JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.

ORG

117

Mapping Approach of ITIL Service Management Processes to ISO/IEC 27001 Controls

Razieh Sheikhpour, Nasser Modiri
Abstract Information security plays an important role in protecting the assets of an organization. A number of best practice frameworks exist to help organizations assess their security risks and implement appropriate security controls. Integration of security best practices like ISO/IEC 27001 into service management best practices processes like ITIL enables the organization to lower the overall cost of maintaining acceptable security levels, effectively manage risks and reduce overall risk levels. ITIL provides a framework of best practice guidances for information technology service management. ISO/IEC 27001 i s a set of guidelines, which can be used by an or ganization to design, deploy and maintain information security management system. From an I TIL perspective, most of the security controls identified in ISO/IEC 27001 ar e already part of service management. This paper describes mapping of ITIL service management processes to controls of ISO/IEC 27001. Index TermsInformation, Security, Organization, ITIL, ISO/IEC 27001.

1 INTRODUCTION
HE rapid advances of the information and communication technologies, in particularly the internet, and its increase use, have promoted the speed and accessibility of operations, resulting in significant changes in the way organizations conduct their activities. Consequently organizations become increasingly dependent on the availability, reliability and integrity of their information systems to be competitive and create new business opportunities. However, the use of information technology brings significant risks to information systems and particularly to the critical resources, due to its own nature. An increased number of sophisticated attacks are expected to evolve as wireless and others technologies transcend. This fact enforces the need to ensure the security of the organizations information systems [1]. There are several security standards and best practice models available for information security. Standards can not only provide a framework for implementing effective information security practices, they can also make sure that information security and organizational objectives are properly aligned. Furthermore, organizations recognize that standards demonstrate to clients and customers their commitment to good information security practices. Two of the more widely used standards will be briefly discussed here, namely ITIL and ISO/IEC 27001 [2]. ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring,

reviewing, maintaining and improving a documented Information Security. The ITIL security management process describes the structured fitting of security in the management organization. ITIL security management is based on the ISO 27001 standard [3]. ISO 27001 and ITIL are very complementary. ITIL is focused on service management best practices. ISO/IEC 27001 is focused on information security best practices. From an ITIL perspective, most of the security controls identified in ISO/IEC 27001 are already part of service management. Both ITIL and ISO 27001 identify the requirement to build security into all aspects of the service in order to effectively manage risks in the infrastructure [4]. In this paper, we describe a mapping of ITIL service management processes to ISO/IEC 27001 controls. Rest of the paper is organized as follows: Section 2 describes ISO/IEC 27001 concepts. Section 3 presents an overview of ITIL service management concepts. In Section 4 which contains the main focus of the paper, we describe a mapping of ITIL processes to ISO/IEC 27001 controls. Finally, Section 5 concludes the paper.

2 ISO/IEC 27001:2005
ISO/IEC 27001:2005 is the international standard for entities to manage their Information Security. It sets out how a company should address the requirements of confidentiality, integrity and availability of its information assets and incorporate this into an Information Security Management System (ISMS) [3, 5]. It specifies the requirements for establishing,

Razieh Sheikhpour is with the Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran. Nasser Modiri is with the Department of Computer Engineering, Zanjan Branch, Islamic Azad University, Zanjan, Iran.

2011 Journal of Computing Press, NY, USA, ISSN 2151-9617 http://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

118

implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within an organization. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the Plan-Do-Check-Act (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organizations ISMS. The PDCA cycle has these four phases: [6, 7] a) Plan phase Establishing the ISMS: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organizations overall policies and objectives. b) Do phase Implementing and operating the ISMS: Implement and operate the ISMS policy, controls, processes and procedures. c) Check phase Monitoring and reviewing the ISMS: Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review. d) Act phase Maintaining and improving the ISMS: Take corrective and preventive actions, based on the results of the internal ISMS audit and management
Domain
A.5 Security policy A.6 Organization of information security

review or other relevant information, to achieve continual improvement of the ISMS [6]. Figure 1 shows PDCA model applied to ISMS processes.

Fig.1. PDCA model applied to ISMS processes [5].

2.1 ISO/IEC 27001 Control Objectives and Controls ISO/IEC 27001:2005 contains 39 control objectives and 133 specific controls, organized into 11 main sections. Table 1 shows the controls and control objectives of ISO/IEC 27001.

TABLE 1 CONTROL OBJECTIVES AND CONTROLS OF ISO/IEC 27001 [5]

Control Objective Control
A.5.1 Information security policy A.6.1 Internal organization A.5.1.1 Information security policy document A.5.1.2 Review of the information security policy A.6.1.1 Management commitment to information security A.6.1.2 Information security coordination A.6.1.3 Allocation of information security responsibilities A.6.1.4 Authorization process for information processing facilities A.6.1.5 Confidentiality agreements A.6.1.6 Contact with authorities A.6.1.7 Contact with special interest groups A.6.1.8 Independent review of information security A.6.2.1 Identification of risks related to external parties A.6.2.2 Addressing security when dealing with customers A.6.2.3 Addressing security in third party agreements A.7.1.1 Inventory of assets A.7.1.2 Ownership of assets A.7.1.3 Acceptable use of assets A.7.2.1 Classification guidelines A.7.2.2 Information labeling and handling A.8.1.1 Roles and responsibilities A.8.1.2 Screening A.8.1.3 Terms and conditions of employment A.8.2.1 Management responsibilities A.8.2.2 Information security awareness, education and training A.8.2.3 Disciplinary process A.8.3.1 Termination responsibilities A.8.3.2 Return of assets A.8.3.3 Removal of access rights A.9.1.1 Physical security perimeter A.9.1.2 Physical entry controls

A.6.2 External parties

A.7 Asset ment

manage-

A.7.1 Responsibility assets

for

A.8 Human security

resources

A.7.2 Information classification A.8.1 Prior to employment

A.8.2 During employment

A.8.3 Termination change of employment A.9 Physical and environmental security A.9.1 Secure areas

or

JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

119

A.9.2 Equipment security

A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities

A.10.2 Third party service delivery management A.10.3 System planning and acceptance A.10.4 Protection against malicious and mobile code A.10.5 Back-up A.10.6 Network security management A.10.7 Media handling

A.9.1.3 Securing offices, rooms and facilities A.9.1.4 Protecting against external and environmental threats A.9.1.5 Working in secure areas A.9.1.6 Public access, delivery and loading areas A.9.2.1 Equipment sitting and protection A.9.2.2 Supporting utilities A.9.2.3 Cabling security A.9.2.4 Equipment maintenance A.9.2.5 Security of equipment off premises A.9.2.6 Secure disposal or re-use of equipment A.9.2.7 Removal of property A.10.1.1 Documented operating procedures A.10.1.2 Change management A.10.1.3 Segregation of duties A.10.1.4 Separation of development, test and operational facilities A.10.2.1 Service delivery A.10.2.2 Monitoring and review of third party services A.10.2.3 Managing changes to third party services A.10.3.1 Capacity management A.10.3.2 System acceptance A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code A.10.5.1 Information back-up A.10.6.1 Network controls A.10.6.2 Security of network services A.10.7.1 Management of removable media A.10.7.2 Disposal of media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation A.10.8.1 Information exchange policies and procedures A.10.8.2 Exchange agreements A.10.8.3 Physical media in transit A.10.8.4 Electronic messaging A.10.8.5 Business information systems A.10.9.1 Electronic commerce A.10.9.2 On-line transactions A.10.9.3 Publicly available information A.10.10.1 Audit logging A.10.10.2 Monitoring system use A.10.10.3 Protection of log information A.10.10.4 Administrator and operator logs A.10.10.5 Fault logging A.10.10.6 Clock synchronization A.11.1.1 Access control policy A.11.2.1 User registration A.11.2.2 Privilege management A.11.2.3 User password management A.11.2.4 Review of user access rights A.11.3.1 Password use A.11.3.2 Unattended user equipment A.11.3.3 Clear desk and clear screen policy A.11.4.1 Policy on use of network services A.11.4.2 User authentication for external connections A.11.4.3 Equipment identification in networks A.11.4.4 Remote diagnostic and configuration port protection A.11.4.5 Segregation in networks A.11.4.6 Network connection control

A.10.8 Exchange information

of

A.10.9 Electronic commerce services A.10.10 Monitoring

A.11 Access control

A.11.1 Business requirement for access control A.11.2 User access management

A.11.3 User responsibilities

A.11.4 Network control

access

JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

120

A.11.4.7 Network routing control A.11.5 Operating system access control A.11.5.1 Secure log-on procedures A.11.5.2 User identification and authentication A.11.5.3 Password management system A.11.5.4 Use of system utilities A.11.5.5 Session time-out A.11.5.6 Limitation of connection time A.11.6.1 Information access restriction A.11.6.2 Sensitive system isolation A.11.7.1 Mobile computing and communications A.11.7.2 Teleworking A.12.1.1 Security requirements analysis and specification

A.11.6 Application and information access control A.11.7 Mobile computing and teleworking A.12 Information systems acquisition, development and maintenance A.12.1 Security requirements of information systems A.12.2 Correct processing in applications

A.12.3 Cryptographic controls A.12.4 Security of system files A.12.5 Security in development and support processes

A.13 Information security incident management

A.14 Business management

continuity

A.12.6 Technical Vulnerability Management A.13.1 Reporting information security events and weaknesses A.13.2 Management of information security incidents and improvements A.14.1 Information security aspects of business continuity management

A.12.2.1 Input data validation A.12.2.2 Control of internal processing A.12.2.3 Message integrity A.12.2.4 Output data validation A.12.3.1 Policy on the use of cryptographic controls A.12.3.2 Key management A.12.4.1 Control of operational software A.12.4.2 Protection of system test data A.12.4.3 Access control to program source code A.12.5.1 Change control procedures A.12.5.2 Technical review of applications after operatingsystem changes A.12.5.3 Restrictions on changes to software packages A.12.5.4 Information leakage A.12.5.5 Outsourced software development A.12.6.1 Control of technical vulnerabilities A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses A.13.2.1 Responsibilities and procedures A.13.2.2 Learning from information security incidents A.13.2.3 Collection of evidence A.14.1.1 Including information security in the business continuity management process A.14.1.2 Business continuity and risk assessment A.14.1.3 Developing and implementing continuity plans including information security A.14.1.4 Business continuity planning framework A.14.1.5 Testing, maintaining and reassessing business continuity plans A.15.1.1 Identification of applicable legislation A.15.1.2 Intellectual property rights (IPR) A.15.1.3 Protection of organizational records A.15.1.4 Data protection and privacy of personal information A.15.1.5 Prevention of misuse of information processing facilities A.15.1.6 Regulation of cryptographic controls A.15.2.1 Compliance with security policies and standards A.15.2.2 Technical compliance checking

A.15 Compliance

A.15.1 Compliance legal requirements

with

A.15.2 Compliance with security policies and standards, and technical compliance A.15.3 Information systems audit considerations

A.15.3.1 Information systems audit controls A.15.3.2 Protection of information systems audit tools

JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

121

3 ITIL V3 FRAMEWORK
The Information Technology Infrastructure Library (ITIL) provides a framework of Best Practice guidances for information technology service management and since its creation, ITIL has grown to become the most widely accepted approach to IT service management in the world [8]. The primary objective of service management is to ensure that the IT services are aligned to the business needs and actively support them. If IT processes and IT services are implemented, managed and supported in the appropriate way, the business will be more successful, suffer less disruption and loss of productive hours, reduce costs, increase revenue, improve public relations and achieve its business objectives [8]. The ITIL v3 Core consists of five publications, each providing guidance on a specific phase in the service management lifecycle. The ITIL core publications are as follows: [4] Service Strategy Service Design Service Transition Service Operation Continual Service Improvement ITIL describes processes, functions and structures that support most areas of IT service management, mostly from the viewpoint of the service provider. One of the many processes it describes is Information Security Management (ISM) [9]. With the placement on Information Security Management within the Service Design core book the process is integrated with several other processes which enables the ISM process to be streamlined in the Service Lifecycle more easily[10].
ITIL processes Service Strategy
Demand management Financial management

The goal of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and service management activities. The ITIL security management process describes the structured fitting of security in the management organization. ITIL security management is based on the ISO 27001 standard [3]. The ISM process contains several sub processes in ITIL v3. They are design of security controls, security testing, management of security incidents and security review. The objective of the sub process of the security controls is to design the appropriate technical and organizational measures in order to ensure the confidentiality, integrity, security, availability of an organizations assets, information, data and services [11].

4 MAPPING OF ITIL V3 PROCESSES TO ISO/IEC 27001:2005 CONTROLS

Fox IT Ltd and QT&C Group Ltd have performed a mapping exercise that looked at each of the 11 information security control areas [7]. Integration of security best practices into service management best practices processes enables the organization to lower the overall cost of maintaining acceptable security levels, effectively manage risks and reduce overall risk levels. ISO 27001 and ITIL v3 are very complementary. From an ITIL perspective, most of the security controls identified in ISO 27001 are already part of service management. Both ITIL and ISO 27001 identify the requirement to build security into all aspects of the service in order to effectively manage risks in the infrastructure [4]. Table 2 describes mapping of ITIL processes to controls of ISO/IEC 27001.

TABLE 2 MAPPING OF ITIL PROCESSES TO ISO/IEC 27001CONTROLS

ISO/IEC 27001 Controls

A.6.2.2 Addressing security when dealing with customers A.6.2.3 Addressing security in third party agreements A.6.2.2 Addressing security when dealing with customers A.6.2.3 Addressing security in third party agreements A.10.2.1 Service delivery A.10.6.2 Security of network services A.10.8.2 Exchange agreements A.12.3.2 Key management A.10.3.1 Capacity management A.10.5.1 Information back-up A.10.8.4 Electronic messaging A.6.2.3 Addressing security in third party agreements A.9.2.2 Supporting utilities A.10.4.1 Controls against malicious code A.10.5.1 Information back-up A.14.1.1 Including information security in the business continuity management process A.14.1.2 Business continuity and risk assessment

Service Design
Service Catalog management Service Level management

Capacity management Availability management IT service continuity management

JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

122

Information security management

Supplier Management

A.5.1.1 Information security policy document A.5.1.2 Review of the information security policy A.6.1.1 Management commitment to information security A.6.1.2 Information security coordination A.6.1.3 Allocation of information security responsibilities A.6.2.1 Identification of risks related to external parties A.10.6.2 Security of network services A.11.1.1 Access control policy A.6.2.3 Addressing security in third party agreements A.6.2.1 Identification of risks related to external parties A.10.2.1 Service delivery A.10.2.2 Monitoring and review of third party services A.10.8.2 Exchange agreements A.12.3.2 Key management A.6.1.4 Authorization process for information processing facilities A.6.2.3 Addressing security in third party agreements A.9.2.6 Secure disposal or re-use of equipment A.9.2.7 Removal of property A.10.1.2 Change management A.10.2.3 Managing changes to third party services A.11.2.4 Review of user access rights A.12.4.1 Control of operational software A.12.4.3 Access control to program source code A.12.5.1 Change control procedures A.13.2.1 Responsibilities and procedures A.7.1.1 Inventory of assets A.9.1.6 Public access, delivery and loading areas A.9.2.1 Equipment sitting and protection A.9.2.3 Cabling security A.9.2.4 Equipment maintenance A.9.2.7 Removal of property A.10.4.1 Controls against malicious code A.12.4.1 Control of operational software A.12.4.3 Access control to program source code A.12.6.1 Control of technical vulnerabilities A.14.1.1 Including information security in the business continuity management process A.10.3.2 System acceptance A.10.3.2 System acceptance A.12.4.1 Control of operational software A.12.5.2 Technical review of applications after operating system changes A.10.3.2 System acceptance A.12.5.2 Technical review of applications after operating system changes A.6.1.2 Information security coordination A.6.2.1 Identification of risks related to external parties A.7.2.1 Classification guidelines A.9.1.4 Protecting against external and environmental threats A.9.2.5 Security of equipment off premises A.9.2.6 Secure disposal or re-use of equipment A.10.6.1 Network controls A.14.1.2 Business continuity and risk assessment A.10.3.1 Capacity management A.10.10.1 Audit logging A.10.10.2 Monitoring system use A.10.10.3 Protection of log information A.10.10.4 Administrator and operator logs

Service Transition
Change management

Service asset management

&

configuration

Release & deployment management Service validation & testing

Evaluation Risk management

Knowledge management

Service Operation
Event management

JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

123

Incident management

Request management Problem management Access management

A.6.1.2 Information security coordination A.9.2.4 Equipment maintenance A.10.3.1 Capacity management A.10.10.5 Fault logging A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses A.13.2.1 Responsibilities and procedures A.13.2.2 Learning from information security incidents A.6.2.3 Addressing security in third party agreements A.13.2.2 Learning from information security incidents A.6.2.1 Identification of risks related to external parties A.6.2.2 Addressing security when dealing with customers A.8.3.3 Removal of access rights A.9.1.6 Public access, delivery and loading areas A.11.1.1 Access control policy A.11.2.1 User registration A.11.2.3 User password management A.11.2.4 Review of user access rights A.11.4.1 Policy on use of network services A.11.5.2 User identification and authentication A.11.6.1 Information access restriction A.12.4.3 Access control to program source code A.13.2.2 Learning from information security incidents A.6.2.3 Addressing security in third party agreements A.10.1.1 Documented operating procedures A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation A.6.1.3 Allocation of information security responsibilities A.6.1.5 Confidentiality agreements A.8.1.1 Roles and responsibilities A.8.1.2 Screening A.8.1.3 Terms and conditions of employment A.8.2.1 Management responsibilities A.8.2.2 Information security awareness, education and training A.8.2.3 Disciplinary process A.8.3.1 Termination responsibilities A.8.3.2 Return of assets A.8.3.3 Removal of access rights A.11.3.1 Password use A.11.3.2 Unattended user equipment A.11.3.3 Clear desk and clear screen policy

Continual Service Improvement

CSI Process Service Reporting Document management

Human resource management

5 CONCLUSION
Information Security aspects are really important for company success and business stability. As no single formula can guarantee 100% security, there is a need for a set of benchmarks or standards to help ensure an adequate level of security is attained, resources are used efficiently, and the best security practices are adopted. By implementing ITIL and ISO/IEC 27001, organizations can better meet information security service expectations with internal and external customers. ISO/IEC 27001 helps an organization to develop a business continuity plan that will minimize the impact of security breaches. ITIL is a framework of best practices that promote quality computing services in IT sector. ISM process

within the Service Design core practice of ITIL v3 provides several ways that information security can be improved. The ISM process encourages organizations to incorporate security controls, and to test these controls regularly. This paper described a mapping of ITIL service management processes to ISO/IEC 27001 controls. ITIL and ISO 27001 identify the requirement to build security into all aspects of the service in order to effectively manage risks in the infrastructure.

REFERENCES
[1] [2] T. Pereira, H. Santos, A Security Audit Framework to Manage Information System Security, pp. 918, Springer-Verlag Berlin Heidelberg 2010. N. Zegers, A methodology for Improving information securi-

JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

124

ty incident identification and response, Master Thesis Informatics & Economics, Erasmus University Rotterdam, 2006. [3] A. Rezakhani, A. Hajebi, N. Mohammadi, Standardization of all Information Security Management Systems, International Journal of Computer Applications (0975 8887) Volume 18 No.8, March 2011. [4] K V Warre, Security Controls in Service Management, SANS Institute, December 2010. [5] ISO/IEC 2005, Information technology- Security techniques Information security management systems- requirements, ISO copyright office, Published in Switzerland. [6] The Government of the Hong Kong Special Administrative Region, AN OVERVIEW OF INFORMATION SECURITY STANDARDS, February 2008. [7] M.Sykes, N.Landman, ITIL and ISO/IEC 27001- How ITIL can be used to support the delivery of compliant practices for Informaton Security Management Systems Fox IT Ltd and QT&C Group Ltd, 2010. [8] H. Liu, Y. Lin, P. Chen, L. Jin, F. Ding, Practical Availability practices Risk Assessment Framework in ITIL, proceeding of Fifth IEEE International Symposium on Service Oriented System Engineering, 2010. [9] J. Clinch, ITIL V3 and information security, White paper, May 2009. [10] G. Taylor, ITIL V3 Improves Information Security Management, East Carolina University. [11] E. R. Larrocha, J. M. Minguet, G. Diaz, M, Castro, A. Vara, Filling the gap of Information Security Management inside ITIL: proposals for postgraduate students, IEEE EGUCON Education Engineering,2010. Razieh Sheikhpour received the BS degree in software engineering from department of computer engineering, Islamic Azad University of Iran in 2007. She is currently working toward the MS degree in software engineering from Islamic Azad University of Iran. Her research interests include information security, IT Governance and Sensor networks. Nasser Modiri received the MS degree in MicroElectronics from university of Southampton, UK in 1986. He received PHD degree in Computer Networks from Sussex university of UK in 1989. He is a lecture at department of computer engineering at Islamic Azad University of Zanjan, Iran. His research interests include Network Operation Centres, Framework for Securing Networks, Virtual Organizations, RFID, Product Life Cycle Development and Framework For Securing Networks.