Friday, 4 March 2016

itl-iso-cobit

INTERACTIONS (RELATIONS) BETWEEN ITIL, COBIT AND ISO 27001
What Is ITIL
ITIL is an IT Service Management framework that aligns IT with the needs of the business. ITIL's key areas of focus include Services, Lifecycle Phases, Processes, Roles, and Functions. No doubt, ITIL has made its way to being the most popular and well known Service Management solution, and has proven its utility. Although early adopters of ITIL were generally large corporations, it is finally escaping the "it's for big companies only" curse, and more small to mid-sized businesses are finding the practices useful. ITIL is a great starting point for IT Service Providers who are just beginning to drive process discipline, and it also provides structure and accountability around an already mature organization. The biggest advantage is how ITIL uses Continual Service Improvement to provide a constant feedback mechanism that helps you ensure that what you are delivering is in line with customer expectations.
Overview of ITIL


What Is COBIT
Today, COBIT is internationally recognized as the "go to" solution for IT governance, with aspects in security, quality and compliance. Its focus is not necessarily on how to execute a process, but rather on what should be done to ensure proper control of that process. Therefore, you won't technically implement COBIT processes from the bottom up, but use it as a tool to help you control processes from the top down as part of a larger governance initiative. This is a very constructive and useful tool. Starting out as a tool designed for IT auditors to assist in the control of IT, it has grown into a model to help companies meet compliance and statutory requirements as well. It helps you understand IT systems, and guides decisions around the level of security and control that is necessary to protect assets by leveraging an IT governance model. More specifically, it bridges the gap among control requirements, technical issues, and business risks rather than focusing on the actual process (i.e. ITIL), and it enables policy development and good IT control practices. Generally speaking, COBIT is the broadest of all IT-related frameworks and bodies of knowledge today.
Overview of COBIT
What Is ISO 27001
It is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS).


The standard is designed to ensure the selection of adequate and proportionate security controls; these controls help protect information assets and give confidence to stakeholders.


The standard itself adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the ISMS. ISO/IEC 27001 is intended to be used in conjunction with ISO/IEC 27002, the "Code of Practice for Information Security Management", which lists security control objectives and recommends a range of specific security controls.


COBIT vs ITIL


COBIT and ITIL have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises.


COBIT is broader than ITIL in its scope of coverage. It is based on four principles (meeting stakeholder needs; covering the enterprise end to end; applying an integrated framework; separating governance from management) and seven enablers (principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies).


The distinction between the two is sometimes described as "COBIT provides the 'why'; ITIL provides the 'how.'" While catchy, that view is simplistic. It is more accurate to state that enterprises and IT professionals who need to address business needs in the ITSM area would be well served to consider using both COBIT and ITIL guidance.


ITIL could be seen as the way to manage IT services across their lifecycle, while COBIT is about how to govern Enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing risks and resources.


These are definitely two very different things, which are complementary but differ greatly in terms of scope and objectives.


Relation Between ITIL and COBIT


IT organizations are facing the challenging, but necessary, transition to managing IT based on business priorities. They are looking to frameworks such as ITIL and COBIT to help them meet the challenge, but there is some confusion about how best to use them. ITIL and COBIT are complementary and can be used together to facilitate the transition to Business Service Management. ITIL provides a framework for best practice processes in ITSM that help IT manage resources from a business perspective. COBIT provides the framework for setting business goals and objectives, and for measuring the progress of "ITIL-izing" the organization to meet those goals and objectives.
With the combination of ITIL and COBIT, IT can meet business objectives and reap the resulting rewards, including the delivery of higher quality business services at lower costs to the organization.
A Cursory Look at the Subject


ISO 27001 is a security standard, whereas COBIT and ITIL are frameworks of best practices. ISO 27001 is often used in conjunction with ISO 27002, because ISO 27001 includes only the requirements for what needs to be done.
According to the diagram, COBIT covers more domains than ISO 27001 and ITIL. However, ITIL is easier to implement, as it comes with more checklists and procedures.
The function of COBIT is to map IT processes to business objectives. ITIL addresses service management. ISO 27001 brings companies into compliance with international standards regarding various aspects of security management, such as the establishment, implementation and improvement of information security management systems.
ITIL is quite similar to COBIT but ITIL is more IT service-based and COBIT is more process-based. In other words, the unit for measuring in ITIL is service but process in COBIT.
ITIL and ISO/IEC 27001 Relationship Matrix
The relationship matrix shows a number of the Service Transition processes within ITIL and their direct connection to the controls within ISO/IEC 27001.
The information below will help in grasping the concept of the matrix:
A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information security policy document
An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

A.5.1.2 Review of the information security policy
The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.


A.6.1 Internal organisation
Objective: To manage information security within the organisation.

A.6.1.1 Management commitment to information security
Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

A.6.1.2 Information security coordination
Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities
All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities
A management authorization process for new information processing facilities shall be defined and implemented.

A.6.1.5 Confidentiality agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.


A.6.2 External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.


A.6.2.1 Identification of risks related to external parties
Control - The risks to the organization’s information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

A.6.2.2 Addressing security when dealing with customers
Control - All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.

A.6.2.3 Addressing security in third party agreements
Control - Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements. 


A.7 Asset management

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.7.1.1 Inventory of assets
All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.


A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

A.7.2.1 Classification guidelines
Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.


A.8 Human resources security

A.8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. 

A.8.1.1 Roles and responsibilities
Control - Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization’s information security policy. 

A.8.1.2 Screening
Control - Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. 

A.8.1.3 Terms and conditions of employment
Control - As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization’s responsibilities for information security.


A.8.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
A.8.2.1 Management responsibilities
Control - Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.
A.8.2.2 Information security awareness, education and training
Control - All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
A.8.2.3 Disciplinary process
Control - There shall be a formal disciplinary process for employees who have committed a security breach.


A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

A.8.3.1 Termination responsibilities
Control - Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

A.8.3.2 Return of assets
Control - All employees, contractors and third party users shall return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.

A.8.3.3 Removal of access rights
Control - The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
A.9 Physical and environmental security
A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.
A.9.1.4 Protecting against external and environmental threats
Control - Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.
A.9.1.6 Public access, delivery and loading areas
Control - Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.


A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.
A.9.2.1 Equipment siting and protection
Control - Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
A.9.2.2 Supporting utilities
Control - Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
A.9.2.3 Cabling security
Control - Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
A.9.2.4 Equipment maintenance
Control - Equipment shall be correctly maintained to ensure its continued availability and integrity.
A.9.2.5 Security of equipment off premises
Control - Security shall be applied to off-site equipment taking into account the different risks of working outside the organization’s premises.
A.9.2.6 Secure disposal or re-use of equipment
Control - All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
A.9.2.7 Removal of property
Control - Equipment, information or software shall not be taken off-site without prior authorization.


A.10 Communications and operations management
A.10.1 Operational procedures and responsibilities.
Objective: To ensure the correct and secure operation of information processing facilities.
A.10.1.1 Documented operating procedures
Control - Operating procedures shall be documented, maintained, and made available to all users who need them.
A.10.1.2 Change management
Control - Changes to information processing facilities and systems shall be controlled.


A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

A.10.2.1 Service delivery
It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

A.10.2.2 Monitoring and review of third party services
The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.


A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.

A.10.3.1 Capacity management
Control - The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

A.10.3.2 System acceptance
Control - Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.


A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
A.10.4.1 Controls against malicious code
Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented. 
A.10.4.2 Controls against mobile code
Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing. 


A.10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.
A.10.5.1 Information back-up
Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.


A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
A.10.6.1 Network controls
Control - Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
A.10.6.2 Security of network services
Control - Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.


A.10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
A.10.8.2 Exchange agreements
Agreements shall be established for the exchange of information and software between the organization and external parties.
A.10.8.4 Electronic messaging
Information involved in electronic messaging shall be appropriately protected.


A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.
A.10.10.1 Audit logging
Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
A.10.10.2 Monitoring system use
Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.
A.10.10.3 Protection of log information
Logging facilities and log information shall be protected against tampering and unauthorized access.
A.10.10.4 Administrator and operator logs
System administrator and system operator activities shall be logged.


A.11.1 Business requirement for access control
Objective: To control access to information.
A.11.1.1 Access control policy
An access control policy shall be established, documented, and reviewed based on business and security requirements for access.


A.11.2 User access management
Objective: To ensure authorized user access and prevent unauthorized access to information systems.
A.11.2.1 User registration
There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
A.11.2.3 User password management
The allocation of passwords shall be controlled through a formal management process.
A.11.2.4 Review of user access rights
Management shall review users’ access rights at regular intervals using a formal process.
A.11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
A.11.3.1 Password use
Users shall be required to follow good security practices in the selection and use of passwords.
A.11.3.2 Unattended user equipment
Users shall ensure that unattended equipment has appropriate protection.
A.11.3.3 Clear desk and clear screen policy
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.


A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.
A.11.4.1 Policy on use of network services
Users shall only be provided with access to the services that they have been specifically authorized to use.


A.11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems. 
A.11.5.2 User identification and authentication
All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user. 


A.11.6 Application and information access control
Objective: To prevent unauthorized access to information held in application systems.
A.11.6.1 Information access restriction
Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.


A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
A.12.3.2 Key management
Key management shall be in place to support the organization’s use of cryptographic techniques.


A.12.4 Security of system files
Objective: To ensure the security of system files.
A.12.4.1 Control of operational software
There shall be procedures in place to control the installation of software on operational systems.
A.12.4.3 Access control to program source code
Access to program source code shall be restricted.
A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.
A.12.5.1 Change control procedures
The implementation of changes shall be controlled by the use of formal change control procedures.
A.12.5.2 Technical review of applications after operating system changes
When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.


A.13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
A.13.1.1 Reporting information security events
Control - Information security events shall be reported through appropriate management channels as quickly as possible.
A.13.1.2 Reporting security weaknesses
Control - All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.


A.13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
A.13.2.1 Responsibilities and procedures
Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.
A.13.2.2 Learning from information security incidents
There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.


A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
A.14.1.1 Including information security in the business continuity management process
A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization’s business continuity.
A.14.1.2 Business continuity and risk assessment
Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.
A.14.1.3 Developing and implementing continuity plans including information security
Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.


COBIT vs ISO 27001


COBIT can be used at the highest level of IT governance, providing an overall control framework based on an IT process model that is intended by ITGI to generically suit every organization. There is also a need for detailed, standardized practitioner processes. Specific practices and standards, such as ISO 27001/2, cover specific areas and can be mapped to the COBIT framework, thus providing a hierarchy of guidance materials.