Abstract
Many companies have already adapted their business processes to conform to defined and organized standards. Two standards that companies frequently seek are the IT Infrastructure Library (ITIL) and ISO 27001. Companies often start by certifying their business processes against ITIL and then continue with ISO 27001. For small and medium-sized businesses, preparing for and maintaining ISO 27001 certification is difficult, because the IT departments of these companies often do not have the time to fully observe the standards as part of their daily routine. ITIL and ISO 27001 fit well into companies and help reduce errors through the standardization and comparability of products and services, both internally and with other companies and partners. ISO 27001 specifically addresses security risks, countermeasures and remedial actions.
We start with the processes that need to be in place for implementing ITIL in an organisation's business processes. We use a cloud service provider as a running example and compare ITIL processes with ISO 27001 processes. We identify which aspects of these two standards can be executed better. We propose a mapping between ITIL and ISO 27001 that makes them easier to understand and assists with the certification process. We further show how to prepare for audits as well as for re-certification. Often, these two processes are treated separately rather than in conjunction, even though synergies between them can be exploited. Legal requirements, compliance and data security play an integral part in this process. In essence, we present checklists and guidelines for companies that want to prepare for standardization, or that are already certified but want to improve their business processes. We illustrate our method using a high availability video conferencing cloud example.
© 2013 IFIP International Federation for Information Processing
Cite this paper
Beckers, K., Hofbauer, S., Quirchmayr, G., Wills, C.C. (2013). A Method for Re-using Existing ITIL Processes for Creating an ISO 27001 ISMS Process Applied to a High Availability Video Conferencing Cloud Scenario. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds) Availability, Reliability, and Security in Information Systems and HCI. CD-ARES 2013. Lecture Notes in Computer Science, vol 8127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40511-2_16
DOI: https://doi.org/10.1007/978-3-642-40511-2_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40510-5
Online ISBN: 978-3-642-40511-2
eBook Packages: Computer Science (R0)