
    ISO 27001 & ISO 22301 Blog

    How to integrate COSO, COBIT, and ISO 27001 frameworks

    Recently, ISO (the International Organization for Standardization) updated ISO 9001, ISO 14001, and ISO 27001 to make them easier to use together. But how do they interact with practices outside the ISO world?

    This article presents how ISO 27001 can be used together with the COSO and COBIT frameworks to reduce administrative effort and increase the benefits each of them brings to an organization.

    What is COSO?

    COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a joint initiative of five private-sector organizations in the United States, originally formed to combat fraudulent financial reporting and corporate fraud.

    The COSO framework, currently in its 2013 version, assists management, boards of directors, and other relevant stakeholders, from the higher “entity” level down to the lower “function” level, in understanding what constitutes an internal control system and when internal control is effective. It does so by defining 17 principles, grouped under five components, that support three categories of objectives:

    • effectiveness and efficiency of the organization’s operations
    • reliability, timeliness, and transparency of reporting
    • adherence to laws and regulations

    The 17 principles are grouped under these five components:

    • control environment: standards, processes, and structures for carrying out internal control
    • risk assessment: process for identifying and assessing risks for the achievement of objectives
    • control activities: actions to help ensure that management’s directives are carried out
    • information & communication: information to support the components of internal control and communication to continuously provide, share, and obtain necessary information
    • monitoring activities: evaluations to ascertain whether each component and control is present and functioning

    To cope with the speed of business dynamics and the need for quick responses, COSO emphasizes management’s judgment and common sense over rigorous adherence to policies and procedures to make decisions. This requires from stakeholders a deep understanding of organizational context to:

    • determine how much control is enough
    • select, develop, and deploy controls on a daily basis
    • monitor and assess the effectiveness of controls

    What is COBIT?

    COBIT (Control Objectives for Information and Related Technologies) is an IT management and governance framework managed by ISACA (Information Systems Audit and Control Association). It provides implementable controls over information technology, organized into IT-related processes, which support the fulfillment of these business requirements:

    • effective use of information, considering relevance, time, and delivery conditions
    • efficient allocation of resources
    • confidentiality, to protect information against unauthorized access and disclosure
    • integrity of information content
    • availability when demanded by business’s processes
    • compliance with legal requirements
    • reliability of information used to make decisions

    The COBIT process reference model in COBIT 4.1 is divided into four domains:

    • plan and organize: the use of IT to help the organization achieve its objectives
    • acquire and implement: the acquisition of IT solutions, their integration with business processes, and the maintenance required to ensure these solutions keep fulfilling business needs
    • deliver and support: the delivery of IT services and their results in an effective and efficient way; it also covers security and training needs
    • monitor and evaluate: provides assurance that IT solutions are achieving their goals and are compliant with legal requirements

    COBIT 5, published in 2012, reorganizes these into five domains, separating governance (Evaluate, Direct and Monitor) from four management domains (Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; Monitor, Evaluate and Assess), which cover the same ground as the four domains above.

    For each process, COBIT defines inputs, outputs, key activities, objectives, and performance measures. Although COBIT is more detailed than COSO at the process level, it still does not prescribe the technical details needed to support implementation.

    And, what about ISO 27001?

    ISO 27001 is the ISO standard that describes how to manage information security in an organization. ISO 27001:2013 consists of 11 clauses in the main part of the standard (clauses 0 to 10, of which clauses 4 to 10 contain the auditable requirements) and 114 security controls grouped into 14 sections in Annex A. (The 2022 revision restructures Annex A into 93 controls in 4 themes, so control counts and numbering in a mapping should always be tied to the edition used.) The requirement clauses of ISO 27001:2013 are:

    • 4 – Context of the organization
    • 5 – Leadership
    • 6 – Planning
    • 7 – Support
    • 8 – Operation
    • 9 – Performance evaluation
    • 10 – Continual improvement

    ISO 27001:2013 Annex A covers controls related to organizational structure (physical and logical), human resources, information technology, supplier management, etc.

    For detailed information, read: A first look at the new ISO 27001 and An overview of ISO 27001:2013 Annex A.

    One of the limitations of ISO 27001 is that it does not say in detail what to do to fulfill requirements or implement controls, only what you need to achieve. For implementation guidance, use ISO 27002. For more information, read: ISO 27001 vs. ISO 27002.

    How can ISO 27001 interact with COSO and COBIT?

    Basically, COSO, COBIT, and ISO 27001 have these aspects in common:

    • Driven by objectives. While COSO and COBIT have objectives clearly defined, ISO 27001 requires information security objectives to be defined by each organization according to its context in terms of confidentiality, integrity, and availability, to ensure that security and the organization’s processes are integrated.
    • Process oriented. All three frameworks make use of a process approach to organize the activities, and this can be used to form a systemic view of how they can interact.
    • Use of controls. While with COSO the controls are more generic, with the objective being to cover as many business processes as possible, COBIT reduces its scope to information technologies, and ISO 27001 to information security. This results in opportunities to overlap them and optimize actions.

    The relationship between them can be seen as:

    Figure 1: Relationship between COSO, COBIT, and ISO 27001

    Here’s how I would summarize a possible relationship between these three frameworks:

    “Reliability of reporting” (COSO), supported by “effective use of information” (COBIT) and “integrity” and “availability” controls (ISO 27001).

    This clear relationship greatly simplifies the work of showing how information security can be integrated into the business, not only at an operational level, but all the way to the top, including permeating other organizational processes.

    The whole is greater than the sum of its parts

    When we make two or more things work together in a way that results in an effect greater than the sum of each individual contribution, we have synergy; and, by understanding which aspects from ISO 27001 can be used to support other organizational frameworks, like COSO and COBIT, we may discover new ways to optimize our resources and, at the same time, improve security and business performance.

    To learn more about ISO 27001 requirements and facilitate the integration process with other frameworks, try our free online training:  ISO 27001:2013 Foundations Course.

    Rhand Leal
    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.