See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/375188674

INFORMATION SECURITY IN THE FUNCTION OF CORPORATE MANAGEMENT OF

INFORMATION TECHNOLOGIES

Article · November 2023

CITATIONS READS

0 75

4 authors, including:

Ljilja Sikman Tihomir Latinovic

University of Banja Luka University “VITEZ” Travnik
10 PUBLICATIONS 18 CITATIONS 153 PUBLICATIONS 227 CITATIONS

SEE PROFILE SEE PROFILE

Aleksandar Gacina
University of Banja Luka
1 PUBLICATION 0 CITATIONS

SEE PROFILE

All content following this page was uploaded by Tihomir Latinovic on 02 November 2023.

The user has requested enhancement of the downloaded file.

 XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT
XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

RAD ORIGINAL SCIENTIFIC PAPER

INFORMATION SECURITY IN THE FUNCTION OF CORPORATE

MANAGEMENT OF INFORMATION TECHNOLOGIES
1 1 2 3
, Danica Sav , Tihomir Lat ,
1
University of Banjaluka, Faculty of Technology, Bulevar vojvode Stepe S 73, 78000
Banjal Luka, Bosnia and Herzegovina, [email protected]
2
University of Banjaluka, Faculty of Mechanical Engineering, Bulevar vojvode St
71, 78000 Banja Luka, Bosnia and Herzegovina
3
University of Banjaluka, University Computer Center,
Banja Luka, Bosnia and Herzegovina

ABSTRACT
It is known that the three basic elements of information security are protection against
confidentiality, integrity and availability of information. The ISO/IEC 27001 standard helps
companies protect information in any form. The new version of the ISO/IEC 27001:2022 standard
follows new trends in IT and introduces new security controls. Information security is not the same
in 2022 as it was in 2013, as many companies have embraced remote work and are using virtual
applications. The standards of the ISO/IEC 27000 series represent answers to the increasing
challenges of implementing information security measures in the company. The paper researched,
analyzed and proposed the conceptual framework of information security in the function of
corporate management of information resources, services and business values. The goal is to show
that there is a strong connection between information security and company operations.
The recommendations and guidelines of the COBIT 2019 management framework were used
for information technology management. An important feature of the development and application
of the COBIT framework is its flexibility and alignment with many relevant standards.
Keywords: international standard 27000 series, COBIT, corporate management of
information technologies.

INTRODUCTION
In the contemporary business environment, all processes must have access to high-quality and
secure information and data. Information security is a part of our reality, our work, and our life.
System information security includes natural persons and environment, processes, organization and
technology ( l., 2019). Protecting everyday activities that involve critical data,
information, and intellectual property from cyber threats is a significant challenge in modern
society. To adequately safeguard an information system, it is necessary to align, implement, and
monitor all necessary security measures. For these reasons, there is a need for effective information
security management, leading to the development of standards and best practice guidelines that
provide recommendations for establishing effective protection of information resources.
The international standard ISO 27001 represents a contemporary framework for assessing
information security and implementing an Information Security Management System (ISMS) for
companies of all sizes, structures, or orientations. An essential characteristic of this standard is risk
management and risk assessment. Risk assessment is one of the most critical steps in the
implementacion of ISMS, not only because of the result of risk assessment is the basis for planning
and conducting the necessary controls but also because of the procedure and methodology of
conducting the assessment. (Sikman et al., 2022). Risks that compromise the three fundamental
security requirements - confidentiality, integrity, and availability - necessitate the use of security
controls. Such risks must be identified, and effective management of these risks is essential.

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 362

 XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT
XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

The process of managing security risks can rightfully be considered the foundation of
building a secure and reliable computer infrastructure. Identifying critical information resources
and determining their associated security risks is a process that enables more effective and cost-
efficient decision-making related to enhancing security ( beni glasnik BiH, 2022).
Legal regulations, existing standards, and "best practice" rules prescribe the same
recommendations for behavior and information security management system controls across all
institutions. Such recommendations are theoretically universal and applicable to a large part of
institutions. However, in practice, these requirements are specific to companies within their
business operations. There is a lack of connection between financial investments in an information
security management system and the quantitative representation of costs, which makes it difficult
for information security managers to present economic indicators of information security
investments to the institution's management ( ).
During the research on the exposed problem, most authors analyzed information security
policy based on knowledge management ( ). Some authors focused on the identification
and assessment of operational risk management related to Information and Communication
Technologies (ICT) based on the ISO/IEC 27001:2013 standard, applying a fuzzy logic (Pichit, &
Chuleekorn, 2018). Simultaneously, a lack of a specific, general model within institutions tailored
to their needs and size is observed, aiming to assess the functionality of the Information Security
Management System according to the ISO 27001:2022 standard, within the scope of corporate IT
governance.

WHAT CHANGES DOES THE NEW STANDARD ISO/IEC 27001:2022 BRING

The standard ISO 27001 is important for all institutions whose business functions related in
any way with information technology and the demand for the protection of confidentiality of
information resources. Applying this standard provides better connections with close organizations
in the wider environment. The introduction of this standard, businesses show their customers and
all interested parties that their business functions implemented on the basis of the principles of
security and that the business plans are focused on continuous improvement of the Information
security management system (ISMS) ( ., 2019). After nine years, a new version of the
ISO 27001 standard has been published. The new standard, ISO/IEC 27001:2022, has the same
broad goals as the previous version. The main changes introduced by the new standard are as
follows:
Changed title of the standard: The previous version, ISO 27001:2013, was titled "Information
Security Management System," while the new standard, ISO 27001:2022, is titled "Information
security, Cyber security, and Privacy Protection Management System." This indicates a fresh
approach to information security. The change and expansion of the title to include "cybersecurity
and privacy protection" better represent the standard's role, broadening its scope to cover more
technical aspects of data protection and cybersecurity.
Reduced number of security controls: The most significant change in Annex A of the
standard is the introduction of 11 new security controls. By aligning with ISO 27002, the total
number of controls has been reduced from 114 to 93. Some controls were added or merged with
existing controls. There are still 35 unchanged controls, 23 controls with modified names, 57
controls merged into 24 controls, and one control split into two. The new controls better reflect
changes in technology, the evolution of cyber threats, and take into account risks that were not
considered in the previous version. The new security controls are: Threat Intelligence, Information
security for use of cloud services, ICT readiness for business continuity, Physical security
monitoring, Configuration management, Information deletion, Data masking, Data leakage
prevention, Monitoring Activities, Web filtering, and Secure coding. Companies are required to
establish internal or use external resources (outsource services) to collect, analyze, and create final
information on cyber and indirect threats to the company through the implementation of these new
controls. It's worth noting that not all controls are mandatory for implementation. Certification
bodies may exclude certain controls if associated risks are not identified, or if there are no legal
requirements to establish such controls.

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 363

 XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT
XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

Changed structure of the standard: The new structure of the standard is divided into four
thematic categories instead of the previous fourteen. The standard now consists of the following
categories: organizational controls (37 controls), people controls (8 controls), physical controls (14
controls), and technical controls (34 controls). The reduction in the number of categories aims to
simplify the implementation of ISMS and provide better clarity in the process of implementation.
The advantages of the new version of the standard can be defined as follows:
Enhanced risk management: The new version of the ISO/IEC 2700:2022 standard provides
improved guidelines for identifying, assessing, and managing information security risks. This
enables organizations to better understand their risks and address them more effectively to reduce
the likelihood of unwanted incidents.
Simpler and improved structural approach to the standard and presentation of controls: The
change in the structure of the standard into four thematic categories makes it easier for
organizations to comprehend and implement controls. This simplification aids in the efficient
implementation of the Information Security Management System.
Expanded focus on cybersecurity and privacy: The addition of "cybersecurity and privacy
protection" in the title of the standard reflects a broader coverage of information security,
considering new challenges brought by the digital age, including cyber threats and data protection.
Assisting companies in reassessing their risks and threats and implementing security controls:
The introduction of new security controls in line with technological advancements and cyber
threats enables companies to better assess their specific risks and tailor protective measures to stay
ahead of potential threats.
All these advantages contribute to strengthening information security and empower
organizations to better manage their information resources in today's complex and dynamic
environment.

GENERAL CHARACTERISTICS OF THE APPLICATION OF THE ISO 27001

STANDARD
The application of the ISO/IEC 27001 standard worldwide is continually growing. Many
companies have recognized the benefits that the standard brings to modern business, contributing
to a competitive advantage in the market. Figure 1 presents the industrial sectors with the highest
number of certifications worldwide according to ISO/IEC 27001 for the year 2021 (ISO Survey,
2021).

Figure 1. Standard ISO/IEC 27001 - sectors with the largest number of certificates in the world in 2021 (ISO
Survey, 2021).

The highest number of certifications is in the Information Technology sector. Nowadays,

companies utilize electronic business, which holds the same significance as financial capital.
Therefore, data security and protection must be at a high level. For this reason, many companies
opt for implementing an ISMS.
The application of modern technologies in business results in market globalization and the
need for managing a protection system. In Bosnia and Herzegovina, there is an increasing number
of companies choosing to implement ISO 27001, as shown in Figure 2 (ISO Committee, 2021).

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 364

 XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT
XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

Figure 2. ISO/IEC 27001 standard - certificate number in BiH for the period from 2016 to 2021.

Figure 3 shows the number of companies in Bosnia and Herzegovina and neighboring
countries that implemented the ISO/IEC 27001 standard in 2021 (ISO Committee, 2021).

Figure 3. ISO/IEC 27001 standard - number of certificates in BiH and neighboring countries for 2021.

CORPORATE MANAGEMENT OF INFORMATION TECHNOLOGIES THEORETICAL

ASPECT
The use of computers, in the broader context of information technology, aims to increase
efficiency and effectiveness in daily activities and processes within a company. The information
system of every modern company, in the era of electronic business, should provide necessary
internal and external information to deliver quality services. Only a quality information system can
lead to a better understanding of the organization and create conditions for successful business
(Al . 21). By analyzing the quality of all components of the information
system and their interaction, it is possible to gain insight into the overall quality of the information
system and determine potential ways to optimize its quality. Nolan's law of minimum quality of an
information system states: "The quality of an information system is equal to the quality of its
weakest component." ( pp. 23). In most cases, the human factor poses the
greatest threat to the information system, as individuals with insufficient skills and knowledge can
hinder its optimal usage. Therefore, it is essential to establish an information system management
process.
Corporate governance of information systems and technologies can be categorized into two
levels ( , pp. 205):
Strategic IT governance, which focuses on the external environment and the strategic vision
of all stakeholders.
Operational IT management, which focuses on the internal environment, administration, and
management of business processes, as well as finding the best administrative and technological
solutions for an optimal business model.
Managing the information system is a part of corporate governance that ensures the effective
use of information technologies to achieve the company's ultimate goals. It is evident that the
company's business objectives determine the strategy of the information system. To determine the
strategy of the information system, the company's management, the responsible head of the IT
department, and other executives involved in strategic IT management need to be included. In

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 365

 XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT
XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

order to ensure a high-quality information system to achieve business objectives, potential risks
and threats that the company may not have immediately identified need to be identified. Therefore,
an audit of the information system is conducted, both by internal and independent external
auditors. The goal of auditing the information systems is to verify the alignment of business
objectives and information system objectives. The audit aims to determine the extent to which the
functioning of the information system aligns with the company's business objectives. The object of
the audit of information systems is to assess the maturity of IT controls that are part of the
information system and are interconnected to achieve the goals of the entire information system.
There are several methodologies for auditing information systems, with COBIT and ISO 27001
being two of them, used to methodologically assess the quality of the information system.

COBIT THEORETICAL AND TECHNICAL ASPECTS

COBIT (Control Objectives for Information and Related Technologies) is the most
commonly used standard for managing information systems and corporate governance of
information technology. The standard prescribes the domains, controls, and procedures used for
operational and corporate IT management. The author of the COBIT management framework is
ISACA (Information System Audit and Control Association), which is a leading global
organization providing knowledge, certifications, and education in the areas of security and
assurance, as well as corporate governance of information risks and technology.
The latest edition of COBIT 2019 aims to enable more flexible and customized
implementation of effective "Enterprise Governance of Information and Technology (EGIT)." The
new edition of COBIT introduces changes to the principles, including an adapted cascade of
objectives, the establishment of three new processes, the introduction of focus areas, and design
factors. Overall, the changes in COBIT respond to many IT-related changes that companies face.
The COBIT management framework clearly defines and specifies essential IT processes, precise
areas of responsibility, control objectives, and supervision. The framework also provides maturity
models, i.e., metrics and goals for IT processes:
Critical Success Factors (CSF)
Key Goal Indicators (KGI)
Key Performance Indicators (KPI) and management recommendations for performance
monitoring
Risk management recommendations
Control objectives and control tests
Achievement indicators for planned activities (IT activity goals)
Maturity models for each business process (quality of each process is evaluated on a
scale from 0 to 5)
A system for measuring the effectiveness of IT on business operations.

The following are explanations of individual stages of COBIT process maturity assessment:
Level 0 - Non-existent processes:
There is no corporate governance of information technology. The company lacks a
responsible person or IT governance center. IT investments are made only when problems arise,
and there is no risk assessment.
Level 1 - Initial stage:
The company management has not yet recognized the significance of IT governance, and
there are no formal procedures. The importance of IT risks is not recognized. IT governance is
conducted within the IT center, and top management is not familiar with these activities.
Level 2 - Repeatable processes:
IT governance exists, but procedures are not coordinated between the IT center or other
operational organizational units. There is no supervision, coordination, or standardized procedures.
Responsibility lies with individuals, and there is no employee training.
Level 3 - Defined processes:

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 366

 XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT
XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

Employees are familiar with and trained in procedures, and there is IT governance. However,
these procedures are not tailored to the company's operations. Responsibility for implementing
procedures lies with individuals, and there is no system supervision, making it unlikely to detect
deviations from defined processes.
Level 4 - Managed and measured processes:
Procedures and policies for IT governance exist, and it is possible to supervise these
procedures, measure their success, and correct any identified shortcomings. Responsibilities of
appropriate corporate bodies are defined. Companies continuously improve processes and activities
and set adequate IT governance objectives aligned with business goals. Modern methods are used
to measure the achievement of these objectives.
Level 5 - Optimized processes:
IT corporate governance processes are at a high level. The efficiency and effectiveness of IT
are continuously measured, and results are compared with other companies and best practices. The
involvement of IT in strategic plans is recognized. All IT activities are predefined according to
business priorities.

EXAMPLE OF FUNCTIONAL FRAMEWORK OF INFORMATION SECURITY AND

CORPORATE IT MANAGEMENT
When forming the functional framework for information security and corporate governance,
the following starting elements of integration were taken into account:
A) The management of the information security system in the company is based on the
application of legal, technical, and organizational frameworks for protection.
B) ISMS (Information Security Management System) complies with legal regulations,
professional standards, and certification systems.
C) The company's management analyzes the costs of such a system.
D) Input elements of the information security management system can be variable and non-
variable. Non-variable inputs are legal regulations since they do not change frequently, while
organizational and technical characteristics of the company are considered variable inputs.

The fundamental elements were created for the formation of the functional framework for
information security and IT governance in the company at all levels of COBIT process
development and operation. The basic elements of the model for each level correspond to security
controls according to the recommendations of ISO 27001:2022 standard. When creating the
functional framework, care was taken to ensure that each corresponding element corresponds to the
complexity levels of COBIT processes. Tables 1 to 6 represent the functional framework for
information security and IT governance according to the levels of COBIT process development.

Table 1. Level 0 Elements of Non-Existent Processes .

Elements of information security and IT governance at the zero level of development
There is no IT support center, IT management, and risk assessment in the company.
The importance of corporate governance is not recognized
The company addresses security issues reactively (after the problem occurs).

Table 2. Level 1 Elements of Initial Processes.

Elements of information security and IT governance at the first level of development
Management has no formal procedures for IT governance.
IT management is conducted by the IT center.
The company's management is not aware of IT risks and does not consider information security.
IT governance exists only when a security incident occurs.

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 367

 XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT
XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

Table 3. Level 2 Elements of Repeatable Processes

Elements of information security and IT governance at the second level of development
IT center conducts IT governance, but processes are not coordinated with other organizational units
There is no supervision and standardized working procedures.
Responsibility for IT management lies with individuals, and employees are not trained.
A system of logical controls is introduced for accessing information resources.
Procedures for operational implementation of information security exist

Table 4. Level 3 Elements of Defined Processes.

Elements of information security and IT governance at the third level of development
Procedures for IT governance exist but are not tailored to the company's operations.
Responsibility for implementing security procedures lies with individuals.
Employees receive training in information security.
There is no supervision and risk assessment of information security processes.
An internal information security policy exists but is not aligned with other organizational units.
Implementation procedures for personal, organizational, technical, and physical controls are not tailored to
the company's operations.

Table 5. Level 4 Elements of Managed and Measured Processes.

Elements of information security and IT governance at the fourth level of development.
Implementation procedures for personal, organizational, technical, and physical controls are tailored to the
company's operations.
Procedures and guidelines for IT governance exist, and process performance can be measured and adjusted.
A corporate body is responsible for implementing measurement processes using modern measurement
methods
The company establishes and improves IT governance procedures aligned with business objectives.
Processes for managing business continuity and annual investment plans for ISMS.
Monitoring legal provisions related to information security and company compliance.
Employee training procedures in information security.

Table 6. Level 5 Elements of Optimal Processes.

Elements of information security and IT governance at the fifth level of development
The efficiency and effectiveness of IT processes are continuously measured, and results are compared with
other companies and best practices.
IT governance processes are transparent, and corporate bodies continuously monitor processes.
All IT activities are predefined based on business priorities.
IT management and information security are essential business functions and serve strategic purposes.
Financial analysis of investments in the IT sector in a semi-annual or annual period.
Establishment of ISMS and preparation for certification.

CONCLUSIONS
Many companies employ various forms of information technology in their business
operations, which exposes them to numerous threats and new risks. To ensure the quality of their
information systems, identify potential risks, and achieve successful operations, periodic audits and
evaluations of information systems are increasingly being conducted.
The process of evaluating the success and maturity of information systems is performed
periodically. Standards and governance frameworks are used for auditing and assessing
information systems, ensuring secure and high-quality business operations. The combination of
information security standard ISO 27001:2022 and the COBIT governance framework for
corporate IT management greatly assists in the information systems evaluation process. This paper
presents levels of information security and IT management maturity, with each level incorporating

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 368

View publication stats

XII INTERNATIONAL CONFERENCE ON SOCIAL AND TECHNOLOGICAL DEVELOPMENT

XII M UNARODNA KONFERENCIJA O I TEHNOL RAZVOJU

fundamental procedures from both standards. It is demonstrated that a strong connection exists
between information security and company performance.

LITERATURE
Aleksi Poslovna informatika, Univerzitet u Banjoj Luci, Ekonomski fakultet.
ISO Committee. (2021). ISO/CASCO Ducument. Retrived July 14, 2023, from
https://www.iso.org/committee/
ISO Survey. (2021), The ISO Survay. Retrived July 14, 2023, from https://www.iso.org/the-iso-
survey.html
(2014). Metoda modeliranja politike informacijske sigurnosti temeljena na upravljanju
znanjem. Doktorski rad rebu, Fakultet elek
Zagreb, Republika Hrvatska.
Pichit, B. & Chuleekorn, N. (2018). Fuzzy rule-based risk management under ISO/IEC 27001:2013
standard for information security. Retrived March 23, 2023, from http://jcst.rsu.ac.th
beni glasnik BiH. (2022). Smjernice za izradu metodologije za procjenu rizika. Preuzeto
12.07.2023. sa http://www.mkt.gov.ba/Content/OpenAttachment?id=c12bbdf5-87b0-4adb-
b4a9-20ec8a997c5e&lang=bs
Digitalna transformacija poslovanja. Zagreb, Ekonomski fakultet.
Sikman, Lj., Latinovic, T., & Sarajlic, N. (2022). Modelling of Fuzzy Expert System for on
Security Management System UIS (University Information System). Technical Gazette,
29(1), 60-65.
(2021). Modelovanje sistema za upravljaje sigur informacija u okviru visokog
obrazovanja. Doktorski rad. Univerzitet u Tuzli, Fakultet elektrotehnike, Tuzla, BiH.
j alj, D. (2019). ISO 27001 Information systems security,
development, trends, technical and challenges. International Journal of Engineering, XVII(4),
45-48.

Trebinje, June, 15-18, 2023. Republic of Srpska, B&H 369