ISO/IEC 38500 vs. ISO/IEC 27000

Christophe Feltus

Member of the ISO Working Group on Identity Management
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg

christophe.feltus@tudor.lu
Outline

Beyond ISO 38500
   Scope
   Objectives
   6 principles
   Model for Corporate Governance of ICT

Review of elements of ICT governance in ISO/IEC 27000 standards

Conclusions
Beyond ISO 38500 : scope

The objective of this Standard is to provide a framework of principles for Directors to
   use when evaluating, directing and monitoring the use of information technology
   (IT) in their organizations.

This standard provides a framework for effective governance of IT, to assist those at
   the highest level of organizations to understand and fulfil their legal, ethical and
   moral obligations in respect of their organizations’ use of IT. The framework
   comprises definitions, principles and a model.
Beyond ISO 38500 : scope

Governance is distinct from management, and for the avoidance of confusion, the two
   concepts are clearly defined in the standard.

…the members of the governing body may also occupy the key roles in management.

It provides guidance to those advising, informing, or assisting directors. They include:
    • Senior managers.
    • Members of groups monitoring the resources within the organization.
    • External business or technical specialists, such as legal or accounting
    specialists, retail associations, or professional bodies.
    • Vendors of hardware, software, communications and other IT products.
    • Internal and external service providers (including consultants).
    • IT auditors.


The standard is applicable for all organizations, from the smallest,
  to the largest, regardless of purpose, design and ownership structure.
Beyond ISO 38500 : objectives

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT
   in all organizations by:

   assuring stakeholders (including consumers, shareholders, and employees) that, if
   the standard is followed, they can have confidence in the organization’s corporate
   governance of IT;

   informing and guiding directors in governing the use of IT in their organization; and

   providing a basis for objective evaluation of the corporate governance of IT.
Beyond ISO 38500 : 6 principles

Principle 1: Establish clearly understood responsibilities for IT

Principle 2: Plan IT to best support the organization

Principle 3: Acquire IT validly

Principle 4: Ensure that IT performs well, whenever required

Principle 5: Ensure IT conforms with formal rules

Principle 6: Ensure IT use respects human factors
Beyond ISO 38500 : Model for Corporate Governance of ICT

Directors should govern ICT through three main tasks:
    (a) Evaluate the use of ICT.
    (b) Direct preparation and implementation of plans and policies.
    (c) Monitor conformance to policies, and performance against the plans.
Elements of ICT governance in existing ISO/IEC 27000 standards

ISO/IEC 27000 family of standards

Elements of ICT governance in existing ISO/IEC 27000 standards

The standard ISO/IEC 27000 overlaps with ICT governance in many areas.
Most significant of these are:

   Risk Management
            4.2 Establishing and managing the ISMS.
   Connections with legislation
            4.2.1/ISMS policy,
            7.3 Management review output,
            A.15.1 Compliance with legal requirements.
   Performance
            A.10.3.1 Capacity management
   Tight relationship with management is required
            Clause 5 Management responsibility
   Internal auditing
            Clause 6 Internal ISMS audits
   Ensuring business continuity
            A.14 Business continuity management
Conclusions

This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 have many
   relationships with ICT governance.

The new ICT governance standard should take these similarities into account
   thoroughly so that inconsistent overlap can be prevented.

This is especially important if it becomes possible to certify against this new
   standard, so that combined audits against both ISO/IEC 27001 and the ICT
   governance standard can be conducted in a logical and cost-effective way.


Sources:
ISO/IEC 38500 : Corporate governance of information technology
ISO/IEC 27000 family
Inspecta Certification report for ISO/IEC 38500

Organizational security architecture for critical infrastructure
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
 

Eurosec'2008, Christophe Feltus

Beyond ISO 38500 : objectives

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT
   in all organizations by:
   • assuring stakeholders (including consumers, shareholders, and employees) that, if
     the standard is followed, they can have confidence in the organization's corporate
     governance of IT;
   • informing and guiding directors in governing the use of IT in their organization; and
   • providing a basis for objective evaluation of the corporate governance of IT.

Beyond ISO 38500 : 6 principles

Principle 1: Establish clearly understood responsibilities for IT (Responsibility)
Principle 2: Plan IT to best support the organization (Strategy)
Principle 3: Acquire IT validly (Acquisition)
Principle 4: Ensure that IT performs well, whenever required (Performance)
Principle 5: Ensure IT conforms with formal rules (Conformance)
Principle 6: Ensure IT use respects human factors (Human Behaviour)

Beyond ISO 38500 : Model for Corporate Governance of ICT

Directors should govern ICT through three main tasks:
   (a) Evaluate the use of ICT.
   (b) Direct preparation and implementation of plans and policies.
   (c) Monitor conformance to policies, and performance against the plans.

Elements of ICT governance in existing ISO/IEC 27000 standards

ISO/IEC 27000 family of standards

Elements of ICT governance in existing ISO/IEC 27000 standards

The ISO/IEC 27000 family overlaps with ICT governance in many areas (the clause and
   control numbers below refer to ISO/IEC 27001:2005). The most significant are:

   Risk management                       4.2 Establishing and managing the ISMS
   Connections with legislation          4.2.1 ISMS policy; 7.3 Management review output;
                                         A.15.1 Compliance with legal requirements
   Performance                           A.10.3.1 Capacity management
   Tight relationship with management    Clause 5 Management responsibility
   Internal auditing                     Clause 6 Internal ISMS audits
   Ensuring business continuity          A.14 Business continuity management

Conclusions

This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 (since renumbered as
   ISO/IEC 27002) have many relationships with ICT governance. A new ICT governance
   standard should take these similarities thoroughly into account so that inconsistent
   overlaps can be prevented. This is especially important if it becomes possible to
   certify against the new standard, so that combined audits against both ISO/IEC 27001
   and the ICT governance standard can be conducted in a logical and cost-effective way.

Sources:
   ISO/IEC 38500 : Corporate governance of information technology
   ISO/IEC 27000 family
   Inspecta Certification report for ISO/IEC 38500