Implementing an ISO-integrated Management System Using COBIT 5
By Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001 LA/LI, PRINCE2 (P)
COBIT Focus | 2 March 2015

The Central Bank of Nigeria issued a compliance document titled “Nigeria Financial Services IT Standards Blueprint”[1] in May 2013. The blueprint, which includes time lines, is the main driver for the implementation of IT-related standards such as COBIT® 5, ISO/IEC 27001:2013, ISO/IEC 20000:2011 and ISO/IEC 22301:2012 in banks and IT service provider organizations in Nigeria today. The blueprint was developed by Accenture for the regulatory body prior to the publication of COBIT 5. The revised edition, which is in the works, will reference COBIT 5 specifically.

The implementation of these good practices is expected to result in improved operational effectiveness, uptime and availability, service quality, enterprise control and management, risk management and assurance, regulatory reporting, and business continuity. The compliance blueprint also provides information about the compliance priority (figure 1), time lines, scope and capability/maturity levels for each requirement. However, the compliance obligations extend beyond commercial banks to include their service providers, suppliers and vendors.

Figure 1—Compliance Domains (diagram not reproduced; it groups the following domains into Priority 1, Priority 2 and Priority 3: ISO 8583 & ISO 20022; PCI DSS & ISO 27001; COBIT & ISO 38500; PRINCE2/PMBOK; SFIA; XBRL; ITIL and ISO 20000; Data Centre Tier 3/4; ISO 22301; TOGAF; OHSAS; ISO 15504/CMMI)
Source: IT Standards Adoption Roadmap, www.cbn.gov.ng/ITStandards/Roadmap.asp

This case study explains how an IT service provider (the client) to the central bank leveraged COBIT 5 principles and implementation guidance to implement the ISO 27001 and ISO 20000 standards as an integrated management system.

Understanding the Structure of New ISO Management System Requirements

In April 2012, ISO updated its directives.
The overall goal is to make it easier to create integrated management systems and to adapt management system standards to the nature and culture of organizations. Figure 2 includes the high-level structure for all new and revised management system standards.

Figure 2—High-level Structure for All New and Revised Management System Standards
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the XXX management system
  4.4 XXX management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organization roles, responsibilities and authorities
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 XXX objectives and planning to achieve them
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
    7.5.1 General
    7.5.2 Creating and updating
    7.5.3 Control of documented information
8 Operation
  8.1 Operational planning and control
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement
Source: ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2014, appendix 2, http://isotc.iso.org/livelink/livelink/fetch/2000/2122/4230450/4230452/ISO_IEC_Directives_Part_1_and_Consolidated_ISO_Supplement_%2D_2014_%285th_edition%29_%2D_PDF.pdf?nodeid=16578881&vernum=-2

Afenoid Enterprise Limited was contracted in 2013 by the service provider to the Central Bank of Nigeria, MicroAccess Limited (the client), to implement two of the top priority standards that apply—ISO 27001 and ISO 20000—as part of the client’s service strategy positioning.
The major constraint Afenoid needed to address as implementation consultants was the complexity of implementing two management system standards at the same time within a tight schedule and in a business environment with an inadequate IT governance culture. The release of a new edition of ISO 27001 in October 2013 introduced a new challenge, as the client decided to update the implementation to meet the new requirements of ISO 27001:2013 while integrating with ISO 20000:2011. The project director was able to leverage his accredited COBIT 5 training (COBIT Foundation, COBIT Implementation and COBIT Assessor credentials) to help the client pioneer compliance and certification to the ISO 27001:2013 standard. After a third-party audit, the British Standards Institution (BSI) issued the certificate of compliance to the client in February 2014.

Leveraging COBIT 5 Principles to Implement ISO 27001:2013 and ISO 20000:2012

To address the complexity and challenges of implementing the certification program, the client relied on COBIT 5 guidance on program management, change enablement and continual improvement to integrate the standards. The client leveraged the COBIT 5 principles (figure 3) to guide it through the phases, having divided the implementation program into the following phases: training and awareness, gap assessment, implementation design, and program management.

Figure 3—COBIT 5 Principles (diagram not reproduced)
Source: ISACA, COBIT 5, 2012

High-level Mapping of COBIT 5 to the New Management System’s Requirements

Figure 4 shows how the client drew guidance from COBIT 5 to establish an integrated management system for ISO 27001 and ISO 20000.

Figure 4—High-level Mapping of ISO Requirement to COBIT 5 Guidance
(Columns: Clause No. | Management System Requirements | COBIT 5 Guidance)

Clause 4. Context of the organization
  Management system requirements:
    4.1 Understanding the organization and its context
    4.2 Understanding the needs and expectations of interested parties
    4.3 Determining the scope of the information security and service management systems
    4.4 ISO 27001 and ISO 20000 management systems
  COBIT 5 guidance: Pain points, trigger events, stakeholder drivers, enterprise goals, IT-related goals and information on related guidance

Clause 5. Leadership
  Management system requirements:
    5.1 Leadership and commitment
    5.2 Policy
    5.3 Organization roles, responsibilities and authorities
  COBIT 5 guidance: Responsible, Accountable, Consulted and Informed (RACI) chart from the EDM 01–EDM 05 processes; RACI chart from APO 06, APO 08, APO 09, APO 10, APO 12, APO 13, BAI 04, BAI 06, BAI 07, BAI 09, BAI 10, DSS 01, DSS 02, DSS 03, DSS 04, DSS 05; Framework, principles and policies—Appendix G, COBIT 5 Framework

Clause 6. Planning
  Management system requirements:
    6.1 Actions to address risks and opportunities
    6.2 ISO 27001 and ISO 20000 objectives and planning to achieve them

Clause 7. Support
  Management system requirements:
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
    7.5 Documented information
      7.5.1 General
      7.5.2 Creating and updating
      7.5.3 Control of documented information
  COBIT 5 guidance: Management practices from APO 06, APO 08, APO 09, APO 10, APO 12, APO 13, BAI 04, BAI 06, BAI 07, BAI 09, BAI 10, DSS 01, DSS 02, DSS 03, DSS 04, DSS 05; Enabler: People, Skills and Competencies

Clause 8. Operation
  Management system requirements:
    8.1 Operational planning and control
  COBIT 5 guidance: BAI 05

Clause 9. Performance evaluation
  Management system requirements:
    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal audit
    9.3 Management review
  COBIT 5 guidance: Lag and lead indicators; EDM 05, MEA 01, MEA 02, MEA 03

Clause 10. Improvement
  Management system requirements:
    10.1 Nonconformity and corrective action
    10.2 Continual improvement
  COBIT 5 guidance: MEA 01, MEA 02, MEA 03; process goals and metrics

Figure 5 shows the practical steps taken to leverage COBIT 5.
Figure 5—Afenoid’s Implementation Approach
(Columns: Implementation Phases | COBIT 5 Principle and Guidance Applied | Actions Taken)

Implementation phase: Training and awareness
  COBIT 5 principle and guidance applied: Meeting stakeholder needs; Covering the enterprise end to end; COBIT 5 Implementation phase 4 success factors (Educate and train in COBIT 5, other related standards and good practices)
  Actions taken: COBIT® 5 Foundation training for the top management team across all business units, ITIL Foundation for all IT service provider staff, and ISO 27001 and ISO 20000 certification training for process managers and process owners

Implementation phase: Gap assessment and implementation design
  COBIT 5 principle and guidance applied: Applying a single integrated framework; Enabling a holistic approach
  Actions taken: COBIT 5 guidance to design compliance to most of the ISO management system requirement clauses, especially clauses 4, 5, 6, 7, 9 and 10; the “related guidance” of each of the 32 COBIT 5 processes in the management domain, to determine the processes that are specifically related to ISO 27001 and ISO 20000

Implementation phase: Implementation design
  COBIT 5 principle and guidance applied: Applying a single integrated framework; Enabling a holistic approach; Separating governance from management
  Actions taken: COBIT 5 for stakeholder identification as well as stakeholder needs and expectations (Who is receiving benefits? Who is bearing risk? Who is providing resources?); scope of the management system; organizational roles, responsibilities and authorities; performance evaluation; and internal audit

Implementation phase: Programme management
  COBIT 5 principle and guidance applied: Separating governance from management; Enabling a holistic approach
  Actions taken: The COBIT® 5: Enabling Processes product to help determine the critical integration points, with its extensive guidance on process inputs, base practices, process outputs, process managers and process owners (as per RACI charts)

Source: Afenoid, Project Initiation Document. Reprinted with permission.

Conclusion

One of the five principles of COBIT 5 is Applying a Single, Integrated Framework.[2]
Leveraging this principle helped Afenoid’s client, MicroAccess Limited, a service provider to the Central Bank of Nigeria, to attain and maintain its certification to ISO 27001:2013 and ISO 20000:2011 through the continual improvement guidelines in COBIT 5. The subsequent successful surveillance audits by the registered certification body, the British Standards Institution (BSI), prove COBIT 5 to be highly recommendable as an integrator of multiple IT-related management system standards.

Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001 LA/LI, PRINCE2 (P), is the principal consultant at Afenoid Enterprise Limited, an IT management and assurance firm. He works out of Abuja, the federal capital territory of Nigeria. He is also the ISACA® Abuja (Nigeria) Chapter President. He can be reached at [email protected].

Endnotes
1 Central Bank of Nigeria, “Nigeria Financial Services IT Standards Blueprint,” May 2013
2 ISACA, COBIT 5, 2012, p. 14