
Information Security

by Jose Fabio Segura

Information security has gained importance within IT governance as a control that protects the primary assets of a company, because IT management includes in its policies measures to ensure that information is correctly protected. Some organizations, however, are unsure which standard to apply in this area.

For this reason it is important to be clear about the role that standards such as COBIT or ISO 17799:2005 play when implemented, because each takes a different approach to information security. First, as Lineman notes, they are not mutually exclusive and can be used together: ISO 17799:2005 focuses only on information security, whereas COBIT covers more general information technology controls.

The scope of COBIT with regard to information security, in particular the section DS5 Ensure Systems Security, focuses on:

Information Security Management: processes associated with governance, policy, monitoring, incident management and management of the information security function.

Information Security Operations Management: processes associated with the implementation of security configurations.

Information Security Technology Management: processes associated with the selection and maintenance of security technologies.

The ISO series of standards, by contrast, offers a wide set of options specific to information security, for example:

27000: Information Technology, Information Security Management, Fundamentals and Vocabulary.

27001: (BS7799-2:2002) Information Technology, Security Techniques, Information Security Management Systems, Requirements.

27002: (ISO 17799:2005) Information Technology, Security Techniques, Code of Practice for Information Security Management.

27003: ISMS Implementation Guidance (in development).

27004: Information Security Management Measurement (in development).

27005: Information Security Risk Management (in development).

27006: Information Technology, Security Techniques, Requirements for Bodies Providing Audit and Certification of Information Security Management Systems.

A principal criticism of COBIT, according to Woodbury, is that it describes what needs to be done only in broad generalities and never describes how each of these control objectives is to be accomplished or implemented in order to simplify IT governance.

Thus, COBIT has broader coverage of general information technology topics, but does not contain as many detailed information security requirements as ISO 17799:2005.

In conclusion, depending on the focus and the level of detail that an organization wants to assign to IT management with respect to information security, that effort can be deepened through certification in ISO 17799:2005, in order to implement best practice in this subject area.

Bibliography

Palomino, D. (2007). La evolución del estándar ISO 27001. Retrieved Friday 6 August 2010 from http://seguinfo.wordpress.com/2007/09/02/la-evolucion-del-estandar-iso-27001/

Lineman, D. (2006). COBIT or ISO 17799? Retrieved Friday 6 August 2010 from http://infosecuritypolicy.blogspot.com/2006/03/cobit-or-iso17799.html

Woodbury, C. (2004). COBIT Security. Retrieved Friday 6 August 2010 from http://www.skyviewpartners.com/pdf/COBIT_Security.pdf

ISACA (2010). Information Security Management Audit/Assurance Program. Retrieved Friday 6 August 2010 from http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx