Fri Nov 14 07:16:01 PST 2014

Management: Standards: Which widely used control standards are best suited to the enterprise?


Option 1: Apply GAISP
Option 2: Apply COSO
Option 3: Apply ISO-27001 (ISMS)
Option 4: Apply ISO-27002
Option 5: Apply CoBit
Option 6: Apply ITIL
Option 7: Apply all relevant government standards
Option 8: Apply other industry-specific standards


IF the enterprise is government THEN apply GAISP and all relevant government standards,
OTHERWISE IF the enterprise is large and commercial OR the maturity is Defined or higher THEN combine GAISP, COSO, ISO-27001, ISO-27002, and industry-specific standards,
OTHERWISE IF the enterprise is small and not subject to substantial mandatory controls THEN apply GAISP and COSO,
OTHERWISE IF the enterprise is an audit organization THEN apply GAISP and CoBit,
OTHERWISE IF the enterprise is a service organization with only low-consequence information technology THEN apply GAISP and ITIL,
OTHERWISE combine GAISP, COSO, ISO-27001, and industry-specific standards.

OR select the standards used based on enterprise needs and the table below:

Control standards used
  Diligence                                    Yes Yes Yes Yes Yes Yes Yes
  Comprehensive                                Yes Yes
  Efficient                                    Yes Yes Yes Yes Yes
  Accepted                                     Yes Yes Yes Yes Yes Yes Yes
  Coverage (Executive, Management, Technical)  EM  E   EMT EM  EMT MT  T


Policy and control standards are often considered fundamental to enterprise information protection because they (1) mitigate the risks associated with failure to meet due diligence, (2) provide relatively comprehensive coverage so as to avoid obvious missteps and missed areas of importance, (3) reduce the time and effort needed to define protection programs, and (4) are widely accepted, so that they are more likely to be accepted by management and between enterprises. They also cover different parts of the space: executive responsibilities (E), management controls (M), and technical operations (T). Mapping this onto the standards listed above gives the following table:

Control standards used
  Diligence       Yes Yes Yes Yes Yes Yes Yes Yes
  Comprehensive   Yes Yes
  Efficient       Yes Yes Yes Yes Yes Yes
  Accepted        Yes Yes Yes Yes Yes Yes Yes Yes

Industry-specific standards should be embraced when they are also efficient and accepted. National Institute of Standards and Technology (NIST) special publications are generally quite good, and the 800 series is widely used in US Federal systems. International Standards Organization (ISO) standards 27002 and 27001 are widely embraced and almost mandatory for doing significant business with major enterprises on a global basis. The Information Technology Infrastructure Library (ITIL) is too limited in its coverage to be really useful; it is largely composed of references to British Standards Institute (BS) standard BS7799, and not even the newest version of that. As a result, while it has substantial acceptance among information technologists because of their use of the other elements of the ITIL approach, it is unwisely embraced as adequate when in fact it is not adequate at all.

ISO-27002 grew out of BS7799, and BS7799 continues to be updated ahead of ISO-27002, which ends up being the globally embraced version of BS7799. For that reason, ISO-27002 is preferred except for entities limited to the United Kingdom. ISO-27001 (also known as ISMS) is just the control standards extracted from ISO-27002.

CoBit: The Control Objectives for Information and Related Technology (CoBit) has an enormous amount of backing among the information technology audit community, but it is highly technical in its orientation and too dogmatic in ignoring the wisdom of the ages that has been put into ISO-17799 and BS7799. It is useful for dealing with auditors, but it would be better to get an auditor who knows how to deal with the better standards.

COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) standard is explicitly included in the regulatory interpretation of the Sarbanes-Oxley Act and is by far the best commonly known and accepted approach to enterprise risk management, as far as it goes.

GAISP: The Generally Accepted Information Security Principles (GAISP) standard is the universally accepted top-level requirement for information protection and should be embraced by all.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved