Frank Cassano

Your Information Security Program: It’s All About The Bones

Welcome once again to the risk rack. This time on the risk rack I will be discussing the bones of an information security program, namely the fundamental framework and standards around which you choose to build your program. As with any living and breathing creature, it is the creature’s bone structure that gives it shape and support.

To create an information security program, or to update an existing one, you need to understand its bones. In this article we will focus on the International Standards Organization (ISO) / International Electrotechnical Commission (IEC) standards 27001 and 27002, which I commonly use as a starting point for building the bones of the information security / IT risk management program.

The first thing you must do prior to creating the bones of your program is to determine whether your Information Technology (IT) organization already has a control framework in place. Two of the most common IT control frameworks in use today are Control Objectives for Information and related Technologies (COBIT) and the Information Technology Infrastructure Library (ITIL). Both of these frameworks are tried and tested and work effectively in many organizations.

COBIT is actually a subset of a broader corporate governance framework from the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. The objective of COBIT is to use a business focus to align IT objectives, to use a process-oriented approach for ease of use and repeatability, to use generally accepted practices that are technology neutral, to establish consistent terminology, and to align with COSO to ensure compliance with corporate and regulatory authorities.

The core of COBIT consists of four domains:

  1. Plan and organize
  2. Acquire and implement
  3. Deliver and support
  4. Monitor and evaluate

For more detailed information on COBIT please visit .

ITIL is linked to the broader ISO/IEC 20000 standard. The objective of ITIL is to establish a business management approach and discipline for IT service management. ITIL is an international IT service management framework and consists of 5 volumes:

  1. Service Strategy
  2. Service Design
  3. Service Transition
  4. Service Operation
  5. Continual Service Improvement

For more detailed information on ITIL please visit

As you may have noted, both COBIT and ITIL attempt to migrate IT management away from an operational approach and steer it toward a service management approach. Once again, both of these frameworks are time tested and are used by many organizations. Once you have determined which framework is in place at your organization, I suggest you learn more about it. You can start by visiting the sites I have noted above, but I also suggest you speak with your peers to understand how the framework was implemented in your organization, as frameworks are seldom deployed exactly as described in the source documentation.

Once you have established which framework your IT organization has put in place, whether it is COBIT, ITIL or some other control framework, and you have become sufficiently familiar with how your organization has implemented it, you are ready to establish the bones of your program.

As I noted in the opening of this article, the best way I have found to create the bones of an information security / IT risk management program is to leverage the ISO/IEC information security management standards, known respectively as:

ISO/IEC 27001:2005 – Information Technology – Security techniques – Information Security systems – Requirements 

ISO/IEC 27002:2005 – Information Technology – Security techniques – Code of practice for information security management 

These standards are updates to the older BS 17799 and ISO/IEC 17799 standards. They are a very good guide for establishing an information security framework in your organization, and they set down the key requirements for an information security / IT risk management program. The key requirements include the definition and establishment of:

ISO/IEC 27001:2005

  • An Information Security Management System (ISMS)
  • Management Responsibilities
  • An Internal Audit Process for ISMS
  • A Management Review Process for ISMS
  • Continual Improvement Processes to support ISMS

ISO/IEC 27002:2005

  • Corporate Security Management
  • Organizational Asset Management
  • Human Resource Security Management
  • Physical and Environmental Security Management
  • Communication and Operations Management
  • Information Access Control Management
  • Systems Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance Management

Using these requirements, while leveraging other internal and external sources, you should be able to construct or update your organization’s framework, taking care to do so in alignment with the overall IT framework already in place. A strong framework anticipates control needs and positions an organization to respond to new needs as they arise in a more effective, less intrusive and more cost-efficient manner. The ISO/IEC standards can be purchased at the official ISO website. Good luck in creating or updating the bones of your programs, and I hope to see you next time at “the risk rack”.
