Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to MAPPING_ISO27001_TO_COBIT4.1
Similar to MAPPING_ISO27001_TO_COBIT4.1 (20)
MAPPING_ISO27001_TO_COBIT4.1
- 1. CHRISTOPHER OPARAUGO (CISM, CRISC, CGEIT, MBA) ENTERPRISE SECURITY GOVERNANCE MAPPING ISO27001 TO COBIT 4.1 BASED ON SECURITY SELF ASSESSMENT
- 2. SECURITY/RISK MANAGEMENT We have recognized that risks exists due to the confluence of Assets, Threats, and Vulnerabilities, and accordingly mitigating controls which reduce one or all of these factors will reduce the overall risk exposure of the organization.
- 3. Planned improvements based on findings and security trends. Security Policy Security solution designed, Implemented and put into operation Monitor/Respond to Incidents during daily operations Plan, Improve Monitor, Respond Regular security assessment conducted by an external party. Assess Implement Employ PDCA cycle…. Plan, Do, Check, Act SEE SECURITY OVER TIME…. Adequate security level documented in Security Policy.
- 5. 5 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% SecurityPolicy OrganizationofInformationSecurity AssetManagement Humanresourcessecurity PhysicalandEnviornmentalsecurity CommunicationandOperationsManagement AccessControl Informationsystemacquisition,development… Informationsecurityincidentmanagement BusinessContinuityManagement Compliance 88% 64% 59% 74% 58% 61% 67% 71% 70% 53% 59% Status Domain Compliance per Domain THE AIM The mapping of ISO27001 to COBIT 4.1 has enabled me to link IT goals to business goals that provided data used in generating an IT Security Governance balanced scorecard aligning the data results to - Financial perspective, customer perspective, Internal perspective; learning and growth perspective. The balanced scorecard (BSC) initially developed by Kaplan and Norton, is a performance management system that should allow enterprises to drive their strategies on measurement and follow- up. These results can be applied to individual KPIs for staff self assessment in HR staff development.
- 6. 6 88% 64% 59% 74% 58% 61% 67% 71% 70% 53% 59% 95% 85% 87% 90% 85% 85%83% 85% 87% 88% 83% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Security Policy Organization of Information Security Asset Management Human resources security Physical and Environmental security Communication and Operations Management Access Control Information system acquisition, development and maintenance Information security incident management Business Continuity Management Compliance ISO 27001 Domains Current State Future State
- 9. 9 55% 64% 55% 64% 88% 85% 85% 85% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Plan and Organise Acquire and Implement Deliver and Support Monitor and Evaluate COBIT Domanins OUR SCORE ISO RATING
- 10. 10
- 11. 11
- 12. Long-Term Shareholder Value Productivity Strategy Growth Strategy Financial Perspective Improve Cost Structure Increase Asset Utilisations Expand Revenue Opportunitie s Enhance Customer Value Customer Value Proposition Customer Perspective Price Quality Availability SelectionFunctionality Service Partnership Brand Product/ Service Attributes Relationship Image Operations Management Processes Customer Management Processes Innovation Processes Regulatory and Social Processes - Supply - Production - Distribution - Risk Management - Selection - Acquisition - Retention - Growth - Opportunity ID - R&D Portfolio - Design/Develop - Launch - Environment - Safety & Health - Employment - Community Internal Perspective Learning & Growth Perspective Human Capital Information Capital Organisation Capital Culture Leadership Alignment Teamwork Strategy Map
- 13. STRATEGIC FOCUS BELT & BRACES DAY DREAM FIGHTING FIT PANIC STATIONS Severe Threat Landscape Insignificant Threat Landscape 0-12 World-Class Security Posture Reactive Security Posture X C
- 14. An effective and comprehensive information protection program involves participation from all functions of the organization. 1. Roadmap • Develop the shortfalls into task as a measure of working on the gaps • Strive for ISO 27001 compliance and continuous assessment. • The exercise has provided useful insight to staff understanding of Security framework and Controls and should be extended to all 2. Information Security Balanced Score • To improve on the Information Security balanced score systems using the gap analysis results from data and figures above. • To integrate the balanced scorecard into the enterprise governance balanced scorecard KPI measures. The mapping of ISO27001 to COBIT 4.1 has enabled me to link IT goals to business goals that provided data used in generating an IT Security Governance balanced scorecard aligning the data results to - Financial perspective, customer perspective, Internal perspective; learning and growth perspective. These results can be applied to individual KPIs for staff self CONCLUSION