Using IT governance as a tool for measuring IT performance: COBIT 5 provides generic metrics at the strategic level (enterprise goal metrics), the tactical level (IT-related goal metrics) and the operational level (process metrics). We will highlight the benefits and objectives of these measurements, and then provide an approach along with suggestions on the timing and frequency of measurement.
The webinar covers:
• The relation between ISO 27001 and ISO 20000
• How project management fits in with both of them
• Integration of information security and IT Services
Presenter:
Adnan Hafiz is an IT GRC and Security Consultant, Lead Auditor and PECB Certified Trainer with over 10 years of significant, progressive experience in the Information Technology field, focusing on Information Security, IT Governance, ISO Standards Implementation & Compliance, IT Service Management, Risk Management, Information Security & IT Service Management Audits, Software Project Management and Process Improvement.
Link of the recorded session published on YouTube: https://youtu.be/0se77tjLL4c
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Practical
2. Hafiz Sheikh Adnan Ahmed
IT SECURITY & GRC CONSULTANT & INTERNAL AUDITOR
He is an IT GRC and Security Consultant, Lead Auditor and PECB Certified Trainer with over 11 years of significant, progressive experience in the Information Technology field, focusing on Information Security, IT Governance, ISO Standards Implementation & Compliance, IT Service Management, Risk Management, Information Security & IT Service Management Audits, Software Project Management and Process Improvement. He has been awarded the COBIT Certified Assessor credential by ISACA, only the 92nd worldwide and the 8th in the UAE. He received the Security Advisor Middle East Award 2016 in the category "Personal Contribution to IT Security".
Contact Information
+971-55-1862974
sh.adnan.ahmed@live.com
ae.linkedin.com/in/adnanahmed16/en
ShAdnanAhmed
3. AGENDA
• CIA – The Core of Information Security
• Myths about ISO 27001, ISO 20000, Project Management
• Understanding the Structure of New ISO Management System Requirements
• About COBIT 5
• High-Level Mapping of COBIT 5 to the new Management System’s Requirements
• Mapping of PMI Phases with COBIT 5
• Mapping of ISO 27001 and ISO 20000
• In Scope of ITIL, ISO 20000 and Project Management
4. PRE-REQUISITES
• Understanding of Information Security and ISO Frameworks
• Understanding of Project Management
• Knowledge of COBIT 5
5. MORNING NIGHTMARE - WHAT CAN GO WRONG?
If you're a new project manager, a bad week might go something like this:
• You open your email and see that one of your team members has inadvertently forwarded a project business case to a competitor of your client.
• You're planning a soft launch of a new system before going live next week, but then you realize your inventory spreadsheet is corrupted.
• You're about to walk into a meeting with your project sponsor and discover that the laptop where you've stored the presentation you've been working on for three days has blue-screened.
• A courier has misplaced a confidential document sent by the vendor, which may jeopardize the whole project schedule, and the current insurance policy does not cover such a loss.
Each of these is an information security failure (a loss of confidentiality, integrity or availability), and none of them is an IT problem alone.
6. CIA – THE CORE OF INFORMATION SECURITY
• The job of information security is primarily to ensure that the CIA triad is in place, but there is a common misconception that only IT is responsible for it. They're not! So who is responsible for information security in your organization, or for the project you're managing, particularly a project delivering IT services to end users?
8. • Confidentiality means that only authorized persons are able to see the actual information, and that the information is protected from being visible to everyone else
• Integrity means keeping information intact as intended: it must not be altered, and unauthorized modification must not be allowed
• Availability means ensuring that all authorized persons are able to access information when required
• While it is not part of CIA, non-repudiation is very significant, especially for regulatory and legal issues. It is the assurance mechanism that the sender or receiver cannot deny having sent or received a transmission after the fact
9. Let's think about the following:
• Who is the information owner in the organization for a project?
• Who is to understand and conduct the impact assessment?
• How do we secure the information flow and processes in your project?
• The PM is the one who:
10. • Should understand the information risks concerning his/her project
• Interprets the impact of security issues for senior management and the customer
• Needs to be able to decide on appropriate mitigating actions
• Minimizes the risk associated with information security threats and breaches
• Ensures that security considerations are integrated into every phase and process of a project; and
• Ensures adherence to policy, standards and compliance requirements
• So information security needs to be included in the project process right from initiation
11. 5 GREATEST MYTHS ABOUT ISO 27001
• “The standard requires…”
• “We’ll let the IT department handle it”
• “We’ll implement it in a few months”
• “This standard is all about documentation”
• “The only benefit of the standard is for marketing purposes”
12. ISO/IEC 20000 – MYTHS AND TRUTHS
• Myth 1 – ISO/IEC 20000 is only for large commercial organizations
• Myth 2 – ISO/IEC 20000 is only applicable to IT infrastructure
• Myth 3 – ISO/IEC 20000 is of no value to internal service providers
• Myth 4 – Service providers must use ITIL® as the underlying framework because ISO/IEC 20000 is based on ITIL
• Myth 5 – ISO/IEC 20000 will make my service management slow, more costly and bureaucratic
13. TOP 5 MYTHS IN PROJECT MANAGEMENT
• Facts and figures are more important than feelings and perceptions
• Project managers need to be detail oriented and not strategic in nature
• Rely on the experts in everything that you do
• All the battles have to be fought and won so that we can succeed
• Project managers cannot be effective in their role unless they have specific technical expertise in the given field that the project is within
15. ABOUT COBIT 5
• COBIT, developed by ISACA, is a comprehensive, globally accepted IT governance and management framework that deals with every aspect of IT and is the only framework that addresses the complete life cycle of IT investment
• Often viewed as the umbrella framework, as it integrates all of the main global IT standards
• Enables companies to improve IT governance and management by ensuring that appropriate process, governance and management enablers are used to build IT capabilities that achieve stakeholder goals
• Provides an end-to-end business view that integrates other standards, frameworks and guidelines, such as ITIL, ISO 27001, ISO 20000, ISO 31000 and project management, into an overall enterprise governance and management framework
16. • COBIT 5 doesn't replace these other sources of reference. Instead, it is an overarching umbrella framework that helps them all fit together.
18. HIGH-LEVEL MAPPING OF COBIT 5 TO THE NEW MANAGEMENT SYSTEM'S REQUIREMENTS
(Management system clause → COBIT 5 guidance)

Clause 4. Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the information security and service management systems
  4.4 ISO 27001 and ISO 20000 management systems
COBIT 5 guidance: pain points, trigger events, stakeholder drivers, enterprise goals, IT-related goals and information on related guidance

Clause 5. Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organization roles, responsibilities and authorities
COBIT 5 guidance: Responsible, Accountable, Consulted and Informed (RACI) charts from the EDM01–EDM05 processes; RACI charts from APO06, APO08, APO09, APO10, APO12, APO13, BAI04, BAI06, BAI07, BAI09, BAI10, DSS01, DSS02, DSS03, DSS04 and DSS05; framework principles and policies (Appendix G, COBIT 5 Framework)

Clause 6. Planning
  6.1 Actions to address risks and opportunities
  6.2 ISO 27001 and ISO 20000 objectives and planning to achieve them
COBIT 5 guidance: management practices from APO06, APO08, APO09, APO10, APO12, APO13, BAI04, BAI06, BAI07, BAI09, BAI10, DSS01, DSS02, DSS03, DSS04 and DSS05
19. … CONT'D
Clause 7. Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information (7.5.1 General; 7.5.2 Creating and updating; 7.5.3 Control of documented information)
COBIT 5 guidance: the "People, Skills and Competencies" enabler

Clause 8. Operation
  8.1 Operational planning and control
COBIT 5 guidance: BAI05

Clause 9. Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
COBIT 5 guidance: lag and lead indicators; EDM05, MEA01, MEA02, MEA03

Clause 10. Improvement
  10.1 Nonconformity and corrective action
COBIT 5 guidance: MEA01, MEA02, MEA03; process goals and metrics
20. MAPPING OF PMI PHASES WITH COBIT 5 & ISO PROCESSES
(PMI phase, then per row: stage / COBIT 5 process with process ID / ISO 20000 process; "---" means no mapping given)

Initiation
• Project Preparation / APO05 – Manage Portfolio / Business Relationship Management
• Governance of Process / EDM02 – Ensure Benefits Delivery / ---

Planning
• Project Planning / BAI01 – Manage Programmes and Projects; BAI02 – Manage Requirements Definition / Service Level Management
• Business Blueprint / BAI03 – Manage Solutions Identification and Build / Design and Transition of New or Changed Services

Execution
• Realization / BAI03 – Manage Solutions Identification and Build / Design and Transition of New or Changed Services
• Final Preparation / BAI07 – Manage Change Acceptance and Transitioning / Release and Deployment Management
• Go Live and Support / BAI07 – Manage Change Acceptance and Transitioning / Release and Deployment Management
21. … CONT'D
Monitoring and Control
• Risk Management / BAI01 – Manage Programmes and Projects / ---
• Issue Management / BAI06 – Manage Changes / Change Management
• Change Management / BAI06 – Manage Changes / Change Management
• Reporting / MEA01 – Monitor, Evaluate and Assess Performance and Conformance / Service Reporting
• Vendor Management / APO10 – Manage Suppliers / Supplier Management
• --- / DSS01 – Manage Operations / Capacity Management; Service Continuity and Availability; Configuration Management
• Resource Management / APO07 – Manage Human Resources / Resource Management
• --- / APO06 – Manage Budget and Costs / Budgeting and Accounting
22. MAPPING OF ISO 27001 & ISO 20000
(ISO 27001:2013 control → ISO 20000-1:2011 process)
• A.12.1.2 Change Management → Change Management
• A.12.1.3 Capacity Management → Capacity Management
• A.12.3 Information Backup → Service Continuity and Availability
• A.15 Supplier Relationships → Supplier Management
• A.16 Information Security Incident Management → Incident & Service Request Management
• A.16.1.6 Learning from Information Security Incidents → Problem Management
Where the two are run as one process, the shared change record still has to carry the security impact assessment and authorization that A.12.1.2 expects, or the ISO 20000 change process will satisfy only half of the mapping.
23. UNIFIED DOCUMENTATION
(ISO 20000-1:2011 clause → ISO 27001:2013 clause; "---" means no equivalent clause)
• --- → 4.1 Understanding the organization and its context
• --- → 4.2 Understanding the needs and expectations of interested parties
• 4.0 SMS General Requirements → 4.4 ISMS Requirements
• 4.1.1 Management Commitment → 5.1 Leadership and Commitment
• --- → 6.1 Actions to address risks and opportunities
• 4.3 Documentation Management → 7.5 Documented Information
• 4.4 Resource Management → 7.1 Resources; 7.2 Competence; 7.3 Awareness
24. … CONT'D
• --- → 8.1 Operational Planning and Control
• --- → 8.2 Information security risk assessment; 8.3 Information security risk treatment
• --- → 9.1 Monitoring, measurement, analysis and evaluation
• 4.5.4.2 Internal Audit → 9.2 Internal Audit
• 4.5.4.3 Management Review → 9.3 Management Review
• 4.5.5 Maintain and Improve the SMS (Act) → 10 Improvement
25. IN SCOPE OF ITIL, ISO 20000 AND PROJECT MANAGEMENT