INFORMATION SECURITY AND ISMS STANDARDS
Information security is defined as protecting the confidentiality, integrity and availability of information. It is impossible to ensure information security during business activities through technological measures alone (virus protection, firewall systems, encryption, etc.). Information security should be integrated into business processes, and thus it needs to be addressed as a business matter as well as a management and cultural problem.
INFORMATION SECURITY MANAGEMENT SYSTEMS
The objectives of this section are to provide general information concerning ISO 27001, ITIL and COBIT, including the structural characteristics of these standards and approaches and their application methodologies, and to explain these concepts in the light of this information.
A. ISO 27001
The ISO 27000 series is the family of ISO standards that focuses on information security management (ISM).
Initially known as the BS7799 standard, it was brought into the ISO catalogue when ISO decided to adopt ISMS standards as part of its own set of standards. As a result, the standard's name and number were changed and it became the ISO17799:2005 series.
To bring the Information Security Management Systems (ISMS) standard BS7799-2 in line with other IS standards, it was included in the ISO 27000 series as ISO 27001.
ISO 27001 defines methods and practices for implementing information security in organizations, with detailed steps on how these are implemented. It aims to provide reliable and secure communication and data exchange in organizations, and it stresses a risk-based approach to accomplishing its objectives.
This standard dives deep into ways to implement its sub-objectives, which puts managers who are looking for clarification on implementation at an advantage. However, it fails to achieve the goal of integrating into a larger system: it is standalone in nature and does not work as a complete ISM solution.
Figure 1 shows the inputs and outputs of the ISO process and the content of this process. This cycle, called Plan-Do-Check-Act (PDCA), also forms the basis of the ISO 27001 ISMS standard.
The ISO 27000 series of security standards constitutes a fundamental reference guide for raising the awareness of users, reducing security risks and determining the measures to be taken when security gaps are encountered. ISO 27000 itself is a standard explaining the concepts related to the ISO 27000 family of standards and providing basic information concerning information security management. While the majority of the ISO 27000 standards have been published, some of them are still in press.
B. ITIL
ITIL provides a detailed and structured series of best practice examples for managing information technology services. Owing to its process approach, ITIL allows for sound communication between client, supplier, IT department and users.
ITIL is a process and method library in which IT infrastructure and service processes are explained and standards are defined on the basis of the available best practice examples. ITIL puts forward appropriate processes and methods in order to provide IT services as a whole at maximum quality, order and continuity, to ensure maximum alignment between IT services and the business targets of institutions, and to meet customer expectations at the highest level possible.
We can list the reasons for the worldwide acceptance of ITIL as a standard as follows (OGC, 2001):
· It is available for public use
· It consists of best practices
· It is a de facto standard
· It presents a quality approach
Within ITIL, information security management is a process or function that raises awareness and takes information security risks into consideration in the background of each step of a successful IT service management system.
While the ISO standards investigate in depth, under all headings, the supporting guidelines, procedures, processes, improvements and requirements necessary for an effective and successful ISMS, ITIL does not address most of these headings in depth.
The Structure of ITIL Version 2
ITIL version 2 is delineated in a set of seven volumes; an eighth describes how to implement ITIL. Each of these volumes is described in more depth below. Version 2 focuses on aligning business units with the IT organization using technology-oriented processes.
As mentioned above, the current iteration of ITIL breaks down IT services into seven components. These are:
1. Business Perspective
2. Service Delivery
3. Service Support
4. Application Management
5. Security
6. ICT Infrastructure Management
7. Software Asset Management
C. COBIT
COBIT is a framework for information technology risk management created by the Information Systems Audit and Control Association & Foundation (ISACA) and the IT Governance Institute (ITGI). COBIT provides IT managers, auditors and users with generally accepted sets of information technology control objectives, in order to increase the benefits of using information technology and to develop and control appropriate governance for it.
COBIT is composed of four main domains:
· Planning and Organization
· Acquisition and Implementation
· Delivery and Support
· Monitoring and Evaluation
COBIT associates its 34 information technology processes with the following information criteria and information sources:
· Information criteria: efficacy, efficiency, confidentiality, integrity, continuity, compatibility, and reliability.
· Information sources: human resources, implementation systems, technology, physical environment, and data.
While the objective of ISO 20000 is to ensure the provision of information technology services at a certain service level, continuity, quality, pace and cost, COBIT places the business requirements and the nature of the business in the forefront and prefers to shape the information technology needs accordingly. The ISO 20000 standards are based on best information technology practices, whereas COBIT demonstrates how information technology will be used to reach business targets.
COBIT is generally preferred by institutions that have transferred all of their processes into an information technology environment and whose business depends on the protection of their information.
COBIT or ISO 27001?
In trying to understand whether an organization should implement either of these two frameworks, we must realize that while COBIT and ISO 27001 differ in many aspects, they do have some overlap and similarities. It is a particularly difficult decision for the manager, who is required to read deeply through both frameworks and understand which objectives are similar but worded differently, and which objectives look nearly identical in scope but are in fact vastly different because of a minor difference in wording.
As it turns out, there is more than just the above-mentioned factor for an organization to consider in choosing a preferred framework. Other factors include: alignment with the goals and objectives of the organization, relationships with other organizations following common standards, the ability to accomplish objectives with existing infrastructure and smaller budgets, risk assessment and risk management, training of employees, and many more.
CONCLUSIONS
Within the scope of this study, the COBIT, ITIL and ISO 27001/2 standards and frameworks, which guide the installation of an ISMS (in the case of COBIT, ISO 20000 and ITIL, as Information Technology Service Management Systems) or support ISMS installation from various aspects (information security, IT service continuity, IT governance, etc.), were examined from the perspectives of risk management and ISMS by addressing the applications of ITMS.
The ISO27001 / ISO27002 standards are substantially different from the COBIT and ITIL standards. While ISO27001 / ISO27002 address information security in depth from a narrow point of view, COBIT and ITIL address many information technology processes, including information security, from a broad perspective, but they are not as comprehensive as the ISO 27001 standard in terms of information security. Thus it is difficult to compare these standards.
A question of this study is “Which one of the above-mentioned standards should be applied to ensure information security?” This is a difficult question and it does not have an obvious answer; the answer differs according to the strategies, requirements and policies of the company. Even though there are many points distinguishing these standards from one another, they have much in common, especially in the field of information security.
Other factors affecting the selection are budget and authority. COBIT practices are usually implemented with funds received from the auditing budget, while ITIL and ISO27001 / ISO27002 practices generally use the IT budget. Therefore, management policy will determine the standard to be given priority.
Another question concerning these standards is which of them can be implemented more easily than the others. Implementation of ITIL practices is much easier than that of COBIT and ISO27001 / ISO27002 processes, as ITIL practices can easily be implemented separately at different times, while partial implementations of the COBIT and ISO standards are difficult.
This study is part of a more comprehensive thesis on information technology management systems, information security management systems and the importance of risk management and its effects on information security, which also contains a case study in which an ISMS implementation is performed. Based on the basic points emphasized in the study, three important points need to be taken into consideration during the implementation of an ISMS.
· Risk analysis must be as accurate as possible: a proper risk analysis allows an understanding of the system and its relationships with the surrounding assets. When a complete list of assets is analyzed in accordance with the risk analysis methodologies, the risk and impact estimates of possible problems will largely turn out to be correct and the risk measures will be sufficient to address the high risks.
· System and business continuity must be ensured: an organization develops together with its surroundings, and thus its systems and processes need to be updated to adapt to these changes. Skipping the continuous improvement approach will result in outdated and ineffective security control processes.
· An ISMS can never provide constant, 100% security: today, it is impossible to ensure 100% security in computer systems. The complexity of these systems and the high number of possibilities that an ISMS should handle make complete system security impossible in the long term. The cost of such complete security would be high; it can even exceed the cost of the system itself.
Despite these facts, information security is an appropriate field to invest in. Information assets are of crucial importance and measures to protect them are necessary. Information security can be executed successfully in a balanced and well-organised company if it is appropriate in terms of budget and planning.
In conclusion, it should be noted that information security is not a technological problem but a matter of business management. To survive in today’s competitive global economy, organizations need to protect their information assets, ensure and guarantee their business continuity, and spread these practices across the institution with a management system approach. Thus they are obliged to adopt, establish, use and spread an ISMS in line with their strategic decisions.