Standardization of Information Security Management Systems: ISO/IEC 27001:2005, ITIL®, CoBIT®

Information is currently the most important asset of a modern company. Its security is therefore essential and is becoming a top priority for every company. Unfortunately, there is no simple recipe that provides 100 % security of information; a company must apply the best available security practices in order to achieve an appropriate level of information security. This paper presents and compares the most widely used approaches to an Information Security Management System (ISMS): ISO/IEC 27001:2005, BS 7799, ITIL® and CoBIT®. Each standard has its own scope, focus and target audience; they complement each other and each plays an important role in a company. A company should have implemented methodological guidance for IT management that ensures a consistent approach to IT management and IT security. In addition to these standards and frameworks, other important players in the standardization of information security include AIM, BISLA, CMMI, the ISO/IEC 15504-x series, AS8015, etc.


INTRODUCTION
The history of information security (hereinafter "IS") reaches far into the past, beginning about 4000 years ago in ancient Egypt. Rulers, soldiers, diplomats and merchants in the following millennia realized the importance of protecting information, and the field began to develop significantly during World War II [1]. The development of information systems and ICT (hereinafter "IS/ICT") called for additional security attributes of information: the basic security requirements (confidentiality, integrity and availability) were gradually extended by the new attributes listed in the section Theoretical background of information security management. Each new generation of IS/ICT brought new security threats, which were at first dealt with ad hoc [2,3,4]. Once information systems began to play an important role in supporting their activities, companies needed established methodological guidelines in line with governmental guidelines. Several organizations, both private and governmental, have therefore set up standardization bodies to issue standards, benchmarks and, in some cases, also IS legislation, so as to maintain an adequate level of security, ensure the proper use of funds and promote the adoption of a system of best security practices. Security procedures have thus become an important tool for achieving the required level of IS. This is reflected in the activities of standardization bodies, which issue a growing number of standards, methodologies, frameworks etc., gradually covering all activities in the area of IS/ICT governance in a company. Currently there are several standards, methodologies, frameworks and models, such as the ISO/IEC 270xx series of standards, BS 7799, ITIL®, PRINCE2®, CoBIT®, OPM3®, CMMI®, P-CMM®, PCI DSS etc. [5]. IS is thus becoming an important part of company security and a decisive factor in improving a company's performance: an actual breach of IS leads to a loss of confidence of both business partners and customers [6,7].
This paper briefly describes and compares selected standards (ISO/IEC 27001:2005, BS 7799) and frameworks (ITIL® and CoBIT®) that form part of ISMS standardization.

II. THEORETICAL BACKGROUND OF INFORMATION SECURITY MANAGEMENT
IS/ICT significantly influence the development of a company, and IS is a prerequisite for a company's effective performance. In broad terms, IS means the security of the information system and the protection of the information space, i.e. in practice the protection of the company's IS/ICT [2].
According to the ISO/IEC 27001:2005 international standard, IS protects information from a wide spectrum of risks in order to ensure the continuity of business processes, minimize losses and maximize the return on investment [8,9,10]. The European Union and multinational organizations (OECD, UN, G8, etc.) perceive IS as a world-wide problem. To protect valuable assets and privacy, they establish various institutions and institutional systems (e.g. ENISA, HLIG, etc.), which set strategic goals and take measures to meet them [11]. IS is multilateral in character, i.e. it must reflect the interests of the IS/ICT users as well as the rights of the natural and legal persons whose data are processed in their systems. According to the BS 7799 standard, an ISMS is that part of the overall management system, based on a business risk approach, whose role is to establish, implement, operate, monitor, review, maintain and improve IS [12,13].
Information is the content of data and occurs in various forms: written, oral, image and electronic (digital); it can be processed by various means. Since information is a key asset, any threat to it poses a serious problem that should be addressed quickly and efficiently. Maintaining the assets' attributes at the required level is a prerequisite [10,14]. Adequate protection of information depends on the purpose for which the information is used and on what endangers it and how. In practice, combined requirements for protecting information are frequently encountered. According to ISO/IEC 27001:2005 and ISO/IEC 27002:2005, the basic security requirements for data protection are confidentiality, integrity, availability, authenticity, accountability and privacy. Confidentiality means ensuring that information is provided and accessible only to authorized persons. Integrity means ensuring the correctness and completeness of the information in terms of both content and form. Availability means that the information is accessible to authorized persons whenever they need it: the right information to the right people at the right time. Authenticity means ensuring the integrity and originality of a document. Accountability (traceability) makes it possible to determine which entity performed a security-relevant action, e.g. who entered, changed, deleted or read the information. Finally, protection of data privacy restricts access to information to a narrower circle of authorized users [1,2,8,10,15].
The nature of IS is best explained by the OECD Guidelines for the Security of Information Systems and Networks of 2002. The document is not legally binding; it is recommendatory in character. It emphasizes the need to foster a culture of security, i.e. a focus on security in the development of IS/ICT and the adoption of new ways of thinking and behaving in the use of IS/ICT. The guidelines are based on nine basic principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management and reassessment. When addressing IS and implementing an ISMS, these principles must be considered; ISO/IEC 27001:2005 maps them to its own process model in its informative Annex B. Similar principles are also contained in a number of international and national policy documents [2,3,4].

III. METHODOLOGY OF RESEARCH
The aim of the present paper is to analyze and compare selected standards, methodologies, frameworks and models of ISMS on the basis of a study and evaluation of the available literature (descriptive research). To achieve this aim, we analyzed secondary sources (domestic and foreign professional literature, especially standards, methodologies, frameworks and models, studies, documents and journals related to the topic, as well as monographs, handbooks, textbooks, websites, etc.) and applied research methods of literature study (literary research, excerpting, processing and sorting), methods of obtaining new data (document analysis) and methods of data processing (analysis and synthesis, induction and deduction, comparison and generalization). Spreadsheets and verbal interpretation were used as complementary methods.

IV. STANDARDIZATION IN THE FIELD OF INFORMATION SECURITY MANAGEMENT
General support for standardization in the field of IS management has given rise to a number of norms, standards, methodologies and frameworks. The following sections provide a brief overview of the most important standards and frameworks.

A. ISO/IEC 27001:2005
The requirements for implementing an ISMS in a company are provided by the international standard ISO/IEC 27001:2005, published jointly by ISO and IEC [12,16]. It specifies the basic requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the company. It describes how to implement security controls adapted to the needs of individual organizations or their parts. It is also used for conformity assessment by internal or external interested parties and for certification audits [10,16,18,21,23]. It is designed so that a company can align or integrate its ISMS with the requirements of another management system. The ISO/IEC 27001:2005 standard is structured into eight chapters and three annexes [18,23]. The main part of the standard defines the mandatory parts of an ISMS, in particular risk assessment. Annex A of the standard describes eleven control areas based on a set of best practices [9,21,22,23]. The goal is to design and operate an ISMS in compliance with IS rules and to update it in case of changes [22].
The Slovak Republic adopted the standard as STN EN ISO 27001:2006, which enables effective and clear management of information security in a company. A certificate acquired according to this standard is therefore internationally valid: a Slovak company certified against ISO 27001 does not need to prove in another country that the requirements of the standard have been met. Introducing an ISMS in a company ensures the protection of assets of any kind (digital information, paper documents, physical assets such as computers and networks, the knowledge and skills of employees, and the organization's physical facilities) [8]. It demonstrates to interested parties that information and data are handled carefully, that security rules are defined, and that the risks associated with the identified threats are managed properly. It also declares compliance with the legislative requirements for information security (e.g. Act Coll., etc.) [25,26].

B. BS 7799
The BS 7799 standard was issued in 1995 by the British Standards Institution (BSI). BS 7799:1995 focused on supporting companies in implementing an ISMS, without emphasizing the performance of risk assessments. Its contribution was to establish a baseline level of information security and a standard approach to managing security issues in a company [10]. In 1998-1999, the standard was revised and expanded into two parts: Part 1, a code of practice for information security management, and Part 2, a specification for an ISMS [12]. Part 2 later became the basis of ISO/IEC 27001:2005, while Part 1 was adopted as ISO/IEC 17799 and subsequently renumbered ISO/IEC 27002.

C. ITIL ®
ITIL® (Information Technology Infrastructure Library®) is a comprehensive set of volumes that leaves a certain freedom in the implementation of processes. It belongs to the portfolio of best practices of the OGC (Office of Government Commerce). It is a process-oriented framework for the management of IT services [32,33,34]. It is suitable both for IT service providers and for larger IT departments [35]. It is based on the PDCA cycle [32,33,34]. The ITIL® framework was designed and gradually published from the 1980s by the CCTA (Central Computer and Telecommunications Agency), initially under the name GITIM, in response to the demand of the British government for assured quality of IT services and lower IT costs in both the government and the private sector. The original framework was based on the common practice of government agencies and the private sector, whose concerns are similar: providing and supporting IT services. The first set of volumes, ITIL® V1, was issued in 1989; the whole library eventually contained 46 individual volumes, and consistency between individual volumes was not maintained [33,34,36]. In the 1990s, the concept was adopted by large companies and government agencies in Europe and gradually introduced in non-governmental institutions and organizations in Great Britain and all over the world. In 2000, Microsoft® started using ITIL® V1 as the basis for developing its own framework, the Microsoft Operations Framework® (hereinafter "MOF®").
In 2001, ITIL® V1 was revised (ITIL® V2). ITIL® V2 comprised ten parts: the two core volumes, Service Support and Service Delivery, and further supplementary volumes [33,34,37]. In 2006, a new version of the ITIL® glossary was published. In 2007, the enhanced ITIL® V3 (five volumes) was published. ITIL® V3 is built around the management of the IT service lifecycle, i.e. around the value provided by IT to its customers, the consumers of IT services [33,34,38,39,40]. A new version, the ITIL® 2011 Edition, was issued in 2011. It comprises five core volumes (Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement) as well as complementary volumes such as The Introduction to the ITIL® Service Lifecycle; it omits some processes, adds new ones, includes checklists of changes and revises the qualification (certification) scheme. The Service Strategy volume and the ITIL® glossary in particular were amended [33,34,40,41]. ITIL® is neither a standard nor a methodology of ITSM: it does not prescribe a particular organizational structure for the company or the way process roles are assigned to work positions (it only recommends which roles should or should not be combined in one person), nor does it prescribe procedures or a project methodology for implementing ITSM [42]. It currently serves as the basis for developing the processes themselves. A major advantage of introducing processes according to ITIL® is the use of an agreed terminology (event, incident, problem, activity, role, etc.), which facilitates communication between the company and its customers.

D. CoBIT ®
CoBIT® (Control OBjectives for Information and related Technology) is a framework for IT governance designed in 1996 by ISACA (Information Systems Audit and Control Association). It comprises a set of practices enabling a company to achieve its strategic goals through the effective use of available resources and the minimization of IT risks. CoBIT® is primarily designed for managers, auditors and IT users, providing them with a system of processes, indicators and metrics that can be used to introduce IT governance and maximize the benefit of IT. The framework is used to set up or audit information processes in larger companies [35]. The second version, of 1998, added audit procedures, a set of implementation tools, elaborated processes and detailed goals. The third version, of 2000, added management guidelines within the updated framework; the major change was that responsibility for CoBIT® passed to the IT Governance Institute (ITGI). CoBIT® also follows the PDCA cycle [48]. The latest version, CoBIT® 5 of 2012, consolidates and integrates the CoBIT® 4.1, Val IT 2.0 and Risk IT frameworks, aligns with the ITIL® 2011 Edition and the related ISO standards, and incorporates the features of the BMIS and ITAF models [49]. It defines 37 IT processes divided into two main areas of process domains: Governance, with the domain Evaluate, Direct and Monitor (EDM, 5 processes), and Management, with the domains Align, Plan and Organize (APO, 13 processes), Build, Acquire and Implement (BAI, 10 processes), Deliver, Service and Support (DSS, 6 processes) and Monitor, Evaluate and Assess (MEA, 3 processes); their structure forms a loop representing the life-cycle of the information system. Each process in each domain is broken down into detailed activities with their inputs and outputs. The capability scale for all processes has six levels, from 0 (the process does not exist or is incomplete) to 5 (the process is fully optimized).
CoBIT® 5 is built upon five basic principles [50]: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Similarly to the ITIL® 2011 Edition, CoBIT® 5 is based on the premise that, in order to achieve its goals, a company must identify its business requirements, which in turn generate the requirements for IT resources; these are integrated into the IT processes that deliver the desired services and information.

E. Other Standards, Frameworks and Models
Besides the above-mentioned standards and frameworks, there are other important players in the field of IS standardization, e.g. AIM, BISLA, CMMI, ISO/IEC 15504-x and AS8015 (own source). ISMS standardization plays an important role in implementing and managing an ISMS in a company. Each standard, methodology, framework or model has a different focus; they complement each other and thus each plays an important role in managing the company. While CoBIT® and ISO/IEC 27001 tell the company's management what to do, ITIL® tells it how to do it from the point of view of IT service management. ISO/IEC 27001 focuses only on IS. Both ISO/IEC 27001 and ITIL® are tools of IT management, i.e. of the management of the IT departments responsible for operations. CoBIT®, on the other hand, is a framework for IT governance, i.e. it addresses the functioning and role of IT from the position of senior management, which may have neither deep knowledge of IT nor a focus on IS. It is designed for those responsible for business processes and technology, those who depend on the relevance and reliability of information processed through IT, and those who provide services in the field of IT quality, management and control. CoBIT® thus has a broader scope than ITIL®. A fundamental difference between CoBIT® and ITIL® is that CoBIT® did not emerge bottom-up from operational practice but is the work of several professional auditing and consulting companies, which is reflected in the language of its publications. For people with IT experience, CoBIT® processes may therefore seem less clear and readable than those defined in ITIL®, and implementation may be more demanding for them. An advantage of CoBIT® is that its publications are freely available for download on the Internet. CoBIT® nevertheless draws on a number of existing IT practices: it is sometimes referred to as an "integrator", bringing various IT practices under one roof while helping to link them with business requirements.
Frameworks and standards are not mutually exclusive but rather complementary. Processes according to ITIL® and ISO/IEC 27001 are commonly used for tactical and operational management. CoBIT® is used at the highest level of IT management, providing a governance framework based on a model of IT processes. We can say that ITIL® and ISO/IEC 27001 cover specific areas of IT and can be embedded in the CoBIT® framework. At the level of processes, the mapping is many-to-many (m:n), i.e. a certain set of CoBIT® processes corresponds to a certain set of processes according to ITIL® and ISO/IEC 27001.
It is important that the top management of the company takes full responsibility for IT management and actively manages the IT strategy. Company management should ensure that the company has implemented a standard, framework or methodology of IT management that guarantees a unified approach to IT management and IT security within the company [5,56,57].