
CObIT-ISF Coverage


Description: A view of the traditional service offerings of audit and assurance firms for IT security, and where further work could be done based on the ISF SOGP (the ISF Standard of Good Practice for Information Security).


The slide is a coverage matrix: its rows are the ISF SOGP areas (row axis labelled "ISF Benchmark") and its columns are the COBIT 5 processes. The cell contents (X marks and small per-cell counts) did not survive extraction and are not reproduced; only the axis labels, the legend and the per-process totals are recoverable.

Legend used in the matrix: Traditional Focus Area; Quick Win; Additional Focus Areas to Develop.

Columns: COBIT 5 processes. The number after each process is the single figure shown beneath that process heading in the source, aligned here by position. The slide does not define it; it is presumably the number of ISF SOGP areas mapped to that process.

EDM  Evaluate, Direct and Monitor
  EDM01  Ensure Governance Framework Setting and Maintenance  8
  EDM02  Ensure Benefits Delivery  10
  EDM03  Ensure Risk Optimisation  7
  EDM04  Ensure Resource Optimisation  4
  EDM05  Ensure Stakeholder Transparency  8

APO  Align, Plan and Organise
  APO01  Manage the IT Management Framework  18
  APO02  Manage Strategy  17
  APO03  Manage Enterprise Architecture  12
  APO04  Manage Innovation  17
  APO05  Manage Portfolio  10
  APO06  Manage Budget and Costs  3
  APO07  Manage Human Resources  9
  APO08  Manage Relationships  13
  APO09  Manage Service Agreements  8
  APO10  Manage Suppliers  3
  APO11  Manage Quality  10
  APO12  Manage Risk  8
  APO13  Manage Security  22

BAI  Build, Acquire and Implement
  BAI01  Manage Programmes and Projects  15
  BAI02  Manage Requirements Definition  12
  BAI03  Manage Solutions Identification and Build  17
  BAI04  Manage Availability and Capacity  9
  BAI05  Manage Organisational Change Enablement  10
  BAI06  Manage Changes  7
  BAI07  Manage Change Acceptance and Transitioning  9
  BAI08  Manage Knowledge  14
  BAI09  Manage Assets  9
  BAI10  Manage Configuration  10

DSS  Deliver, Service and Support
  DSS01  Manage Operations  20
  DSS02  Manage Service Requests and Incidents  4
  DSS03  Manage Problems  1
  DSS04  Manage Continuity  8
  DSS05  Manage Security Services  41
  DSS06  Manage Business Process Controls  19

MEA  Monitor, Evaluate and Assess
  MEA01  Monitor, Evaluate and Assess Performance and Conformance  11
  MEA02  Monitor, Evaluate and Assess the System of Internal Control  14
  MEA03  Monitor, Evaluate and Assess Compliance with External Requirements  4

Rows: ISF SOGP areas, in the order they appear on the slide.

Security Governance Framework
Stakeholder Value Delivery
Information Security Strategy
Security Direction
Information Security Assurance Programme
Information Risk Assessment Methodologies
Managing Information Risk Assessment
Confidentiality Requirements
Integrity Requirements
Availability Requirements
Information Risk Treatment
Legal and Regulatory Compliance
Information Privacy
Information Security Policy
Information Security Function
Staff Agreements
Security Awareness Programme
Security Awareness Messages
Security Education / Training
Roles and Responsibilities
Information Classification
Document Management
Sensitive Physical Information
Asset Register
Application Protection
Browser-based Application Protection
Customer Access Arrangements
Customer Contracts
Access Control
User Authorisation
Access Control Mechanisms
Sign-on Process
Computer and Network Installations
Server Configuration
Virtual Servers
Network Storage Systems
Back-up
Change Management
Service Level Agreements
Security Architecture
Critical Infrastructure
Cryptographic Solutions
Information Leakage Protection
Network Device Configuration
Physical Network Management
External Network Connections
Firewalls
Remote Maintenance
Voice over IP (VoIP) Networks
Telephony and Conferencing
Patch Management
Malware Awareness
Malware Protection Software
Security Event Logging
System / Network Monitoring
Intrusion Detection
Emergency Fixes
Forensic Investigations
Information Security Incident Management
Local Environment Profile
Office Equipment
Remote Environments
Mobile Device Configuration
Mobile Device Connectivity
Portable Storage Devices
Consumer Devices
Email
External Supplier Management Process
Hardware / Software Acquisition
Outsourcing
Cloud Service Contracts
System Development Methodology
Quality Assurance
Specifications of Requirements
System Design
System Build
Systems Testing
Security Testing
System Promotion Criteria
Installation Process
Post-implementation Review
Physical Protection
Power Supplies
Hazard Protection
Business Continuity Strategy
Business Continuity Programme
Resilience
Crisis Management
Business Continuity Planning
Business Continuity Arrangements
Business Continuity Testing
Security Audit Management
Security Audit Process Planning
Security Audit Process Fieldwork
Security Audit Process Reporting
Security Audit Process Monitoring
Security Monitoring
Information Risk Reporting
Monitoring Information Security Compliance