
The ISO 27001 & ISO 22301 Blog

Rhand Leal

How to integrate COSO, COBIT, and ISO 27001 frameworks

Recently, ISO (the International Organization for Standardization) revised ISO 9001, ISO 14001, and ISO 27001 around a common high-level structure to make them easier to use together. But how do they interact with practices from outside the ISO world?

This article shows how ISO 27001 can be used alongside the COSO and COBIT frameworks to reduce administrative effort and increase the benefits each of them brings to an organization.

What is COSO?

COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a joint initiative supported by five private sector organizations in the United States to combat corporate fraud.

The COSO Internal Control – Integrated Framework, currently in its 2013 version, helps management, boards of directors, and other stakeholders, from the higher “entity” level down to the “function” level, understand what constitutes an internal control system and when internal control is operating effectively. It does so by defining 17 principles of control that support three categories of objectives:

  • effectiveness and efficiency of the organization’s operations
  • reliability, timeliness, and transparency of reporting
  • adherence to laws and regulations

The 17 control principles are divided into these components:

  • control environment: standards, processes, and structures for carrying out internal control
  • risk assessment: process for identifying and assessing risks for the achievement of objectives
  • control activities: actions to help ensure that management’s directives are carried out
  • information & communication: information to support the components of internal control and communication to continuously provide, share, and obtain necessary information
  • monitoring activities: evaluations to ascertain whether each component and control is present and functioning

To cope with the speed of business change and the need for quick responses, COSO is principles-based: it relies on management’s judgment in applying the principles rather than on a prescriptive checklist of policies and procedures. This requires stakeholders to understand the organizational context well enough to:

  • determine how much control is enough
  • select, develop, and deploy controls on a daily basis
  • monitor and assess the effectiveness of controls

What is COBIT?

COBIT (Control Objectives for Information and Related Technologies) is an IT management and governance framework managed by ISACA (Information Systems Audit and Control Association). It provides implementable controls over information technology, organized into IT-related processes, which support the fulfillment of these business requirements:

  • effectiveness: information that is relevant to the business process and delivered in a timely, correct, and usable manner
  • efficiency: information provided through the most economical use of resources
  • confidentiality: protection of information against unauthorized access and disclosure
  • integrity: accuracy and completeness of information content
  • availability: information accessible when required by business processes
  • compliance: adherence to legal, regulatory, and contractual requirements
  • reliability: information that management can trust when making decisions

The COBIT process framework is currently in its fifth version, COBIT 5, published in 2012. The four domains listed below are those of COBIT 4.1; COBIT 5 regrouped the same management lifecycle into four management domains of similar scope (Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; Monitor, Evaluate and Assess) and added a separate governance domain, Evaluate, Direct and Monitor:

  • plan and organize: how IT is used to help the organization achieve its objectives
  • acquire and implement: the acquisition of IT solutions, their integration with business processes, and the maintenance required to keep these solutions fulfilling business needs
  • deliver and support: the execution of applications and the delivery of their results in an effective and efficient way; it also covers security and training needs
  • monitor and evaluate: assurance that IT solutions are achieving their goals and comply with legal requirements

For each process, COBIT defines inputs, outputs, key activities, objectives, and performance measures. Although COBIT has more detail in terms of processes, it still lacks technical details to support implementation.

And, what about ISO 27001?

ISO 27001 is the ISO standard that specifies the requirements for an information security management system (ISMS). ISO 27001:2013 has 11 clauses (0 to 10) in the main part of the standard: clauses 0 to 3 are introductory (introduction, scope, normative references, and terms and definitions), while clauses 4 to 10 contain the mandatory requirements. Annex A lists 114 security controls grouped into 14 sections. The requirement clauses are:

  • 4 – Context of the organization
  • 5 – Leadership
  • 6 – Planning
  • 7 – Support
  • 8 – Operation
  • 9 – Performance evaluation
  • 10 – Continual improvement

ISO 27001:2013 Annex A covers controls related to organizational arrangements, physical and logical security, human resources, information technology, supplier relationships, and so on.

For detailed information, read: A first look at the new ISO 27001 and An overview of ISO 27001:2013 Annex A.

One of the limitations of ISO 27001 is that it does not detail how to fulfill its requirements or implement its controls; it states only what you need to achieve. For implementation guidance, you can use ISO 27002. For more information, read: ISO 27001 vs. ISO 27002.

How can ISO 27001 interact with COSO and COBIT?

Basically, COSO, COBIT, and ISO 27001 have these aspects in common:

  • Driven by objectives. COSO and COBIT come with their objectives already defined, whereas ISO 27001 requires each organization to define its own information security objectives, according to its context, in terms of confidentiality, integrity, and availability, so that security and the organization’s processes are integrated.
  • Process oriented. All three frameworks use a process approach to organize their activities, which makes it possible to form a systemic view of how they interact.
  • Use of controls. COSO’s controls are the most generic, aiming to cover as many business processes as possible; COBIT narrows its scope to information technology, and ISO 27001 to information security. This nesting of scopes creates opportunities to overlap the frameworks and optimize the work.

The relationship between them can be seen as:

Figure 1: Relationship between COSO, COBIT, and ISO 27001

Here’s how I would summarize one possible relationship between the three frameworks:

“Reliability of reporting” (COSO), supported by “effective use of information” (COBIT) and “integrity” and “availability” controls (ISO 27001).

In other words, COSO states the business outcome (figures that have not been tampered with and are available at period close), COBIT expresses the same need as information criteria at the IT process level, and ISO 27001 Annex A controls such as backup (A.12.3) and information security continuity (A.17) deliver it in practice.

This clear chain of relationships greatly simplifies the work of showing how information security is integrated into the business, not only at the operational level but all the way to the top, including its permeation of other organizational processes.

The whole is greater than the sum of its parts

When we make two or more things work together in a way that results in an effect greater than the sum of each individual contribution, we have synergy; and, by understanding which aspects from ISO 27001 can be used to support other organizational frameworks, like COSO and COBIT, we may discover new ways to optimize our resources and, at the same time, improve security and business performance.

To learn more about ISO 27001 requirements and facilitate the integration process with other frameworks, try our free online training:  ISO 27001:2013 Foundations Course.


2 responses to “How to integrate COSO, COBIT, and ISO 27001 frameworks”

  1. Michael Brown says:

    FYI: COBIT and ISACA are no longer acronyms. As of version 5, COBIT is just COBIT. And ISACA no longer bothers with the acronym for itself.

    COSO has two frameworks. There is the Internal Control – Integrated Framework, which was updated in 2013, and the Enterprise Risk Management – Integrated Framework, which was updated in 2017, though it has yet to be released.

    • Rhand Leal says:

      Thanks for your feedback. This article is intended for people who are complete beginners in information security and risk management, so we considered it important to explain the meaning of the COBIT and ISACA acronyms, even if ISACA itself does not bother with them.

      Regarding COSO’s two frameworks, the purpose of this article was to compare the high-level frameworks, and Enterprise Risk Management is one part of the Internal Control framework.
