Explainer: Security standards and frameworks

Like pieces of a puzzle, frameworks help companies meet specific security goals.

By Bob Violino
April 17, 2006 12:00 PM ET

Computerworld - Many companies are using standards and frameworks to deal with certain aspects of information security. These models can help protect systems and data, but each plays a very different role in an overall security plan.

Some of the most popular ones, including the Control Objectives for Information and Related Technology (Cobit), ISO 27001, the IT Infrastructure Library (ITIL) and Statement on Auditing Standards (SAS) No. 70, offer guidelines for improving some elements of security. But experts say these models are more like pieces of a puzzle than comprehensive security standards.

"All of these frameworks supply IT with repeatable processes that are consistent across the various IT functions" and help technology executives provide better service, says Kimberly Sawyer, vice president of computing and network services at Lockheed Martin Corp.'s IT department, known as Enterprise Information Systems, in Orlando.

But none of the standards alone provides full security, Sawyer says. "They contain various information security concepts that must be interpreted, integrated and incorporated into the daily operations," she says. "Comprehensive security requires discipline and integration across all aspects of planning, service delivery, risk management architecture, tool selection, policy development and audits."

Lockheed Martin is using Cobit, ITIL and ISO 27001 for different purposes: Cobit for measuring and assessing IT controls, ITIL to improve internal IT services, and ISO 27001 for IT governance. Although each helps to bolster security, none is a stand-alone solution, Sawyer says. "IT organizations must integrate the frameworks to ensure [that] best practices are integrated across the information security discipline," she says.

Here's a look at some of the key standards and their roles in a security plan.


Developed in 1996 by the Information Systems Audit and Control Association and the IT Governance Institute, Cobit provides a framework for users and IT, security and auditing managers. It's gaining acceptance as a good practice for controlling data, systems and related risks.

"Cobit has enabled us to more systematically approach audit issues to identify root causes of deficiencies," says Sawyer.

[Chart: What is your company's ISO 27001 status? Source: Exclusive Computerworld survey, March 2006]

The framework includes tools to measure a company's capabilities in 34 IT processes. Among them are a list of critical success factors that provides best practices for each IT process, maturity models to help in benchmarking, and performance-measurement elements. The standard is becoming vital as companies strive to comply with regulations such as the Sarbanes-Oxley Act.

"Cobit only has one security module, but when you look at [the standard] from a broad perspective, it addresses a lot of elements of security," says Mike Nelson, president of SecureNet Technologies Inc., a consulting firm in San Ramon, Calif., that focuses on information security. "Where it begins to break down is in providing details of the 'how.' It gives detail of controls and objectives of controls" but doesn't explain how to implement them, he says.
