The international focus on IT governance has created a proliferation of local and international standards for IT management in general and IT security in particular. This article helps clarify which of these standards add value to IT, how to decide which standards to implement and the pitfalls encountered during implementation.
A recent publication by the American Institute of Certified Public Accountants (AICPA) [1] shows that, for the third consecutive year, information security—defined as “the hardware, software, processes and procedures in place to protect an organization’s information systems from internal and external threats”—is the number one technology concern in the US. Given the pace of today’s business processes, there is no time to reinvent the wheel; the use of best practice, including standards, must prevail.
Standards for IT management and security are drafted by consensus or compromise from best practices discussed by a large group of individuals from various organisations. In most countries, such standards are de facto (followed by convention because they are regarded as the best way to act) rather than de jure (mandatory because a law or regulation requires them). IT management and IT security standards are codified best practices and, as such, are not based on scientific facts. The term ‘folk art’ [2] describes this phenomenon best.
At the start of the 20th century, when practical uses for electricity were being developed, it was recognised that safety and international trade called for international standards for electrical appliances. This led to the foundation of the International Electrotechnical Commission (IEC). Much later, with the need for international standards in other fields (quality systems amongst many others), the International Organisation for Standardisation (ISO) [3] was founded. Since computer and telecommunication systems raise electrical issues as well as, for instance, quality issues, IEC and ISO work together in Joint Technical Committee 1 (JTC 1) on standards for this subject. [4]
Apart from recognised international standards, many national standards exist for IT management and IT security. For instance, whilst Control Objectives for Information and related Technology (COBIT) is more frequently used for IT management in the US and other countries, the IT Infrastructure Library (ITIL) is more frequently used in the UK, The Netherlands and Australia.
Most countries have local organisations that, for various reasons, publish standards. This may be because best practice is only available or applicable locally. For instance, the Dutch standard for the Dutch national flag will not be of much interest to a Mexican factory (unless it decides to step into the flag manufacturing business). However, this is not always the case. The need for project management best practice led to PRINCE2 [5] in Europe and the PMBOK [6] in the US, in spite of the fact that project management is not done much differently on the two continents.
Issues With Standards
Since standards come about through discussions among individuals, wilfulness and cultural, political and (inter)national differences have led and will always lead to a proliferation of standards; the ‘not invented here’ syndrome is prevalent.
It should be understood that folk art and the wilfulness of individuals lead to an abundance of good practices. It has been said before that the good thing about standards is that there are so many of them. This is indeed good, because when there are many standards, it is likely that one of the many standards on a particular subject can be made to fit in a certain situation. This is particularly useful when a de facto standard—an international best practice from the set of good practices—has not yet been recognised. Since standards are sometimes regarded as straitjackets, it is nice to have a choice. If COBIT will not fit, one can go for an ITIL implementation; if the NIST Handbook on security is too overwhelming, one can try ISO 17799. Professionals should use the better parts of these standards as building blocks and be prepared to deconstruct standards. As Pablo Picasso said, ‘Every act of creation is first of all an act of destruction’.
Value to IT
The value of using standards lies in not having to reinvent the wheel, which saves resources, but the biggest value lies in using the best practice of others to one’s own benefit. It would be difficult for an individual organisation to come up with a better IT management framework than COBIT or ITIL. Also, most governance regulations (such as the Sarbanes-Oxley Act in the US and the Tabaksblat code in The Netherlands) state that the organisations to which they apply must implement best practices. If the organisation bases its controls on a de facto standard, it has a defensible basis for demonstrating compliance (i.e., the risk of relying on an internally developed standard with omissions or errors is reduced by using a de facto standard). Larger organisations have learned that drafting their own security policies from scratch is often much more costly and less successful than basing their policies on ISO 17799.
Another benefit of using standards for IT management and IT security becomes obvious the moment an organisation decides to outsource part of its business; using a publicly available standard as the basis for service level agreements between the organisation and its business partners will lead to less misunderstanding and lower associated costs.
Benefit to Auditors
Auditors benefit substantially from using de facto standards. Whilst auditors in the past have created their own sets of standards, audit programmes and checklists to audit against, the use of publicly available international standards (such as COBIT, ISO 17799 and ISO 9001) leads to lower costs for both auditor and auditee and helps the auditee to understand the auditor better. It also enables the auditee to use the same standard for internal auditing as that used by the external auditor—a basis for integrated auditing. Even the auditing process itself has been internationally standardised through standards such as ISO 19011 and EA 7/03. [7]
The need for more attention to governance has also given rise to the need for certification. Judging quickly—without a costly external auditing or review process—whether doing business with an organisation is advisable is easier when this organisation can show compliance by handing over its certificate from an external, independent party that has previously assessed the quality of security of that organisation. There are currently more than 1,000 organisations [8] certified against BS 7799, [9] the de facto standard for information security management systems. Other standards for which a certification scheme exists are BS 15000, ISO 9001, the European Foundation for Quality Management (EFQM) model and TickIT.
Summary of International Tactical Standards
Within the scope of IT auditing (i.e., IT management, security, business continuity planning and the auditing process itself), the following tactical de facto standards are of particular interest:
- IT management—COBIT, BS 15000, [10] Microsoft Operations Framework and ITIL
- Project management—PRINCE2 and the PMBOK
- Security management—ISO 13335, ISO 13569 (banking and financial services), ISO 17799/BS 7799-2 (both translated into local versions in a number of countries), IT Baseline Protection Manual (Germany), ACSI-33 [11] (Australia), numerous National Institute of Standards and Technology [12] publications including the NIST Handbook (SP 800-12, USA), COBIT® Security Baseline™, ENV 12924 (medical informatics) and the Information Security Forum Standard of Good Practice [13]
- Quality management—ISO 9001, EFQM and the Baldrige National Quality Program
- Software development—TickIT, Capability Maturity Model Integration (CMMI, Software Engineering Institute)
- IT governance—COBIT, IT Governance Implementation Guide, COSO Internal Control—Integrated Framework and COSO Enterprise Risk Management—Integrated Framework, and the recent Australian standard AS 8015-2005 (corporate governance of information and communication technology)
- Risk management—Australian standard AS/NZS 4360 [14]
- BCP—British Standards Institution PAS 56 and Australian standard HB 221-2004
- Auditing—COBIT and ISO 19011
Figure 1 structures these standards into international, national and organisational standards.
Figure 1—Structure Amongst Standards. (The figure’s three-column layout, which groups each standard as an international standard, a national standard or an organisational standard or guideline, did not survive extraction. The standards shown in the figure are: ISO 13335, ISO 13569, ISO 17799, IT Baseline Protection Manual, COBIT Security Baseline and the ISF Standard of Good Practice for security management; TickIT and CMMI under software development/acquisition process improvement; the Baldrige National Quality Program; COSO Internal Control—Integrated Framework; Australian standard AS 8015; the IT Governance Implementation Guide; AS/NZS 4360 and COSO Enterprise Risk Management for risk management; and AS/NZS 4360 and HB 221-2004 for business continuity.)
Next to this considerable number of tactical standards (i.e., standards describing processes and procedures), an even larger number of operational, technical standards exist. ISO, the European Telecommunications Standards Institute and the National Institute of Standards and Technology (NIST) have published standards on issues including encryption (FIPS 197, the Advanced Encryption Standard), technical evaluation criteria for IT security (ISO 15408, the Common Criteria), contingency planning (FIPS 87) and password usage (FIPS 112). More information can be found at www.iso.ch, www.nist.gov and http://csrc.nist.gov/publications/fips/.
It is not by accident that Figure 1 mentions two recent standards for business continuity management: Publicly Available Specification 56 from the British Standards Institution and Handbook 221, Business Continuity Management, by Standards Australia. Both standards describe the strategic and operational framework for implementing resilience to disruption, interruption or loss in supplying products and services. The processes described in these standards go beyond IT disaster recovery planning. A recent Deloitte survey [15] showed that ‘...only about a third of the respondents felt they had a comprehensive BCM governance structure in place, and only half of these include executive involvement in setting and driving their programs’. Two-thirds of those surveyed indicated that they still do not have a process to ensure that an appropriate BCM programme is maintained. There is an apparent need for best practice guidance, and this is where these standards can be of much use.
Implementation of any standard that is unfit for purpose can lead to projects running out of budget due to omissions in the standard or its lack of clarity. Successful standards leave room for interpretation but, at times, this interpretation leads to problems. A standard such as ISO 17799 describes the what of security but not the how. Especially during a certification process, this can lead to discussions with the external auditor on the question of when compliance has been reached.
Families of Standards
Some of the standards mentioned previously are part of a family of standards. For instance, BS 15000, the British Standard for IT Service Management, consists of two parts. Part 1 is the specification for service management, and Part 2, the Code of Practice for Service Management, is one step lower in the hierarchy. Further down the hierarchy, ITIL gives best practice for the processes described in BS 15000, and the organisation’s in-house procedures are found below that.
A similar hierarchy is found within BS 7799-2, the specification for security management; ISO 17799, the set of best practices; and ITIL Security Management, describing the IT security processes.
Because so many good standards exist and professionals need to have several standards within their toolkits, the need to map those standards onto each other has arisen. This calls for a metastandard—a standard for standards. A metastandard enables semiscientific comparison amongst standards.
Unfortunately, such a metastandard does not exist. Any comparison or mapping tends to compare apples and oranges. As the IT Governance Institute experienced during its elaborate mapping of COBIT and ISO 17799, [16] ‘mapping cannot always be one-on-one, because the COBIT control objectives operate at a higher level and the detail of ISO/IEC 17799:2000 is much closer to the level of detail of the COBIT control practices’.
Most of the standards mentioned previously describe process properties. Technical standards, such as ISO 15408, Evaluation Criteria for IT Security (better known as the Common Criteria), describe the properties of systems in more detail. An example of a standard on process properties is ISO 9001, which is built around the plan-do-check-act (PDCA) Deming cycle for quality management.
Standards and IT Governance
Ryan Peterson [17] stresses that IT management deals with internal business orientation and short-term operational problems, whilst IT governance also focuses on external business orientation and has a longer-term perspective.
ITGI’s IT Governance Implementation Guide, available from the ISACA Bookstore, describes in great detail the steps to implementing IT governance. A number of these steps point the reader toward understanding ‘... existing preferred IT models, standards and best practices...’. The book explicitly mentions BS 7799 and ITIL for IT security and IT management. It also says (for IT governance implementation projects) to ‘...use available best practices and standards to further refine detailed improvement requirements’, clearly pointing to PRINCE2 and the PMBOK.
There clearly appears to be a need for standards when implementing IT governance.
Mapping a number of the aforementioned standards on Peterson’s model leads to Figure 2.
ITGI’s Board Briefing on IT Governance, 2nd Edition, [18] proposes a framework (see Figure 3) on which some of the standards mentioned can be mapped (see Figure 4), indicating the focus area of IT governance for which they are pivotal.
Good standards are revised regularly, whilst bad standards fade away. In this context, ‘good’ means that the standard is used by a large number of organisations. The best standard will be the most successful. Betamax was the better video recorder standard, but VHS gained the market. The next paragraph describes the revision status of a number of important security process standards.
In December 2000, Part 1 of British Standard 7799 became ISO 17799. This standard contains more than a thousand best practice security statements grouped into 127 control paragraphs. A number of countries were not positive about ISO 17799, which ISO acknowledged and which led to an immediate revision project. As a result, this year will see an improved update of this standard.
Part 2 of BS 7799 was never released as an ISO standard. Part 2 describes the same 127 paragraphs but in normative form (i.e., every ‘should’ is changed into ‘shall’, turning guidance into specification). More important, it explains the plan-do-check-act cycle for information security management. With the 2002 revision of this standard, it is now fully in line with the ISO quality standards. A project to turn Part 2 of BS 7799 into a worldwide ISO standard for security management has been started.
The five-part technical report ISO 13335— Guidelines for the Management of IT Security (GMITS)—is currently in a major revision process. It will be made more compact and more in line with ISO 17799. The result will be a two-part ISO standard (as opposed to a technical report containing ‘data of a different kind from that which is normally published as an International Standard’) on the management of information and communications technology security.
ISO Technical Report 13569, Banking and Related Financial Services—Information Security Guidelines, is also under revision. It provides guidelines on the development of an information security programme for the financial services industry. It includes discussion of the policies; the organisation; and the structural, legal and regulatory components of such a programme.
An overview of the revision status of all ISO SC27 standards is contained in the catalogue of SC27 projects and standards on the JTC1 web site.
ITGI’s Mapping Project
Recognising the importance of well-recognised standards other than COBIT, the IT Governance Institute has defined a framework for comparing standards and collections of best practices. It has also used this framework to map, at a high level, a number of standards for IT management, security and quality onto COBIT. Recently, the more detailed mapping of the control practices of COBIT to the controls of ISO 17799 has been published.
Other organisations have also mapped various standards. The German Federal Office for Information Security [19] has mapped its IT Baseline Protection Manual to ISO 17799, and the itSMF web site contains an Excel spreadsheet mapping COBIT, ISO 17799 and ITIL.
Annex C of BS 7799-2 also maps BS 7799 to ISO 9001 and ISO 14001.
No standard covers every subject in detail. The advice here is to pick and choose. Any professional in any subject should be familiar with the standards in his/her profession. The contents or philosophies behind them should be in his/her tool kit ready to be used where appropriate. For instance, ISO 17799 mentions the importance of security audits and reviews but contains no information on how to perform them. Here the COBIT audit guidelines can be used, especially now that the COBIT controls have been extensively mapped to ISO 17799. The strategic security management process itself is described in BS 7799, and the operational IT part of security management is described in ITIL’s Security Management. Security professionals should be able to build a security management system for their employers using the best of these standards.
An organisation deciding to adopt a set of standards faces a number of challenges. First, it will take time to convince everyone to work according to these standards. This investment, as well as the cost of transferring from the old way of working to the new way, is often forgotten. A standard will not always fit; adaptation, where possible, will create costs. Implementing standards, due to their formal nature, will make processes more rigid and more static. In some organisations, this can lead to problems. The dynamics of today’s business processes sometimes call for more flexibility; standards do not always provide this.
The use of standards raises the value of IT, but there is no standard that covers all aspects of IT management, security and quality. COBIT covers a large subset of all possible aspects but may need to be complemented. This is also acknowledged by ITGI. To decide where extra standards are required, the recent publication of the ITGI mapping project can be of much benefit.
[1] American Institute of Certified Public Accountants (AICPA), “2005 Top Technologies Survey,” USA, January 2005
[2] This term was first used by Donn B. Parker in Fighting Computer Crime, John Wiley & Sons, USA, 1998.
[4] Joint Technical Committee, www.jtc1.org
[5] OGC, “Managing Successful Projects with PRINCE2,” The Stationery Office, London, revised edition 2002
[6] Project Management Institute, www.pmi.org
[7] European Cooperation for Accreditation, www.european-accreditation.org
[8] See www.xisec.com for the unofficial international certificate register.
[9] See www.bsi-global.com.
[10] The two-part British Standard 15000 gives guidance and a specification for IT Service Management, www.bsi-global.com.
[11] Australian Communications-Electronic Security Instruction 33, www.dsd.gov.au/infosec/publications/acsi33.html
[14] Standards Australia, www.standards.com.au
[15] CPM Global Assurance and Deloitte & Touche LLP, 2004 Benchmark Survey on Business Continuity Management
[16] IT Governance Institute, COBIT Mapping—Mapping of ISO/IEC 17799:2000 With COBIT, www.isaca.org/cobit
[17] Peterson, Ryan R., “Information Strategies and Tactics for Information Technology Governance,” Strategies for Information Technology Governance, edited by W. Van Grembergen, Idea Group Publishing, 2003
[19] www.bsi.bund.de (German and English versions of the web site and documents are available).
Ernst Jan Oud, CISA
is senior manager with Deloitte Enterprise Risk Services. His areas of expertise are information security and business continuity management. Oud is a member of the standards committee responsible for BS 7799 in The Netherlands as well as the committee that developed and maintains the certification scheme. As a certified BS 7799 lead auditor, he is familiar with internal auditing against this standard.
Oud teaches BS 7799 at NEN, the Dutch standards institute, and business continuity at TIAS Business School. In November 2002, he published a practical guide on BS 7799 implementation. He has published a number of articles and has spoken at ISACA’s EuroCACS and Network Security Conference, and served as expert reviewer for the ITGI publication COBIT Mapping—Overview of International IT Guidance. He is writing a practical guide on business continuity management.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005