Professional Documents
Culture Documents
Author:
Wouter Wyns
4me, Inc.
Author:
Geert Antheunis
Three Headed Giant
With the growing need for enterprises to comply with data protection legislation and
security standards comes the need to set up a system to support and monitor the data
protection and security procedures. This article investigates if it is a good idea to use the
existing IT service management (ITSM) system or enterprise service management (ESM)
system for this purpose and identifies the functionality an ITSM system should have to be
successful in this domain.
Introduction
IT is not an island. Nor is IT security. As any good management To successfully bring the management frameworks on one
framework will tell you, Governance, Risk and Compliancy (GRC) management system, a first important question to be answered
lies at the heart of what we do in IT. We want to make sure to do is whether there is any common ground to all these frameworks.
the right things, and to do them right. That may sound simple, but And if indeed these frameworks share some common principles,
it is easy to get lost in the myriad of frameworks, best practices, does this mean that it is a good idea to use one common system
guidelines, standards and general good advice out there. And to support and monitor these frameworks? And secondly, what are
when you have finally identified the management frameworks your the requirements for this integrated management system and does
organization wants to adhere to, you need to decide on the system your current ITSM system comply with these requirements?
or systems to manage the frameworks. Or as is so often the case,
organizations just end up with a separate management system for This white paper will answer both questions.
each of these frameworks.
An Overview of Common ISO Standards There is no denying that the COVID-19 pandemic was very
disruptive and changed the way we work for a lot of people. We
ISO 27001 expect this standard to attract more attention over the coming years
The best-known standard for information security is ISO 27001. This because it always takes some defining moment, like the introduction
standard explains how to establish, implement, operate, monitor, of GDPR or COVID-19, to create enough traction to change things.
review, maintain and improve an Information Security Management Coincidentally, business continuity was originally part of the 27001
System. In addition, it specifies 35 control objectives and 115 standard as well, but it was deemed important enough to merit
controls that an organization can implement to improve its its own standard. There is still a little business continuity left in the
information security. controls of ISO 27001, but the bulk has shifted to ISO 22301.
ISO 9001
The one standard that we probably all know is the ISO 9001
standard that sets requirements for a Quality Management System.
It makes a lot of sense to apply quality principles to all activities
we perform as businesses. Organizations are probably applying
many best practices in this field already. Therefore, it might not be
a bad idea to look at this standard and assess where you stand as a
company in the field of quality.
The first three clauses are: 1. The Scope, 2. The Normative Raising Risk Awareness
References and 3. Terms and Definitions. They provide information Raising risk awareness is a substantial factor to achieve results,
that is specific to each framework and offer no common ground. whether you are introducing the concept of a Change Advisory
So let us have a closer look at clauses 4 to 10, which contain the Board, or teaching staff what to do in case of a data breach. Training
mandatory requirements. These clauses are: people in what to do and changing their attitude and behavior is
a challenge for management, but one that is vital because we are
4. Context of the organization tackling the people factor here, and implementing a management
5. Leadership system is above all a people project.
6. Planning
7. Support An integrated management system will not tackle this challenge.
8. Operation When awareness is an obstacle, it is a good idea to consider what
9. Performance evaluation ‘no awareness’ means in terms of ‘lack of …’: ‘lack of interest’ and
10. Improvement ‘lack of leadership’, but also ‘lack of knowledge sharing among
organizational boundaries’ and ‘lack of coordination’. While
an integrated management system will not resolve the lack of
awareness, it can certainly help to remove some of the obstacles.
Conclusion
There are many benefits in adopting an integrated approach and
blending the IT service management system and IT security system
together. Not only will organizations be making more efficient use
of their resources, but they will also reduce complexity instead of
increasing it. And by defining a common language and approach
towards risk management, there will be a clearer understanding of
the context of the organization and the needs and expectations of
interested parties.
But make sure the service management system fits with the
requirements for an Integrated Management System. An
organization will need solid data segregation to protect the sensitive
information that is typically stored in security incidents.
About 4me
4me® combines ITSM with ESM and SIAM capabilities making it possible for all internal departments, such as IT, HR and
Facilities, to work seamlessly with each other, as well as with external managed service providers.