Information Security Management
with ITIL V3
by Jacques A. Cazemier, Paul Overbeek & Louk Peters
Published by Van Haren
~US$58 from Amazon
The ITIL v2 security book has been extensively revised for ITIL v3 and is now much more closely aligned with ISO27k, both in terms of cross references and more importantly in its consistent reflection of ISO27k’s basic ISMS elements throughout.
The book starts by laying out the fundamental concepts in information security and information security management. These chapters are presumably aimed more at ITIL people than infosec professionals, but serve to set the context for the remainder.
Chapter 4 delves into the classical ITIL realms of service strategy, service design, etc., pointing out how information security can and indeed should be integrated within the ITIL processes. Many existing ITIL users who are relatively new to security will probably appreciate that there is quite a lot of work here if the advice, which the authors discuss in a rather matter-of-fact style, is taken to heart. Similarly, information security professionals will appreciate that ITIL’s highly structured approach to service design, delivery, management and maintenance has benefits if security becomes an integral part of that structure.
Chapter 5 offers more pragmatic, implementation-oriented advice. It starts by reminding the reader that information security is not a ‘fire and forget’ type one-time project activity, but needs constant care and attention in order to track the ever-changing security environment. In ISO27k terms, this is accomplished through the Plan-Do-Check-Act style continual improvement activities which seek both to improve the organization’s information security status over time, and to keep it aligned with new threats, vulnerabilities and impacts as they arise.
The explicit inclusion of information security awareness in chapter 5 is noteworthy. It acknowledges that organizations cannot secure their information assets through purely technical security controls, but need to address human factors as well.
The information security management structures proposed in chapter 5 may seem somewhat curious at first glance but are not too far from the norm, namely a division of responsibilities between those performing the strategic security policy setting, compliance and related management/directive activities, and the more tactical (but no less important) day-to-day security administration and operations activities.
The maturity model presented in chapter 5 is another curiosity, blending conventional capability maturity model ideas (essentially bringing information security under explicit management control) with an external focus on security. While security is a housekeeping or internal organizational issue at first, customer and market orientation in the higher levels have the potential to turn information security into a valuable commercial element of the organization’s service offering. Providing secure IT services, rather than just IT services, is the goal.
This is an excellent guide for organizations that use either or both of the standards, helping them benefit from the intersection of ITIL’s service management and IT service-oriented viewpoint with ISO27k’s risk-based PDCA approach to information security management. Organizations that embrace ITIL v3 and diligently follow the guidance in this book will reap the business benefits of world-leading information security practices from ISO27k.