compliances, itil, security

ISO 17799, 2700x and COBIT shorthand

February 19, 2010

The 27000 standard contains 11 security control clauses, which together hold 39 main security categories, plus one introductory clause on risk assessment and treatment. The number of categories in each clause is given in parentheses:

1. Security Policy (1)
2. Organizing Information Security (2)
3. Asset Management (2)
4. Human Resources Security (3)
5. Physical and Environmental Security (2)
6. Communications and Operations Management (10)
7. Access Control (7)
8. Information Systems Acquisition, Development and Maintenance (6)
9. Information Security Incident Management (2)
10. Business Continuity Management (1)
11. Compliance (3)

ISO 27001 domains to focus on

4. Establish an ISMS
   4.1 Study ISMS requirements
   4.2 Develop your ISMS
   4.3 Document your ISMS

5. Manage your ISMS
   5.1 Show that you support your ISMS
   5.2 Manage your ISMS resources

6. Audit your ISMS
   - Establish an audit procedure
   - Plan your internal audits
   - Conduct internal audits
   - Take remedial actions

7. Review your ISMS
   7.1 Perform management reviews
   7.2 Examine management review inputs
   7.3 Generate management review outputs

8. Improve your ISMS
   8.1 Continually improve your ISMS
   8.2 Correct nonconformities
   8.3 Prevent nonconformities

The COBIT-based security baseline provides key controls and a mapping to ISO 17799. It consists of:

1. Information security survival kits, providing essential awareness messages
2. IT governance guideline
3. Generic IT process guideline
4. For each of the 34 IT processes:
   • one maturity model
   • 5 to 7 KGIs (key goal indicators)
   • 8 to 10 CSFs (critical success factors)
   • 6 to 8 KPIs (key performance indicators)

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are focused strongly on control and less on execution. These practices help optimize IT-enabled investments, ensure service delivery, and provide a measure against which to judge when things do go wrong.

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:

1. Making a link to the business requirements
2. Organizing IT activities into a generally accepted process model
3. Identifying the major IT resources to be leveraged
4. Defining the management control objectives to be considered

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes, in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.

ISO 17799 domains

1. Security policy
2. Organizational security
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. System development and maintenance
9. Business continuity management
10. Compliance

The Information Technology Infrastructure Library (ITIL®) is a framework of best-practice approaches intended to facilitate the delivery of high-quality information technology (IT) services. ITIL outlines an extensive set of management procedures intended to help businesses achieve both financial quality and value in IT operations. These procedures are supplier-independent and have been developed to provide guidance across the breadth of IT infrastructure, development, and operations.

www.bestitdocuments.com