Using ITIL 4 in Security Management

Derrick Berger Narasimha Shashidhar Cihan Varol

Department of Computer Science Department of Computer Science Department of Computer Science
Sam Houston State University Sam Houston State University Sam Houston State University
Huntsville, TX 77341 USA Huntsville, TX 77341, USA Huntsville, TX 77341, USA
[email protected] [email protected] [email protected]

Abstract—Organizations of any size are tasked with managing is the systematic approach to managing risks in an organization.
security and risks of varying degrees of impact and complexity. Ideally, ISMS is a comprehensive approach and exists in all
Managing security can be one of the most intricate yet pervasive organizational efforts to protect information resources.
aspects of Information Technology Management. The service
management philosophy that many organizations use is This paper is organized as follows: Section II will discuss the
Information Technology Service Management (ITSM). Within current state of research and literature regarding ITIL, ISMS,
ITSM, Information Technology Infrastructure Library (ITIL) is a and the lack of study on the integration of the two topics. This
set of best practices that can be used to manage security. The section will also discuss relevant NIST and ISO standards
unique aspect of security incidents can be their sensitive nature. concerning ITIL and ISMS. Section III will provide a more
This sensitivity can complicate the management of security but detailed review of ITIL, recent changes in ITIL 4, incident
does not preclude it from being managed in a way that is management, and a review of ISMS. Section IV will go into
appropriate and effective for the organization. Due to the novelty more depth about using ITIL 4 with security incidents. Section
of ITIL 4, there is a lack of research for effectively managing V will briefly review whether using ITIL to manage security is
security incidents within an ITIL 4 framework. ITIL 4 represents advantageous. Section VI will conclude the paper while looking
a change in some of the core components of ITIL. This paper will at future work.
examine how ITIL 4 can provide a framework for managing
security. II. CURRENT RESEARCH, RELATED WORKS, AND STANDARDS
Keywords—ITIL, security management, incident management Due to the popularity of ITIL, there is an abundance of
component, ITSM, information security management systems research on ITIL and ITSM separately. The majority of ITIL
work centers around implementation and adoption. The authors
I. INTRODUCTION of [5] identify critical success factors (CSFs) in the
Information Technology Service Management (ITSM) is a implementation of ITIL. Reference [15] reviewed multinational
service management philosophy that is process-oriented. ITSM ITIL adoption to research rates of the USA, Australia, UK,
is not a newer way of IT management but does represent a Germany, Austria, and Switzerland. This study was crucial in
different approach. Traditional IT work management involved determining the reasons for the respective adoption rates of these
managing individual components where ITSM manages end-to- countries. However, the work only focuses on the adoption rate
end services with a best-practices framework [1]. Information and the level of implementation of ITIL.
Technology Infrastructure Library (ITIL) is one of those best- A. Current Research State
practices guidelines. ITIL grew out of a need for greater
This lack of research is prevalent in academia, as well.
efficiency by the UK government in the 1980s and remains one
Using the Sam Houston State University (SHSU) Library
of the most popular frameworks for ITSM around the world
system to search for academic papers revealed this shortage of
[14]. ITIL v3 was introduced in 2007 and revised in 2011 [3].
works surrounding ITIL and security incident management.
ITIL 4 was launched in 2019 as a significant update to ITIL v3.
Since 2007, there were 106 academic papers published with the
The authors of [15] discuss that more than 50% of capital is term “ITIL” in the title of the work. When “implement*” is
spent on IT. This growth continues as the complexity and added as a term for a title search along with “ITIL,” the number
integration of IT in everything necessitates more efficient ITSM of works for research is 31. Adding the term “adopt*” for a title
methods. Achieving this efficiency requires the business and IT search reveals fifteen more works for a total of 49 out of 106.
to work together towards better management of IT resources. While this number still represents less than half of the works
ITIL helps facilitate this goal with its end-to-end service cited, the emphasis here is that the majority of research deals
management. with implementation and adoption. If the search terms are
“ITIL” and “security” in the title, there only are two articles for
Within ITSM, Information Security Management Systems the same period. Of note, 2007 is the year used in these searches
(ISMS) exists and likewise continues to grow even more since that is the year in which ITIL v3 was released. ITIL v3
integrated and complex as our reliance on secure systems grows
similarly. An Information Security Management System (ISMS)

978-1-7281-6939-2/20/$31.00 ©2020 IEEE

Authorized licensed use limited to: Universitas Indonesia. Downloaded on February 24,2022 at 04:00:13 UTC from IEEE Xplore. Restrictions apply.
was heavily promoted and significantly gaining traction in the of delivering value to customers by facilitating outcomes
ITSM space during and after 2007. customers want to achieve without the ownership of specific
costs and risks.” Essentially, ITIL is about service being the
B. Related Works means to deliver value to a customer. The customer can be
Research for using ITIL to manage security exists but is internal or external to the organization [14].
scarce for several reasons. For example, some researchers do
not consider ITIL as adequate to manage security. The author of B. ITIL Incident
[9] understands the limited role that ITIL can partake in An incident can be described in many different ways, but
managing security incidents. The work is not against managing ITIL has a more focused view of what an incident is in that
security incidents with ITIL. Instead, the article reviews exactly context. An incident is defined by ITIL as “an unplanned
where in ITIL security incidents should be managed. interruption to an IT service or a reduction in the Quality of an
IT service.” An incident can also be described as the failure of
The authors of [2] discuss how ITIL can manage security something that has not yet affected or impacted a service [14].
incidents, but this work also exists as a whitepaper rather than An example of this scenario would be a single server in a cluster
research work. The points are still valid, and the paper is very failing. The cluster is still operational, and the user is not
thorough in detailing some of the integration. More specifically, impacted, but the service is experiencing a failure of sorts.
there is a detailed mapping between ISO/IEC 27001 and ITIL as
the focus of this work. The value of this paper is still C. Service in ITIL
appreciated, but we hope to provide a more practical approach A service, as defined by ITIL, is the act of “delivering
rather than mapping specific topics between the two standards. something of value to a customer.” These service offerings are
C. Standards not physical or have any material value. An example of a service
could be a mail service or an email service. The service does
The National Institute of Standards and Technology (NIST) not have to be inherently technological [14].
provides standards of measures and guidance in a varying degree
of topics. One of the topics the NIST offers in a series of Special D. Service Value System and Service Value Chain in ITIL
Publications (SP) named the 800-Series. Here, the NIST 1) Service Value System: New in ITIL 4 is the ITIL Service
provides guidelines and recommendations in many areas of
Value System (SVS), which represents how the components
information security technology. While the NIST does provide
recommendations and technical specifications, the institute does and activities of an organization work together to create value
not give recommendations for brands or products to use. [14]. ITIL’s SVS is vital due to the need to always wanting to
create value in service offerings. This value creation is critical
Similarly, the International Standards Organization (ISO) is for security incidents, as well.
an independent organization that provides standards and 2) Service Value Chain: The core part of the SVS is the
guidelines for a multitude of topics, including information
security. The ISO has a 270xx series of specifically for Service Value Chain (SVC). The SVC “provides for the
information security and protecting information assets. Like creation, delivery, and continual improvement of services.”
NIST, these standards and guidelines making no The importance of the SVC is its ability to be flexible and adapt
recommendation for products or brands. This distinction is to different needs in ITSM, especially unique situations such as
important to note since the NIST and ISO will not directly security management [7]. The remaining SVS and SVC
recommend using a framework such as ITIL. The absence of a components will be reviewed and explained in more detail in
recommendation for ITIL or similar products has produced Section IV.
mappings between ITIL and NIST, such as the one mentioned The SVC contains six value chain activities that are required
above. ISO also has a series of service management related for value realization through the creation and management of
standards referred to as ISO/IEC 20000, with the most current products and services. The six value chain activities shown are
being ISO/IEC 20000-1:2018. This set of standards provides as follows: Plan, Improve, Engage, Design / Transition, Obtain
requirements for a service management system (SMS), which is / Build, and Deliver / Support [7].
similar to the framework of ITIL [4]. Of note, organizations
cannot become ITIL certified, but individuals can obtain ITIL E. ITIL’s Service Management Practices
certification. The inverse is true of ISO, where only Service Management Practices should be quickly
organizations can be ISO certified while individuals cannot be reviewed, as these will be discussed in more detail later. In
ISO certified. ITIL, these practices provide a framework for the services to
customers. There are seventeen Service Management Practices,
III. ITIL AND ISMS REVIEW
which include Availability management, Incident management,
There is a need to review some terminology to ensure the Problem management, and Monitoring / Event management. As
focus and context are consistent throughout the paper. ITIL is a an example, Incident management sets out to “minimize the
substantial framework, and although it is prevalent, there are negative impact of incidents by restoring service operation as
various terms and methods which need to be defined and quickly as possible” [7]. This management practice is essential
reviewed. to the service management of security incidents.
A. ITIL Core
At the core of ITIL is value creation. This value creation is
achieved by providing a service. A service is defined as “means

Authorized licensed use limited to: Universitas Indonesia. Downloaded on February 24,2022 at 04:00:13 UTC from IEEE Xplore. Restrictions apply.
F. ITIL’s Information Security Management reviewing how the SVS and SVC and their components can be
In ITIL 4, there are fourteen General Management Practices used to accomplish this.
with one of these being Information Security Management. A. Service Value System and ISM
Introduced in ITIL v3, ISM is concerned with confidentiality,
integrity, availability, authentication, and non-repudiation. The SVS contains five components: Guiding Principles,
ISM’s focus is to protect information resources. From this point Governance, SVC, Practices, and Continual Improvement.
on in the paper, ISM will refer to ITIL’s Information Security Some of these will be reviewed in more detail than others as
Management and not the more generic version of the acronym. appropriate for security management.
1) Guiding Principles: The guiding principles contain
Prevention, detection, and correction are at the forefront of seven principles used as recommendations to guide an
ISM in ITIL. There is a presumed difficulty in the balance of
organization under various circumstances or when introducing
protecting the organization and allowing it to function
appropriately. ISM will interact with all other of the fourteen a new service. While not all seven principles are critical in
practices and some more than others. However, for each every situation, these should be considered to determine
practice, ISM will provide controls that each of these practices appropriateness. Each of the seven will be reviewed in the
must consider when planning [7]. context of security management.
a) Focus on value: Value has to be at the forefront of
G. Security Incidents
every decision. This principle maps to security management
In ITIL, an incident can be several different occurrences, easily as security has to be part of the value that IT delivers in
such as a hard drive failure in a server or an application on a a service. Without secure information systems, value is hard to
desktop, not executing. The term “incident” is focused as far the realize.
meaning in ITIL, but the manifestation of an incident is
extensive. Likewise, in IT, there is a myriad of security incidents b) Start where you are: The current state of service
that could range from accidental deletion of a file on a server should be evaluated, so there is little redundancy. This principle
due to misaligned rights to something as severe as an attacker is a good one to review and ensure that security is part of your
disseminating confidential information. Either way, it is service and, if not, institute it.
essential to identify security incidents as such in incident c) Progress iteratively with feedback: Ensure the work is
management. not done all at once but done in parts where feedback is received
H. ISMS with each piece. Here security’s balance of protection versus
usability could be reviewed with a questionnaire or something
Information security must be driven from the top of the similar.
organization to the very bottom to create a nature of being
pervasive in organizational planning. The authors of [11] d) Collaborate and promote visibility: Collaboration is
identified one of the biggest hindrances of successful ISMS essential in realizing value by working with the right people.
programs is senior management's lackadaisical attitude towards Security must be a collaborative effort at all levels and must be
security. Similarly, the authors of [12] determined that in their widely seen, so all levels are aware of its importance.
research, the first step in implementing an ISMS program is to e) Think and work holistically: This guiding principle
define the structure that will be used and design the structure in discourages silos. Typically, a security department can quickly
such a way that it envelopes all entities in the organization. become a silo from an IT department if it is a separate entity or
too far removed from generalized IT.
IV. ITIL 4 AND SECURITY MANAGEMENT
f) Keep it simple and practical: Value must be useful
Managing security incidents in ITIL seems simple enough, and not stifle productivity. Again, security can be seen as a
given that the ISM practice is included in the ITIL framework. hindrance if it is not viewed as practical. Instilling security into
However, the practicality of it can be more difficult. IT security a service must be kept simple even though it can be overly
staff are not always housed in the IT department of an
complex and still maintain practicality.
organization. The IT security department can be a department
reporting up to a Chief Information Security Officer (CISO) who g) Optimize and Automate: Optimization is essential to
does not report to the Chief Information Officer (CIO). This any automation. Keeping security optimized and automated on
separation can cause problems from the beginning of the its own or in a service is essential [7].
lifecycle of managing security incidents. In general, ITIL is 2) Governance: This component ensures that a governing
known for helping to stop the silos of different departments body participates in implementing strategies and processes
operating separately and allowing a co-creation of value. More while being followed correctly. This one can be difficult for
specifically, the SVS and SVC in ITIL 4 can help to do this with security as it can be seen as having its own governing body
ISM to manage security more effectively.
outside of service management. The key here is to involve
To reiterate, the most significant change in ITIL 4 from ITIL security as part of the governing body [14].
v3 was the introduction of the SVS and SVC as core 3) Service Value Chain: The six value chain activities are
components. While this update affords more flexibility, there is essential when considering security management in ITIL. This
little research on using ITIL 4 to manage security due to the component will be discussed in more detail in the context of
newness of ITIL 4. This section will cover this in more detail,
ITIL’s ISM. There are inputs and outputs to each value chain

Authorized licensed use limited to: Universitas Indonesia. Downloaded on February 24,2022 at 04:00:13 UTC from IEEE Xplore. Restrictions apply.
activity but are out of the scope of this work, so they will not be problems that have been reviewed but not yet resolved.
reviewed. Security management is critical here as problems are
a) Plan: Having a shared understanding of the categorized by the risk they pose. This risk could be security-
objectives, current status, and improvement direction is related and require appropriate management of the risk.
necessary when beginning SVC activities. Thus, information Neglecting the ISM aspect in this practice would have adverse
security must be considered in all planning activities while effects on problem management.
being built into every practice and service. d) Monitoring / Event Management: An event is defined
b) Improve: Improvement is ensuring continual as a change of state. This management practice’s purpose is to
improvement across all value chain activities. Security is in monitor and report on events while prioritizing and responding
constant need of improvement and must be a part of all to these events. Security management is vital here to assist in
improvement activities, so vulnerabilities are not introduced prioritizing and creating response plans for any security-related
during improvements. events. Using a triage approach for these security incidents will
c) Engage: Engage allows for a good understanding of facilitate this process. Optimization and automation here are
crucial to being successful in ITIL security management.
stakeholder needs and continual engagement with all
stakeholders. Capturing information security requirements for 5) Continual Improvement: Using the General
new and changed services is critical for ISM to work correctly Management practice of continual improvement practice, ITIL
in ITIL. This engagement includes all levels of management to ensures the organization’s practices and services are improving
support ISM, and all stakeholders must contribute here. the quality of services on an ongoing basis [7]. With continual
d) Design and transition: This activity provides that improvement applying to all of the SVS, it will also be an
products and services meet stakeholder expectations for quality integral part of security management. Security management
and costs. The most critical part of security management here must be continually improved and a part of service and
is to make sure adequate controls are put into operation. component improvement.
e) Obtain/build: Service components need to be B. Risk Management Practice
available when and where they are required as well as meet
Risk is a part of any business, whether the business chooses
specifications. ISM will define controls here, and these
to recognize it or not. How a business handles risks is critical
controls apply to internally and externally sources for
to its continued success. Central to the SVS, risk management
components.
ensures the organization is effectively managing risks. The
f) Deliver and support: In this activity, services are author of [10] suggests that ITIL, in its entirety, is risk
delivered and supported according to agreed specifications and management. Risk assessment is defined as one of the
stakeholders’ expectations. Here, administration and significant components of risk management for the successful
maintenance happen. Detection and correction for security implementation of an ISMS, as researched by [13].
incidents occur here, as well. This practice is one of the most critical components of not
4) Practices: Of the seventeen Service Management only SVS but also the survivability of an organization. The
Practices, there are several which will interact and correlate authors of [6] found that the risk assessment process is standard
with ISM more than others [7]. not only in ITIL but in Control Objectives for Information
a) Availability Management: Availability management Related Technology (COBIT) and ISO 27000 Series as well.
practice ensure services are delivered at an agreed-to level to The same authors produced [8] to identify risk management as
meet service needs. A tenet of ISM is availability. One of the one of the most identifiable core processes for ISMS. Without
activities of this practice is designing infrastructure and managing risks properly, an organization will neglect so many
applications to deliver availability, and here, security is key to other areas of IT management. Due to this significance, we
maintaining that availability even when planning found it important to review the value chain activities for the
improvements. A security incident could be the reason a risk management practice.
service is not available. 1) Plan: Essential to security management and risk
b) Incident Management: Incident management is the management is planning. Critical inputs for planning are legal
management of the lifecycle of incidents. The objective of and regulatory changes, shifts in customer demands,
Incident Management is to return the IT service as operational technological changes, and dependencies on suppliers and
to customers. Management of security incidents can be difficult partners. Each of these could cause a catastrophe if not
due to the sensitive nature of security data. However, managing mitigated and assessed correctly.
security incidents is an effective way to communicate and 2) Improve: Each improvement should be assessed and
manage the lifecycle of a security incident. continually controlled by this practice.
c) Problem Management: According to ITIL, a problem 3) Engage: In this activity, key stakeholders are identified,
is an occurrence of one or more incidents and is distinct from while risk appetite and profiles are obtained. Acquiring these
an incident. Problem Management’s purpose is to reduce the are essential to understanding the risk analysis of a service as
impact of incidents by understanding incident cause and well as bringing others into the process.
providing workarounds to known errors. Known errors are

Authorized licensed use limited to: Universitas Indonesia. Downloaded on February 24,2022 at 04:00:13 UTC from IEEE Xplore. Restrictions apply.
 4) Design and transition: Using prioritized risks, products, This office size and type might not need to build an entire
and services should be designed to accept the associated risks. security system around their workflow. However, having
5) Obtain/build: Using risk management, informed security as an integral part of the system being built is essential
decisions can be made about obtaining and developing products to the business. The system built does not need to include all
and services. five components of the SVS or all seventeen of the Service
6) Deliver and support: In this activity, risk management Management Practices within the SVS. Reviewing the different
helps to make certain risks in the delivery of products and parts of ITIL and determining applicability is more important
services are appropriately managed [7]. than using all of ITIL in some way.

C. Small Business Applicability D. Enterprise Cloud Providers

In 2018, small businesses comprised over 99.9% of all Large cloud providers have some semblance of ITIL
businesses in the United States, with over 30 million individual implemented, whether intentional or not. To survive in that
businesses. Although the Small Business Administration (SBA) industry as a significant participant would require the provider
defines a small business based on the number of employees to be very aware of how their systems are maintained while
within a particular industry, it is commonly agreed that 500 focusing on security. Given the scope, size, and varied pieces
employees or less are considered a small business [16]. Firms in cloud providers, ITIL 4 could help manage their security
with three-hundred employees might have an easier time Any enterprise cloud provider would be required to ensure
implementing these ITIL practices than a firm with only fifteen security is the basis for almost every decision when building a
employees. Regardless of the size and industry, having a new system and asking customers to utilize it. Managing this
service management structure and using it to manage security level of security would be more comfortable with a system
is critical. devised to not only build and manage a system but continually
Small businesses of nominal size might see the ITIL improve as well.
implementation overall as daunting and even more so the For example, an enterprise cloud provider will have a wide
security to be too troublesome to add value. However, ITIL range of industries as customers who will require adjacent
implementation can make any size business more efficient and third-party vendors to build out their cloud solution further. The
increase profits if the time is dedicated to the process. In enterprise cloud provider will need to understand the mixed
addition to increased efficiency and profit, the security aspects range of inputs and outputs for each system. These inputs and
of ITIL 4 can be considered essential to a business’s outputs are not necessarily data points being input, but it is more
survivability. about the workflow and how the inputs and outputs affect this
For example, a solo or small group physician’s office can workflow. This workflow ultimately affects and is affected by
have numerous risks with high impact. Not only is keeping security, so having an ITIL 4 assisting the management of this
patient data a security concern in healthcare, but there are other could prove to be immensely beneficial.
security aspects in the smaller healthcare offices, which could V. REVIEW OF FINDINGS
severely impact their business. Like other industries, electronic
financial transactions are how they are paid. For the healthcare Based on our review, ITIL 4 is more than capable of
office, this method of payment is especially critical, given the managing security when security is integrated into each
large number of insurance companies and individual patients management practice. Also, security should be involved in all
paying. The physician’s office could have upwards of a hundred components of the SVS and respective subcomponents. This
different insurance companies and thousands of patients integration will provide for the most effective use of ITIL 4 to
submitting payments. manage security.
Here the SVS’ Guiding Principles and Continual There are inherent advantages and disadvantages to using
Improvement could help to build and maintain a system to ITIL, but ITIL 4 can be used to manage security effectively.
manage the massive number of payments an office receives. ITIL will also provide a guide to ensure that security is a part
Not only is the submission of payments critical, but creating a of everything in an organization. ITIL 4 will not work for every
system to efficiently input these payments into the system is situation and must be customized to be effective for any
imperative as well. With this particular type of transaction, the particular organization.
physician’s office needs to know how to resolve the payment Finally, ITIL can be considered holistic and potentially
and collect any additional payment from the patient or resubmit require rigorous implementation and adherence, but it does not
denied claims. Specifically, the SVS Guiding Principles could have to be an all or nothing proposition. ITIL is something to
help the office to build that system and keep security at the strive for, and parts of might are valid for one firm while not for
forefront of those decisions. The transaction might contain a different firm. The importance lies in having a system of
financial data and also confidential patient data. Those standards to follow when it is applicable for a business of any
principles would help to build that system while inserting a size and inherently adds value to the business. Regardless of
security aspect to ensure this is covered. Continual whether the business is a fifteen-employee physician’s office or
Improvement would help to continually improve this system an enterprise-level cloud provider, ITIL 4 is very capable of
while also ensuring security is the foundation of the system. assisting with security management.

Authorized licensed use limited to: Universitas Indonesia. Downloaded on February 24,2022 at 04:00:13 UTC from IEEE Xplore. Restrictions apply.
 VI. CONCLUSION AND FUTURE WORK [12] R. C. Ionescu, I. Ceaușu, and C. Ilie, “Considerations on the
implementation steps for an information security management
ITIL is a complicated endeavor that requires a fair amount system,” Proceedings of the International Conference on Business
of support and resources to implement. ITIL is recognized Excellence, vol. 12, no. 1, pp. 476–485, Jan. 2018.
worldwide for its ability to achieve ITSM effectively. [13] G. Mirela and B. D. Maria, “INFORMATION SECURITY
Moreover, ITIL 4 is very flexible and adept at managing MANAGEMENT SYSTEM,” Annals of the University of Oradea,
security for an organization when used correctly. To that note, Economic Science Series, vol. 17, no. 4, pp. 1358–1363, 2008.
ITIL 4 will not solve all security management problems without [14] The official introduction to the ITIL service lifecycle. London: TSO, 2007.
the proper support from senior management and stakeholder [15] M. Marrone, F. Gacenga, A. Cater-Steel, and L. Kolbe, “IT Service
involvement at each step. Management: A Cross-national Study of ITIL
The potential of ITIL 4 to enrich security management has Adoption,” Communications of the Association for Information Systems,
only just begun. While this work is comprehensive, it only vol. 34, Feb. 2014.
touches on a few of the more critical aspects of security [16] United States Small Business Economic Profiles for 2018. US SBA, 2018.
management in ITIL 4. Although out of the scope of this paper,
reviewing detailed inputs and outputs for the SVC and
correlating ISM into each management practice could provide
for a beneficial future work. These inputs and outputs would
not only provide a framework for a new organization’s security
management but enhance an established one as well. By
gathering these inputs from other SVC activities, as well as
external sources, the outputs derived will enhance the entire
SVS. In turn, each Service Management Practice continues to
improve all the while ensuring security is at the core of the
services provided by an organization.
REFERENCES

[1] A. Ramakrishnan, “Benefits of Adopting Information Technology

Infrastructure Library (ITIL),” Journal Of Management Research, vol.
14, no. 3, pp. 159–168, Jul. 2014.
[2] J. Clinch, “ITIL v3 and Information Security,” Axelos Global Best
Practices, May 2009.
[3] J. Iden and T. R. Eikebrokk, “Implementing IT Service Management: A
systematic literature review,” International Journal of Information
Management, vol. 33, no. 3, pp. 512–523, Feb. 2013.
[4] “ISO/IEC 20000-1:2018,” ISO, 14-Sep-2018. [Online]. Available:
https://www.iso.org/standard/70636.html. [Accessed: 01-Nov-2019].
[5] M. M. Mohammadi, A. Z. Ravasan, and H. Hamidi, “Investigating
Critical Success Factors in Implementing ITIL
Framework,” International Journal of Standardization Research, vol. 13,
no. 1, pp. 74–91, 2015.
[6] K. Haufe, R. Colombo-Palacios, S. Dzombeta, K. Brandis, and V.
Stantchev, “Security Management Standards: A Mapping,” Procedia
Computer Science, vol. 100, pp. 755–761, 2016.K. Elissa, “Title of paper
if known,” unpublished.
[7] ITIL® Foundation, ITIL 4 edition. Norwich: TSO (The Stationery
Office), 2019.
[8] K. Haufe, R. Colombo-Palacios, S. Dzombeta, K. Brandis, and V.
Stantchev, “ISMS Core Processes: A Study,” Procedia Computer
Science, vol. 100, pp. 339-346, 2016.
[9] D. Forte, “Security standardization in incident management: the ITIL
approach,” Network Security, vol. 2007, no. 1, pp. 14–16, 2007.
[10] P. Demin, “Where is Risk Management in ITIL?,” Axelos Global Best
Practices, Mar. 2018.
[11] S. Dombora, “Parameters and Guidelines of Enforceable Information
Security Management Systems,” Interdisciplinary Description of
Complex Systems, vol. 17, no. 3, pp. 485–491, Aug. 2019.

Authorized licensed use limited to: Universitas Indonesia. Downloaded on February 24,2022 at 04:00:13 UTC from IEEE Xplore. Restrictions apply.