ITIL-İSO-COBİT


8/20/2019 ITIL-İSO-COBİT 1/12

What Is ITIL

ITIL is an IT Service Management framework that aligns IT with the needs of the business. ITIL key areas of focus include Services, Lifecycle Phases, Processes, Roles, and Functions. No doubt, ITIL has made its way to being the most popular and well known Service Management solution, and has proven its utility. Although early adopters of ITIL were generally large corporations, it is finally escaping the “it's for big companies only” curse, and more small to mid-sized businesses are finding the practices useful. ITIL is a great starting point for IT Service Providers who are just beginning to drive process discipline, and it also provides structure and accountability around an already mature organization. The biggest advantage is how ITIL uses Continual Service Improvement to provide a constant feedback mechanism to help you ensure that what you are delivering is in line with customer expectations.

Overview of ITIL

What Is COBIT

Today, COBIT is internationally recognized as the “go to” solution for IT governance, with aspects in security, quality and compliance. Its focus is not necessarily on how to execute a process, but rather on what should be done to ensure proper control of that process. Therefore, you won't technically implement COBIT processes from the bottom up, but use it as a tool to help you control processes from the top down as part of a larger governance initiative. This is a very constructive and useful tool. Starting out as a tool designed for IT auditors to assist in the control of IT, it has grown into a model to help companies meet compliance and statutory requirements as well. It helps you understand IT systems, and guides decisions around the level of security and control that is necessary to protect assets through the leverage of an IT governance model. More specifically, it bridges the gap among control requirements, technical issues, and business risks rather than focusing on the actual process (i.e. ITIL), and enables policy development and good IT control practices. Generally speaking, COBIT is the broadest of all IT related frameworks and bodies of knowledge today.

Overview of COBIT

What Is ISO 27001

It is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls; these controls help protect information assets and give confidence to stakeholders.

The standard itself adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the ISMS. ISO/IEC 27001 is intended to be used in conjunction with ISO/IEC 27002, the “Code of Practice for Information Security Management”, which lists security control objectives and recommends a range of specific security controls.

    COBIT vs ITIL

     

COBIT and ITIL have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises.

COBIT is broader than ITIL in its scope of coverage. It is based on four principles (meeting stakeholder needs; covering the enterprise end to end; applying an integrated framework; separating governance from management) and seven enablers (principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies).

The distinction between the two is sometimes described as “COBIT provides the ‘why’; ITIL provides the ‘how.’”


confusion about how best to use them. ITIL and COBIT are complementary and can be used together to facilitate the transition to Business Service Management. ITIL provides a framework for best practice processes in ITSM that help IT manage resources from a business perspective. COBIT provides the framework for setting business goals and objectives, and measuring the progress of “ITIL-izing” the organization to meet those goals and objectives. However, ITIL is easier to do, with more checklists and procedures.

The function of COBIT is to map IT processes to business objectives. ITIL is to address service management. ISO 27001 is to get companies compliant with international standards regarding various aspects of security management, such as the establishment, implementation and improvement of information security management systems.

ITIL is quite similar to COBIT, but ITIL is more IT service-based and COBIT is more process-based. In other words, the unit of measurement in ITIL is the service, but in COBIT it is the process.

ITIL and ISO/IEC 27001 Relationship Matrix

The relationship matrix shows a number of the Service Transition processes within ITIL and their direct connection to the controls within ISO/IEC 27001.


The information below will help in grasping the concept of the matrix:

A.5.1 Information Security Policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information Security Policy document
An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

A.5.1.2 Review of the Information Security Policy
The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

A.6.1 Internal organization
Objective: To manage information security within the organisation.

A.6.1.1 Management commitment to information security
Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

A.6.1.2 Information security coordination
Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities
All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities
A management authorization process for new information processing facilities shall be defined and implemented.

A.6.1.5 Confidentiality agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.

A.6.2 External parties
Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties
Control - The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.


A.6.2.2 Addressing security when dealing with customers
Control - All identified security requirements shall be addressed before giving customers access to the organization's information or assets.

A.6.2.3 Addressing security in third party agreements
Control - Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities, shall cover all relevant security requirements.

A.7 Asset Management

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.7.1.1 Inventory of assets
All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

A.7.2.1 Classification guidelines
Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

A.8 Human resources security

A.8.1 Human resources security prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

A.8.1.1 Roles and responsibilities
Control - Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy.

A.8.1.2 Screening
Control - Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

A.8.1.3 Terms and conditions of employment
Control - As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.

A.8.2 Human resources security during employment
Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

A.8.2.1 Management responsibilities
Control - Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

A.8.2.2 Information security awareness, education and training
Control - All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

A.8.2.3 Disciplinary process
Control - There shall be a formal disciplinary process for employees who have committed a security breach.

A.8.3 Human resources security: termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

A.8.3.1 Termination responsibilities
Control - Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

A.8.3.2 Return of assets
Control - All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement.

A.8.3.3 Removal of access rights
Control - The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9 Physical and environmental security

A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.

A.9.1.4 Protecting against external and environmental threats
Control - Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.

A.9.1.6 Public access, delivery and loading areas
Control - Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.

A.9.2.1 Equipment siting and protection
Control - Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.9.2.2 Supporting utilities
Control - Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.9.2.3 Cabling security
Control - Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

A.9.2.4 Equipment maintenance
Control - Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.9.2.5 Security of equipment off-premises
Control - Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises.

A.9.2.6 Secure disposal or re-use of equipment
Control - All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

A.9.2.7 Removal of property
Control - Equipment, information or software shall not be taken off-site without prior authorization.

A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.

A.10.1.1 Documented operating procedures
Control - Operating procedures shall be documented, maintained, and made available to all users who need them.

A.10.1.2 Change management
Control - Changes to information processing facilities and systems shall be controlled.

A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

A.10.2.1 Service delivery
It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

A.10.2.2 Monitoring and review of third party services
The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.

A.10.3.1 Capacity management
Control - The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

A.10.3.2 System acceptance
Control - Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.

A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.

A.10.4.1 Controls against malicious code
Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.

A.10.4.2 Controls against mobile code


Logging facilities and log information shall be protected against tampering and unauthorized access.

A.10.10.4 Administrator and operator logs
System administrator and system operator activities shall be logged.

A.11.1 Business requirement for access control
Objective: To control access to information.

A.11.1.1 Access control policy
An access control policy shall be established, documented, and reviewed based on business and security requirements for access.

A.11.2


A.11.6.1 Information access restriction
Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.

A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

A.12.3.2 Key management
Key management shall be in place to support the organization's use of cryptographic techniques.

A.12.4 Security of system files
Objective: To ensure the security of system files.

A.12.4.1 Control of operational software
There shall be procedures in place to control the installation of software on operational systems.

A.12.4.3 Access control to program source code
Access to program source code shall be restricted.

A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.

A.12.5.1 Change control procedures
The implementation of changes shall be controlled by the use of formal change control procedures.

A.12.5.2 Technical review of applications after operating system changes


of information security incidents to be quantified and monitored.

A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

A.14.1.1 Including information security in the business continuity management process
A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.

A.14.1.2 Business continuity and risk assessment
Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.

A.14.1.3 Developing and implementing continuity plans including information security
Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

COBIT vs ISO 27001

COBIT can be used at the highest level of IT governance, providing an overall control framework based on an IT process model that is intended by ITGI to generically suit every organization. There is also a need for detailed, standardized practitioner processes. Specific practices and standards, such as ISO 27001/2, cover specific areas and can be mapped to the COBIT framework, thus providing a hierarchy of guidance materials.
