International Journal of Technical Research and Applications e-ISSN: 2320-8163,
www.ijtra.com Special Issue 11 (Nov-Dec 2014), PP. 22-24
22 | P a g e
EVALUATION AND COMPARISON OF COBIT, ITIL AND ISO27K1/2 STANDARDS WITHIN THE FRAMEWORK OF INFORMATION SECURITY
Yavuz Ozdemir, Huseyin Basligil, Pelin Alcan, Bahadir Murat Kandemirli
Industrial Engineering Dept.,
Yildiz Technical University,
Istanbul, Turkey
ozdemiry@yildiz.edu.tr, basligil@yildiz.edu.tr, palcan@yildiz.edu.tr, muratkandemirli@gmail.com
Abstract: Information, like other economic assets, is a precious asset for an enterprise, so it must be properly protected. The basic way to protect it is to provide "information security". To understand information technology security, it is fundamental to understand the importance of IT management and governance concepts. In this study, the most widely practised and popular information technology security, management and governance standards, the ISO 27001 standard, COBIT (Control Objectives for Information Technology) and ITIL (Information Technologies Infrastructure Library), will be investigated and compared.
Index Terms: Information Security Management System (ISMS), Information Technologies Management Systems (ITMS), ISO/IEC 27001, ISO/IEC 27002, CobIT, ITIL.
I. INTRODUCTION AND LITERATURE REVIEW
Although some computer security problems are caused unintentionally by users, others are caused by malicious people who wish to damage the system. With the spread of the internet, the number and variety of attacks on computer communications have increased [1]. On the other hand, these attacks drove the development of security solutions such as authentication, authorization and antivirus programs.

In the internet environment, the first substantial damage to information systems was caused by the internet worm developed by Robert Morris. This computer worm emerged in 1988 and caused damage worth $200–5300 to each computer affected. As a result, it abused the trust placed in the internet and had negative impacts on internet users and those considering using it [1, 2, 3]. As a consequence of the substantial damage caused by this computer worm, the Computer Emergency Response Team (CERT) was established in order to intercept such computer attacks and to raise user awareness of attacks and their effects [4]. Despite such mechanisms aimed at protection and prompt intervention, attackers still cause serious damage to information systems.
Many research and development projects have been carried out, and are still being carried out, by a great number of institutions and countries in order to take proactive measures against harmful software and attacks and to maintain security in information systems. Antivirus software, firewalls, VPN software/hardware, attack detection and protection systems, content controllers and central management software have all been developed in these projects. Besides these technical solutions, researchers also strive to develop standards and frameworks to ensure the safe and secure design and management of information systems [3, 5, 6]. The European Union allocated 32% of its total budget, amounting to 32,365 million euro, to support research and development projects in the fields of security and information and communication technologies within the 7th Framework programmes during 2007–2013 [7].
Management strategies for information technology systems should be determined before information security concepts so that an Information Security Management System (ISMS) can be implemented. The objectives of such standards as COBIT (Control Objectives for Information Technology), referred to as Information Technologies Management Systems (ITMS), ISO 20000-1,2 / ITIL (Information Technologies Infrastructure Library) and COSO (Committee of Sponsoring Organizations of the Treadway Commission) include rendering information technology services accessible to customers at the desired level and maintaining the surveillance, observability, scalability, functionality, efficiency, reliability and continuity of information technology systems. When all the concepts referred to by the standards concerning information systems are taken into consideration, seven basic concepts stand out: efficacy, efficiency, confidentiality, integrity, accessibility, compatibility and reliability. Standards provide information about these concepts at different levels. Today, management generally assists IT professionals in using and managing technology during IT processes. ITIL is the most common process in service management applications.

The aforementioned COBIT, ITIL and ISO 27001 standards are the most widely accepted and most frequently used standards throughout the world. However, they may not always be compatible with the structures of all organizations, for a variety of reasons. In this paper, the ISO 27001, COBIT and ITIL standards will be addressed in terms of their strong aspects, basic focal points and compatibility with ISMS.
The remainder of the paper is organized as follows: information security and ISMS standards are introduced in Section 2. Section 3 describes information security management systems. Section 4 focuses on information security criteria. Some concluding remarks are made in Section 5.
II. INFORMATION SECURITY AND ISMS STANDARDS
Information security is defined as protecting the confidentiality, integrity and accessibility of information. It is impossible to ensure information security during business activities through technological measures alone (virus protection, firewall systems, encoding, etc.). Information security should be integrated into processes, and thus it needs to be addressed as a business matter as well as a management and cultural problem.
III. INFORMATION SECURITY MANAGEMENT SYSTEMS
The objectives of this section are to provide general information concerning ISO 27001, ITIL and COBIT, including the structural characteristics of these standards and approaches and their application methodologies, and to explain these concepts in the light of this information.
A. ISO 27001
Figure 1 shows the inputs and outputs of the ISO process and the content of this process. This system, called a Plan-Do-Check-Act (PDCA) cycle, also forms the basis of the ISO 27001 ISMS standard [8].
Fig. 1. PDCA cycle used to revise the processes of the ISO 20000 series
The ISO 27000 series security standards constitute a fundamental reference guide in raising the awareness of users, reducing security risks and determining the measures to be taken when security gaps are encountered.
ISO 27000 is a standard explaining the concepts related to the ISO 27000 family of standards and including basic information concerning information security management. While the majority of the ISO 27000 standards have been published, some of them are still awaiting publication.
B. ITIL
ITIL provides a detailed and structured series of best practice examples for managing information technology services. ITIL allows for sound communication between client, supplier, IT department and users owing to its process approach. ITIL is a process and method library in which IT infrastructure and service processes are explained and standards are defined in the light of the available best practice examples. ITIL puts forward appropriate processes and methods in order to provide IT services as a whole at maximum quality, order and continuity, to ensure maximum harmonization between IT services and the business targets of institutions and to meet customer expectations at the highest level possible. We can list the reasons for the worldwide acceptance of ITIL as a standard as follows (OGC, 2001) [9, 10]:
• It is available for public use
• It consists of best practices
• It is a de facto standard
• It presents a quality approach
Information security management is a process or function that raises awareness and takes into consideration, in the background, the information security risks for each step of a successful IT service management system within ITIL [10]. While the ISO standards investigate in depth, under all headings, the supporting guidelines, procedures, processes, improvements and requirements necessary for an effective and successful ISMS, ITIL does not address most of these headings in depth.
C. COBIT
COBIT is a framework for information technologies risk management created by the Information Systems Audit and Control Association & Foundation (ISACA) and the IT Governance Institute (ITGI). COBIT provides generally accepted sets of information technologies control targets for information technologies managers, auditors and users, in order to increase the benefits of using information technologies and to develop and control appropriate governance for information technologies. COBIT is composed of four main domains:
• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring and Evaluation
COBIT associates 34 information technologies processes with the following information criteria and sources:
• Information criteria: efficacy, efficiency, confidentiality, integrity, continuity, compatibility and reliability.
• Information sources: human resources, implementation systems, technology, physical environment and data.
While the objective of ISO 20000 is to ensure the provision of information technologies services at a certain service level, continuity, quality, pace and cost, COBIT places the business requirements and the nature of the business in the forefront and prefers to shape the information technologies needs accordingly. The ISO 20000 standards are based on best information technologies practices, whereas COBIT demonstrates how information technologies will be used for business targets. COBIT is generally preferred by institutions that have transferred all of their processes into an information technologies environment and whose business lives depend on the protection of their information.
IV. INFORMATION SECURITY CRITERIA
Within the scope of confidentiality, integrity and accessibility, as stated in the ISMS, the information security criteria necessary for ensuring information security can be listed as: security policy, organization security, classification/audit of assets, personnel security, physical/environmental security, communication management, access control, system development, business continuity management, information security event management and compatibility [11].
Figure 2 displays the standard structuring of these domains. Each domain includes information concerning managerial, technical and physical measures. In other words, they include activities from the managerial level to the executive level [12].
Fig. 2. ISMS control schema (ISO/IEC 27K)
V. CONCLUSIONS
Within the scope of this study, the COBIT, ITIL and ISO 27001/2 standards and frameworks, which guided the installation of an ISMS with respect to the COBIT, ISO 20000 and ITIL Information Technologies Service Management Systems or supported ISMS installation from various aspects (information security, IT service continuity, IT governance, etc.), were examined from the aspects of risk management and ISMS by addressing the applications of ITMS.
The ISO27001 / ISO27002 standards are substantially different from the COBIT and ITIL standards. While the ISO27001 / ISO27002 standards address information security in depth from a narrow point of view, the COBIT and ITIL standards address many information technologies processes, including information security, from a broad perspective, but they are not as comprehensive as the ISO 27001 standard in terms of information security. Thus it is difficult to compare these standards.
A question of this study is "Which one of the abovementioned standards should be applied to ensure information security?" This is a difficult question to answer and it does not have an obvious answer. Its answer differs according to the strategies, requirements and policies of the company. Even though there are a lot of points distinguishing these standards from one another, they have much in common, especially in the field of information security.
Other factors affecting the selection are budget and authorities. COBIT practices are usually implemented with funds received from the auditing budget, while ITIL and ISO27001 / ISO27002 practices generally use the IT budget. Therefore, management policy will determine the standard to be given priority.
Another question concerning these standards is which standard can be implemented more easily than the others. Implementation of ITIL practices is much easier than that of COBIT and ISO27001 / ISO27002 processes, as ITIL practices can easily be implemented separately at different times, while partial implementations of the COBIT and ISO standards are difficult.
This study is part of a more comprehensive thesis study of information technologies management systems, information security management systems and the importance of risk management and its effects on information security, which also contains a case study in which an ISMS application is performed. Based on the basic points emphasized in the study, three important points need to be taken into consideration during the implementation of an ISMS:
• Risk analysis must be as accurate as possible: a proper risk analysis allows an understanding of the system and its relationships with the surrounding assets. When a complete list of assets is analyzed in accordance with the risk analysis methodologies, risk and effect estimates of possible problems will largely turn out to be correct and risk measures will be sufficient to overcome high risks.
• System and business continuity must be ensured: an organization develops together with its surroundings, and thus systems and processes need to be updated to adapt to these changes. Skipping the continuous improvement approach will result in old and ineffective security control processes.
• An ISMS can never provide constant and 100% security: today, it is impossible to ensure 100% security in computer systems. The complexity of these systems and the high number of possibilities that an ISMS should handle make complete system security impossible in the long term. The cost of such complete security will be high; it can even exceed the cost of the system.
Despite these facts, information security is an appropriate field to invest in. Information assets are of crucial importance and measures are necessary for them. Information security can be executed successfully in a balanced and well-organised company if it is appropriate in terms of budget and planning.

In conclusion, it should be noted that information security is not a technological problem but a matter of business management. Organizations need to protect their information assets, ensure and guarantee their business continuity and spread these at the institutional level with a management system approach to survive in today's competitive global economy. Thus they are obliged to adopt, establish, use and spread an ISMS in line with their strategic decisions.
REFERENCES
[1] L. DeNardis, "A History of Internet Security," in The History of Information Security: A Comprehensive Handbook, Elsevier, 2007.
[2] B. P. Kehoe, "Zen and the Art of the Internet," CERT Advisory CA-90:01, 1990.
[3] M. Kara, H. Basci, "Bilgi sistemleri güvenliği araştırmalarının yönü," TUBITAK UEKAE, http://www.bilgiguvenligi.gov.tr/guvenlik-teknolojileri/bilisim-sistemleri-guvenligi-arastirmalarinin-yonu.htm, 2010.
[4] M. B. Salem, S. S. Hershkop, S. J. Stolfo, "A Survey of Insider Attack Detection Research," Advances in Information Security, vol. 39, pp. 69-90, 2008.
[5] "ISO/IEC 27001, Information Technology - Security Techniques - Information Security Management Systems - Requirements," 2005.
[6] "System Security Engineering Capability Maturity Model V 3.0," http://www.sse-cmm.org/docs/ssecmmv3final.pdf, 2011.
[7] T. Skordas, "Next Generation Networks: Evolution and Policy Considerations," OECD Foresight Forum, Budapest, 2006.
[8] B. Alpay, "Implementation of ITIL (Information Technology Infrastructure Library) Security Management Processes in Middle/Big Companies," MSc Thesis, Halic University, Istanbul, 2008.
[9] "ISO/IEC 20000-1," 2005.
[10] H. Esener, "Service Management System," MSc Thesis, Yildiz Technical University, Istanbul, 2005.
[11] TSE, "Information Technology, Practice Principles for Information Security Management," November 2002.
[12] B. Jacquelin, R. Saint-Germain, "The BS 7799 / ISO 17799 Standard," https://www.callio.com/files/wp_iso_en.pdf, 2006.