In-Depth

Shoring Up Your Framework

No single enterprise risk management framework is comprehensive enough to guide your company in meeting all of its compliance, governance, and risk management needs. Instead, you'll want to selectively combine standards by building around a central framework, such as COSO or AS/NZS 4360, and reinforcing it with one or more of these risk assessment standards.

• By Linda Briggs
• 07/17/2007

In a previous article, we looked at three comprehensive risk management frameworks: COSO, the lesser-known AS/NZS 4360, and the almost unheard-of (at least yet) British standard M_o_R. Although reasonable people can and almost certainly will differ on the terminology, in this look at risk assessment frameworks and standards, we've included the well-known IT control framework CobiT, the service management framework ITIL, and the set of information control objectives now called ISO 27002.

These additional, more narrowly defined frameworks and standards can augment what broader frameworks like COSO or AS/NZS 4360 offer. By combining one or more of them with your central framework, you can begin to build an effective company-wide approach to enterprise risk management.

CobiT

CobiT, for Control Objectives for Information and related Technology, is a well-known framework of IT control objectives published by the Information Systems Audit and Control Association (ISACA).

CobiT is a good example of a standard that can nicely complement either COSO or AS/NZS 4360. Because CobiT has well-defined IT processes and controls that focus on IT management, it can serve as a strong partner to AS/NZS 4360, which is a framework with a business-oriented foundation. CobiT defines controls for 34 high-level IT processes involving some 200 control practices. Yep, that's a lot. In that sense, CobiT is a structured standard for IT management that covers planning and organization, technology acquisition and implementation, delivery and support, and monitoring. In general, CobiT implementations can make IT activities more predictable and transparent.

A big advantage of CobiT is its popularity; because it's supported by a vast adopter community, and it has official maps to other frameworks and standards, implementation, maintenance, and review of your adherence to the standard can be easier. In considering CobiT, note that it is not an information security framework; only one of its 34 processes is related to security. Because information security is such a critical aspect of risk management, you may want to augment CobiT by selecting a security-focused framework or set of standards, such as ISO 27002 or NIST 800-30. (We discuss the ISO standard later in this article.)

Other possibilities for help in augmenting your enterprise security practices are OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), CORAS (Cost-of-Risk Analysis System), or CRAMM (CCTA Risk Analysis and Management Method). We'll discuss those three, along with NIST 800-30, in a subsequent article.

ITIL

The Information Technology Infrastructure Library (ITIL) is from the UK Office of Government Commerce (OGC). The series of books that make up ITIL focus in great detail on IT service delivery and operations management, as opposed to IT functions and activities. ITIL isn't so much a framework as an exhaustive set of IT best practices. As such, adherence to ITIL can reduce risk by making your IT services more predictable and thus manageable.

ITIL sorts services into 10 disciplines under two general practice areas: incident management (problem management, configuration management, change management, release management, and service desk) and service level management (IT financial management, capacity management, availability management, IT service continuity management, and IT security management).

ITIL was originally developed by the UK government for its use, and ITIL is a registered trademark of the UK's Office of Government Commerce (OCG). The framework, however, has since been widely adopted by the private sector throughout Europe.

A drawback to ITIL might be its sheer size and comprehensive approach; smaller organizations may simply find ITIL too costly for that reason. The Microsoft Operations Framework is a Microsoft-centric framework that is based on ITIL but offers a more limited implementation. Companies that want some of the benefits of ITIL without the full program, and who are Microsoft-centric, might consider that more limited implementation.

ISO 27002The ISO 27002 standard, formerly ISO 17799, is a broad yet security-focused framework. It's essentially a code of practice that outlines hundreds of potential controls and control mechanisms, which businesses can implement under the guidance of the ISO 27001 standard. The basis of the ISO 27002 standard is a document published by the UK government, which became a standard called BS7799 in 1995. In 2000 it was re-published by ISO as ISO 17799. A new version appeared in 2005, along with a new publication, ISO 27001. The two documents, ISO 27001 and 27002, are intended to be used together, with one complementing the other. ISO 27002 defines a comprehensive set of information security control objectives with best-practice security controls. Its stated objective is to specify "the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks." Note the focus on infosec within the context of business risk.The ISO (International Organizational for Standardization) organization itself admits that the ISO 27000 series "is in its infancy." ISO 27002 and ISO 27001 are mature standards, however; the 27000.org directory itself is owned by a worldwide alliance of information security consultants. ISO 27002 reflects a more holistic and managerial approach to IT than its precursor ISO 17799, and includes business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personal security, security organization, computer and operations management, asset classification and control, and security policy. One strength of the 27001 standard: The CobiT framework has been mapped to it, which can help make external audits more efficient.

Whichever of these three assessments or standards you choose to explore further, keep in mind that appropriate risk management comes from a deep understanding of the principles involved, as well as a careful mix of the right frameworks and standards for your particular organization. Allow for the shortcomings of given frameworks and standards by selecting others to shore them up; you'll be rewarded with a broad and strong governance and risk management approach.