
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005

The Value to IT of Using International Standards


By Ernst Jan Oud, CISA
The international focus on IT governance has created a proliferation of local and international standards for IT management in general and IT security in particular. This article helps clarify which of these standards add value to IT, how to decide which standards to implement and the pitfalls encountered during implementation.
A recent publication by the American Institute of Certified Public Accountants (AICPA) [1] shows that, for the third consecutive year, information security (defined as the hardware, software, processes and procedures in place to protect an organization's information systems from internal and external threats) is the number one technology concern within the US. Due to the dynamics of today's business processes, there is no time to reinvent the wheel; the use of best practice, including standards, must prevail.
Standards for IT management and security are drafted by consensus or compromise from best practices discussed by a large group of individuals from various organisations. In most countries, standards are de facto (regarded as the obligatory best way to act) rather than de jure (where a standard is more or less mandatory). IT management and IT security standards are best practices and, as such, are not based on scientific facts. The term "folk art" [2] describes this phenomenon best.
At the start of the 20th century, when practical uses for electricity were invented, it was internationally recognised that safety and international trade called for international standards for electrical appliances. This led to the foundation of the International Electronic Committee (IEC). Much later, with the need for international standards in other fields of interest (quality systems amongst many others), the International Organisation for Standardisation (ISO) [3] was founded. Since computer and telecommunication systems require attention to electrical issues as well as, for instance, quality, IEC and ISO work together in Joint Technical Committee 1 on standards for this subject. [4]
Apart from recognised international standards, many national standards exist for IT management and IT security. For instance, whilst Control Objectives for Information and related Technology (COBIT) is more frequently used for IT management in the US and other countries, the IT Infrastructure Library (ITIL) is more frequently used in the UK, The Netherlands and Australia.
Most countries have local organisations that, for various reasons, publish standards. This may be because best practice is only available or applicable locally. For instance, the Dutch standard for the Dutch national flag will not be of much interest to a Mexican factory (unless it decides to step into the flag manufacturing business). However, this is not always the case. The need for project management best practice led to PRINCE2 [5] in Europe and PMBOK [6] in the US, in spite of the fact that project management is not done much differently on the two continents.
Issues With Standards
Since standards come about through discussions among individuals, wilfulness and cultural, political and (inter)national differences have led and will always lead to a proliferation of standards; the "not invented here" syndrome is prevalent.
It should be understood that folk art and the wilfulness of individuals lead to an abundance of good practices. It has been said before that the good thing about standards is that there are so many of them. This is indeed good, because when there are many standards, it is likely that one of the many standards on a particular subject can be made to fit a certain situation. This is particularly useful when a de facto standard (an international best practice from the set of good practices) has not yet been recognised. Since standards are sometimes regarded as straitjackets, it is nice to have a choice. If COBIT will not fit, one can go for an ITIL implementation; if the NIST Handbook on security is too overwhelming, one can try ISO 17799. Professionals should use the better parts of these standards as building blocks and be prepared to deconstruct standards. As Pablo Picasso said, "Every act of creation is first of all an act of destruction."
Value to IT
The value of using standards lies in not having to reinvent the wheel, which saves resources, but the biggest value lies in using the best practice of others to one's own benefit. It would be difficult for an individual organisation to come up with a better IT management framework than COBIT or ITIL. Also, most governance regulations (such as the Sarbanes-Oxley Act in the US and Tabaksblat in The Netherlands) mention that the organisations to which such regulations apply must implement best practices. If the organisation then chooses a de facto standard, it will be compliant (i.e., the risks of using an internally developed standard with omissions or errors are reduced by using de facto standards). Larger organisations have learned that drafting their own policies for security is often much more costly and less successful than basing their policies on ISO 17799.
Another benefit of using standards for IT management and IT security becomes obvious the moment an organisation decides to outsource part of its business; using a publicly available standard as the basis for service level agreements between the organisation and its business partners will lead to less misunderstanding and lower associated costs.
Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Benefit to Auditors
Auditors benefit substantially from using de facto standards. Whilst auditors in the past have created their own sets of standards, audit programmes and checklists to audit against, the use of publicly available international standards (such as COBIT, ISO 17799 and ISO 9001) leads to lower costs for both auditor and auditee and helps the auditee to understand the auditor better. It also enables the auditee to use the same standard for internal auditing as that used by the external auditor, which is a basis for integrated auditing. Even the auditing process itself has been internationally standardised through standards such as ISO 19011 and EA 7/03. [7]
The need for more attention to governance has also given rise to the need for certification. Judging quickly (without a costly external auditing or review process) whether doing business with an organisation is advisable is easier when that organisation can show compliance by handing over its certificate from an external, independent party that has previously assessed the quality of security of that organisation. There are currently more than 1,000 organisations [8] certified against BS 7799, [9] the de facto standard for information security management systems. Other standards for which a certification scheme exists are BS 15000, ISO 9001, the European Foundation for Quality Management (EFQM) and TickIT.
Summary of International Tactical Standards
Within the scope of IT auditing (i.e., IT management, security, business continuity planning and the auditing process itself), the following tactical de facto standards are of particular interest:
- IT management: COBIT, BS 15000, [10] Microsoft Operations Framework and ITIL
- Project management: PRINCE2 and the PMBOK
- Security management: ISO 13335, ISO 13569 (banking and financial services), ISO 17799/BS 7799-2 (both translated into local versions in a number of countries), IT Baseline Protection Manual (Germany), ACSI-33 [11] (Australia), numerous National Institute of Standards and Technology [12] standards from the NIST Handbook (SP800-12, USA), COBIT Security Baseline, ENV12924 (Medical Informatics) and the Information Security Forum Standard of Good Practice [13]
- Quality management: ISO 9001, EFQM and Baldrige National Quality Plan
- Software development: TickIT, Capability Maturity Model Integration (Software Engineering Institute)
- IT governance: COBIT, IT Governance Implementation Guide, COSO Internal Control - Integrated Framework and COSO Enterprise Risk Management - Integrated Framework, and the recent Australian standard AS 8015-2005 (corporate governance of information and communication technology)
- Risk management: Australian standard AS/NZS 4360 [14]
- BCP: British Standards Institution PAS-56 and Australian standard HB 221-2004
- Auditing: COBIT and ISO 19011
Figure 1 structures these standards into international, national and organisational standards.
Operational Standards
Next to this considerable number of tactical standards (i.e., standards describing processes and procedures), an even larger number of operational, technical standards exist. The ISO, the European Telecommunications Standards Institute and the National Institute of Standards and Technology (NIST) have published standards on issues including encryption (FIPS 197), (technical) evaluation criteria for IT security (ISO 15408), contingency planning (FIPS 87) and password usage (FIPS 112). More information can be found at www.iso.ch, www.nist.gov and http://csrc.nist.gov/publications/fips/.
Figure 1: Structure Amongst Standards. The figure is a table with three columns (International Standard, National Standard, Organisational Standard or Guidelines) and the following rows; the placement of each standard in a column did not survive extraction, so only the row contents are listed here:
- IT Management: BS 15000, COBIT, MOF, ITIL
- Project Management: PMBOK, PRINCE2, APMs
- Security Management: ISO 13335, ISO 13569, ISO 17799, BS 7799-2, NIST standards, ACSI-33, Baseline Protection Manual, COBIT Security Baseline, ENV12924, ISF Standard of Good Practice
- Software Development/Acquisition Process Improvement: ISO 12207, ISO 15504, TickIT, CMMI, Bootstrap
- Quality Management: ISO 9001, EFQM, Baldrige National Quality Plan
- IT Governance: COSO Internal Control - Integrated Framework, COBIT, IT Governance Implementation Guide, Australian standard AS 8015
- Risk Management: AS/NZS 4360, COSO Enterprise Risk Management
- BCP: PAS-56, AS/NZS 4360 and HB 221-2004
- Auditing: ISO 19011, COBIT

It is not by accident that figure 1 mentions two recent standards for business continuity management: Publicly Available Specification 56 from the British Standards Institution and Handbook 221, Business Continuity Management, by Standards Australia. Both standards describe the strategic and operational framework to implement resilience to disruption, interruption or loss in supplying products and services. The processes described in these standards go beyond IT disaster recovery planning. A recent Deloitte survey [15] showed that only about a third of the respondents felt they had a comprehensive BCM governance structure in place, and only half of these include executive involvement in setting and driving their programmes. Two-thirds of those surveyed indicated that they still do not have a process to ensure that an appropriate BCM programme is maintained. There is an apparent need for best practice guidance. This is where these standards can be of much use.
Implementation of any standard that is unfit for purpose can lead to projects running out of budget due to omissions in the standard or its lack of clarity. Successful standards leave room for interpretation but, at times, this interpretation leads to problems. A standard such as ISO 17799 describes the "what" of security but not the "how". Especially during a certification process, this can lead to discussions with the external auditor on the question of when compliance has been reached.
Families of Standards
Some of the standards mentioned previously are part of a family of standards. For instance, BS 15000, the British Standard for IT Service Management, consists of two parts. Part one is the specification for service management, and part two, the Code of Practice for Service Management, is one step lower in the hierarchy. Further down the hierarchy, ITIL gives best practice for the processes described in BS 15000, and the organisation's in-house procedures are found below that.
A similar hierarchy is found within BS 7799-2, the specification for security management; ISO 17799, the set of best practices; and ITIL Security Management, describing the IT security processes.
Mapping Standards
Because so many good standards exist and professionals need to have several standards within their toolkits, the need to map those standards onto each other has arisen. This calls for a metastandard (a standard for standards). A metastandard would enable semiscientific comparison amongst standards. Unfortunately, such a metastandard does not exist. Any comparison or mapping tends to compare apples and oranges. As the IT Governance Institute has experienced during its elaborate mapping of COBIT and ISO 17799, [16] mapping cannot always be one-on-one, because the COBIT control objectives operate at a higher level and the detail of ISO/IEC 17799:2000 is much closer to the level of detail of the COBIT control practices.
Most of the standards mentioned previously describe process properties. Technical standards, such as ISO 15408, Evaluation Criteria for IT Security (previously called Common Criteria), describe system properties in more detail. An example of a standard on process properties is ISO 9001, which describes the plan-do-check-act (PDCA) Deming Cycle for quality management.
Standards and IT Governance
Ryan Peterson [17] stresses that IT management deals with internal business orientation and short-term operational problems, whilst IT governance also focuses on external business orientation and has a longer-term perspective.
ITGI's IT Governance Implementation Guide, available from the ISACA Bookstore, describes in great detail the steps to implementing IT governance. A number of these steps point the reader toward understanding existing preferred IT models, standards and best practices. The book explicitly mentions BS 7799 and ITIL for IT security and IT management. It also says (for IT governance implementation projects) to use available best practices and standards to further refine detailed improvement requirements, clearly pointing to PRINCE2 and the PMBOK. There clearly appears to be a need for standards when implementing IT governance.
Mapping a number of the aforementioned standards on Peterson's model leads to figure 2.
ITGI's Board Briefing on IT Governance, 2nd Edition, [18] proposes a framework (see figure 3) on which some of the standards mentioned can be mapped (see figure 4), indicating the focus area of IT governance for which they are pivotal.
Figure 2: Leading Management and Security Standards Mapped on Peterson's IT Governance Model. The figure plots standards on two axes, business orientation (internal to external) and time orientation (present to future), with IT management in the internal/present region and IT governance in the external/future region, consistent with Peterson's distinction above. Standards shown: COSO, BS 15000, COBIT, ISO 9001, ISO 13335, BS 7799, PAS 56, HB 221, ITIL and ISO 17799.

Development
Good standards are revised regularly, whilst bad standards fade away. In this context, "good" means that the standard is used by a large number of organisations. The best standard will be the most successful. Betamax was the better video recorder standard, but VHS gained the market. The following paragraphs describe the revision status of a number of important security process standards.
In December 2000, part one of British Standard 7799 became ISO 17799. This standard contains more than a thousand best practice security controls grouped into 127 paragraphs. A number of countries were not positive on ISO 17799, which was understood by ISO and led to an immediate revision project. As a result, this year will see an improved update of this standard.
Part two of BS 7799 was never released as an ISO standard. Part two describes the same 127 paragraphs but in normative form (i.e., all verbs "should" are changed into "shall", turning guidance into specification). More important, it explains the plan-do-check-act cycle for information security management. With the 2002 revision of this standard, it is now fully in line with ISO quality standards. A project to turn part two of BS 7799 into a worldwide ISO standard for security management has been started.
The five-part technical report ISO 13335, Guidelines for the Management of IT Security (GMITS), is currently in a major revision process. It will be made more compact and more in line with ISO 17799. The result will be a two-part ISO standard (as opposed to a technical report, which contains data of a different kind from that which is normally published as an International Standard) on the management of information and communications technology security.
ISO Technical Report 13569, Banking and Related Financial Services: Information Security Guidelines, is also under revision. It provides guidelines on the development of an information security programme for the financial services industry. It includes discussion of the policies; the organisation; and the structural, legal and regulatory components of such a programme.
An overview of the revision status of all ISO SC27 standards is contained in the catalogue of SC27 projects and standards on the JTC1 web site.
ITGI's Mapping Project
Recognising the importance of well-recognised standards other than COBIT, the IT Governance Institute has defined a framework for comparing standards and collections of best practices. It has also used this framework to map, at a high level, a number of standards for IT management, security and quality onto COBIT. Recently the more detailed mapping of the control practices of COBIT to the controls of ISO 17799 has been published.
Other organisations have also mapped various standards. The German Federal Office for Information Security [19] has mapped its IT Baseline Protection Manual to ISO 17799, and the itSMF web site contains an Excel spreadsheet mapping COBIT, ISO 17799 and ITIL. Annex C of part two of BS 7799 also maps BS 7799 to ISO 9001 and ISO 14001.
Implementation Experiences
No standard covers every subject in detail. The advice here is to pick and choose. Any professional in any subject should be familiar with the standards in his/her profession. The contents of, or philosophies behind, these standards should be in his/her tool kit, ready to be used where appropriate. For instance, ISO 17799 mentions the importance of security audits and reviews but contains no information on how to perform them. Here the COBIT audit guidelines can be used, especially now that the COBIT controls have been extensively mapped to ISO 17799. The strategic security management process itself is described in BS 7799, and the operational IT part of security management is described in ITIL's Security Management. Security professionals should be able to build a security management system for their employers using the best of these standards.
An organisation deciding to adopt a set of standards faces a number of challenges. First, it will take time to convince everyone to work according to these standards. This investment, as well as the cost of transferring from the old way of working to the new way, is often forgotten. A standard will not always fit; adaptation, if possible, will create costs. Implementing standards, due to their formal nature, will make processes more rigid and more static. In some organisations, this can lead to problems. The dynamics of today's business processes sometimes call for more flexibility; standards do not always provide this.
Figure 3: Focus Areas of IT Governance. The framework is built around stakeholder value drivers and five focus areas: IT strategic alignment, IT value delivery, risk management, IT resource management and performance measurement.

Figure 4: Leading Standards Mapped to the Focus Areas of the IT Governance Framework. Standards placed on the framework: ITIL, COBIT, ISO 9001, BS 7799, BS 15000, ISO 17799, ISO 13335, PAS 56, HB 221, PRINCE2, PMBOK, MOF and COSO.

Conclusion
The use of standards raises the value of IT, but there is no standard that covers all aspects of IT management, security and quality. COBIT covers a large subset of all possible aspects but may need to be complemented. This is also acknowledged by ITGI. To decide where extra standards are required, the recent publication of the ITGI mapping project can be of much benefit.
Endnotes
1. American Institute of Certified Public Accountants (AICPA), 2005 Top Technologies Survey, USA, January 2005
2. This term was first used by Donn B. Parker in Fighting Computer Crime, John Wiley & Sons, USA, 1998.
3. www.iso.ch
4. Joint Technical Committee, www.jtc1.org
5. OGC, Managing Successful Projects with PRINCE2, The Stationery Office, London, revised edition 2002
6. Project Management Institute, www.pmi.org
7. European Cooperation for Accreditation, www.european-accreditation.org
8. See www.xisec.com for the unofficial international certificate register.
9. See www.bsi-global.com.
10. The two-part British Standard 15000 gives guidance and a specification for IT Service Management, www.bsi-global.com.
11. Australian Communications-Electronic Security Instruction 33, www.dsd.gov.au/infosec/publications/acsi33.html
12. www.nist.gov
13. www.isfsecuritystandard.com
14. Standards Australia, www.standards.com.au
15. CPM Global Assurance and Deloitte & Touche LLP, 2004 Benchmark Survey on Business Continuity Management
16. IT Governance Institute, COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, www.isaca.org/cobit
17. Peterson, Ryan R., "Information Strategies and Tactics for Information Technology Governance", in Strategies for Information Technology Governance, edited by W. Van Grembergen, Idea Group Publishing, 2003
18. www.itgi.org
19. www.bsi.bund.de (German and English versions of the web site and documents are available).
Ernst Jan Oud, CISA
is senior manager with Deloitte Enterprise Risk Services. His areas of expertise are information security and business continuity management. Oud is a member of the standards committee responsible for BS 7799 in The Netherlands as well as the committee that developed and maintains the certification scheme. As a certified BS 7799 lead auditor, he is familiar with internal auditing against this standard.
Oud teaches BS 7799 at NEN, the Dutch standards institute, and business continuity at TIAS Business School. In November 2002, he published a practical guide on BS 7799 implementation. He has published a number of articles and has spoken at ISACA's EuroCACS and Network Security Conference, and served as expert reviewer for the ITGI publication COBIT Mapping: Overview of International IT Guidance. He is writing a practical guide on business continuity management.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org