[Review Journal] Information Security Governance: COBIT or ISO 17799 or Both?
“Information Security Governance: COBIT or ISO 17799 or Both?”
Basie von Solms
Computers & Security (2005) 24, 99-104
Information Security governance has become an established and recognized component of Corporate Governance, and specifically of Information Technology governance: ‘Corporate Governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of organizations’ overall (corporate) governance program’ (Information Security Governance: A Call to Action).
The question companies are asking is therefore: ‘What is the best reference framework for an Information Security governance environment for our company?’ The two options investigated are COBIT (2000) and ISO 17799 (ISO/IEC 17799, 2000).
This paper will not compare these two options, but will rather argue that the two frameworks are complementary, and that both are very good choices as reference frameworks for Information Security governance. Used together, they provide a synergy which can be very beneficial to companies.
In COBIT Mapping: Mapping of ISO/IEC 17799:2000 with COBIT, a detailed mapping between COBIT and ISO 17799 is provided. Every COBIT DCO (Detailed Control Objective) is investigated, and the corresponding ISO 17799 objectives and/or sub-objectives, if any, are indicated. This clears up the lack of clarity referred to in the previous section.
Suppose the company does not have a comprehensive Information Technology governance plan, but the Information Security Department (ISD) has been proactive and has started using ISO 17799 as an information security management guideline. The Risk Management Department (RMD), or the Audit Department, or someone else, now decides to use COBIT as an enterprise-wide IT Governance framework, and expects the ISD to follow suit.
The benefit of the complementary approach discussed above is that the ISD does not have to change anything: using the mapping, they can immediately inform the RMD (or whoever owns the COBIT initiative) precisely which COBIT DCOs have already been implemented through ISO 17799. The RMD can carry on and create their enterprise-wide plan knowing where Information Security governance fits in, and what has already been done.
Suppose, as above, that the Information Security Department (ISD) has been proactive, and has started using ISO 17799 as an information security management guideline.
An IT audit is scheduled, and the auditors (internal or external) will be using COBIT as their IT audit framework. Without the complementary approach discussed above, and without using the mapping, serious disagreement between the auditors and the ISD can arise, because apples are being compared with pears, or existing apples are expected to be pears, even though they actually are apples that merely look like pears! This scenario is not uncommon in the author’s experience.
Using the mapping, the auditors can from the beginning inform the ISD which ISO 17799 objective- and sub-objective-driven control measures they will expect to be in place. The ISD also knows what they are in for. Apples are compared with apples!
The company had implemented an enterprise-wide IT governance framework based on COBIT, and the ISD had subsequently also based their governance plan on some COBIT DCOs (probably DS 5, Ensure Systems Security, and some others).
The ISD now decides to use ISO 17799, maybe because of its more detailed contents, or maybe because the company has decided to get officially certified against ISO 17799 (at the time, formal certification was against BS 7799-2, the management-system specification that accompanied the ISO 17799 code of practice), or for whatever reason. Using the mapping, the ISD can now easily determine which of the ISO 17799 objectives and sub-objectives are already satisfied through their use of COBIT, and which must still be given attention. Again a seamless move is possible. Several more similar scenarios are possible, but those discussed above clearly make the point.
Company A, having an IT governance framework based on COBIT, takes over company B, which has an Information Security governance framework based on ISO 17799. The benefit of the complementary approach, made possible by the mapping (COBIT Mapping: Mapping of ISO/IEC 17799:2000 with COBIT), should be clear.
The appearance of the mapping (COBIT Mapping: Mapping of ISO/IEC 17799:2000 with COBIT) has been timely, and will definitely help to make the very useful content provided by COBIT and by ISO 17799 much more useful in implementing comprehensive and standardized Information Security governance environments.