Implementing an ISO-integrated Management System Using

DISCUSS THIS ARTICLE
Implementing an ISO-integrated
Management System Using COBIT 5
By Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO
27001 LA/LI, PRINCE2 (P)
COBIT Focus | 2 March 2015
The Central Bank of Nigeria issued a compliance document titled “Nigeria Financial Services IT Standards Blueprint”
1
in May 2013. The blueprint, which includes time lines, is the main driver for the implementation of IT-related
®
standards such as COBIT 5, ISO/IEC 27001:2013, ISO/IEC 20000:2011 and ISO/IEC 22301:2012 in banks and IT
service provider organizations in Nigeria today. The blueprint was developed by Accenture for the regulatory body
prior to the publication of COBIT 5. The revised edition, which is in the works, will reference COBIT 5 specifically.
The implementation of these good practices is expected to result in improved operational effectiveness, uptime and
availability, service quality, enterprise control and management, risk management and assurance, regulatory
reporting, and business continuity.
The compliance blueprint also provides information about the compliance priority (figure 1), time lines, scope and
capability/maturity levels for each requirement. However, the compliance obligations extend beyond commercial
banks to include their service providers, suppliers and vendors.
ISO 8583 & ISO 20022
PCI DSS & ISO 27001
COBIT & ISO 38500
PRINCE2/ PMBOK
SFIA
XBRL
Priority 3
ITIL and ISO 20000
Priority 2
Priority 1-
Figure 1—Compliance Domains
Data Centre Tier 3/4
ISO 22301
TOGAF
OHSAS
ISO 15504/CMMI
Source: IT Standards Adoption Roadmap, www.cbn.gov.ng/ITStandards/Roadmap.asp
1|Page
This case study explains how an IT service provider (the client) to the central bank leveraged COBIT 5 principles and
implementation guidance to implement ISO 27001 and ISO 20000 standards as an integrated management system.
Understanding the Structure of New ISO Management System
Requirements
In April 2012, ISO updated its directives. The overall goal is to make it easier to create integrated management
systems and to adapt management system standards to the nature and culture of organizations. Figure 2 includes
the high-level structure for all new and revised management system standards.
Figure 2—High-level Structure for All New and Revised Management System Standards
0
1
2
3
4
Introduction
Scope
Normative references
Terms and definitions
Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested
parties
4.3 Determining the scope of the XXX management system
4.4 XXX management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organization roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 XXX objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Source: ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2014, appendix 2,
http://isotc.iso.org/livelink/livelink/fetch/2000/2122/4230450/4230452/ISO_IEC_Directives_Part_1_and_Consolidated_ISO_Supplement_%2D_2014_%285th_
edition%29_%2D_PDF.pdf?nodeid=16578881&vernum=-2
®
Afenoid Enterprise Limited was contracted in 2013 by the service provider to the Central Bank of Nigeria,
MicroAccess Limited (the client) to implement two of the top priority standards that apply—ISO 27001 and ISO
20000—as part of the client’s service strategy positioning. The major constraint Afenoid needed to address as
implementation consultants was the complexity of implementing two management system standards at the same
time within a tight schedule and in a business environment with an inadequate IT governance culture.
The release of a new edition of ISO 27001 in October 2013 introduced a new challenge as the client decided to
update the implementation to meet the new requirements of ISO 27001:2013 while integrating with ISO
2|Page
20000:2011. The project director was able to leverage his accredited COBIT 5 training (COBIT Foundation, COBIT
Implementation and COBIT Assessor credentials) to help the client pioneer the compliance and certification to the
ISO 27001:2013 standard. After a third-party audit, the British Standards Institution (BSI) issued the certificate of
compliance to the client in February 2014.
Leveraging COBIT 5 Principles to Implement ISO 27001:2013 and
ISO 20000:2012
To address the complexity and challenges to the implementation of the certification program, the client relied on
COBIT 5 guidance on program management, change enablement and continual improvement to integrate the
standards. The client leveraged COBIT 5 principles (figure 3) to guide it through the phases having divided the
implementation program into the following phases: training and awareness, gap assessment, implementation
design, and program management.
Figure 3—COBIT 5 Principles
Source: ISACA, COBIT
5, 2012
High-level Mapping of COBIT 5 to the New Management System’s
Requirements
Figure 4 shows how the client drew guidance from COBIT 5 to establish an integrated management system for ISO
27001 and ISO 20000.
Figure 4—High-level Mapping of ISO Requirement to COBIT 5 Guidance
Clause No,
Management System Requirements
COBIT 5 Guidance
3|Page
4
4. Context of the organization
4.1 Understanding the organization and
its context
4.2 Understanding the needs and
expectations of interested parties
Pain points, trigger events,
stakeholder drivers,
enterprise goals, IT-related
goals and information on
related guidance
4.3 Determining the scope of the
information security and service
management systems
4.4 ISO 27001 and ISO 20000
management systems
5
5. Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organization roles, responsibilities
and authorities
Responsible, Accountable,
Consulted and Informed
(RACI) chart from EDM 0105 processes
RACI chart from APO 06,
APO 08, APO 09, APO 10,
APO 12, APO 13, BAI 04, BAI
06, BAI 07, BAI 09, BAI 10,
DSS 01, DSS 02, DSS 03, DSS
04, DSS 05
Framework Principle and
Policies—Appendix G,
COBIT 5 Framework
6
6. Planning
6.1 Actions to address risk and
opportunities
6.2 ISO 27001 and ISO 20000 objectives
and planning to achieve them
7
7. Support
7.1 Resources
Management practices
from APO 06, APO 08, APO
09, APO 10, APO 12, APO
13, BAI 04, BAI 06, BAI 07,
BAI 09, BAI 10, DSS 01, DSS
02, DSS 03, DSS 04, DSS 05
Enabler: People, Skills and
Competencies
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented
4|Page
information
8
8. Operation
BAI 05
8.1 Operational planning and control
9
9. Performance evaluation
9.1 Monitoring, measurement, analysis
and evaluation
Lag and lead indicators
EDM 05, MEA 01, MEA 02,
MEA 03
9.2 Internal audit
9.3 Management review
10
10. Improvement
10.1 Nonconformity and corrective
action
MEA 01, MEA 02, MEA 03,
Process goals and metrics
10.2 Continual improvement
Figure 5 shows the practical steps taken to leverage COBIT 5.
Figure 5—Afenoid’s Implementation Approach
Implementation Phases
Training and awareness
COBIT 5 Principle and
Guidance Applied
Meeting stakeholder’s
needs
Covering the enterprise
end to end
COBIT 5 Implementation
phase 4 success factors
(Educate and train in
COBIT 5, other related
standards and good
practices)
Gap assessment and
implementation design
Applying single
integrated framework
Enabling a holistic
approach
Actions Taken
COBIT 5 Foundation training
for top management team
across all business units, ITIL
Foundation for all IT service
provider staff, and ISO 27001
and ISO 20000 certification
training for process managers
and process owners
®
COBIT 5 Implementation
phase 4 success factors
(Educate and train in COBIT 5,
other related standards and
good practices)
COBIT 5 guidance to design
compliance to most of the
ISO management system
requirement clauses,
especially clauses 4, 5, 6, 7, 9
and 10
The “related guidance” of
each of the 32 COBIT 5
processes in the
5|Page
management domain, to
determine the processes that
are specifically related to ISO
27001 and ISO 20000
Implementation design
Applying single
integrated framework
Enabling a holistic
approach
Separating governance
from management
Programme management
Separating governance
from management
Enabling a holistic
approach
COBIT 5 for stakeholder
identification as well as
stakeholder needs and
expectations (Who is
receiving benefits? Who is
bearing risk? Who is providing
resources?); scope of
management system;
organizational roles,
responsibilities and
authorities; performance
evaluation; and internal audit
®
The COBIT 5 : Enabling
Processes product to help
determine the critical
integration points with the
extensive guidance on
process inputs, base
practices, process outputs,
process managers and
process owners (as per RACI
charts)
Source: Afenoid, Project Initiation Document. Reprinted with permission.
Conclusion
2
One of the five principles of COBIT 5 is Applying a Single, Integrated Framework. Leveraging this principle helped
Afenoid’s client, MicroAcces Limited-a service provider to the Central Bank of Nigeria, to attain and maintain its
certification to ISO 27001:2013 and ISO 20000:2011 through the continual improvement guidelines in COBIT 5. The
subsequent successful surveillance audits by the Registered Certification Body, British Standard Institute, proves
COBIT 5 to be highly recommended as an integrator of multiple IT-related management system standards.
Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001
LA/LI, PRINCE2 (P)
Is the Principal Consultant at Afenoid Enterprise Limited, an IT management and assurance firm. He works out of
®
Abuja, the federal capital territory of Nigeria. He is also the ISACA Abuja (Nigeria) Chapter President. He can be
reached at opeyemi@afenoid.com.
Endnote
1
2
Central Bank of Nigeria, “Nigeria
ISACA, COBIT
Financial Services IT Standards Blueprint ,” May 2013
5, 2012, pg. 14
6|Page