Governance of Information Security

Six years ago, I got my first certification about best practices for IT service management (ITSM), which was my first steps into processes, procedures and tasks to know how to align my daily tasks into the business needs. Next, the company where I work, Ariadnex, decided to get the ISO 20000 and the ISO 27001 to implement service quality and information security, which was a hard time because we were developing and writing many policies and procedures to define, measure and improve services, and at the same time, protecting the systems and information. After that, I got CISA and CISM certifications where I learnt about Information Systems Auditing and Information Security Management as well as about strategies, policies and procedures.

Today, after 8 years of working in IT, I've come across with many Security Frameworks, and IT Service Management Frameworks as well. Everybody knows about ISO 27001 and ISO 20000 but when we speak about COSO for Corporate Governance; COBIT, Val IT or ISO 38500 for IT Governance and Management; or ISO 27014 for Information Security Governance, it's difficult to understand well enough the differences. However, there are many other frameworks like SABSA, TOGAF, etc.

Topology of IT-related standards

Nevertheless, most of these frameworks are created for big companies where there is a department for compliance, monitoring and control, but Spain is different because most companies are medium and small companies where there is no department about compliance, monitoring and control nor security department either. I’m wondering how many companies there are in Extremadura with more than five people in the security department? One? Two?

I think the most known security standard is the ISO 27001 but, maybe, there should be a light ISO 27001 for medium and small companies as well because 14 security domains and 114 controls is too much for companies with less than 25 employees. On the other hand, if we speak about Governance of Information Security or the ISO 27014, most medium and small companies don’t know what I’m talking about because their needs are not to establish organization-wide information security, adopt a risk-based approach, set the direction of investment decisions, ensure conformance with internal and external requirements, foster a security-positive environment or review performance in relation to business outcomes, but they don’t have time to think about it and they are working without any alignment to the business needs.

ISO/IEC 27014

This last week, I read about a governance framework I didn’t know which is called Val IT. I came across to Val IT when I was reading about ISO 38500 and ISO 27014, and it’s a framework to create business value from IT investments which has three domains (Value Governance, Portfolio Management and Investment Management). This is an old framework developed by ISACA in 2008 that along with Risk IT and COBIT 4.1 was released the new COBIT 5.

Governance of Enterprise IT

I’m finishing of writing this post and I’ve just realised that I wrote about Information Security Governance two years ago when I was studying for CISA and CISM certifications thus this is a new thinking about Governance of Information Security.

Regards my friends and keep studying!