EUIST


How do ISO 17799 and Cobit complement each other?

October 24th, 2006


COBIT 4.0 complements the guidance in ISO/IEC 17799:2005 and is proving to be a significant aid to Sarbanes-Oxley (SOX) compliance.

Whereas ISO/IEC 17799:2005 covers the wider spectrum of information security requirements, COBIT (Control Objectives for Information and related Technology) provides in-depth control objectives and supporting management guidelines that focus specifically on information technology. COBIT is issued by the IT Governance Institute (http://www.itgi.org) and the Information Systems Audit and Control Association (http://www.isaca.org). It is fast becoming a key SOX compliance tool, following the recognition that IT controls are an important component in ensuring the accuracy of financial reporting and disclosure.

The ISO/IEC 17799:2005 standard comprises the following:

Introductory Sections
1 Scope
2 Terms and definitions
3 Structure of the standard

Information Security Guidance Sections
4 Risk assessment and treatment
5 Security policy
6 Organizing information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance

COBIT 4.0, by contrast, is organized into 4 domains containing 34 IT processes, as follows:

Domain PO – Plan & Organize
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects

Domain AI – Acquire & Implement

TABLE 1. Mapping COBIT 4.0 (the latest version) to ISO/IEC 17799:2005

Rows are the four COBIT 4.0 domains; columns are ISO/IEC 17799:2005 chapter numbers (4 = Risk assessment and treatment through 15 = Compliance, as listed above).

COBIT 4.0 domain            |  ISO/IEC 17799:2005 chapter no.
                            |  4   5   6   7   8   9   10  11  12  13  14  15
----------------------------|-------------------------------------------------
Plan and Organize (PO)      |  L   H   L   L   H   H   H   H   L   L   M   L
Acquire and Implement (AI)  |  H   M   M   L   M   H   L   L   L   L   L   L
Deliver and Support (DS)    |  L   H   M   H   H   L   H   M   M   M   H   M
Monitor and Evaluate (ME)   |  L   M   L   M   L   L   L   L   L   L   L   L

Key to the level of matching between COBIT 4.0 and ISO 17799:2005:
H = Reasonably good match
M = Some matching
L = Low level or no matching

The above matrix should prove useful to those also embracing COBIT within their ISO 17799 / ISO 27001 remit. Note that it maps at the level of COBIT domains, not individual processes, so it indicates where overlap is concentrated; a detailed mapping of each ISO 17799 control to the specific COBIT process (e.g. PO9, DS5) still has to be made before the two frameworks can be used as evidence for one another. Reference: http://www.controlit.org (The COBIT User Group).
