
© Fox IT Ltd and QT&C Group Ltd 2010 Page 1 of 12

ITIL® and ISO/IEC 27001

How ITIL can be used to support the delivery of compliant practices for

Information Security Management Systems

Mark Sykes Principal Consultant

Fox IT Ltd

and

Nigel Landman Managing Director

QT&C Group Ltd

November 2010

ITIL ® is a Registered Trademark of the Office of Government Commerce in the United Kingdom and other countries.


1. Introduction

Information security or, to be less formal, the protection of an organisation's information assets, has seen a serious upsurge in activity, starting in 2007/08. The momentum continues, with the majority of public sector organisations (mirrored to some extent within the commercial sector) now seriously conducting third party supplier audits and assessments.

What perhaps is less well understood is that work to protect the information asset should have been in the pipeline well before 2007/08. The upper echelons of an organisation have either failed to grasp the importance of the situation or have simply left this problem to those within the information technology (IT) domain. The ever-present USB memory stick, pre-2007/08, is a perfect example of reacting to a problem that was, and regrettably continues to be, the cause of misplaced data and information. What plans for change were implemented within the organisation to allow a USB memory stick to be used as a perfectly sound operational tool, pre-2007/08? Anecdotal evidence collected over the years suggests that the simple answer is: none.

The protection of the information asset is a corporate responsibility, and yet that message has failed to arrive in one piece. How does an organisation go from a policy of implementing ad hoc reactive measures to protect information assets to one that is structured, balanced and in tune with operational requirements? The tools have always been available via British and International codes of practice, guidelines and requirements (standards). Additional tools, within the UK, in the form of information assurance maturity models for the public sector (and perfectly valid for the commercial sector) have come on stream via the Communications Electronic Security Group (CESG). It therefore begs the question: why is there so much angst when highly skilled and experienced individuals attempt to put in place preventive measures to protect the information asset? Senior officers should always remember that implementing an IT solution is not always the first port of call.

This paper highlights procedural techniques that are utilised within the Service Management domain that could be used to roll out positive and workable information governance, security and assurance. The notion, for example, of change and the procedures adopted within Change Management can and should be used to positive effect throughout the organisation. Perhaps the beginnings of a unified theory are forming, the outcome of which can only be a positive step forward.

Indeed, this paper will help show that many of the existing Service Management processes and practices that may already exist within an organisation can be used to good effect for satisfying parts of the ISO/IEC 27001 international standard.


2. What is ISO/IEC 27001

The full name of the ISO/IEC 27001 standard is “ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems – Requirements”. It is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS).

The standard is designed to ensure the selection of adequate and proportionate security controls; these controls help protect information assets and give confidence to stakeholders such as customers. Individual controls are neither specified nor mandated; these are dependent on the size and type of organisation, and on what is applicable to their business.

The standard itself adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the ISMS. ISO/IEC 27001 is intended to be used in conjunction with ISO/IEC 27002, the “Code of Practice for Information Security Management”, which lists security control objectives and recommends a range of specific security controls. Organisations that implement an Information Security Management System in accordance with the advice provided in ISO/IEC 27002 are likely to meet the requirements of ISO/IEC 27001 for certification.

The ISO/IEC 27001 standard is one of the growing ‘family’ of ISO/IEC 27000 series of standards and was published in October 2005. These standards are derived from BS 7799 and provide generally accepted good practice guidance on Information Security Management Systems designed to protect the confidentiality, integrity and availability of the information content and information systems.

3. Control Objectives and Controls

One of the key aspects of ISO/IEC 27001 is “Annex A – Control objectives and controls”. This annex, presented as a table, lists the 11 control areas of the standard, their associated control objectives (39 in total) and the 133 controls themselves. Controls are required to be put in place so that an organisation can manage the risks to their information security, and are implemented relative to the greater business risks of the organisation as a whole.

The control objectives and their controls form the Code of Practice (ISO/IEC 27002) and it is here where ITIL can play an important part in supporting the delivery of many aspects of the listed controls.

It should be noted, though, that ITIL won’t ‘do it all’ if you are seeking to obtain ISO/IEC 27001 certification, but it will certainly ease the path to achieving that objective. Indeed, organisations already operating a mature ITIL framework will find that many of the processes and activities already in place make implementing the information security controls that much easier, and quite likely at lower cost and much more quickly than would otherwise be the case.


4. How can ITIL help?

Fox IT Ltd and QT&C Group Ltd have performed a mapping exercise that looked at each of the 11 information security control areas. The individual control objectives and controls were reviewed, the associated implementation recommendations for each control were assessed, and connections were built to the relevant ITIL v3 processes that would support delivery of each individual control – either fully or in part (see examples in Section 5).

The exercise produced the following number of relationships between ISO/IEC 27002 and ITIL:

Area                                                               Number of relationships
A.5  Security Policy                                               2
A.6  Organisation of Information Security                          22
A.7  Asset Management                                              2
A.8  Human Resources Security                                      10
A.9  Physical and Environmental Security                           13
A.10 Communications and Operations Management                      32
A.11 Access Control                                                12
A.12 Information Systems Acquisition, Development and Maintenance  12
A.13 Information Security Incident Management                      7
A.14 Business Continuity Management                                5
A.15 Compliance                                                    nil

As you can see from the above numbers, many of the controls and their associated implementation recommendations can be supported by processes and activities that form part of the ITIL framework; some of these are explored further in Section 5.


The extract below, taken from the relationship matrix, shows a number of the Service Transition processes within ITIL and their direct connection to the controls within ISO/IEC 27002.

In the following section, a number of specific examples will be reviewed, to show exactly where and how ITIL can be used to support the delivery of individual controls.

5. ITIL and ISO/IEC 27002 Controls

5.1. Change Management

As can be seen in the extract of the relationship matrix above, six of the eleven control areas show direct relationships to Change Management. A.6.1 Internal Organisation, within A.6 Organisation of Information Security, has the following control: A.6.1.4 - Authorisation process for information processing facilities.

The control here is for ‘Management authorisation process for new information processing facilities, to be defined and implemented’. Fox IT recommends that where authorisation is required, then a change request should be raised and the Change Management process followed.

Another relationship can be found in A.9 Physical and Environmental Security, more specifically A.9.2 Equipment Security. The control for A.9.2.6 - Secure disposal or re-use of equipment states ‘All items of equipment incorporating storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal’. The recommendation for this control is that devices containing information need to be destroyed physically and/or erased with appropriate tools to prevent any reuse of the data; re-used equipment also needs careful erasure to ensure no data is readable.


To support this activity, and to ensure that the requirements are successfully fulfilled, it is recommended that a change request be raised, which initiates the Change Management process – this ensures that the Information Asset Owner (IAO) receives formal notification. The IAO will advise on what action needs to be performed, which may include performing an additional risk assessment.

Similarly, A.9.2.7 - Removal of property states ‘Equipment, information or software should not be taken off-site without prior authorisation’. This is another clear example where a suitable authorisation procedure is required, together with the appropriate level of authorisation (i.e. via the Change Management process). A.9.2.7 also has an interface to Service Asset & Configuration Management, as the equipment should be recorded as being off-site in the configuration management database (CMDB).

5.2. Access Control

Looking elsewhere, away from Service Transition, A.11 Access Control is broken down into seven control objectives, the majority of which can be found to have relationships with aspects of ITIL. As with all of the controls, ITIL doesn’t necessarily provide an all-encompassing answer (or answers), but ITIL processes can support and deliver many of the individual controls, or parts of the controls, that are required by the ISO/IEC 27002 Code of Practice.

The ITIL Service Operation book has a process called Access Management, and it is relatively easy to relate this process to A.11 Access Control. One of the seven control objectives of this standard is A.11.2 User Access Management, which in turn is broken down into the following four segments:

A.11.2.1 User registration

A.11.2.2 Privilege management

A.11.2.3 User password management

A.11.2.4 Review of user access rights

When looking at the specific control statements for each of these, and their associated implementation recommendations, it is quite simple to see that the Access Management process within ITIL supports the delivery of the above – and, provided the appropriate Access Policy is in place, will go a long way to satisfying the controls that are required.

To further support the relationship between ITIL and the international standard, one of the implementation recommendations is that changes are logged for any amendments to user access rights. This provides a clear and distinct relationship to the Change Management process within ITIL – indeed, many organisations will already be doing this.

5.3. Multiple relationships

Another good example of how the implementation of information security controls can be assisted by the existence of a mature ITIL framework is the control objective A.6.2 External Parties within A.6 Organisation of Information Security. The third control within this objective is A.6.2.3 - Addressing security in third party agreements.


The implementation advice for this control covers many areas, but can be directly linked to the following ITIL processes:

“Clear process for change management” - Change Management.

“Service continuity process” - IT Service Continuity Management.

“Problem resolution process” - Problem Management.

“Product or service descriptions” - Service Catalogue Management.

“Clear reporting process” - Service Reporting.

“Service targets and other contractual responsibilities such as those found in contracts” and “Conditions of early termination/renegotiation of agreements” - Supplier Management.

Indeed, taking the whole of A.6.2 External Parties, there are also links to Access Management, Risk Management and Service Level Management.

6. Other Standards

The mapping exercise that was performed highlighted relationships across all five ITIL books, and more specifically for the majority of processes within those books. Supplier Management is one of a number of processes that were not in the original core ITIL v2 books of Service Support and Service Delivery, but it is a distinct element of ISO/IEC 20000, the international standard for IT Service Management.

Although the process is now included within the Service Design book, many organisations will have implemented this process as part of their activities for achieving ISO/IEC 20000 certification.

If this is the case, then look at how your existing process and underlying activities can support the relevant information security controls as listed within ISO/IEC 27002. And not just for Supplier Management either: review all of your processes and see where there are synergies that can be maximised. The same can also be said for other standards such as “ISO 9001 – Quality management systems” and “BS 25999 – Business continuity management”, and no doubt many others.

7. Summary

As we have seen, there are many relationships between ITIL and ISO/IEC 27001 (including ISO/IEC 27002). Having a mature Service Management framework will assist greatly in achieving compliant controls that support an Information Security Management System.

It is important to remember that there are many aspects of ISO/IEC 27001 where ITIL will not provide the ‘answers’. But what ITIL will do is to assist you in many of the control aspects required by the international standard. So make a start by looking at your current Service Management framework and look for opportunities to utilise existing processes and practices as part of the security controls and ISMS that must be implemented.

As the saying goes, ‘no need to re-invent the wheel’. For example, if your existing Change Management process can support the information security controls, then use it. It may need adapting a little, but that will likely be a lot more effective (and certainly more efficient) than starting from scratch.

8. ITIL and ISO/IEC 27001 Relationship Matrix


8.1. foxPRISM

The above matrix focuses on all of the processes contained within foxPRISM, Fox IT’s process implementation accelerator tool. This means that the matrix covers 30 processes in total, including not only those contained within ITIL but also other areas such as Security Patch Management, Document Management and Human Resource Management.

Fox IT recently re-launched foxPRISM, a tool that can bring significant benefits to any size and type of organisation. foxPRISM is now available in three editions that better cater to an organisation’s specific Service Management process needs.

The Premium edition typically caters for organisations that already have a mature Service Management framework, but are looking to expand into other process areas and perhaps seeking certification in standards such as ISO/IEC 20000 and/or ISO/IEC 27001. This edition also includes modules for BS 25999 (Business Continuity Management) and Project Management (based on PMBOK v4).

The 30 processes contained within foxPRISM Premium edition include all of those required by the ISO/IEC 20000 international standard such as Business Relationship Management, Supplier Management and Planning & Implementing New/Changed Services.

All 30 feature both high-level and detailed process flows, descriptive text that explains each activity step, and a RACI matrix that shows which roles are responsible and accountable for each activity, together with who needs to be consulted and/or informed when executing these activities. Additionally, those processes as required by ISO/IEC 20000 have further supporting text and guidance relevant to the mandatory requirements (i.e. Part 1) of the standard.

These processes are supported by the inclusion of 150 documents and templates. These resources (such as example SLAs, OLAs, job descriptions, Service Catalogue, CMDB data model, etc.) can be populated with organisation-specific information, of which all can become key accelerators on the process implementation path.

An add-on module covering ISO/IEC 27001 is also available for foxPRISM. As well as providing overview information on this information security standard (and the accompanying ISO/IEC 27002), additional detail and implementation guidance is provided for all of the controls listed in “Annex A – Control objectives and controls”. These are further supported by 96 templates providing example policies that support the security controls suggested in Annex A.

foxPRISM also provides a customisable framework onto which organisations can map and build their own process models.

Easy to Maintain

foxPRISM is designed so that it can be published on an Intranet so that all stakeholders (such as the business, users, support staff, project managers, etc.) have easy access to all of the information about the organisation’s Service Management processes and activities.

foxPRISM is easily customisable so that it becomes organisation specific, and requires only basic Microsoft Office experience to maintain it. The ‘look and feel’ can also be changed so that it matches corporate colour schemes, logos, etc.


Business Benefits

Using foxPRISM as part of a Service Management project will provide the following benefits:

• Reduced cost – it saves on the use of internal resources and external consultancy.

• Reduced risk – although the content is based on best practice, it has evolved with practical implementation experience by Fox IT’s own consultants.

• Reduced timescales – not starting with a ‘blank sheet of paper’.

Having foxPRISM readily available typically enables organisations to reduce implementation activity timescales by up to 50%.

Further information can be found at http://www.foxit.net/foxprism

About Fox IT Ltd

Fox IT Ltd is a global IT Service Management and Governance company, providing organisations with consultancy, education and technology that help them to align their IT operations with their business strategy to ensure good IT Governance and effective IT Service Delivery.

Fox IT can be contacted by telephone on +44 (0) 1483 221200 or by email to [email protected].

About the Author

Mark Sykes is a highly experienced Service Management professional with over 20 years of experience, performing roles covering service, technical, project and line management duties. His experience includes undertaking a number of key roles covering Incident, Problem, Change and Capacity Management for one of the UK’s largest retail organisations, as well as implementing Change and Release Management in large companies both in the UK and US.

Whilst at Fox IT, Mark has fulfilled numerous other roles within the realms of Service Transition, Service Operation and Continual Service Improvement; including Problem Manager for a large leisure entertainment organisation and Service Manager for a large pharmaceutical company. As a Service Management consultant, Mark has also undertaken a number of other key assignments with leading organisations in the public and private sector, both in the UK and abroad. In September 2004 Mark delivered a presentation at the itSMF Conference in Los Angeles.

Mark is an accredited ITIL Trainer and has qualifications in ITIL, ISO/IEC 20000 and COBIT. His depth of knowledge has seen him involved in a number of important assignments which have required process re-engineering, and as a result he is Fox IT’s primary consultant in developing the foxPRISM process knowledge base.

One of his recent assignments was spending a total of 6 months in Saudi Arabia helping an organisation on their path towards ISO/IEC 20000 certification. This project included performing an initial assessment to baseline the current operation; then developing all processes and policies that meet the requirements of ISO/IEC 20000; followed by implementing the processes not currently in operation and enhancing the existing ones.

His current engagement is with an oil company where he is involved in aligning their numerous service desk functions located around the world, as well as implementing an ITIL framework that will provide the scalability and consistency required by a rapidly expanding global organisation.

About QT&C Group Ltd

QT&C Group Ltd provides data and information compliance training and consultancy services across the UK, Europe and the Americas. The company specialises in all aspects of information security management with emphasis upon the International standards and codes of practice. With tools developed in-house, the company also provides services to facilitate 3rd party compliance assessments.

QT&C can be contacted by telephone on 0307 04 27001 or by email to [email protected]

About the Author

Nigel Landman is the Chair and founder of QT&C Group Ltd. Nigel formed the companies in 2003 having retired after a full career in the UK Armed Forces working principally in the field of security research and development.

Nigel is the author of one book on information security management (to be published) and is currently writing a second, more advanced, book on the same subject.

As part of an on-going project, Nigel is currently working closely with EXIN to roll out a unique training programme in information security that is designed to provide a continuous professional development path, from foundation level through to Expert level, for those who aspire to be the next generation of Chief Information Security Officers.