Practicing ISO27k

ISO27000 - Student Grade

13/11/2024 Troy Tran

ITIL Framework - ISO27k, Information Security Management process

1- Pre-requisites to Information Security Implementation:

- An IT Business Service Catalogue – helps us assess the critical data/information handled by each service, so that we can define the data and information protection policies required below.
- An IT Support Policy – lets our users/customers contact IT Support for assistance when required.
- Critical IT Service Policies – set out how our users/customers are expected to use critical (High Priority) IT services, to minimize risk.


Required Roles/Responsibilities:
- Service Owner – a must-have role for each service. The Service Owner is the ultimate decision maker for the service, and Risk Management and Information Security Management for that service are also part of their responsibilities.
- Service Manager – responsible for the day-to-day operation of their respective services, and for reporting issues, successes, etc. to the Service Owner.
- Process Owner and Process Managers – each process must have a Process Owner and a Process Manager.


2- Key Organizations to Drive Information Security

Medium/Large (IT) organizations (org chart, top to bottom):
- CEO/VPs
- CIO / CXX / CSO
- Information Security Management Department (ISO27k)

Small (IT) Organizations (org chart, top to bottom):
- CEO/VP, HR or Finance
- IT Manager or IT Director – responsible for everything related to IT Services, including Information Security.
- Service Owners and Service Managers play the key roles.


3- The Required Policies


ISO 27k Required Policies – Information Security Management activities should
be driven by an Information Security Policy. The policy should cover all areas of
security and should include:
- An overall Information Security Policy
- Use and Misuse of IT assets policy
- An access control policy
- A password control policy
- An e-mail policy
- An internet policy
- An anti-virus policy
- An information classification policy
- A document classification policy
- A remote access policy
- A policy on supplier access of IT service, information and component
- An asset disposal policy

4- The Required Processes:


ISO27k Required Processes:
- A security incident management process (aka Incident management)
- A risk management process
- A control review and audit process
- An identity and access management process (aka Access Management)
- Event management (aka Monitoring and Event Management)
- Procedures for penetration testing, vulnerability scanning, and so on
- Procedures for managing security-related changes, such as firewall
configuration changes (aka Change Management).


5- Other Related Processes:


The ISO27k Information Security Management process also interfaces with the following processes:
- Service Level Management
- Problem Management (Incident management and Problem management
work together to improve Service Quality)
- IT Service Continuity Management
- Service Asset and Configuration Management (IT Asset management and
Configuration management)
- Availability management
- Capacity management
- Financial management for IT Services
- Supplier management
- Legal and Human Resources management
These interfacing processes contribute to the overall success of the Information Security Management process. They can be implemented at a later stage.


6- Examples of Risk Management Process:

Service Name: Laptop/Desktop
Service Owner: TT
Service Manager: VV

Risk register columns: No. | Risk Name | Risk and Impact Description | Priority (H, M, L) | Solutions | Risk Assignee

1. Laptop Loss
   Risk and Impact Description: Loss of a company laptop while working remotely.
   Impact:
   - Cannot work remotely.
   - Financial loss to the company (a new laptop has to be bought).
   - Loss of company data (C.I.A impact).
   Priority: High
   Solutions:
   - Remote Work policy.
   - Data Encryption policy.
   - Asset Control policy.
   - Equipment and Media Disposal policy.
   - Etc.
   Risk Assignee: TroyT

2. Data breach, loss of data
   Risk and Impact Description: Loss of data from personal laptops, because IT is unable to manage these personal laptops effectively.
   Impact:
   - Loss of company data (C.I.A).
   Priority: High
   Solutions:
   - IT Acceptable Use policy (only allow the use of the company's hardware and software on the company's networks).
   - Mobile Computer policy and Mobile Device policy.
   Risk Assignee: TTran

3. Hardware Failures due to "old" laptops
   Risk and Impact Description: Old laptops can break down due to ageing hardware. Old laptops cause:
   - Slow performance.
   - Loss of production time => financial loss.
   - "Bad" company image.
   - Difficulty or inability to accommodate the latest software or updates => prone to virus or cyber attacks.
   Impact:
   - Loss of production.
   - Affects the company's image.
   - Virus and cyber attacks (C.I.A).
   Priority: High
   Solutions:
   - Laptops and Desktops Lifecycle Management policy.
   - Etc.
   Risk Assignee: VTran
