving information
security to deliver results in accordance with an
organizations overall policies and objectives.
b) Do phase Implementing and operating the
ISMS: Implement and operate the ISMS policy, controls, Fig.1. PDCA model applied to ISMS processes [5].
processes and procedures.
c) Check phase Monitoring and reviewing the
ISMS: Assess and, where applicable, measure process 2.1 ISO/IEC 27001 Control Objectives and Controls
performance against ISMS policy, objectives and practical ISO/IEC 27001:2005 contains 39 control objectives and
experience and report the results to management for 133 specific controls, organized into 11 main sections.
review. Table 1 shows the controls and control objectives of
d) Act phase Maintaining and improving the ISMS: ISO/IEC 27001.
Take corrective and preventive actions, based on the
results of the internal ISMS audit and management

TABLE 1 CONTROL OBJECTIVES AND CONTROLS OF ISO/IEC 27001 [5]

Domain Control Objective Control
A.5 Security policy A.5.1 Information security A.5.1.1 Information security policy document
policy A.5.1.2 Review of the information security policy
A.6 Organization of A.6.1 Internal organization A.6.1.1 Management commitment to information security
information security A.6.1.2 Information security coordination
A.6.1.3 Allocation of information security responsibilities
A.6.1.4 Authorization process for information processing facilities
A.6.1.5 Confidentiality agreements
A.6.1.6 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.8 Independent review of information security
A.6.2 External parties A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements
A.7 Asset manage- A.7.1 Responsibility for A.7.1.1 Inventory of assets
ment assets A.7.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets
A.7.2 Information A.7.2.1 Classification guidelines
classification A.7.2.2 Information labeling and handling
A.8 Human resources A.8.1 Prior to employment A.8.1.1 Roles and responsibilities
security A.8.1.2 Screening
A.8.1.3 Terms and conditions of employment
A.8.2 During employment A.8.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process
A.8.3 Termination or A.8.3.1 Termination responsibilities
change of employment A.8.3.2 Return of assets
A.8.3.3 Removal of access rights
A.9 Physical and A.9.1 Secure areas A.9.1.1 Physical security perimeter
environmental security A.9.1.2 Physical entry controls
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
A.9.2 Equipment security
A.10 Communications and A.10.1 Operational proce-
operations management dures and responsibilities
A.10.2 Third party service
delivery management
A.10.3 System planning
and acceptance
A.10.4 Protection against
malicious and mobile code
A.10.5 Back-up
A.10.6 Network security
management
A.10.7 Media handling
A.10.8 Exchange of
information
A.10.9 Electronic
commerce services
A.10.10 Monitoring
A.11 Access control A.11.1 Business require-
ment for access control
A.11.2 User access
management
A.11.3 User responsibilities
A.11.4 Network access
control
119
A.9.1.3 Securing offices, rooms and facilities
A.9.1.4 Protecting against external and environmental threats
A.9.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas
A.9.2.1 Equipment sitting and protection
A.9.2.2 Supporting utilities
A.9.2.3 Cabling security
A.9.2.4 Equipment maintenance
A.9.2.5 Security of equipment off premises
A.9.2.6 Secure disposal or re-use of equipment
A.9.2.7 Removal of property
A.10.1.1 Documented operating procedures
A.10.1.2 Change management
A.10.1.3 Segregation of duties
A.10.1.4 Separation of development, test and operational facilities
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third party services
A.10.2.3 Managing changes to third party services
A.10.3.1 Capacity management
A.10.3.2 System acceptance
A.10.4.1 Controls against malicious code
A.10.4.2 Controls against mobile code
A.10.5.1 Information back-up
A.10.6.1 Network controls
A.10.6.2 Security of network services
A.10.7.1 Management of removable media
A.10.7.2 Disposal of media
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation
A.10.8.1 Information exchange policies and procedures
A.10.8.2 Exchange agreements
A.10.8.3 Physical media in transit
A.10.8.4 Electronic messaging
A.10.8.5 Business information systems
A.10.9.1 Electronic commerce
A.10.9.2 On-line transactions
A.10.9.3 Publicly available information
A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
A.10.10.5 Fault logging
A.10.10.6 Clock synchronization
A.11.1.1 Access control policy
A.11.2.1 User registration
A.11.2.2 Privilege management
A.11.2.3 User password management
A.11.2.4 Review of user access rights
A.11.3.1 Password use
A.11.3.2 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy
A.11.4.1 Policy on use of network services
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.5 Segregation in networks
A.11.4.6 Network connection control
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
A.12 Information systems
acquisition, development
and maintenance
A.13 Information security
incident management
A.14 Business continuity
management
A.15 Compliance
A.11.5 Operating system
access control
A.11.6 Application and
information access control
A.11.7 Mobile computing
and teleworking
A.12.1 Security require-
ments of information sys-
tems
A.12.2 Correct processing
in applications
A.12.3 Cryptographic
controls
A.12.4 Security of system
files
A.12.5 Security in
development and support
processes
A.12.6 Technical
Vulnerability Management
A.13.1 Reporting
information security events
and weaknesses
A.13.2 Management of
information security inci-
dents and improvements
A.14.1 Information security
aspects of business
continuity management
A.15.1 Compliance with
legal requirements
A.15.2 Compliance with
security policies and
standards, and technical
compliance
A.15.3 Information systems
audit considerations
120
A.11.4.7 Network routing control
A.11.5.1 Secure log-on procedures
A.11.5.2 User identification and authentication
A.11.5.3 Password management system
A.11.5.4 Use of system utilities
A.11.5.5 Session time-out
A.11.5.6 Limitation of connection time
A.11.6.1 Information access restriction
A.11.6.2 Sensitive system isolation
A.11.7.1 Mobile computing and communications
A.11.7.2 Teleworking
A.12.1.1 Security requirements analysis and specification
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.3.1 Policy on the use of cryptographic controls
A.12.3.2 Key management
A.12.4.1 Control of operational software
A.12.4.2 Protection of system test data
A.12.4.3 Access control to program source code
A.12.5.1 Change control procedures
A.12.5.2 Technical review of applications after operatingsystem changes
A.12.5.3 Restrictions on changes to software packages
A.12.5.4 Information leakage
A.12.5.5 Outsourced software development
A.12.6.1 Control of technical vulnerabilities
A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses
A.13.2.1 Responsibilities and procedures
A.13.2.2 Learning from information security incidents
A.13.2.3 Collection of evidence
A.14.1.1 Including information security in the business continuity man-
agement process
A.14.1.2 Business continuity and risk assessment
A.14.1.3 Developing and implementing continuity plans including in-
formation security
A.14.1.4 Business continuity planning framework
A.14.1.5 Testing, maintaining and reassessing business continuity plans
A.15.1.1 Identification of applicable legislation
A.15.1.2 Intellectual property rights (IPR)
A.15.1.3 Protection of organizational records
A.15.1.4 Data protection and privacy of personal information
A.15.1.5 Prevention of misuse of information processing facilities
A.15.1.6 Regulation of cryptographic controls
A.15.2.1 Compliance with security policies and standards
A.15.2.2 Technical compliance checking
A.15.3.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 121

The goal of the ISM process is to align IT security with

3 ITIL V3 FRAMEWORK
The Information Technology Infrastructure Library (ITIL)
provides a framework of Best Practice guidances for
information technology service management and since its
creation, ITIL has grown to become the most widely
accepted approach to IT service management in the world
[8].
The primary objective of service management is to
ensure that the IT services are aligned to the business
needs and actively support them. If IT processes and IT
services are implemented, managed and supported in the
appropriate way, the business will be more successful,
suffer less disruption and loss of productive hours,
reduce costs, increase revenue, improve public relations
and achieve its business objectives [8].
The ITIL v3 Core consists of five publications, each
providing guidance on a specific phase in the service
management lifecycle. The ITIL core publications are as
follows: [4]
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
ITIL describes processes, functions and structures that
support most areas of IT service management, mostly
from the viewpoint of the service provider. One of the
many processes it describes is Information Security
Management (ISM) [9].
With the placement on Information Security
Management within the Service Design core book the
process is integrated with several other processes which
enables the ISM process to be streamlined in the Service
Lifecycle more easily[10].
business security and ensure that information security is
effectively managed in all service and service
management activities. The ITIL security management
process describes the structured fitting of security in the
management organization. ITIL security management is
based on the ISO 27001 standard [3].
The ISM process contains several sub processes in ITIL
v3. They are design of security controls, security testing,
management of security incidents and security review.
The objective of the sub process of the security controls is
to design the appropriate technical and organizational
measures in order to ensure the confidentiality, integrity,
security, availability of an organizations assets,
information, data and services [11].
4 MAPPING OF ITIL V3 PROCESSES TO
ISO/IEC 27001:2005 CONTROLS
Fox IT Ltd and QT&C Group Ltd have performed a
mapping exercise that looked at each of the 11
information security control areas [7]. Integration of
security best practices into service management best
practices processes enables the organization to lower the
overall cost of maintaining acceptable security levels,
effectively manage risks and reduce overall risk levels.
ISO 27001 and ITIL v3 are very complementary. From an
ITIL perspective, most of the security controls identified
in ISO 27001 are already part of service management.
Both ITIL and ISO 27001 identify the requirement to build
security into all aspects of the service in order to
effectively manage risks in the infrastructure [4]. Table 2
describes mapping of ITIL processes to controls of
ISO/IEC 27001.

TABLE 2 MAPPING OF ITIL PROCESSES TO ISO/IEC 27001CONTROLS

ITIL processes
Service Strategy
Demand management
Financial management
Service Design
Service Catalog management
Service Level management
Capacity management
Availability management
IT service continuity management
ISO/IEC 27001 Controls
-
-
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements
A.10.2.1 Service delivery
A.10.6.2 Security of network services
A.10.8.2 Exchange agreements
A.12.3.2 Key management
A.10.3.1 Capacity management
A.10.5.1 Information back-up
A.10.8.4 Electronic messaging
A.6.2.3 Addressing security in third party agreements
A.9.2.2 Supporting utilities
A.10.4.1 Controls against malicious code
A.10.5.1 Information back-up
A.14.1.1 Including information security in the business continuity management process
A.14.1.2 Business continuity and risk assessment
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 122

Information security management A.5.1.1 Information security policy document

A.5.1.2 Review of the information security policy
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.3 Allocation of information security responsibilities
A.6.2.1 Identification of risks related to external parties
A.10.6.2 Security of network services
A.11.1.1 Access control policy
Supplier Management A.6.2.3 Addressing security in third party agreements
A.6.2.1 Identification of risks related to external parties
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third party services
A.10.8.2 Exchange agreements
A.12.3.2 Key management
Service Transition
Change management A.6.1.4 Authorization process for information processing facilities
A.6.2.3 Addressing security in third party agreements
A.9.2.6 Secure disposal or re-use of equipment
A.9.2.7 Removal of property
A.10.1.2 Change management
A.10.2.3 Managing changes to third party services
A.11.2.4 Review of user access rights
A.12.4.1 Control of operational software
A.12.4.3 Access control to program source code
A.12.5.1 Change control procedures
A.13.2.1 Responsibilities and procedures
Service asset & configuration A.7.1.1 Inventory of assets
management A.9.1.6 Public access, delivery and loading areas
A.9.2.1 Equipment sitting and protection
A.9.2.3 Cabling security
A.9.2.4 Equipment maintenance
A.9.2.7 Removal of property
A.10.4.1 Controls against malicious code
A.12.4.1 Control of operational software
A.12.4.3 Access control to program source code
A.12.6.1 Control of technical vulnerabilities
A.14.1.1 Including information security in the business continuity management process
Release & deployment A.10.3.2 System acceptance
management
Service validation & testing A.10.3.2 System acceptance
A.12.4.1 Control of operational software
A.12.5.2 Technical review of applications after operating system changes
Evaluation A.10.3.2 System acceptance
A.12.5.2 Technical review of applications after operating system changes
Risk management A.6.1.2 Information security coordination
A.6.2.1 Identification of risks related to external parties
A.7.2.1 Classification guidelines
A.9.1.4 Protecting against external and environmental threats
A.9.2.5 Security of equipment off premises
A.9.2.6 Secure disposal or re-use of equipment
A.10.6.1 Network controls
A.14.1.2 Business continuity and risk assessment
Knowledge management -
Service Operation
Event management A.10.3.1 Capacity management
A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 123

Incident management A.6.1.2 Information security coordination

Request management
Problem management
Access management
Continual Service Improvement
CSI Process
Service Reporting
Document management
Human resource management
A.9.2.4 Equipment maintenance
A.10.3.1 Capacity management
A.10.10.5 Fault logging
A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses
A.13.2.1 Responsibilities and procedures
A.13.2.2 Learning from information security incidents
-
A.6.2.3 Addressing security in third party agreements
A.13.2.2 Learning from information security incidents
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.8.3.3 Removal of access rights
A.9.1.6 Public access, delivery and loading areas
A.11.1.1 Access control policy
A.11.2.1 User registration
A.11.2.3 User password management
A.11.2.4 Review of user access rights
A.11.4.1 Policy on use of network services
A.11.5.2 User identification and authentication
A.11.6.1 Information access restriction
A.12.4.3 Access control to program source code
A.13.2.2 Learning from information security incidents
A.6.2.3 Addressing security in third party agreements
A.10.1.1 Documented operating procedures
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation
A.6.1.3 Allocation of information security responsibilities
A.6.1.5 Confidentiality agreements
A.8.1.1 Roles and responsibilities
A.8.1.2 Screening
A.8.1.3 Terms and conditions of employment
A.8.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process
A.8.3.1 Termination responsibilities
A.8.3.2 Return of assets
A.8.3.3 Removal of access rights
A.11.3.1 Password use
A.11.3.2 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy

within the Service Design core practice of ITIL v3

5 CONCLUSION
Information Security aspects are really important for
company success and business stability. As no single
formula can guarantee 100% security, there is a need for a
set of benchmarks or standards to help ensure an
adequate level of security is attained, resources are used
efficiently, and the best security practices are adopted. By
implementing ITIL and ISO/IEC 27001, organizations can
better meet information security service expectations with
internal and external customers.
ISO/IEC 27001 helps an organization to develop a
business continuity plan that will minimize the impact of
security breaches. ITIL is a framework of best practices that
promote quality computing services in IT sector. ISM process
provides several ways that information security can be
improved. The ISM process encourages organizations to
incorporate security controls, and to test these controls
regularly.
This paper described a mapping of ITIL service
management processes to ISO/IEC 27001 controls. ITIL
and ISO 27001 identify the requirement to build security
into all aspects of the service in order to effectively
manage risks in the infrastructure.
REFERENCES
[1] T. Pereira, H. Santos, A Security Audit Framework to Manage
Information System Security, pp. 918, Springer-Verlag Berlin
Heidelberg 2010.
[2] N. Zegers, A methodology for Improving information securi-
 JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 124

ty incident identification and response, Master Thesis

Informatics & Economics, Erasmus University Rotterdam, 2006.
[3] A. Rezakhani, A. Hajebi, N. Mohammadi, Standardization of
all Information Security Management Systems, International
Journal of Computer Applications (0975 8887) Volume 18
No.8, March 2011.
[4] K V Warre, Security Controls in Service Management, SANS
Institute, December 2010.
[5] ISO/IEC 2005, Information technology- Security techniques -
Information security management systems- requirements, ISO
copyright office, Published in Switzerland.
[6] The Government of the Hong Kong Special Administrative
Region, AN OVERVIEW OF INFORMATION SECURITY
STANDARDS, February 2008.
[7] M.Sykes, N.Landman, ITIL and ISO/IEC 27001- How ITIL can
be used to support the delivery of compliant practices for In-
formaton Security Management Systems Fox IT Ltd and
QT&C Group Ltd, 2010.
[8] H. Liu, Y. Lin, P. Chen, L. Jin, F. Ding, Practical Availability
practices Risk Assessment Framework in ITIL, proceeding of
Fifth IEEE International Symposium on Service Oriented Sys-
tem Engineering, 2010.
[9] J. Clinch, ITIL V3 and information security, White paper,
May 2009.
[10] G. Taylor, ITIL V3 Improves Information Security Manage-
ment, East Carolina University.
[11] E. R. Larrocha, J. M. Minguet, G. Diaz, M, Castro, A. Vara, Fill-
ing the gap of Information Security Management inside ITIL:
proposals for postgraduate students, IEEE EGUCON Educa-
tion Engineering,2010.

Razieh Sheikhpour received the BS degree in software engineering

from department of computer engineering, Islamic Azad University of
Iran in 2007. She is currently working toward the MS degree in
software engineering from Islamic Azad University of Iran. Her
research interests include information security, IT Governance and
Sensor networks.

Nasser Modiri received the MS degree in MicroElectronics from

university of Southampton, UK in 1986. He received PHD degree in
Computer Networks from Sussex university of UK in 1989. He is a
lecture at department of computer engineering at Islamic Azad
University of Zanjan, Iran. His research interests include Network
Operation Centres, Framework for Securing Networks, Virtual
Organizations, RFID, Product Life Cycle Development and
Framework For Securing Networks.