IT Security Management: Aligning with ISO 27000 and ISO 20000

by Soumya Ghorpode

Introduction

In the current digital age, IT security management matters more than it ever has. As cyber threats grow, organizations are constantly searching for ways to protect their sensitive information and infrastructure from attack. Many firms have turned to international standards such as ISO 27000 and ISO 20000, which provide a full set of tools for managing information security and IT service delivery respectively.

This paper looks at the importance of IT security management, the benefits of aligning with ISO 27000 and ISO 20000, and how to develop an IT Information Security Process Playbook.

The Importance of IT Security Management

IT security is a key element in protecting an organization’s digital assets, including its data, systems, and networks. A strong IT security management system helps to:

  • Protect sensitive information: Robust security controls let organizations prevent unauthorized access, theft, or misuse of confidential data.
  • Ensure business continuity: A sound IT security plan carries the organization through a cyber attack or system failure.
  • Comply with regulatory requirements: Many sectors, notably healthcare and finance, are subject to strict regulation on the protection of sensitive information, and organizations must follow it.
  • Enhance customer trust: By demonstrating their commitment to information security, companies earn the trust of customers and partners, which is key to long-term success.

Benefits of Aligning with ISO 27000 and ISO 20000

ISO 27000 is an international standard that sets out a framework for information security. It presents best practices for establishing, operating, and continually improving an organization’s information security management system (ISMS). Aligning with ISO 27000 brings:

  • Improved security posture: Using the ISO 27000 framework as a guide for information security management, organizations can keep effective security measures in place at scale to protect against potential threats.
  • Reduced risk of cyber attacks: The standard helps organizations identify and mitigate information security risks, which reduces the chance of a successful cyber attack.
  • Increased customer trust: By adopting the ISO 20000 standard, organizations can demonstrate their focus on information security, which increases customer trust.
  • Competitive advantage: Organizations that meet the ISO 27000 standard gain an edge over competitors without a solid information security management system.

ISO 20000 is the international standard for IT service management. It provides a framework for delivering high-quality IT services that meet the needs of customers and stakeholders. The benefits of implementing ISO 20000 are:

  • Improved service quality: Adopting ISO 20000 helps organizations deliver IT services consistently and efficiently, meeting the needs of customers and stakeholders.
  • Enhanced customer satisfaction: The standard helps organizations determine what their customers want and require, raising satisfaction with IT services.
  • Reduced costs: Organizations with improved IT service management processes have reported lower costs of delivering IT services, including the cost of outages and support issues.
  • Increased agility: Organizations can adapt to changing business requirements, so IT services better meet the needs of the organization.

Creating an IT Information Security Process Playbook

To implement ISO 27000 and ISO 20000 effectively, organizations are recommended to put together an IT Information Security Process Playbook. This playbook should set out the organization’s IT security management strategy, including:

  • Roles and responsibilities: Define each person’s role in IT security management so that the team understands which digital assets it is responsible for protecting.
  • Policies and procedures: Develop sound policies and procedures that govern IT security, and make sure they align with the requirements of ISO 27000 and ISO 20000.
  • Risk management: Build a risk management framework that identifies risks to the company’s IT security and puts solutions in place for them.
  • Incident response: Develop a security incident response plan that details the actions to take in the event of a security breach or system failure, so the organization recovers quickly and limits damage.
  • Continual improvement: Establish a framework for ongoing review and improvement of the organization’s IT security management, including measures to protect against emerging threats.

IT Security Management: Your Playbook for ISO 27001 and ISO 20000 Alignment

The growing use of digital systems and the ever-changing landscape of cyber threats make strong IT security management a requirement. Businesses are under great pressure to protect private data and keep their operations running smoothly. This article presents a full plan for bringing IT security management into line with ISO 27001, which covers Information Security Management Systems, and ISO 20000, which covers IT Service Management.

ISO 27001 is the framework for establishing, operating, maintaining, and continually improving an Information Security Management System. ISO 20000 sets the standard for IT service management (ITSM). Together they form a strong set of tools: they make security a basic element of how services are delivered rather than an add-on. This playbook walks you through the main steps for achieving that alignment.

The Foundation: Understanding ISO 27001 and ISO 20000

What is ISO 27001?

ISO 27001 is a framework organizations use to put an information security management system in place. Its aim is to keep information confidential, intact, and available: it protects your trade secrets, ensures data is accurate, and lets you access what you stored at any time. The standard also makes sure that only authorized people have access to sensitive information and that it is not altered.

Key aspects of ISO 27001 include its Annex A controls, a set of security measures you may put in place. The standard also uses a Plan-Do-Check-Act cycle: you plan your security, put it into practice, check that it is working, and then improve what does not. ISO 27001 certification brings many benefits: improved data protection, increased customer trust, and help in meeting legal requirements.

What is ISO 20000?

ISO 20000 is a framework for IT services that organizations large and small can use. It is mainly concerned with putting effective IT service management practices in place, which includes the smooth delivery of IT services and customer satisfaction. The standard places great emphasis on service delivery itself, on how you interact with your customers, and on improving your processes.

The standard includes the core service management processes. Incident management handles IT issues as they arise. Problem management identifies and resolves the root cause of those issues. Change management covers what it takes to implement changes to IT systems safely. Service level management sets out what to expect in terms of service quality. ISO 20000 also covers support for IT services and their alignment with the business’s own goals.

The Synergistic Relationship

The two standards go very well together. They complement each other and together give a complete picture of how to run IT in your business. Think of building a house: ISO 27001 is the security system and ISO 20000 is the operating manual for how the house runs day to day. Together they provide a full solution for IT governance.

Security is present throughout a service’s lifecycle. ISO 27001 controls, such as management of access to systems, are integrated into ISO 20000 processes, so security is not an afterthought. Both standards also use a risk-based approach: they ask what the risks are and how to address them, which helps organizations put their security resources where they matter most.

Aligning IT Security Management with ISO 27001

Establishing the ISMS

Setting up an Information Security Management System in accordance with ISO 27001 involves a few basic steps. First, clearly define the boundaries of your ISMS: which information, which systems, and which areas are covered? Being clear on that point makes the whole process go more smoothly. You will also need an Information Security Policy, the primary document that sets out how security is to be approached in your organization.

A large part of this is risk assessment and treatment. You have to identify the information security risks you face, how severe they are, and what it takes to reduce their impact. Regular vulnerability assessments are also recommended; these are the tests you run to find the weak points in your systems. Penetration testing helps to find the gaps that attackers may use.

Implementing Security Controls (Annex A)

ISO 27001 Annex A sets out a large number of control objectives and specific controls. These are put in place as action points to improve security. Access control is a key area: it covers what information and systems people may access, and how. For example, a company may use multi-factor authentication (MFA), which requires, beyond a password, something you have or something you are; this blocks most unauthorized access attempts.

Cryptography is another key component; it sets the rules for using encryption to protect data. Also consider physical and environmental security, which protects IT infrastructure from threats such as theft and fire. Operations security covers the day-to-day use of IT systems, including protection against malware and making sure backups are done properly. Bodies such as NIST publish excellent guidance on access control and proper encryption that can guide you toward better security.

Continual Improvement of the ISMS

An ISMS is a living entity that you must attend to; it does not survive on a one-time implementation. Periodic reviews and improvements keep it relevant. Also carry out regular internal audits, which report on the health of your ISMS: what is working well and what may need improvement.

Top management must also conduct a scheduled review of the ISMS. This “management review” confirms that the system is still aligned with business requirements and addresses present threats. Where issues, or non-conformities, are identified, corrective actions must follow: solutions are put in place to fix the issues and improve security performance over time.

Integrating Security into IT Service Management (ISO 20000)

Service Strategy and Design with Security in Mind

Security must be a basic element of service planning from the beginning, not an afterthought. As you put together new IT services, include security requirements. What does this service do to keep itself safe? How will it protect user data?

This means designing secure services from the start. Security elements should be built into the way your IT services are set up and configured. The security-by-design approach has proven successful: for all new IT services and systems, plan for security first. It also helps avoid expensive fixes later.

Service Transition and Operation with Security Controls

Managing security as IT services go live and move into daily operation is a key issue. Change management is especially valuable here. Before making any change to IT services, carry out a security impact assessment. For instance, a formal change process can require a security review of every IT infrastructure change, to make sure a new update does not introduce a security risk.

Incident response must cover security incidents. Make sure there are definite steps for detecting, responding to, and recovering from security issues. Configuration management is also very important; its scope includes all IT assets and their compliance with security baselines.

Service Improvement and Security Performance Monitoring

It is important to monitor and improve how IT service management approaches security. SLAs may include security elements, so you can make security-related promises and track whether they are met. Performance is measured by tracking key security metrics, which also helps to identify the areas that need improvement.

Poor security has a great financial impact: the average cost of a data breach runs to many millions, as reported by sources such as IBM’s Cost of a Data Breach Report. Companies that do better in this respect often set up a Security Operations Center (SOC). That team stays on top of security issues at all times, which helps you respond faster and more efficiently.

Building a Comprehensive IT Security Process Playbook

Defining Key Security Processes

Your IT security playbook must detail all required security activities. A large component is asset management, which covers the identification and classification of all IT assets: what information do you have, where does it reside, and how critical is it? Also put in place a robust risk management framework to identify and handle risks in a structured way.
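The risk assessment and treatment step described under “Establishing the ISMS” and the asset classification and risk framework described here both come down to the same register: classify the asset, score each threat by likelihood and impact, rank, and decide on a treatment. The following is an added illustration, not the article’s or ISO’s own method; the 1–5 scales, the risk-appetite thresholds, the classification floor on impact, and the sample assets and threats are all assumptions made for the example.

```python
# Added example (not from the article): a minimal risk register that
# classifies assets, scores likelihood x impact, ranks entries and picks a
# treatment. Scales, thresholds and the sample entries are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed rule: an asset's classification floors the impact of any threat to it,
# so losing confidential data is never recorded as "negligible".
CLASS_MIN_IMPACT = {"public": 1, "internal": 2, "confidential": 4}

# Assumed risk appetite: accept below 5, mitigate with controls below 20,
# and treat 20+ (very likely AND severe) as unacceptable as-is.
ACCEPT_BELOW = 5
MITIGATE_BELOW = 20


@dataclass
class Asset:
    name: str
    classification: str   # key of CLASS_MIN_IMPACT
    owner: str            # who is accountable for the asset


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    controls: List[str] = field(default_factory=list)   # treatments applied so far

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        self.impact = max(self.impact, CLASS_MIN_IMPACT[self.asset.classification])

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment(risk: Risk) -> str:
    """Map a score onto the classic treatment options."""
    if risk.score < ACCEPT_BELOW:
        return "accept"
    if risk.score < MITIGATE_BELOW:
        return "mitigate"
    return "avoid-or-transfer"


def apply_control(risk: Risk, control: str, likelihood_reduction: int) -> Risk:
    """Residual risk after a control lowers likelihood (impact is unchanged)."""
    new_likelihood = max(1, risk.likelihood - likelihood_reduction)
    return Risk(risk.asset, risk.threat, new_likelihood, risk.impact,
                risk.controls + [control])


def prioritized(risks: List[Risk]) -> List[Tuple[str, str, int, str]]:
    """Register rows (asset, threat, score, treatment), highest risk first."""
    rows = [(r.asset.name, r.threat, r.score, treatment(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (assets and threats are invented for the example).
CRM = Asset("customer-crm", "confidential", "Sales IT")
WIKI = Asset("public-wiki", "public", "Marketing")
BUILD = Asset("build-server", "internal", "Platform")

SAMPLE_RISKS = [
    Risk(CRM, "credential stuffing against login", likelihood=4, impact=3),  # impact floored to 4
    Risk(WIKI, "defacement", likelihood=3, impact=1),
    Risk(BUILD, "unpatched service exploited", likelihood=3, impact=2),
]

if __name__ == "__main__":
    for row in prioritized(SAMPLE_RISKS):
        print(row)
    residual = apply_control(SAMPLE_RISKS[0], "MFA on CRM login", likelihood_reduction=3)
    print("residual:", residual.score, treatment(residual))
```

Running it prints the CRM entry first (score 16, mitigate), then the build server (6, mitigate), then the wiki (3, accept); applying an MFA control that cuts the CRM likelihood by three brings the residual score to 4, within the assumed appetite. Recording the residual alongside the original is what turns a scoring exercise into the risk treatment evidence an audit asks for.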

Vulnerability management is another key element: how to identify, assess, and remediate weaknesses in your systems. You must also implement security awareness training. These programs teach your staff good security practices, and staff are very much the first line of defense against attacks.

Documenting Procedures and Policies

Documentation for each security process should be clear and easy to read. Do this by creating Standard Operating Procedures (SOPs), step-by-step guides for routine security tasks that ensure everyone performs them the same way. You must also have an Incident Response Plan, a detailed plan that outlines what to do from the detection of a security incident through to recovery.

Don’t ignore business continuity and disaster recovery plans, which are there for when large-scale problems arise. Make sure your security playbook is easy for all parties to access, and update it often so it remains relevant and useful.

Roles, Responsibilities, and Governance

Everyone has a role to play in the IT security management framework. Clearly defining security roles is a large step: it means setting out what each member of the security staff, other IT personnel, and regular users does. Who is responsible for which aspect of security?

A strong governance structure also oversees IT security; it provides for proper decision-making and accountability. As one practitioner in the field of cyber security put it, “Clear roles and responsibilities are not only good practice but also a very critical element of defense against attacks. When roles are known, security works at a much higher level.”

Measuring and Improving IT Security Posture

Key Performance Indicators (KPIs) for Security

To prove that your IT security is under control, you must measure it. Key Performance Indicators are a great way to do this. Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are key: these metrics report how well you identify and correct security issues. Quick response times greatly reduce data breach costs.

You will also want to watch the number of security incidents over time. Which way is that number trending? Patch compliance is another useful KPI: it measures how fast you apply security updates. By paying attention to these metrics you can identify where to improve your security.
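The four KPIs named in this section (MTTD, MTTR, the incident count trend, and patch timeliness) are easy to state and surprisingly easy to get wrong when computed by hand, for instance by counting an open incident as resolved in zero time. The block below is an added example, not code from the article; the record layout, the per-severity patch SLA windows, and the incident and patch data are all constructed for the illustration.

```python
# Added example (not from the article): computing MTTD, MTTR, the monthly
# incident trend and patch-SLA compliance from constructed records.
# Record layout, SLA windows and the sample data are assumptions.
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


# Constructed incident records: when it began, when we noticed, when we closed it.
INCIDENTS: List[Dict[str, Optional[str]]] = [
    {"id": "INC-1", "occurred": "2024-01-03 08:00", "detected": "2024-01-03 10:00", "resolved": "2024-01-03 14:00"},
    {"id": "INC-2", "occurred": "2024-01-20 22:00", "detected": "2024-01-21 06:00", "resolved": "2024-01-22 06:00"},
    {"id": "INC-3", "occurred": "2024-02-10 09:30", "detected": "2024-02-10 09:45", "resolved": "2024-02-10 12:45"},
    {"id": "INC-4", "occurred": "2024-03-01 01:00", "detected": "2024-03-01 01:10", "resolved": None},  # still open
]


def mttd_hours(incidents) -> float:
    """Mean Time to Detect: average of (detected - occurred) in hours."""
    gaps = [(_ts(i["detected"]) - _ts(i["occurred"])).total_seconds() / 3600
            for i in incidents if i["detected"]]
    return mean(gaps)


def mttr_hours(incidents) -> float:
    """Mean Time to Respond: (resolved - detected) in hours. Open incidents are
    left out rather than counted as zero, which would flatter the number."""
    gaps = [(_ts(i["resolved"]) - _ts(i["detected"])).total_seconds() / 3600
            for i in incidents if i["resolved"]]
    return mean(gaps)


def incidents_per_month(incidents) -> Dict[str, int]:
    """Incident count keyed by YYYY-MM of occurrence, in calendar order."""
    return dict(sorted(Counter(i["occurred"][:7] for i in incidents).items()))


def trend(per_month: Dict[str, int]) -> str:
    """Direction from the first to the last month in the series."""
    counts = list(per_month.values())
    if len(counts) < 2:
        return "insufficient data"
    if counts[-1] > counts[0]:
        return "rising"
    if counts[-1] < counts[0]:
        return "falling"
    return "flat"


# Assumed patch policy: days allowed between vendor release and installation.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed patch records; "applied": None means not yet installed.
PATCHES = [
    {"host": "web-01", "severity": "critical", "released": "2024-02-01", "applied": "2024-02-05"},
    {"host": "web-02", "severity": "critical", "released": "2024-02-01", "applied": "2024-02-12"},
    {"host": "db-01", "severity": "high", "released": "2024-02-01", "applied": None},
    {"host": "app-01", "severity": "medium", "released": "2024-01-10", "applied": "2024-03-01"},
]


def patch_compliance(patches, as_of: str) -> float:
    """Share of patches installed within their SLA window. A patch not yet
    installed is compliant only while its window is still open as of `as_of`."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    compliant = 0
    for p in patches:
        released = datetime.strptime(p["released"], "%Y-%m-%d")
        deadline = released + timedelta(days=PATCH_SLA_DAYS[p["severity"]])
        if p["applied"]:
            compliant += int(datetime.strptime(p["applied"], "%Y-%m-%d") <= deadline)
        else:
            compliant += int(now <= deadline)
    return compliant / len(patches)


if __name__ == "__main__":
    print(f"MTTD {mttd_hours(INCIDENTS):.2f} h, MTTR {mttr_hours(INCIDENTS):.2f} h")
    months = incidents_per_month(INCIDENTS)
    print(months, trend(months))
    print("patch compliance as of 2024-03-05:", patch_compliance(PATCHES, "2024-03-05"))
```

Note the two decisions a reporting script must make explicit: an open incident contributes to MTTD but not to MTTR, and a patch that is merely late-but-still-inside-its-window is not yet a breach of the SLA. Both choices belong in the KPI definition in the playbook, so that the number means the same thing in every quarterly review.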

Auditing and Compliance

Both internal and external audits are important for adhering to standards and for improving. Put in place an internal audit program with a schedule and a process for finding issues within the company. It will help you identify issues before an external party brings them to your attention.

Undertaking external assessments for ISO 27001 and ISO 20000 certification is a big step. These outside audits give an objective view of your security. Use what you can from every audit result; integrating the findings into your continual improvement cycle is key, so that each audit is a step toward better security.

Leveraging Technology for Security Management

Smart use of technology can greatly improve your information security. Security Information and Event Management (SIEM) systems are great tools: they collect and analyze security logs from across your network, which helps with early threat detection and quick response.
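What “analyze security logs” means in practice is a correlation rule: parse each event, keep state per source, and alert when a pattern crosses a threshold. The block below is an added example of one such rule run over constructed authentication log lines; it is not the article’s code and not taken from any SIEM product. The log line format, the failure threshold and window, and the sample lines (which use documentation-reserved IP ranges) are all assumptions made for the illustration.

```python
# Added example (not from the article or any SIEM product): a SIEM-style
# correlation rule over constructed authentication logs. It raises one alert
# when a source exceeds a failure threshold inside a time window, and a second,
# higher-priority alert if a successful login from that source follows.
# Log format, thresholds and sample data are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed line layout: "<date> <time> <host> auth: FAILED|ACCEPTED login user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) "
    r"login user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one line; return None for lines in an unknown format so a single
    malformed record does not stop the whole analysis."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Sliding-window rule: alert when one source accumulates `threshold`
    failures within `window`; escalate if that source then logs in successfully."""
    events = [e for e in (parse(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])          # logs from several hosts may arrive out of order
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    flagged = set()
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "FAILED":
            recent_failures[src].append(e["ts"])
            # keep only failures inside the window ending at this event
            recent_failures[src] = [t for t in recent_failures[src] if e["ts"] - t <= window]
            if len(recent_failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "count": len(recent_failures[src]), "at": e["ts"]})
        elif src in flagged:
            alerts.append({"type": "success-after-bruteforce", "src": src,
                           "user": e["user"], "at": e["ts"]})
    return alerts


# Constructed sample log (hosts, users and addresses are invented; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real sources).
SAMPLE_LOG = [
    "2024-03-01 09:00:01 web-01 auth: FAILED login user=admin from=203.0.113.7",
    "2024-03-01 09:00:09 web-01 auth: FAILED login user=admin from=203.0.113.7",
    "2024-03-01 09:00:17 web-01 auth: FAILED login user=root from=203.0.113.7",
    "2024-03-01 09:00:25 web-01 auth: FAILED login user=admin from=203.0.113.7",
    "2024-03-01 09:00:33 web-01 auth: FAILED login user=admin from=203.0.113.7",
    "2024-03-01 09:00:41 web-01 auth: FAILED login user=alice from=203.0.113.7",
    "2024-03-01 09:01:02 web-01 auth: ACCEPTED login user=alice from=203.0.113.7",
    "2024-03-01 09:03:00 web-01 auth: FAILED login user=bob from=198.51.100.9",
    "2024-03-01 09:03:30 web-01 auth: ACCEPTED login user=bob from=198.51.100.9",
    "this line is not in the expected format",
    "2024-03-01 08:00:00 web-02 auth: FAILED login user=carol from=192.0.2.44",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data the rule fires twice: once at the fifth failure from 203.0.113.7 and again when the following login for `alice` succeeds from the same address, which is the event a SOC analyst would want paged on. A single failed attempt followed by success (the `bob` lines) produces nothing, and the malformed line is skipped rather than aborting the run; a production rule would count skipped lines as a data-quality metric of its own.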

Governance, Risk and Compliance (GRC) tools are also a great resource. Companies use GRC software to bring all of their GRC tasks into one place. For example, a company can use a GRC platform to run automated risk assessments and track how well it is doing on ISO 27001 compliance. This makes security management much more efficient.

Conclusion

Aligning IT security management with ISO 27001 and ISO 20000 produces great results: improved data protection, very reliable IT services, and more trust from your customers. These standards provide a proven and clear path to better security.

Organizations must adopt a structured, standards-based approach to IT security, and developing and using full-scale IT security process playbooks is a key element of this. Cyber threats are ever changing, which is why dynamic and robust security practices are needed; preparedness brings safety.

IT security is a key element in protecting an organization’s digital assets and preserving business continuity. By conforming to international standards such as ISO 27000 and ISO 20000, organizations can put in place a robust and effective IT security management system that is in line with best practices. Creating an IT Information Security Process Playbook helps organizations implement and maintain these standards, which results in a better security posture, greater customer trust, and a competitive edge in the market.