Download (Member Only, 570K)
Purchase the Book
Provide feedback on this document
Visit the COBIT - Implementation Knowledge Center community
Visit the COBIT - Use it Effectively Knowledge Center community
This document contains a detailed mapping of ISO/IEC 17799:2005 with COBIT 4.0 and also contains the classification of the standards discussed in this paper as presented in the overview document COBIT Mapping: Overview of International IT Guidance, 2nd Edition.
A brief overview of the standards mapped against each other in this document is as follows:
- COBIT—Originally released as an IT process and control framework linking IT to business requirements, it was initially used mainly by the assurance community in conjunction with business and IT process owners. With the addition of management guidelines in 1998, COBIT is now used more frequently as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework. In 2005, ITGI published COBIT 4.0.
- ISO/IEC 17799:2005—The Code of Practice for Information Security Management is an international standard based on BS 7799-1/ISO/IEC 17799:2000. It is presented as best practice for implementing information security management. The International Organization for Standardization (ISO) plans to include the standard in the ISO 2700x series, Information Security Management System, in April 2007. The new number of the standard will be 27002.
The following example depicts the process of the detailed mapping:
- ISO/IEC 17799:2005 requires in section 7.2.2 that information on different media be labelled and relevant handling procedures be defined for the information, according to the classification of the information.
- Amongst others, 7.2.2 of ISO 17799 was mapped to COBIT control objectives DS9.1 and DS9.2.
- Due to copyright and usability restriction, it is not possible to reproduce the whole original text of the mapped section of the international standard, so the relevant requirement of the standard is mentioned in the explanation of the mapping result.
This restructuring helps the target groups of this document. They can focus on auditing or implementing the controls and can check if the requirements of ISO/IEC 17799:2005 are covered.
The coverage of the mapped information requirements is noted in four levels:
- E—The requirements stated in ISO/IEC 17799:2005 exceed the requirement of COBIT. Therefore, ISO/IEC 17799:2005 should be seen as primary source for further information and guidance to improve the process or control objective.
- C—The requirements of the control objective are covered by the mapped requirements of the guidance.
- A—Some aspects of the control objectives are addressed by ISO/IEC 17799:2005, but the requirements of the control objective are not covered completely.
- N/A—There is no match between the requirements of COBIT and ISO/IEC 17799:2005.