Scribd Logo
Importer

Bienvenue sur Scribd !

  • ISO 38500 Vs ISO 27000

    Transféré par

    Christophe Feltus
    1K vues10 pages
    ISO/IEC 38500 vs. ISO/IEC 27000 presentation at eurosec 2008, Paris - Christophe feltus

    Titre original

    ISO 38500 vs ISO 27000

    Copyright

    © © All Rights Reserved

    Formats disponibles

    PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    ISO/IEC 38500 vs. ISO/IEC 27000 presentation at eurosec 2008, Paris - Christophe feltus

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    1K vues10 pages

    ISO 38500 Vs ISO 27000

    Transféré par

    Christophe Feltus
    ISO/IEC 38500 vs. ISO/IEC 27000 presentation at eurosec 2008, Paris - Christophe feltus

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 10

    ISO/IEC 38500 vs.

    ISO/IEC 27000
    Christophe Feltus

    Member of the ISO Working Group on Identity Management
    Member of the ISO Study Group on ICT Governance
    Public Research Centre Henri Tudor,
    29, Rue John F. Kennedy
    L-1855 Luxembourg

    christophe.feltus@tudor.lu



    Outline
    Beyond ISO 38500
    Scope
    Objectives
    6 principles
    Model for Corporate Governance of ICT

    Review of elements of ICT governance in ISO/IEC 27000 standards

    Conclusions



    The objective of this Standard is to provide a framework of principles for Directors to
    use when evaluating, directing and monitoring the use of information technology
    (IT) in their organizations.

    This standard provides a framework for effective governance of IT, to assist those at
    the highest level of organizations to understand and fulfil their legal, ethical and
    moral obligations in respect of their organizations use of IT. The framework
    comprises definitions, principles and a model.
    Beyond ISO 38500 : scope


    Governance is distinct from management, and for the avoidance of confusion, the two
    concepts are clearly defined in the standard.

    the members of the governing body may also occupy the key roles in management.

    It provides guidance to those advising, informing, or assisting directors. They include:
    Senior managers.
    Members of groups monitoring the resources within the organization.
    External business or technical specialists, such as legal or accounting
    specialists, retail associations, or professional bodies.
    Vendors of hardware, software, communications and other IT products.
    Internal and external service providers (including consultants).
    IT auditors.

    The standard is applicable for all organizations, from the smallest,
    to the largest, regardless of purpose, design and ownership structure.
    Beyond ISO 38500 : scope



    The purpose of this Standard is to promote effective, efficient, and acceptable use of IT
    in all organizations by:

    assuring stakeholders (including consumers, shareholders, and employees) that, if
    the standard is followed, they can have confidence in the organizations corporate
    governance of IT;

    informing and guiding directors in governing the use of IT in their organization; and

    providing a basis for objective evaluation of the corporate governance of IT.
    Beyond ISO 38500 : objectives



    Principle 1: Establish clearly understood responsibilities for IT

    Principle 2: Plan IT to best support the organization

    Principle 3: Acquire IT validly

    Principle 4: Ensure that IT performs well, whenever required

    Principle 5: Ensure IT conforms with formal rules

    Principle 6: Ensure IT use respects human factors

    Beyond ISO 38500 : 6 principles
    Beyond ISO 38500 : Model for Corporate
    Governance of ICT
    Directors should govern ICT through
    three main tasks:
    (a) Evaluate the use of ICT.
    (b) Direct preparation and implementation of plans and policies.
    (c) Monitor conformance to policies, and performance against the plans.
    Elements of ICT governance in existing
    ISO/IEC 27000 standards
    ISO/IEC 27000 family of standards
    Elements of ICT governance in existing
    ISO/IEC 27000 standards
    The standard ISO/IEC 27000 overlaps with ICT governance in many areas.
    Most significant of these are :

    Risk Management
    4.2 Establishing and managing the ISMS.
    Connections with legislation
    4.2.1/ISMS policy,
    7.3 Management review output,
    A.15.1 Compliance with legal requirements.
    Performance
    A.10.3.1 Capacity management
    Tight relationship with management is required
    Clause 5 Management responsibility
    Internal auditing
    Clause 6 Internal ISMS audits
    Ensuring business continuity
    A.14 Business continuity management


    This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 have many
    relationships with ICT governance.

    New ICT governance standard should be taken into account these similarities
    thoroughly so that inconsistent overlapping can be prevented.

    This is very important especially if it will be possible to certify against this new
    standard so that combined audits with both ISO/IEC 27001 and ICT governance
    standard can be conducted in a logical and cost-effective way.


    Source :
    ISO/IEC 38500 : Corporate governance of information technology
    ISO/IEC 27000 family
    Inspecta Certification report for ISO/IEC 38500


    Conclusions

    Vous aimerez peut-être aussi