Razieh Sheikhpour
Ardakan University
All content following this page was uploaded by Razieh Sheikhpour on 26 July 2017.
Abstract— Information security plays an important role in protecting the assets of an organization. A number of best practice frameworks exist to help organizations assess their security risks and implement appropriate security controls. Integrating security best practices such as ISO/IEC 27001 into service management best practice processes such as ITIL enables an organization to lower the overall cost of maintaining acceptable security levels, to manage risks effectively and to reduce overall risk levels. ITIL provides a framework of best practice guidance for information technology service management. ISO/IEC 27001 is a set of guidelines that an organization can use to design, deploy and maintain an information security management system. From an ITIL perspective, most of the security controls identified in ISO/IEC 27001 are already part of service management. This paper describes a mapping of ITIL service management processes to the controls of ISO/IEC 27001.
1 INTRODUCTION
implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within an organization. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization’s ISMS. The PDCA cycle has these four phases [6, 7]:

a) “Plan” phase – Establishing the ISMS: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

b) “Do” phase – Implementing and operating the ISMS: Implement and operate the ISMS policy, controls, processes and procedures.

c) “Check” phase – Monitoring and reviewing the ISMS: Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.

d) “Act” phase – Maintaining and improving the ISMS: Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS [6].

Figure 1 shows the PDCA model applied to ISMS processes.

Fig.1. PDCA model applied to ISMS processes [5].

2.1 ISO/IEC 27001 Control Objectives and Controls
ISO/IEC 27001:2005 contains 39 control objectives and 133 specific controls, organized into 11 main sections. Table 1 shows the controls and control objectives of ISO/IEC 27001.
Table 1. Control objectives and controls of ISO/IEC 27001

A.12 Information systems acquisition, development and maintenance
  A.12.1 Security requirements of information systems
    A.12.1.1 Security requirements analysis and specification
  A.12.2 Correct processing in applications
    A.12.2.1 Input data validation
    A.12.2.2 Control of internal processing
    A.12.2.3 Message integrity
    A.12.2.4 Output data validation
  A.12.3 Cryptographic controls
    A.12.3.1 Policy on the use of cryptographic controls
    A.12.3.2 Key management
  A.12.4 Security of system files
    A.12.4.1 Control of operational software
    A.12.4.2 Protection of system test data
    A.12.4.3 Access control to program source code
  A.12.5 Security in development and support processes
    A.12.5.1 Change control procedures
    A.12.5.2 Technical review of applications after operating system changes
    A.12.5.3 Restrictions on changes to software packages
    A.12.5.4 Information leakage
    A.12.5.5 Outsourced software development
  A.12.6 Technical vulnerability management
    A.12.6.1 Control of technical vulnerabilities

A.13 Information security incident management
  A.13.1 Reporting information security events and weaknesses
    A.13.1.1 Reporting information security events
    A.13.1.2 Reporting security weaknesses
  A.13.2 Management of information security incidents and improvements
    A.13.2.1 Responsibilities and procedures
    A.13.2.2 Learning from information security incidents
    A.13.2.3 Collection of evidence

A.14 Business continuity management
  A.14.1 Information security aspects of business continuity management
    A.14.1.1 Including information security in the business continuity management process
    A.14.1.2 Business continuity and risk assessment
    A.14.1.3 Developing and implementing continuity plans including information security
    A.14.1.4 Business continuity planning framework
    A.14.1.5 Testing, maintaining and reassessing business continuity plans

  A.15.2 Compliance with security policies and standards, and technical compliance
    A.15.2.1 Compliance with security policies and standards
    A.15.2.2 Technical compliance checking
  A.15.3 Information systems audit considerations
    A.15.3.1 Information systems audit controls
    A.15.3.2 Protection of information systems audit tools
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 121