ITIL® and ISO/IEC 27001
How ITIL® can be used to support the delivery of compliant practices for Information Security Management Systems in IEC/ISO 27001.
This article highlights the importance of service management in information governance, security and assurance.
Information security or, to be less formal, the protection of an organisation’s information assets, has seen a serious upsurge in activity, starting in 2007/08. The momentum continues, with the majority of public sector organisations (mirrored to some extent within the commercial sector) now seriously conducting third party supplier audits and assessments.
What perhaps is less well understood is that work to protect the information asset should have been in the pipeline well before 2007/08. The upper echelons of an organisation have either failed to grasp the importance of the situation or have simply left this problem to those within the information technology (IT) domain. The ever-present USB memory stick, pre-2007/08, is a perfect example of reacting to a problem that was, and regrettably continues to be, the cause of misplaced data and information. What plans for change were implemented within the organisation to allow a USB memory stick to be used as a perfectly sound operational tool, pre-2007/08? Anecdotal evidence collected over the years suggests that the simple answer is: none.
The protection of the information asset is a corporate responsibility, and yet that message has failed to arrive in one piece. How does an organisation go from a policy of implementing ad hoc reactive measures to protect information assets to one that is structured, balanced and in tune with operational requirements? The tools have always been available via British and International codes of practice, guidelines and requirements (standards). Additional tools, within the UK, in the form of information assurance maturity models for the public sector (and perfectly valid for the commercial sector) have come on stream via the Communications Electronic Security Group (CESG). It therefore begs the question: why is there so much angst when highly skilled and experienced individuals attempt to put in place preventive measures to protect the information asset? Senior officers should always remember that implementing an IT solution is not always the first port of call.
This paper highlights procedural techniques that are utilised within the Service Management domain and that could be used to roll out positive and workable information governance, security and assurance. The notion of change, for example, and the procedures adopted within Change Management, can and should be used to positive effect throughout the organisation. Perhaps the beginnings of a unified theory are forming, the outcome of which can only be a positive step forward.
Indeed, this paper will help show that many of the existing Service Management processes and practices that may already exist within an organisation can be used to good effect for satisfying parts of the ISO/IEC 27001 international standard.
2. What is ISO/IEC 27001?
The full name of the ISO/IEC 27001 standard is “ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements”. It is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS).
The standard is designed to ensure the selection of adequate and proportionate security controls; these controls help protect information assets and give confidence to stakeholders such as customers. Individual controls are neither specified nor mandated; these are dependent on the size and type of organisation, and on what is applicable to their business.
The standard itself adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the ISMS. ISO/IEC 27001 is intended to be used in conjunction with ISO/IEC 27002, the “Code of Practice for Information Security Management”, which lists security control objectives and recommends a range of specific security controls. Organisations that implement an Information Security Management System in accordance with the advice provided in ISO/IEC 27002 are likely to meet the requirements of ISO/IEC 27001 for certification.
The ISO/IEC 27001 standard is one of the growing ‘family’ of ISO/IEC 27000 series of standards and was published in October 2005. These standards are derived from BS 7799 and provide generally accepted good practice guidance on Information Security Management Systems designed to protect the confidentiality, integrity and availability of the information content and information systems.
3. Control Objectives and Controls
One of the key aspects of ISO/IEC 27001 is “Annex A – Control objectives and controls”. This table lists the 11 control areas of the standard, their associated control objectives (39 in total) and the 133 controls themselves. Controls are required to be put in place so that an organisation can manage the risks to their information security, and are implemented relative to the greater business risks of the organisation as a whole.
The control objectives and their controls form the Code of Practice (ISO/IEC 27002) and it is here where ITIL can play an important part in supporting the delivery of many aspects of the listed controls.
It should be noted though, that ITIL won’t ‘do it all’ if you are seeking to obtain ISO/IEC 27001 certification, but it will certainly ease the path to achieving that objective. Indeed, for those organisations already operating a mature ITIL framework, they will find that many of their processes and activities that are already in place will make implementing the information security controls that much easier, and quite likely for less cost and much quicker than would otherwise be the case.
4. How can ITIL help?
Fox IT and QT&C Group Ltd have performed a mapping exercise that looked at each of the 11 information security control areas. The individual control objectives and controls were reviewed, the associated implementation recommendations for each control were assessed, and connections were built to the relevant ITIL v3 processes that would support delivery of each individual control – either fully or in part (see examples in Section 5).
The exercise produced the following number of relationships between ISO/IEC 27002 and ITIL:
| Area | Control area | Number of relationships |
|------|--------------|-------------------------|
| A.6 | Organisation of Information Security | 22 |
| A.8 | Human Resources Security | 10 |
| A.9 | Physical and Environmental Security | 13 |
| A.10 | Communications and Operations Management | 32 |
| A.12 | Information Systems Acquisition, Development and Maintenance | 12 |
| A.13 | Information Security Incident Management | 7 |
| A.14 | Business Continuity Management | 5 |
As you can see from the above numbers, many of the controls and their associated implementation recommendations can be supported by processes and activities that form part of the ITIL framework; some of these are explored further in Section 5.
The extract below, taken from the relationship matrix, shows a number of the Service Transition processes within ITIL and their direct connection to the controls within ISO/IEC 27002.
In the following section, a number of specific examples will be reviewed, to show exactly where and how ITIL can be used to support the delivery of individual controls.
5. ITIL and ISO/IEC 27002 Controls
5.1. Change Management
As can be seen in the extract of the relationship matrix above, six of the eleven control areas show direct relationships to Change Management. A.6.1 Internal Organisation, within A.6 Organisation of Information Security, has the following control: A.6.1.4 – Authorisation process for information processing facilities.
The control here is for a ‘Management authorisation process for new information processing facilities, to be defined and implemented’. Fox IT recommends that where authorisation is required, a change request should be raised and the Change Management process followed.
Another relationship can be found in A.9 Physical and Environmental Security, more specifically A.9.2 Equipment Security. The control for A.9.2.6 – Secure disposal or re-use of equipment states ‘All items of equipment incorporating storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal’. The recommendation for this control is that devices containing information need to be destroyed physically and/or erased with appropriate tools to prevent any reuse of the data; re-used equipment also needs careful erasure to ensure no data is readable.
To support this activity, and to ensure that the requirements are successfully fulfilled, it is recommended that a change request be raised and hence the Change Management process will be initiated – this will ensure that the Information Asset Owner (IAO) receives formal notification. The IAO will advise on what action needs to be performed – which may include performing an additional risk assessment.
Similarly, A.9.2.7 – Removal of property states ‘Equipment, information or software should not be taken off-site without prior authorisation’. This is another clear example where a suitable authorisation procedure is required, together with the appropriate level of authorisation (i.e. via the Change Management process). A.9.2.7 also has an interface to Service Asset & Configuration Management, as the equipment should be recorded as being off-site in the configuration management database (CMDB).
5.2. Access Control
Looking elsewhere away from Service Transition, A.11 Access Control is broken down into seven control objectives, the majority of which can be found to have relationships with aspects of ITIL. As with all of the controls, ITIL doesn’t necessarily provide an all-encompassing answer (or answers), but ITIL processes can support and deliver many of the individual controls, or parts of the controls, that are required by the ISO/IEC 27002 Code of Practice.
The ITIL Service Operation book has a process called Access Management, and it is relatively easy to relate this process to A.11 Access Control. One of the seven control objectives of this control area is A.11.2 User Access Management, which in turn is broken down into the following four controls:
- A.11.2.1 User registration
- A.11.2.2 Privilege management
- A.11.2.3 User password management
- A.11.2.4 Review of user access rights
When looking at the specific control statements for each of these, and their associated implementation recommendations, it is quite simple to see that the Access Management process within ITIL supports the delivery of the above – and, providing the appropriate Access Policy is in place, will go a long way to satisfying the controls that are required.
To further support the relationship between ITIL and the international standard, one of the implementation recommendations is that changes are logged for any amendments to user access rights. This provides a clear and distinct relationship to the Change Management process within ITIL – indeed, for many organisations this will already be performed.
5.3. Multiple relationships
Another good example of how the implementation of information security controls can be assisted by the existence of a mature ITIL framework is the control objective A.6.2 External Parties within A.6 Organisation of Information Security. The third control within this objective is A.6.2.3 – Addressing security in third party agreements.
The implementation advice for this control covers many areas, but can be directly linked to the following ITIL processes:
- “Clear process for change management” – Change Management.
- “Service continuity process” – IT Service Continuity Management.
- “Problem resolution process” – Problem Management.
- “Product or service descriptions” – Service Catalogue Management.
- “Clear reporting process” – Service Reporting.
- “Service targets and other contractual responsibilities such as those found in contracts” and “Conditions of early termination/renegotiation of agreements” – Supplier Management.
Indeed, taking the whole of A.6.2 External Parties there are also links to Access Management, Risk Management and Service Level Management.
6. Other Standards
The mapping exercise that was performed highlighted relationships across all five ITIL books, and more specifically across the majority of processes within those books. Supplier Management is one of a number of processes that were not in the original core ITIL v2 books, Service Support and Service Delivery, but it is a distinct element of ISO/IEC 20000, the international standard for IT Service Management.
Although the process is now included within the Service Design book, many organisations will have implemented this process as part of their activities for achieving ISO/IEC 20000 certification.
If this is the case, then look at how your existing process and underlying activities can support the relevant information security controls as listed within ISO/IEC 27002. And not just for Supplier Management: review all of your processes and see where there are synergies that can be maximised. The same can also be said for other standards such as “ISO 9001 – Quality management systems” and “BS 25999 – Business continuity management”, and no doubt many others.
As we have seen, there are many relationships between ITIL and ISO/IEC 27001 (including ISO/IEC 27002). Having a mature Service Management framework will assist greatly in achieving compliant controls that support an Information Security Management System.
It is important to remember that there are many aspects of ISO/IEC 27001 where ITIL will not provide the ‘answers’. But what ITIL will do is assist you with many of the control aspects required by the international standard. So make a start by looking at your current Service Management framework and look for opportunities to utilise existing processes and practices as part of the security controls and ISMS that must be implemented.
As the saying goes, there is ‘no need to re-invent the wheel’. For example, if your existing Change Management process can support the information security controls, then use it. It may need adapting a little, but that will likely be a lot more effective (and certainly more efficient) than starting from scratch.