Documente Academic
Documente Profesional
Documente Cultură
net/publication/228444915
CITATIONS READS
82 5,926
3 authors:
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Heru Susanto on 23 May 2014.
standard in implementing ISMS for organizations. These security management." The second part of BS7799 was first
overviews will help readers easily understand functions, published by BSI in 1999, known as BS 7799 Part 2, titled
behaviors and position of each on the big figure and whole "Information Security Management Systems - Specification with
ISMS’s strategies. guidance for use", BS 7799-2 focused on how to implement
ISMS, referring to the information security management
structure and controls identified in BS 7799-2, which later
II.1. ISO27001
became ISO 27001. The 2002 version of BS 7799-2 introduced
the Plan-Do-Check-Act (PDCA) (Deming quality assurance
ISO, founded on February 23, 1947, promulgates worldwide
model) [figure 3], aligning it with quality standards such as ISO
proprietary industrial and commercial standards, has
9000. BS 7799 Part 2 was adopted by ISO as ISO 27001 in
headquarters in Geneva, Switzerland [8]. It has 163 national
November 2005 [16].
members out of the 203 total countries in the world [figure 2].
The international standard of ISO 27001 specifies the
requirements for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving a
documented ISMS within an organization [25].
II.3. PCIDSS
II.2. BS 7799
assessed annually. Organizations handling large volumes of the IT Governance Institute (ITGI) in 1996 [9]. They believe
transactions must have their compliance assessed by an that it is a set of practices (framework) for IT management.
independent assessor called by Qualified Security Assessor COBIT is an IT governance framework and supporting toolset
(QSA) [21], while companies handling smaller volumes have that allows managers to bridge the gap between control
the option of demonstrating compliance via a Self-Assessment requirements, technical issues, business risks, and security
Questionnaire (SAQ). issues. COBIT has five IT Governance areas of concentration
[12], [23]:
II.4. ITIL
• Strategic alignment focuses on ensuring the linkage of
business and IT plans; defining, maintaining and validating
The Information Technology Infrastructure Library (ITIL)
the IT value proposition; and aligning IT operations with
concept emerged in the 1980s, when the British government
enterprise operations.
determined that the level of IT service quality provided to them
was not sufficient [19]. ITIL is a set of concepts and practices • Value delivery is about executing the value proposition
for Information Technology Services Management (ITSM), throughout the delivery cycle, ensuring that IT delivers the
Information Technology (IT) development and IT operations, promised benefits against the strategy, concentrating on
which has parts focus on security. optimizing costs and proving the intrinsic value of IT.
III. FEATURES
Figure 5. The ITIL components Alfantookh2009 [2], defined 11 essential control, called by
11EC, that should be implemented by an organization, as
The ITIL originated as a collection of books, each covering requirements and compliance of the information security
a specific practice within IT Service Management, was built criteria by the standard body of ISMS [2], [6] due to these
around a process-model based view of controlling and features as basis of parameters and benchmarks for fulfillment
managing operations often credited to W. Edwards Deming and of information security which is most comprehensively cover
his plan-do-check-act (PDCA) cycle [4], as IT Services all aspects must be owned, these 11EC are [8], [24]:
Management Standards and Best Practices [18] contains of 8
main components[figure 5], they are: Service Support, Service 1. Information Security Policy: how an institution expresses
Delivery, ICT Infrastructure Management, Security its intent with emphasized to information security, means
Management, Application Management, Software Asset by which an institution's governing body expresses its
Management, Planning to Implement Service Management, intent to secure information, gives direction to
Small-Scale Implementation. management and staff and informs the other stakeholders
of the primacy of efforts.
II.5. COBIT
2. Communications and Operations Management: defined
The Control Objectives for Information and related
policy on security in the organization, in reducing security
Technology (COBIT) is a certification created by ISACA and
Launched
February 23, 1947 1995 15 December 2004 1980s 1996
on
18,500 International 6 main components on 8 main components + 6 main components on
Standards & 27,000 active standards
Standards standard 5 components version 3 standard
Components [13],[16]
[8],[15],[17] [20],[21] [10],[18], [19] [10],[22],[23]
Certified Information
Systems Auditor™
(CISA®)
Certified Information
Security Manager®
Certificate Certificate of Certificate of Certificate of PCI-DSS Certificate of ITIL (CISM®)
Name ISO 27000 Series BS 7799: 1-2 Compliance Compliance Certified in the
Governance of Enterprise
IT® (CGEIT® )
Certified in Risk and
Information Systems
Control TM (CRISCTM)
163 national members out 110 national members out 125 countries out of the
Usability of the 203 total countries of the 203 total countries 203 total countries in the 50 international chapters 160 countries
in the world in the world world
V. CONCLUSION REMARKS [6] Heru Susanto & Fahad bin Muhaya. Multimedia Information Security
Architecture. @ IEEE. 2010.
Each standard playing its own role and position in [7] Heru Susanto, Mohammad Nabil Almunawar & Yong Chee Tuan.
I-SolFramework View on ISO 27001. Information Security Management
implementing ISMS, several standards such as ISO 27001 and System: Refinement Integrated Solution’s Six Domains. Journal of
BS 7799 focusing on information security management system Computer, Asian Transaction. July 2011.
as main domain and their focus on, while PCIDSS focus on [8] ISO History and Definition. www.iso.org
information security relating to business transactions and smart [9] IT Governance Institute. COBIT 4.1 Excerpts. 2007. Rolling Meadows,
IL 60008 USA
card, then ITIL and COBIT focuses on information security and [10] IT Governance Institute. Mapping of ITIL v3 with COBIT 4.1. 2008.
its relation with the Project management and IT Governance Rolling Meadows, IL 60008 USA
[figure 8]. Refers to the usability of standards in global, [11] The Government of the Hong Kong. An Overview of Information
indicated that ISO (27001) leading than four other standards Security Standards. 2008. Hongkong.
[12] Overview on COBIT.
especially on ISMS, therefore it described us the standard is http://www.benchmarklearning.com/COMMUNITIES/ITIL/cobit.aspx
more easily implemented and well recognized by stakeholders [13] Overview on British Standard. http://www.bsigroup.com/en/Standards-
(top management, staff, suppliers, customers/clients, and-Publications/About-BSI-British-Standards/
regulators). We can analogous ISO (27001) is like a global [14] http://www.isaca.org/KnowledgeCenter/COBIT/Pages/Overview.aspx
[15] http://www.iso.org/iso/about/discover-iso_isos-name.htm
language in standards and benchmarking on ISMS, such as [16] http://www.isms-guide.blogspot.com/2007/11/key-components-of-
English as an international language, with level of usability and standard-bs-7799-iso.html
trust reach more than 80% of the world [figure 2]. [17] http://www.iso.org/iso/about.htm
[18] http://www.itil.org/en/vomkennen/itil/ueberblick/index.php
[19] http://www.itil-
officialsite.com/faq.aspx?category=General+FAQs&btnSubmit=Open
VI. RECOMMENDATION AND FUTURE RESEARCH [20] https://www.pcisecuritystandards.org/security_standards/index.php
[21] http://www.retrievernpc.com/cms/pci-compliance/certificate-of-pci-dss-
As the international language of standards and recognized compliance/
globally, authors recommend further research in refinement of [22] http://technet.microsoft.com/en-us/library/ff758651.aspx
ISO (27001). Purposed of refinement is to make more easily [23] http://searchsecurity.techtarget.com/feature/Introduction-to-COBIT-for-
understood, implemented, and easily measured in an SOX-compliance
[24] https://wiki.internet2.edu/confluence/display/itsg2/
organization by stakeholders. Refinement expected translating Human+Resources+Security+(ISO+8)
and interpreting high level language of terms, technical nature [25] http:// wikipedia.org/wiki/ISO
and details on the subject of ISMS assessments to Heru Susanto is a researcher at The Indonesian Institute of Sciences,
understandable human being parlance. Information Security & IT Governance Research Group, also was working at
Prince Muqrin Chair for Information Security Technologies, Information Security
Research Group, King Saud University. He received BSc in Computer Science
from Bogor Agriculture University, in 1999 and MSc in Computer Science
VII. ACKNOWLEDGMENT from King Saud University, nowadays he as PhD Candidate in Information
System from the University of Brunei Darussalam. Heru has published many
This paper is one part of the big research which topic of papers in refereed journals as well as international conferences.
framework for refinement information security management Mohammad Nabil Almunawar is a senior lecturer at Faculty of Business,
system as tools of integrated solutions. This research is Economics and Policy Studies, University of Brunei Darussalam. He received
master Degree (MSc Computer Science) from the Department of Computer
supported by FBEPS University of Brunei Darussalam (UBD), Science, University of Western Ontario, Canada in 1991 and PhD from the
The Indonesian Institute of Sciences and Prince Muqrin Chair University of New South Wales (School of Computer Science and Engineering,
(PMC) for IT Security, King Saud University (KSU). UNSW) in 1997. Dr Nabil has published many papers in refereed journals as
well as international conferences. He has many years teaching experiences in
the area computer and information systems. He was a respected consultant in
VIII. REFERENCES developing information systems for United Nations (WHO) projects, Central
Bank of Indonesia and some private companies. His overall research interest is
[1] Alan Calder and Setve Watkins. IT Governance – A Manager’s Guide to application of IT in Management and Electronic Commerce. He is also
Data Security and ISO 27001 and ISO 27002 interested in object-oriented technology, databases and multimedia retrieval.
[2] Abdulkader Alfantookh. An Approach for the Assessment of The Yong Chee Tuan is a senior lecturer at Faculty of Business, Economics and
Application of ISO 27001 Essential Information Security Controls. Policy Studies, University of Brunei Darussalam, has more than 20 years of
Computer Sciences, King Saud University. 2009 experience in IT, HRD, e-gov, environmental management and project
[3] Basie von Solms. 2005. Information Security Governance: COBIT or management. He received PhD in Computer Science from University of Leeds,
ISO 17799 or both? Computer&Security Journal. Elsevier.Science Direct UK, in 1994. He was involved in the drafting of the two APEC SME Business
[4] Basie von Solms. 2005. Information Security Governance – Compliance Forums Recommendations held in Brunei and Shanghai. He sat in the E-gov
Management vs Operational Management. Computer & Security Journal. Strategic, Policy and Coordinating Group from 2003-2007. He is the vice-chair
Elsevier, Science Direct of the Asia Oceanic Software Park Alliance. He has been appointed as the
[5] Basie von Solms & Rossouw von Solms. 2004. The 10 deadly sins of regular judge of the APICTA since 2001. He is the country representative in the
Information Security Management. Computer & Security 23(2004) 371- UNDP Digital Review Publications.
376. Elsevier Science Ltd.