Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit PDF

130 Pages·2010·0.82 MB·English

Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit
A Management Briefing From ITGI and OGC

IT Governance Institute®

The IT Governance Institute (ITGI™) (www.itgi.org) is a non-profit, independent research entity that provides guidance for the global business community on issues related to the governance of IT assets. ITGI was established by the non-profit membership association ISACA® in 1998 to help ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly managed, and IT performance is measured. ITGI developed Control Objectives for Information and related Technology (CobiT®) and Val IT™, and offers original research and case studies to help enterprise leaders and boards of directors fulfil their IT governance responsibilities and help IT professionals deliver value-adding services.

The Office of Government Commerce

The mission of the Office of Government Commerce (OGC) (www.ogc.gov.uk) is to work with public sector organisations to help them achieve efficiency, value for money in commercial activities and improved success from programmes and projects. OGC supports the achievement of its targets through concentrating its efforts in a wide-ranging programme supporting improvement through three significant activities in public sector organisations: efficiency, programme and project management, and procurement. The Stationery Office (TSO) commissioned support for this work on behalf of OGC.

Disclaimer

ITGI and OGC have designed and created Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit (the ‘Work’), primarily as an educational resource for chief information officers, senior management and IT management. ITGI and OGC make no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the chief information officers, senior management and IT management should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2008 ITGI. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reproduction and use of all or portions of this publication are solely permitted for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

© Crown Copyright material 2008, published in conjunction with the Office of Government Commerce, is reproduced with the permission of the controller of HMSO and Queen’s Printer for Scotland.

ISACA and ITGI are registered trademarks of ISACA. CobiT® is a registered trademark of ISACA and ITGI. ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. IT Infrastructure Library® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.

Copies of ISO/IEC 27002:2005 and all ISO standards can be purchased from the American National Standards Institute (ANSI) at http://webstore.ansi.org, phone: +1.212.642.4980; BSI in the UK (www.bsi-global.com/shop.html); and ISO (www.iso.org/iso/store.htm).

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.660.5700
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.itgi.org

Office of Government Commerce
Rosebery Court, St. Andrews Business Park
Norwich, Norfolk NR7 0HS, UK
Phone: +44.845.000.4999
Fax: +44.160.370.4817
E-mail: [email protected]
Web site: www.ogc.gov.uk

The Stationery Office
St. Crispins, Duke Street
Norwich NR3 1PD, UK
Phone: +44.(0).1603.622211
Fax: +44.(0).870.600.5533
E-mail: [email protected]
Web site: www.itil.co.uk

Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit
Printed in the United States of America and published simultaneously on ITGI, ISACA, OGC and TSO web sites in England and the United States of America

© 2008 IT Governance Institute. All rights reserved.

Acknowledgements

The IT Governance Institute wishes to recognise:

The Development Team
IT Governance Institute
Gary Hardy, CGEIT, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, CGEIT, KPMG, Austria
The Stationery Office
Jim Clinch, Clinch Consulting, ITIL Refresh Chief Editor, formerly with OGC, UK

Expert Reviewers
John W. Lainhart IV, CISA, CISM, CGEIT, IBM, USA
Lucio Molina Focazzio, CISA, Colombia
Robert E. Stroud, CA Inc., USA
Sharon Taylor, Aspect Group Inc., Canada
Wim Van Grembergen, Ph.D., University of Antwerp Management School and IT Alignment and Governance (ITAG) Research Institute, Belgium

The ITGI Board of Trustees
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, PIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control sa-nv, Belgium, Vice President
Yonosuke Harada, CISA, CISM, CAIS, InfoCom Research Inc., Japan, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, FHKCS, FHKIoD, CCP, CFE, CFSA, CIA, FFA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, Past International President

IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Sushil Chatterji, Edutech, Singapore
Kyung-Tae Hwang, CISA, Dongguk University, Korea
John W. Lainhart IV, CISA, CISM, CGEIT, IBM Business Consulting Services, USA
Hugh Penri-Williams, CISA, CISM, CCSA, CIA, Glaniad 1865 EURL, France
Eddy Schuermans, CISA, PricewaterhouseCoopers, Belgium
Gustavo Adolfo Solis Montes, CISA, CISM, Grupo Cynthus, Mexico
Robert E. Stroud, CA Inc., USA, Chair
John Thorp, CMC, ISP, The Thorp Network Inc., Canada
Wim Van Grembergen, Ph.D., University of Antwerp, University of Antwerp Management School, and IT Alignment and Governance (ITAG) Research Institute, Belgium

CobiT Steering Committee
Robert E. Stroud, CA Inc., USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Rafael Eduardo Fabius, CISA, Republica AFAP SA, Uruguay
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Jimmy Heschl, CISM, CISA, CGEIT, KPMG, Austria
Debbie A. Lew, CISA, Ernst & Young LLP, USA
Greta Volders, Voquals, Belgium

ITGI Affiliates and Sponsors
ISACA chapters
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systemes d’Information
Institute of Management Accountants Inc.
ISACA
ITGI Japan
Norwich University
Socitm Performance Management Group
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
Analytix Holdings Pty. Ltd.
Bwise B.V.
CA Inc.
Consult2Comply
Hewlett-Packard
IBM
ITpreneurs Nederlands B.V.
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Project Rx Inc.
Symantec Corp.
TruArx Inc.
Wolcott Group LLC
World Pass IT Solutions

Table of Contents

1. Executive Summary .... 6
2. Background .... 8
   Business Drivers for the Use of IT Best Practices .... 8
   Today’s Challenges .... 8
3. Why Senior Management Needs to Know About Best Practices .... 9
4. Why Best Practices Are Important to the Enterprise .... 10
   Best Practices and Standards Help Enable Effective Governance of IT Activities .... 10
   An IT Management Framework Is Required to Support the Enterprise .... 11
   The Business Benefits .... 12
5. CobiT, ITIL and ISO/IEC 27002—What These Practices Provide and Address .... 13
   CobiT .... 13
   ITIL .... 14
   ISO/IEC 27002 .... 17
6. How Best to Implement CobiT, ITIL and ISO/IEC 27002 .... 19
   Tailoring .... 19
   Prioritising .... 20
   Planning .... 20
   Avoiding Pitfalls .... 21
   Aligning Best Practices .... 22
Appendix I—Mapping ITIL V3 and ISO/IEC 27002 With CobiT 4.1 Control Objectives .... 23
Appendix II—Mapping CobiT 4.1 Control Objectives With ITIL V3 .... 60
Appendix III—Mapping CobiT 4.1 Control Objectives and ITIL V3 With ISO/IEC 27002 .... 90
Appendix IV—CobiT and Related Products .... 129

1. Executive Summary

Every enterprise needs to tailor the use of standards and practices to suit its individual requirements. All three standards/practices covered in this guide can play a very useful part—CobiT and ISO/IEC 27002 helping to define what should be done and ITIL providing the how for service management aspects.

The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business and respond to a growing number of regulatory and contractual requirements. There is a danger, however, that implementation of these potentially helpful best practices can be costly and unfocused if they are treated as purely technical guidance. To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organisation. Top management, business management, auditors, compliance officers and IT managers should work together to make sure IT best practices lead to cost-effective and well-controlled IT delivery.

IT best practices enable and support:
• Better management of IT, which is critical to the success of enterprise strategy
• Effective governance of IT activities
• An effective management framework of policies, internal controls and defined practices, which is needed so everyone knows what to do
• Many other business benefits, including efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators

The briefing applies generally to all IT best practices but focuses on three specific practices and standards that are becoming widely adopted around the world. It has been updated to reflect the latest versions:
• ITIL V3—Published by the UK government to provide a best practice framework for IT service management
• CobiT 4.1—Published by ITGI and positioned as a high-level governance and control framework
• ISO/IEC 27002:2005—Published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) and derived from the UK government’s BS 7799, renamed ISO/IEC 17799:2005, to provide a framework of a standard for information security management

Descriptions of each of these can be found in the main body of the briefing.

Implementation of best practices should be consistent with the enterprise’s risk management and control framework, appropriate for the enterprise, and integrated with other methods and practices that are being used. Standards and best practices are not a panacea; their effectiveness depends on how they have been implemented and kept up to date. They are most useful when applied as a set of principles and as a starting point for tailoring specific procedures. To avoid practices becoming ‘shelfware’, management and staff must understand what to do, how to do it and why it is important. Implementation should be tailored, prioritised and planned to achieve effective use. This briefing describes some pitfalls that should be avoided.

To achieve alignment of best practice to business requirements, formal processes in support of good IT governance should be used. The OGC provides management guidance in its Successful Delivery Toolkit (www.ogc.gov.uk/sdtoolkit/) and best practice frameworks for project management (PRINCE2), Managing Successful Programmes (MSP) and Management of Risk (M_o_R®): Guidance for Practitioners; see www.best-management-practice.com/. ITGI provides the IT Governance Implementation Guide Using CobiT and Val IT, 2nd Edition.

CobiT can be used at the highest level of IT governance, providing an overall control framework based on an IT process model that is intended by ITGI to generically suit every enterprise. There is also a need for detailed, standardised practitioner processes. Specific practices and standards, such as ITIL and ISO/IEC 27002, cover specific areas and can be mapped to the CobiT framework, thus providing a hierarchy of guidance materials. To better understand mapping amongst ITIL, ISO/IEC 27002 and CobiT, refer to appendix I, where each of the CobiT 34 IT processes and control objectives has been mapped to specific sections of ITIL and ISO/IEC 27002; appendix II, where a reverse mapping shows how ITIL V3 key topics map to CobiT 4.1; and appendix III, where a reverse mapping shows how ISO/IEC 27002 classifications map to CobiT.

ITGI and OGC will continue to update their guidance documents, to further align the terminology and content with other guidance to facilitate easier integration, and to reflect the latest best practice.

2. Background

This management briefing is the result of a joint study initiated by the UK’s Office of Government Commerce and the IT Governance Institute in response to the growing significance of best practices to the IT industry and the need for senior business and IT managers to better understand the value of IT best practices and how to implement them. It was first published in November 2005, and was updated in August 2008 to reflect changes in CobiT 4.1 and ITIL V3. The IT Service Management Forum (itSMF) also supported the original study.

The intention of this briefing is to explain to business users and senior management the value of IT best practices and how harmonisation, implementation and integration of best practices may be made easier.

Business Drivers for the Use of IT Best Practices

IT best practices have become significant due to a number of factors:
• Business managers and boards demanding better returns from IT investments, i.e., IT delivers what the business needs to enhance stakeholder value
• Concern over the generally increasing level of IT expenditure
• The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting, e.g., the US Sarbanes-Oxley Act, and in specific sectors such as finance, pharmaceutical and healthcare
• The selection of service providers and the management of service outsourcing and acquisition
• Increasingly complex IT-related risks, such as network security
• IT governance initiatives that include adoption of control frameworks and best practices to help monitor and improve critical IT activities to increase business value and reduce business risk
• The need to optimise costs by following, where possible, standardised—rather than specially developed—approaches
• The growing maturity and consequent acceptance of well-regarded frameworks, such as the Information Technology Infrastructure Library (ITIL), Control Objectives for Information and related Technology (CobiT), ISO/IEC 27002, ISO 9002, Capability Maturity Model (CMM®), Projects in Controlled Environments (PRINCE2), Managing Successful Programmes (MSP), Management of Risk (M_o_R): Guidance for Practitioners and Project Management Body of Knowledge (PMBOK®)
• The need for organisations to assess how they are performing against generally accepted standards and against their peers (benchmarking)
• Statements by analysts recommending the adoption of best practices, for example:

  Strong framework tools are essential for ensuring IT resources are aligned with an enterprise’s business objectives, and that services and information meet quality, fiduciary and security needs.... CobiT and ITIL are not mutually exclusive and can be combined to provide a powerful IT governance, control and best-practice framework in IT service management. Enterprises that want to put their ITIL program into the context of a wider control and governance framework should use CobiT.[1]

Today’s Challenges

The growth in the use of standards and best practices creates new challenges and demands for implementation guidance:
• Creating awareness of the business purpose and the business benefits of these practices
• Supporting decision making on which practices to use and how to integrate them with internal policies and procedures
• Tailoring standards and best practices to suit specific organisations’ requirements

[1] This Gartner research note was issued in June 2002, and is still very relevant.

3. Why Senior Management Needs to Know About Best Practices

Due to their technical nature, IT standards and best practices are known mostly to the experts—IT professionals, managers and advisors—who may adopt and use them with good intent but potentially without a business focus or the customer’s involvement and support. Even in organisations where practices such as CobiT and ITIL have been implemented, some business managers understand little about their real purpose and are unable to influence their use. To realise the full business value of best practices, the customers of IT services need to be involved, as the effective use of IT should be a collaborative experience between the customer and service providers (internal and external), with the customer setting the requirements. Other interested stakeholders, such as the board, senior executives, auditors and regulators, also have a vested interest in either receiving or providing assurance that the IT investment is protected properly and delivering value.

Figure 1 summarises who has an interest in how IT standards and best practices can help address IT management issues.

Figure 1—Stakeholders in IT Management Issues
Management issues are grouped by CobiT domain. The figure marks, for each issue, which of four stakeholder groups has a primary interest: Board/Executive, Business Management, IT Management, Audit/Compliance. The tick marks (√) from each row are kept below; their column positions did not survive extraction.

Plan and Organise
• Are IT and the business strategy in alignment? √ √ √
• Is the enterprise achieving optimum use of its internal and external resources? √ √ √ √
• Does everyone in the enterprise understand the IT objectives? √ √ √ √
• Is IT’s impact on enterprise risk understood and is the responsibility for IT risk management established? √
• Are IT risks understood and being managed? √ √ √
• Is the quality of IT systems appropriate for business needs? √ √

Acquire and Implement
• Are new projects likely to deliver solutions that meet business needs? √ √
• Are new projects likely to deliver on time and within budget? √ √ √
• Will the new systems work properly when implemented? √ √ √
• Will changes be made without upsetting the current business operation? √ √

Deliver and Support
• Are IT services being delivered in line with business requirements and priorities? √ √
• Are IT costs optimised? √ √ √
• Is the workforce able to use the IT systems productively and safely? √ √
• Are adequate confidentiality, integrity and availability in place? √ √ √

Monitor and Evaluate
• Can IT’s performance be measured and can problems be detected before it is too late? √ √ √
• Are internal controls operating effectively? √ √
• Is the enterprise in compliance with regulatory requirements? √ √ √ √
• Is IT governance effective? √ √ √ √

4. Why Best Practices Are Important to the Enterprise

The effective use of IT is critical to the success of enterprise strategy, as illustrated by the following quote:

  The use of IT has the potential to be the major driver of economic wealth in the 21st century. While IT is already critical to enterprise success, provides opportunities to obtain a competitive advantage and offers a means for increasing productivity, it will do all this even more so in the future. IT also carries risks. It is clear that in these days of doing business on a global scale around the clock, system and network downtime has become far too costly for any enterprise to afford. In some industries, IT is a necessary competitive resource to differentiate and provide a competitive advantage, while in many others it determines survival, not just prosperity.[2]

Best Practices and Standards Help Enable Effective Governance of IT Activities

Increasingly, the use of standards and best practices, such as ITIL, CobiT and ISO/IEC 27002, is being driven by business requirements for improved performance, value transparency and increased control over IT activities.

The UK government recognised very early on the significance of IT best practices to government and, for many years, has developed best practices to guide the use of IT in government departments. These practices have now become de facto standards around the world in private and public sectors. ITIL was developed more than 15 years ago to document best practice for IT service management, with that best practice being determined through the involvement of industry experts, consultants and practitioners. ISO/IEC 20000, which is aligned with ITIL, superseded BS 15000 in 2005 as a new global service management standard. The IT Security Code of Practice, developed initially with support from industry, became BS 7799 and then became ISO/IEC 17799 and now ISO/IEC 27002, the first international security management standard. PRINCE, and now PRINCE2, was created by the Central Computer and Telecommunications Agency (CCTA, which is now OGC) to provide a best practice for project management. PRINCE2 is currently being refreshed, for publication in 2009.

ISACA recognised in the early 1990s that auditors, who had their own checklists for assessing IT controls and effectiveness, were speaking a different language to business managers and IT practitioners. In response to this communication gap, CobiT was created as an IT control framework for business managers, IT managers and auditors based on a generic set of IT processes meaningful to IT people and, increasingly, business managers. The best practices in CobiT are a common approach to good IT control—implemented by business and IT managers, and assessed on the same basis by auditors. Over the years, CobiT has been developed as an open standard[3] and is now increasingly being adopted globally as the control model for implementing and demonstrating effective IT governance. In 1998, ISACA created an affiliated body, the IT Governance Institute, to oversee further development of CobiT and to better communicate IT governance-related messages to business managers and, in particular, the boardroom.

Today, as every organisation tries to deliver value from IT while managing an increasingly complex range of IT-related risks, the effective use of best practices can help to avoid reinventing their own policies and procedures, optimise the use of scarce IT resources and reduce the occurrence of major IT risks, such as:
• Project failures

[2] ITGI, Board Briefing on IT Governance, 2nd Edition, USA, 2003
[3] CobiT is not an official standard but is often referred to as such, as it has become the de facto framework for IT governance and control.
