
Best Practices Framework

Managing security risks and fulfilling audit requirements for regulatory compliance require an end-to-end integrated, collaborative, and adaptive approach. This allows for better manageability and ensures systemwide coverage touching every aspect of the operations and infrastructure.

Global organizations require a standard framework that not only complies with the regulations of the countries in which they operate but also adheres to international regulations. This encompasses everything from privacy to security to accountability.

Given the complexity and intricate requirements laid out by the various regulations and legislation, those requirements often overlap, are inconsistent, and on some occasions contradict one another. Therefore, organizations need to turn to common ground: best-practice frameworks and standards that address all the requirements of security audit, risk management, IT governance, and security controls, and that meet regulatory compliance.

There are two widely recognized and commonly deployed open standard frameworks that aim to address all individual IT governance, security controls and compliance requirements:

The following sections provide an overview of these two frameworks.

ISO/IEC 17799 (Now ISO/IEC 27002)

ISO/IEC 17799, titled "Code of Practice for Information Security Management," is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 17799 is essentially a comprehensive set of controls comprising best practices in information security.

ISO/IEC 17799 was subsequently renumbered as ISO/IEC 27002 in July 2007, bringing it in line with the other ISO/IEC 27000 series standards. ISO initiated this renaming to align the information security standards under a common naming structure, the "ISO 27000 series."

In summary, ISO/IEC 27002 provides best-practice recommendations on information security management.

To date, ISO 17799 is often used as a generic term to describe what is actually a set of two different documents:

ISO/IEC 27002 has national equivalent standards in several other countries, such as


COBIT

COBIT, which stands for Control Objectives for Information and Related Technology, is a recognized best-practices framework and open standard for IT controls and security, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.

COBIT was developed and used primarily by the IT community and has now become the internationally accepted framework for IT governance, IT security, and control practices.

COBIT provides users with a set of generally accepted measures, indicators, processes, and best practices to maximize the benefits derived through the use of IT systems and through the development of appropriate IT governance and security controls.

COBIT covers more than 300 specific control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.

Note

For more details about the COBIT framework, refer to the following documentation URLs:

http://www.isaca.org/cobit

http://www.cobit.org/

http://www.controlit.org/

http://cobitcampus.isaca.org/


Comparing 17799/27002 and COBIT

These two frameworks complement each other.

In essence, COBIT covers a broader area in planning, operations, delivery, support, maintenance, and IT governance, whereas ISO/IEC 27002 mainly focuses on the area of information security management.

COBIT and ISO/IEC 27002 both allow the use of established best practices to simplify and unify both IT processes and internally defined controls.

Following are some of the distinct differences between ISO/IEC 27002 (ISO/IEC 17799) and COBIT:
