CHRISTOPHER OPARAUGO
(CISM, CRISC, CGEIT, MBA)
ENTERPRISE SECURITY GOVERNANCE
MAPPING ISO27001 TO
COBIT 4.1 BASED ON
SECURITY SELF
ASSESSMENT
SECURITY/RISK MANAGEMENT
We have recognized that risk exists due to the confluence of assets, threats and vulnerabilities; accordingly, mitigating controls which reduce one or all of these factors will reduce the overall risk exposure of the organization.
See security over time: the security management cycle
Plan: adequate security level documented in the Security Policy.
Implement: security solution designed, implemented and put into operation.
Monitor/Respond: monitor and respond to incidents during daily operations.
Assess: regular security assessment conducted by an external party.
Improve: planned improvements based on findings and security trends.
Employ the PDCA cycle: Plan, Do, Check, Act.
RISK MANAGEMENT ELEMENTS
Compliance per Domain (self-assessment status per ISO 27001 domain)
Security Policy: 88%
Organization of Information Security: 64%
Asset Management: 59%
Human Resources Security: 74%
Physical and Environmental Security: 58%
Communication and Operations Management: 61%
Access Control: 67%
Information System Acquisition, Development and Maintenance: 71%
Information Security Incident Management: 70%
Business Continuity Management: 53%
Compliance: 59%
THE AIM
The mapping of ISO 27001 to COBIT 4.1 has enabled me to link IT goals to business goals; the resulting data was used to generate an IT Security Governance balanced scorecard that aligns the results to the four perspectives: financial, customer, internal, and learning and growth.
The balanced scorecard (BSC), initially developed by Kaplan and Norton, is a performance management system that should allow enterprises to drive their strategies on measurement and follow-up.
These results can be applied to individual KPIs for staff self-assessment in HR staff development.
ISO 27001 Domains: Current State vs Future State
Security Policy: current 88%, future 95%
Organization of Information Security: current 64%, future 85%
Asset Management: current 59%, future 87%
Human Resources Security: current 74%, future 90%
Physical and Environmental Security: current 58%, future 85%
Communication and Operations Management: current 61%, future 85%
Access Control: current 67%, future 83%
Information System Acquisition, Development and Maintenance: current 71%, future 85%
Information Security Incident Management: current 70%, future 87%
Business Continuity Management: current 53%, future 88%
Compliance: current 59%, future 83%
COBIT Domains: Our Score vs ISO Rating
Plan and Organise: our score 55%, ISO rating 88%
Acquire and Implement: our score 64%, ISO rating 85%
Deliver and Support: our score 55%, ISO rating 85%
Monitor and Evaluate: our score 64%, ISO rating 85%
Strategy Map
Financial Perspective: long-term shareholder value, pursued through a Productivity Strategy (improve cost structure; increase asset utilisation) and a Growth Strategy (expand revenue opportunities; enhance customer value).
Customer Perspective (customer value proposition): product/service attributes (price, quality, availability, selection, functionality); relationship (service, partnership); image (brand).
Internal Perspective: operations management processes (supply, production, distribution, risk management); customer management processes (selection, acquisition, retention, growth); innovation processes (opportunity ID, R&D portfolio, design/develop, launch); regulatory and social processes (environment, safety & health, employment, community).
Learning & Growth Perspective: human capital; information capital; organisation capital (culture, leadership, alignment, teamwork).
STRATEGIC FOCUS
A two-by-two matrix positioning the organisation by threat landscape (insignificant to severe) against security posture (reactive to world-class), with four quadrants: Belt & Braces, Day Dream, Fighting Fit and Panic Stations.
CONCLUSION
An effective and comprehensive information protection program involves participation from all functions of the organization.
1. Roadmap
• Develop the shortfalls into tasks as a measure of working on the gaps.
• Strive for ISO 27001 compliance and continuous assessment.
• The exercise has provided useful insight into staff understanding of the security framework and controls, and should be extended to all.
2. Information Security Balanced Scorecard
• Improve the information security balanced scorecard using the gap analysis results from the data and figures above.
• Integrate the balanced scorecard into the enterprise governance balanced scorecard KPI measures.