Governing Information Security in Conjunction with COBIT and ISO 27001

Evaluation and Comparison of Cobit, Itil and ISO27K1/2 Standards Within the Framework of Information Security

2015

Information, like other economic assets, is a precious asset for an enterprise, so it must be properly protected. The basic way to protect it is to provide "information security". To understand information technology security, it is fundamental to understand the importance of IT management and governance concepts. In this study, the most widely practised and popular information technology security, management and governance standards, the ISO 27001 standard, COBIT (Control Objectives for Information Technology) and ITIL (Information Technology Infrastructure Library), will be investigated and compared.

An Approach to Map COBIT Processes to ISO/IEC 27001 Information Security Management Controls

Information is a fundamental asset within any organization, and the protection of this asset through a process of information security is of equal importance. COBIT and ISO 27001 are reference frameworks for information security management that help organizations assess their security risks and implement appropriate security controls. One of the most important sections of IT within the COBIT framework is information security management, which covers confidentiality, integrity and availability of resources. Since the issues raised in the information security management of COBIT are the area covered by the ISO/IEC 27001 standard, the best option for meeting the information security management requirements in a COBIT infrastructure is to use the ISO/IEC 27001 standard. For coexistence and complementary use of COBIT and ISO 27001, mapping COBIT processes to ISO/IEC 27001 controls is beneficial. This paper explores the role of information security within COBIT and describes a mapping approach from COBIT processes to ISO/IEC 27001 controls for information security management.

Cobit, Itil and ISO 27002 Alignments for Information Security Governance in Modern Organisations

Over the years, a number of methodologies and standards have been designed to help IT governance and information security within modern organizations achieve optimum processes for achieving business objectives. Companies use various mechanisms to ensure that their IT infrastructure is aligned with the objectives of the business and complies with local and global IT governance rules and regulations. Despite the vast number of options available, there has been considerable confusion among IT managers over the various methods, due to the lack of a comprehensive information governance approach. This paper proposes a comprehensive alignment of ITIL, COBIT and ISO/IEC 27002 that can be effectively used by any organization as a comprehensive solution to handle IT governance and information technology management.
Appraisal of the Effectiveness and Efficiency of an Information Security Management System Based on ISO 27001

2008 Second International Conference on Emerging Security Information, Systems and Technologies, 2008

ISO 27001:2005, as an information security management system (ISMS) standard, is establishing itself more and more as the security standard in enterprises. In 2008 more than 4457 certified enterprises were registered worldwide. Nevertheless, registering an ISMS still says nothing about the quality and performance of its implementation. Therefore, in this article, a method for measuring the performance of the implementation and operation of an ISMS is presented.

Implementation of Information Security Management System (ISMS) Aligned with ISO 27001

International Journal for Research in Applied Science and Engineering Technology, 2019

Information and information systems are an important foundation for organizations. The transfer of organizations' information and data and the use of open networks increase the risks to which information and information systems are exposed. To reduce risks and avoid damage to the organization, security measures must be taken to assure information security.

Action Design of Information Systems Security Governance for Bank Using COBIT 4.1 and Control Standard of ISO 27001

Advanced Materials Research, 2014

The aim of the study is to design remediation of information systems security governance at a bank. This study provides proposed solutions to close the existing gaps between the current condition and the expected state of the bank's information systems security governance. A case study of a commercial bank is used. Seven COBIT 4.1 process frameworks are used to measure the maturity level of information systems security governance. For these processes, appropriate controls within the frameworks of COBIT 4.1 and ISO 27001 are undertaken. As a result, the security governance of the information systems is improved. In conclusion, reliable information systems security governance is needed to achieve the intended business goals.

ISO 27001-Information Security Management Systems

2006

About the book: Modern IT managers are confronted with an overwhelming number of management frameworks, methods and methodologies, making it difficult to see the wood for the trees. In addition, many IT service providers believe they can't be taken seriously if they don't also have a proprietary framework to offer, which makes it even more difficult to find your way through the framework forest.

ISO Security Standards as a Leverage on IT Security Management

2007

Information security is a very important component in the context of an organization's dependence on ICT. The operational environment in which these technologies operate is a very complex one. Offering a good level of protection through an information security process needs a well-defined managerial framework. This paper discusses why a well-defined managerial security framework is needed in the information security area, as well as which tools can be used to build and implement such a management framework. After a short presentation, two international standards related to information security management, ISO 17799:2005 and ISO 27001, and the implications of conforming to these standards are analysed, and their advantages and limits in a security management framework are pointed out.

Information Systems Security Management: A Review and a Classification of the ISO Standards

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2010

The need for a common understanding and agreement on functional and non-functional requirements is well known and understood by information system designers. This is necessary both for designing the "correct" system and for achieving interoperability with other systems. Security is perhaps the best example of this need. If the understanding of the security requirements is not the same for all involved parties, and the security mechanisms that will be implemented do not comply with some globally accepted rules and practices, then the system that is designed will not necessarily achieve the desired security level, and it will be very difficult to interoperate securely with other systems. It is therefore clear that the role and contribution of international standards to the design and implementation of security mechanisms is dominant. In this paper we provide a state-of-the-art review of information security management standards published by the International Organization for Standardization and the International Electrotechnical Commission. Such an analysis is meaningful to security practitioners for efficient management of information security. Moreover, the classification of the standards against the clauses of ISO/IEC 27001:2005 that results from our analysis is expected to provide assistance in dealing with the plethora of security standards.