ISO 27002 vs. COBIT – Security information planning
Examines the effectiveness of information security planning

The more interaction an organization has with the business world, the greater the need becomes to introduce new technologies to help it stay competitive. Today, businesses rely on technology to generate and store huge amounts of information. However, more technology and more exposure can mean a higher risk of being targeted by all kinds of unauthorized attacks on IT systems, attacks that can compromise the safety and security of an organization.
Information security becomes important when an organization decides that its assets should be protected against threats and when it establishes measures to protect their confidentiality and integrity.
To obtain such protection, an organization must go beyond merely thinking about such measures and develop information security planning through an Information Security Management System (ISMS). The organization must manage a plan that helps it define what should be done to ensure the security of its information assets, its IT and the associated risks. This is where best practices or frameworks such as ISO 27002 or COBIT provide a structured methodology.
What is information security planning?
Information security planning is the information security design for an organization. It sets the organizational and functional standards and policies for activity, defines the responsibilities of each participant in the process of IT assurance, and specifies the safeguards, countermeasures and procedures that will prevent, detect and respond to threats and vulnerabilities affecting the security of information assets.
To develop the plan, it is necessary to perform a series of prior activities that give an exact account of the need for protection, namely to:
- classify the information assets that need protection, such as critical business services and processes
- identify the internal and external threats that could expose those assets, and the vulnerabilities or weaknesses they could exploit
- identify and assess risk, calculating the probability that threats will occur and that vulnerabilities of information assets will be exploited
- establish the risk treatment options, which are applied through safeguards and countermeasures to reduce the risk.
What are safeguards and countermeasures?
In the presence of a vulnerability (a weakness of an asset or group of assets that can be exploited by one or more threats, as defined in ISO/IEC 13335-1:2004), the organization must establish safeguards or measures that define what must be achieved. These are better known as control objectives.
Problem: Lack of information security awareness
Solution:
- Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations (ISO 27002 – 5.1)
- Communicate management aims and direction (COBIT – PO6).
Against a threat (a potential cause of an unwanted incident, which may result in harm to a system or organization; for more information see ISO/IEC 13335-1:2004), the organization must establish countermeasures: the actions applied to achieve the control objectives. These actions verify, analyze and measure whether an activity, process, service or system is meeting the expected results, and are otherwise known as controls.
Why ISO 27002 and COBIT?
In general, the standards:
- are internationally designed and tested tools that provide effective actions for IT assurance
- enable organizations to adapt them to their own needs, based on their particular circumstances
- enable effective action and response when dealing with regulatory entities.
In particular, the COBIT framework, geared to general management, allows sponsors and those responsible for IT to control and manage IT governance, and provides the basis for the design of information security planning. It treats information and technology as the organization's most important assets, to be managed within strategic guidelines, and covers approving and providing the resources necessary to establish the security plan.
ISO 27002 covers best practice for information security: the elements needed to manage security, guidelines for structuring security planning, the controls necessary to implement security in the organization, and key actions to minimize the risks that can jeopardize information security.
In conclusion, ISO 27002 and COBIT provide the elements necessary to develop information security planning, not only because they can be readily adapted to business best practice, but also because they address the organizational strategy perspective, which helps in understanding IT and security requirements. The standards also help in designing policies and procedures, and in implementing and operating controls that manage risks and add value to the protection of information as a core asset of the organization.
About the author
Mónica María Toro García is an IRCA ISMS auditor and manages technology auditing. She is also a BSI lead auditor and is certified in risk and information systems control.

