COBIT Mapping to ISO/IEC 17799:2000 With COBIT 


The 2nd edition of COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT updates the publication with references to COBIT 4.0, which was published in December 2005.

There are two notable international standards in use today: COBIT and ISO/IEC 17799:2000. When approaching management to implement these standards, IT security and assurance professionals are asked:

  • Can we use COBIT instead of ISO/IEC 17799:2000?
  • Why do we need to follow two standards?
  • What are the differences between these two standards?
  • How do we use these two standards?
  • Can we use these two standards together to meet regulatory compliance?

Originally, COBIT was released and used primarily by the IT assurance community. After the addition of the Management Guidelines in 1998, COBIT became the internationally accepted framework for IT governance and control, providing management tools such as metrics and maturity models to complement the control framework.

ISO/IEC 17799:2000, The Code of Practice for Information Security Management, is an international standard based on BS 7799-1. It is presented as best practice for implementing information security management.

As COBIT is an internationally recognized standard for the control and governance of IT, and ISO/IEC 17799 is equally recognized and established in the field of information security management, the two standards do not compete with each other; in fact, they are mutually complementary. COBIT is by its nature broader, while ISO/IEC 17799 tends to go deeper in the area of security.

A high-level mapping, COBIT Mapping: Overview of International IT Guidance, 2nd Edition, was published by ITGI in 2006. That publication presents a broad overview of several standards for IT governance, including ISO/IEC 17799:2000, in relation to COBIT. The objectives of ISO/IEC 17799 were mapped at a high level to the control objectives of COBIT.

For the detailed mapping, ISO/IEC 17799 was split into small pieces of information (information requirements). These information requirements of ISO/IEC 17799 were then mapped in detail to the COBIT control objectives: almost 1,000 information requirements were mapped to 316 COBIT control objectives. The detailed mapping document describes how the two standards are interrelated and how all detailed requirements of ISO/IEC 17799:2000 can be integrated with COBIT.

  Match between ISO/IEC 17799:2000 objectives and COBIT processes, by COBIT domain and process number:

  COBIT Domain               1  2  3  4  5  6  7  8  9 10 11 12 13
  Plan and Organize          -  +  -  +  +  +  -  o
  Acquire and Implement      +  o  o  o  +
  Deliver and Support        -  +  o  +  +  -  +  o  o  +  +  +
  Monitor and Evaluate       -  o  -

(+) Good match (more than two ISO/IEC 17799:2000 objectives were mapped to the COBIT process)
(o) Partial match (one or two ISO/IEC 17799:2000 objectives were mapped to the COBIT process)
(-) No or minor match (no ISO/IEC 17799:2000 objective was mapped to the COBIT process)
(Blank, shaded in the original) Process does not exist in that domain

The mapping document provides a very good overview of both standards, COBIT as well as ISO/IEC 17799:2000. The paper is a thorough source of information for all stakeholders responsible for, and interested in, IT governance, information security management and their respective controls. It provides clear insight into how COBIT and ISO/IEC 17799 interrelate and fit together.

It is especially useful for IT and information security managers responsible for addressing these issues, particularly when implementing COBIT, ISO/IEC 17799 or both. The paper is a valuable source and a useful guideline for implementing these standards in organizations of any size, geography or industry. It will help to improve the completeness and quality of such implementations and reduce their cost.