Compliance with Standards,
Regulations, and Laws
Introduction
● Everyone concerned with information security, from the board of directors and
the chief executives to information technology and information security
professionals and the organization's employees, has a role in information
security governance.
● Efforts to prevent abuse and fraud have led to more regulations, standards,
and guidelines, forcing organizations to pay greater attention to governance
and changing the dynamics of information security management.
Introduction
An understanding of the laws, regulations, and standards that apply to the field of
information security is essential.
Information Security Standards
● Information security standards are published sets of security requirements and
practices intended to prevent or mitigate attacks on information systems.
● They provide general guidelines as well as specific techniques for
implementing information security.
Information Security Standards
Also known as voluntary standards or frameworks, these sets of “best practices”
have been developed and published by internationally recognized organizations
and are broadly accepted within the information security profession. The
best-known of these are
• Control Objectives for Information and related Technology (COBIT)
• International Organization for Standardization (ISO) 27001 and 27002
• National Institute of Standards and Technology (NIST) standards
Control Objectives for Information and related Technology (COBIT)
● COBIT stands for Control Objectives for Information and Related Technology.
● It is a framework created by ISACA (Information Systems Audit and Control
Association).
● It was designed as a supporting tool for managers, bridging the gap between
technical issues, business risks, and control requirements.
● COBIT is a widely recognized guideline that can be applied to any organization
in any industry.
● Overall, COBIT aims to ensure the quality, control, and reliability of an
organization's information systems, on which every modern business depends.
Control Objectives for Information and related Technology (COBIT)
● ISACA periodically updates the COBIT processes and releases new versions.
● COBIT 4.1 is organized around four conceptual areas, referred to as domains,
which correspond loosely to the Plan, Do, Check, Adjust (PDCA) cycle commonly
used to build and continuously improve services. COBIT 5 expands on these
four domains and adds a fifth domain for governance. The domains in versions
4 and 5 are as follows.
ISO 27000 Series
● The series is broken into several parts to keep it manageable; each part
prescribes a set of activities that belong to phases comparable to those of the
Plan-Do-Check-Act (or more accurately, Plan-Do-Check-Adjust) (PDCA) cycle,
much as COBIT does.
ISO 27001
● ISO 27001 is the leading international standard focused on information
security.
● It is published jointly by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC).
● ISO 27001 is part of a set of standards developed to handle information
security: the ISO/IEC 27000 series.
● Its full name is “ISO/IEC 27001 – Information security, cybersecurity and
privacy protection — Information security management systems —
Requirements.”
● The requirements it sets out are somewhat similar to COBIT’s Plan and Organize domain.
ISO 27002
● ISO 27002 is a detailed catalogue of information security controls; the selection of
controls from it should ideally be driven by the output of the risk assessment performed
as part of ISO 27001.
● The standard serves as a reference for the controls an organization might want to implement.
● It can be viewed as a set of best practices, and it is up to each organization to determine
which of them apply to its business environment.
● This can be viewed as somewhat similar to COBIT’s “Acquire and Implement” domain.
● ISO 27003 is intended to provide recommendations and best practices for
implementing the ISMS management controls defined by ISO 27001; in other
words, how to deliver the security program. This can be compared to the
“Deliver and Support” domain of COBIT.
● ISO 27004 covers measurement of the effectiveness of the ISMS implemented
under the preceding ISO 27000 standards, using metrics and key performance
indicators to describe how well the information security controls are operating.
This corresponds to COBIT’s “Monitor and Evaluate” domain.
● ISO 27005 defines a risk management framework for information security that
can be used to inform the decisions within ISO 27001 that lead to the selection
of controls from ISO 27002.
● ISO 27006 specifies the requirements that bodies auditing and certifying
information security management systems must meet in order to be accredited.