Managing security risks and fulfilling audit requirements for regulatory compliance require an end-to-end integrated, collaborative, and adaptive approach. This allows for better manageability and ensures systemwide coverage touching every aspect of the operations and infrastructure.
Global organizations require a standard framework that not only complies with the regulations of the countries in which they operate but also adheres to international regulations. This encompasses everything from privacy to security and accountability.
Because of the complexity and intricate requirements laid out by the various regulators and legislatures, those requirements often overlap, are inconsistent, and on some occasions contradict one another. Therefore, organizations need to turn to common ground: best-practice frameworks and standards that address all the requirements of security audit, risk management, IT governance, and security controls, and that meet regulatory compliance obligations.
There are two widely recognized and commonly deployed open standard frameworks that aim to address all individual IT governance, security controls and compliance requirements:
ISO/IEC 17799
COBIT
The following sections provide an overview of these two frameworks.
ISO/IEC 17799, titled "Code of Practice for Information Security Management," is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 17799 is essentially a comprehensive set of controls comprising best practices in information security.
ISO/IEC 17799 was subsequently renumbered as ISO/IEC 27002 in July 2007, bringing it in line with the other ISO/IEC 27000 series standards. ISO initiated this renaming to align the information security standards under a common naming structure, the "ISO 27000 series."
In summary, ISO/IEC 27002 provides best-practice recommendations on information security management.
To date, ISO 17799 is often used as a generic term to describe what is actually a set of two different documents:
ISO/IEC 27001 (formerly BS7799-2, the original British Standard): This is the certification standard against which an organization's Information Security Management System (ISMS) may be certified. ISO 27001 represents the capability to measure, monitor, and control security management from a top-down perspective. ISO 27001 is the actual certification that organizations can achieve by applying the best practices outlined in ISO/IEC 27002.
ISO/IEC 27002 (previously ISO 17799): This is essentially the set of security controls, measures, and safeguards for potential implementation, as well as a code of practice.
ISO/IEC 27002 has national equivalent standards in several other countries, such as
Australia and New Zealand (AS/NZS ISO/IEC 17799:2006)
Netherlands (NEN-ISO/IEC 17799:2002)
Denmark (DS484:2005)
Sweden (SS 627799)
Japan (JIS Q 27002)
Spain (UNE 71501)
United Kingdom (BS ISO/IEC 27002:2005)
Uruguay (UNIT/ISO 17799:2005)
Estonia (EVS-ISO/IEC 17799:2003)
Note
For more details about the ISO/IEC 27002 (ISO/IEC 17799) framework, refer to the following documentation URLs:
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=39612
http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=50297
COBIT, which stands for Control Objectives for Information and Related Technology, is a recognized best-practices framework and an open standard for IT controls and security, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.
COBIT was developed and used primarily by the IT community and has now become the internationally accepted framework for IT governance, IT security, and control practices.
COBIT provides users with a set of generally accepted measures, indicators, processes, and best practices to maximize the benefits derived through the use of IT systems and through the development of appropriate IT governance and security controls.
COBIT covers more than 300 specific control objectives categorized into four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.
These two frameworks complement each other.
In essence, COBIT covers a broader area in planning, operations, delivery, support, maintenance, and IT governance, whereas ISO/IEC 27002 mainly focuses on the area of information security management.
COBIT and ISO/IEC 27002 both allow the use of established best practices to simplify and unify both IT processes and internally defined controls.
Following are some of the distinct differences between ISO/IEC 27002 (ISO/IEC 17799) and COBIT:
ISO/IEC 27002 is an internationally recognized and accepted standard for implementing IT security and best practices for information security management, whereas COBIT is used mainly by the IT audit community to demonstrate risk mitigation and avoidance mechanisms.
COBIT focuses on information system processes, whereas ISO/IEC 27002 focuses on the security of the information systems.
ISO/IEC 27002 addresses control objectives, whereas COBIT addresses information security management process requirements.