HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 117
Abstract
Information security plays an important role in protecting the assets of an organization. A number of best practice frameworks exist to help organizations assess their security risks and implement appropriate security controls. Integrating security best practices such as ISO/IEC 27001 into service management best practice processes such as ITIL enables the organization to lower the overall cost of maintaining acceptable security levels, manage risks effectively and reduce overall risk levels. ITIL provides a framework of best practice guidance for information technology service management. ISO/IEC 27001 is a set of guidelines that an organization can use to design, deploy and maintain an information security management system. From an ITIL perspective, most of the security controls identified in ISO/IEC 27001 are already part of service management. This paper describes a mapping of ITIL service management processes to the controls of ISO/IEC 27001.
1 INTRODUCTION
implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within an organization. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the Plan-Do-Check-Act (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has these four phases [6, 7]:
a) Plan phase (Establishing the ISMS): Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.
b) Do phase (Implementing and operating the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
c) Check phase (Monitoring and reviewing the ISMS): Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
d) Act phase (Maintaining and improving the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS [6].
Figure 1 shows the PDCA model applied to ISMS processes.
Fig. 1. PDCA model applied to ISMS processes [5].
2.1 ISO/IEC 27001 Control Objectives and Controls
ISO/IEC 27001:2005 contains 39 control objectives and 133 specific controls, organized into 11 main sections. Table 1 shows the controls and control objectives of ISO/IEC 27001.
Table 1 (continued). Control objectives and controls of ISO/IEC 27001.

A.12 Information systems acquisition, development and maintenance
    A.12.1 Security requirements of information systems
        A.12.1.1 Security requirements analysis and specification
    A.12.2 Correct processing in applications
        A.12.2.1 Input data validation
        A.12.2.2 Control of internal processing
        A.12.2.3 Message integrity
        A.12.2.4 Output data validation
    A.12.3 Cryptographic controls
        A.12.3.1 Policy on the use of cryptographic controls
        A.12.3.2 Key management
    A.12.4 Security of system files
        A.12.4.1 Control of operational software
        A.12.4.2 Protection of system test data
        A.12.4.3 Access control to program source code
    A.12.5 Security in development and support processes
        A.12.5.1 Change control procedures
        A.12.5.2 Technical review of applications after operating system changes
        A.12.5.3 Restrictions on changes to software packages
        A.12.5.4 Information leakage
        A.12.5.5 Outsourced software development
    A.12.6 Technical vulnerability management
        A.12.6.1 Control of technical vulnerabilities
A.13 Information security incident management
    A.13.1 Reporting information security events and weaknesses
        A.13.1.1 Reporting information security events
        A.13.1.2 Reporting security weaknesses
    A.13.2 Management of information security incidents and improvements
        A.13.2.1 Responsibilities and procedures
        A.13.2.2 Learning from information security incidents
        A.13.2.3 Collection of evidence
A.14 Business continuity management
    A.14.1 Information security aspects of business continuity management
        A.14.1.1 Including information security in the business continuity management process
        A.14.1.2 Business continuity and risk assessment
        A.14.1.3 Developing and implementing continuity plans including information security
        A.14.1.4 Business continuity planning framework
        A.14.1.5 Testing, maintaining and reassessing business continuity plans
    A.15.2 Compliance with security policies and standards, and technical compliance
        A.15.2.1 Compliance with security policies and standards
        A.15.2.2 Technical compliance checking
    A.15.3 Information systems audit considerations
        A.15.3.1 Information systems audit controls
        A.15.3.2 Protection of information systems audit tools
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617