This is the html version of the file http://www.itsmf.org.za/Presentations/CobiT%20ITIL%20and%20BS7799.pdf.

Page 1
PwC
CobiT, ITIL and ISO17799
How to use them in conjunction
Angeli Hoekstra & Nicolette Conradie

Page 2
2
July 2002
PwC
Global Risk Management Solutions
CobiT, ITIL and ISO 17799
Content
Overview ISO 17799 - Nicolette
Overview CobiT
Overview ITIL
How to use them in conjunction
Conclusion

Page 3
PwC
Overview ISO 17799
Nicolette

Page 4
ISO 17799 Overview
BS7799
Provides guidelines and recommendations for security management.
Part 1 - Standard; and
Part 2 - Certification.
ISO 17799
Part 1 accepted as International Standard;
Part 2 to be accepted end of 2002.
Timeline figure: BS7799 -> ISO 17799 -> SABS 17799 (years shown: 2000, 2001)

Page 5
ISO 17799 Modules (diagram, arranged around "Organisational Risks")
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Comm / Ops Management
Access Control
System Development and Maintenance
Business Continuity Planning
Compliance

Page 6
ISO 17799 Controls
Security Policy:
Documented & communicated IS policy
Regularly reviewed
Security Organisation:
Allocation of roles & responsibilities
3rd-party access risks/controls
Outsourcing
Asset Classification and Control:
Inventory of assets
Classification based on sensitivity/business impact

Page 7
ISO 17799 Controls
Personnel Security:
Recruitment screening
Awareness & training
Reporting of incidents
Physical and Environmental Security:
Physical security perimeters
Equipment siting
Clear desk & clear screen
Comm / Ops Management:
Incident procedures
Segregation of duties
System planning & acceptance
Malicious software protection
E-mail controls

Page 8
ISO 17799 Controls
Access Control:
Managing access
- Application level
- Operating level
- Network level
System Development and Maintenance:
Change control procedures
Segregation of environments
Security requirements
Business Continuity Planning:
Business continuity plans
BCP framework and team roles & responsibilities
Testing continuity plans
Maintaining and updating continuity plans

Page 9
ISO 17799 Controls
Compliance:
Copyright controls
Retention of records and information
Compliance with legislation - data protection
Compliance with company policy

Page 10
PwC
Overview CobiT

Page 11
CobiT Product Family (diagram)
Executive Summary
Framework with High-Level Control Objectives
Detailed Control Objectives
Management Guidelines: Key Performance and Goal Indicators, Critical Success Factors, Maturity Model
Audit Guidelines
Implementation Tool Set

Page 12
CobiT Principles (cube diagram)
Business: what you need versus what you get
Information:
•Effectiveness
•Efficiency
•Confidentiality
•Integrity
•Availability
•Compliance
•Reliability
IT Resources:
•Data
•Applications
•Technology
•Facilities
•People
Process Domains:
•Planning & Organisation
•Acquisition & Implementation
•Delivery & Support
•Monitoring

Page 13
CobiT
Domains -> Processes
Per process:
•Control objectives
•KPI’s: measure of performance
•CSF’s: what do you need to do
•KGI’s: measure of outcome
•Maturity model
Example domain: Acquisition & Implementation
AI 1: Identify automated solutions
AI 2: Acquire and maintain application software
AI 3: Acquire and maintain technology infrastructure
AI 4: Develop and maintain procedures
AI 5: Install and accredit systems
AI 6: Manage Changes
Example process: AI 6 Manage Changes - control objectives
6.1: Change request initiation and control
6.2: Impact assessment
6.3: Control of changes
6.4: Emergency changes
6.5: Documentation and procedures
6.6: Authorised maintenance
6.7: Software release policy
6.8: Distribution of software

Page 14
CobiT
Key Goal Indicators: Manage Change
Reduced number of errors introduced into systems due to changes
Reduced number of disruptions (loss of availability) caused by poorly managed change
Reduced impact of disruptions caused by change
Reduced level of resources and time required as a ratio to number of changes
Number of emergency fixes/time
….
Key Performance Indicators: Manage Change
Number of different versions installed at the same time
Number of software release and distribution methods per platform
Number of deviations from the standard configuration
Number of emergency fixes for which the normal change management process was not applied retro-actively
Time lag between availability of fix and implementation of it
Ratio of accepted vs refused change implementation requests
Critical Success Factors: Manage Change
Expedient and comprehensive acceptance test procedures are applied prior to making the change
There is a reliable hardware and software inventory
There is segregation of duties between production and development
….

Page 15
PwC
Overview ITIL

Page 16
The ITIL jigsaw (diagram text)
What service the business requires of the provider
In order to provide adequate support to the business users
Understanding and improving IT service provision, as an integral part of an overall business requirement for high quality IS management
Ensuring that the customer has access to the appropriate services to support the business functions
Business Continuity Management
Partnerships and outsourcing
Surviving change
Transformation of business practice through radical change
Network Service Management
Operations Management
Management of Local Processors
Computer Installation and Acceptance
Systems Management

Page 17
ITIL service support & service delivery processes
Service support:
Service desk
Incident management
Problem management
Configuration management
Change management
Release management
Service delivery:
Capacity management
Availability management
Financial management of IT services
Service level management
IT service continuity management

Page 18
PwC
How can they be used in conjunction?

Page 19
What do we want to achieve with IT?
Stakeholder Value (figure: six trend charts, each plotted against time)
Service cost over time: Cheaper
Service quality over time: Better
IT risks over time: Controlled, Secure
Delivery over time: Faster
Support business over time: Aligned

Page 20
How we can achieve these IT goals
People: the people that support effective and efficient IT service management
Controls: the assignment of controls to IT processes to ensure that they deliver efficiently and effectively in line with clients' requirements
Structure & Roles: the assignment of responsibility for performing specified activities to specific groups or individuals
Processes: the interrelated series of activities that combine to produce products or services for internal & external clients
Technology: the technology that is supporting the IT delivery
Metrics: the assignment of measurements to people, processes, technology and controls to ensure they comply with what they are intended for

Page 21
21
July 2002
PwC
Global Risk Management Solutions
C
o
bi
T
,
IT
I
L
a
n
d
IS
O
1
779
9
13
How we can achieve these IT goals
Diagram mapping the methods onto the six elements (People, Controls, Structure & Roles, Processes, Technology, Metrics). Method labels as shown: ?; CobiT; ISO 17799; ITIL; BS 7799 - limited; ITIL; CobiT - limited; ISO 17799 - limited; ITIL - limited; CobiT v3

Page 22
How we can achieve these IT goals:
Where are the methods strong?
ITIL
ITIL is strong in IT processes, but limited in security and system development.
CobiT
CobiT is strong in IT controls and IT metrics, but does not say how (i.e. process flows) and is not that strong in security.
ISO 17799
ISO 17799 is strong in security controls, but does not say how (i.e. process flows).
Conclusion:
No contradictions or real overlaps
None identify people requirements
Not strong on organisational side (structure & roles)
Not strong on technology side

Page 23
How can we achieve these IT goals:
continuous IT improvement
Where do we want to be? -> Vision & objectives
Where are we now? -> Assessments
How do we get there? -> IT design
How do we know we have arrived? -> Metrics
Assessments:
How well does IT support business?: Alignment assessment
How controlled is IT?: CobiT compliance check
How secure is IT?: ISO 17799 Health Check
How cost effective is IT?: benchmarking
What does the user think of IT?: surveys
Further diagram labels: ITIL, ISO 17799, CobiT; CobiT v3 mngt guidelines, BS15000, ISO 17799, CobiT compliant etc.

Page 24
CobiT compliance check (assessment matrix)
Columns: Process; Control Risk; Control Evaluation against the information criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
Materiality per criterion: Effectiveness 4, Efficiency 4, Confidentiality 4, Integrity 1.5, Availability 1.5, Compliance 1.5, Reliability 1.5
(Per-criterion cell positions are not recoverable from the slide; each row lists the control risk rating followed by the evaluation marks in order of appearance.)
Planning and organisation
PO 1 Define a strategic IT plan: 2; C H
PO 2 Define the information architecture: 1; E C C O
PO 3 Determine the technological direction: 2; C H
PO 4 Define organisation and relationships: 2; C H
PO 5 Manage the investment: 2; C C O
PO 6 Communicate management aims and direction: 1; E O
PO 7 Manage human resources: 1; E E
PO 8 Ensure compliance with external requirements: 1; E c O
PO 9 Assess risk: 1; C C E c c O O
PO 10 Manage projects: 1; E E
PO 11 Manage quality: 1; E E c O
Acquisition and implementation
AI 1 Identify automated solutions: 1; E C
AI 2 Acquire and maintain application software: 1; E E O O O
AI 3 Acquire and maintain technology architecture: 1; E E O
AI 4 Develop and maintain procedures: 1; E E O O O
AI 5 Install and accredit systems: 1; E O O
AI 6 Managing changes: 2; C C c c O
Delivery and support
DS 1 Define service levels: 1; E E C O O O O
DS 2 Manage third-party services: 1; E E C O O O O
DS 3 Manage performance and capacity: 1; E E O
DS 4 Ensure continuous service: 2; C H c
DS 5 Ensure systems security: 2; C c O O O
DS 6 Identify and allocate costs: 1; E c
DS 7 Educate and train users: 1; E C
DS 8 Assist and advise customers: 1; E
DS 9 Manage the configuration: 1; E O O
DS 10 Manage problems and incidents: 1; E E O
DS 11 Manage data: 2; c
DS 12 Manage facilities: 2; c c
DS 13 Manage operations: 1; E E O O
Monitoring
M 1 Monitor the process: 1; E C C O O O O
M 2 Assess internal control adequacy: 1; E E C O O O O
M 3 Obtain independent assurance: 1; E E C O O O O
M 4 Provide for independent audit: 1; E E C O O O O
Legend: E = Exposure; H = Housekeeping; C = Concern; O = OK; c = concern +

Page 25
How can we achieve these IT goals:
continuous IT improvement
ISO 17799 Health Check
Bar chart: % non-compliance per ISO 17799 module (modules 1 to 10), y-axis 0% to 70%; bar values shown: 62.50%, 29.03%, 18.75%, 15.84%, 11.39%, 9.43%, 8.33%, 4.88%, 4.82%, 0.00%
Graph depicting the level of non-compliance of company XYZ

Page 26
Conclusion
Use CobiT and ISO 17799 health check to determine current status
Identify weaknesses in processes and controls
Use ITIL to improve IT processes & controls, use ISO 17799 to improve security processes & controls (although not strong on process side)
Use ITIL to determine technology, although not complete
Use CobiT to define metrics
Query ITIL on possible structures
Diagram mapping the methods onto the six elements (People, Controls, Structure & Roles, Processes, Technology, Metrics). Method labels as shown: ?; CobiT; ISO 17799; ITIL; ISO 17799 - limited; ITIL; CobiT - limited; ISO 17799 - limited; ITIL - limited; CobiT v3

Page 27
©2002 PricewaterhouseCoopers LLP. PricewaterhouseCoopers refers to the U.S. firm of
PricewaterhouseCoopers LLP and other members of the worldwide PricewaterhouseCoopers organization.
Your worlds
Our people
Nicolette Conradie:
Nicolette.Conradie@za.pwcglobal.com
082 891 8648
Angeli Hoekstra
Angeli.Hoekstra@za.pwcglobal.com
082 783 1371