Eurosec'2008 christophe feltus


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Eurosec'2008 christophe feltus

  1. 1. ISO/IEC 38500 vs. ISO/IEC 27000 Christophe Feltus Member of the ISO Working Group on Identity Management Member of the ISO Study Group on ICT Governance Public Research Centre Henri Tudor, 29, Rue John F. Kennedy L-1855 Luxembourg
  2. 2. Outline Beyond ISO 38500 Scope Objectives 6 principles Model for Corporate Governance of ICT Review of elements of ICT governance in ISO/IEC 27000 standards Conclusions
  3. 3. Beyond ISO 38500 : scope The objective of this Standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations. This standard provides a framework for effective governance of IT, to assist those at the highest level of organizations to understand and fulfil their legal, ethical and moral obligations in respect of their organizations’ use of IT. The framework comprises definitions, principles and a model.
  4. 4. Beyond ISO 38500 : scope Governance is distinct from management, and for the avoidance of confusion, the two concepts are clearly defined in the standard. …the members of the governing body may also occupy the key roles in management. It provides guidance to those advising, informing, or assisting directors. They include: • Senior managers. • Members of groups monitoring the resources within the organization. • External business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies. • Vendors of hardware, software, communications and other IT products. • Internal and external service providers (including consultants). • IT auditors. The standard is applicable for all organizations, from the smallest, to the largest, regardless of purpose, design and ownership structure.
  5. 5. Beyond ISO 38500 : objectives The purpose of this Standard is to promote effective, efficient, and acceptable use of IT in all organizations by: assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization’s corporate governance of IT; informing and guiding directors in governing the use of IT in their organization; and providing a basis for objective evaluation of the corporate governance of IT.
  6. 6. Beyond ISO 38500 : 6 principles Principle 1: Establish clearly understood responsibilities for IT Principle 2: Plan IT to best support the organization Principle 3: Acquire IT validly Principle 4: Ensure that IT performs well, whenever required Principle 5: Ensure IT conforms with formal rules Principle 6: Ensure IT use respects human factors
  7. 7. Beyond ISO 38500 : Model for Corporate Governance of ICT Directors should govern ICT through three main tasks: (a) Evaluate the use of ICT. (b) Direct preparation and implementation of plans and policies. (c) Monitor conformance to policies, and performance against the plans.
  8. 8. Elements of ICT governance in existing ISO/IEC 27000 standards ISO/IEC 27000 family of standards
  9. 9. Elements of ICT governance in existing ISO/IEC 27000 standards The standard ISO/IEC 27000 overlaps with ICT governance in many areas. Most significant of these are : Risk Management 4.2 Establishing and managing the ISMS. Connections with legislation 4.2.1/ISMS policy, 7.3 Management review output, A.15.1 Compliance with legal requirements. Performance A.10.3.1 Capacity management Tight relationship with management is required Clause 5 Management responsibility Internal auditing Clause 6 Internal ISMS audits Ensuring business continuity A.14 Business continuity management
  10. 10. Conclusions This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 have many relationships with ICT governance. New ICT governance standard should be taken into account these similarities thoroughly so that inconsistent overlapping can be prevented. This is very important especially if it will be possible to certify against this new standard so that combined audits with both ISO/IEC 27001 and ICT governance standard can be conducted in a logical and cost-effective way. Source : ISO/IEC 38500 : Corporate governance of information technology ISO/IEC 27000 family Inspecta Certification report for ISO/IEC 38500