Security Zone: ITIL to integrate security management processes

The enormous interest in the Information Technology Infrastructure Library (ITIL) framework can really only be compared with the PRINCE2 Project Management methodology and the ISO 27000 series Information Security standards.

With ITIL V3, ITIL now seeks specifically to integrate added-value security management processes into the framework, with ISO 27001 remaining a key aspect of the ITIL approach. Most importantly, ITIL now strives for ongoing continual service improvement and service reporting arrangements that include security activities.

Before this, ITIL largely omitted guidance on IT security procedures, as this was considered to be in the domain of the emerging information security management code of practice, first published in 1995, that led to the ISO 27000 series of standards.

The IT Infrastructure Library started as a collection of guide books on specific IT service management practices. In 2000/2001 the books were consolidated to standardise understanding of the two basic tenets of the ITIL Version 2 processes for both day-to-day IT service support and strategic IT service delivery.

In May 2007 the Office of Government Commerce incorporated the Plan-Do-Check-Act cycle into the launch of ITIL Version 3, which has now established the concept of a service management lifecycle around the following five areas:

  • Service strategy: corporate objectives, constraints, strategic risks, portfolio management
  • Service design: determine the solutions that meet the strategic requirements
  • Service transition: implement the service, or change the way the service is delivered
  • Service operation: the day-to-day, business-as-usual (BAU) management of the service
  • Continual service improvement: feedback on service and process in all directions.

The fundamental change between versions 2 and 3 of ITIL was driven by the "www - online everything" world of today that makes all public and private business processes dependent on the supporting IT technology and services.

ITIL V2 focused on aligning its 10 core support and delivery value-chain management processes with the business. ITIL V3 retains and builds on these core business-aligned processes to evolve ITIL into a fully business-integrated, value-added service framework, with defined security management processes for service design and transition testing before solutions are incorporated into the operational environment's incident management processes.

ISO 20000 is the ITIL-based IT service management standard that also supports other converging approaches, including the Microsoft Operations Framework and components of ISACA's COBIT framework. Many individuals are becoming ITIL-certified because, along with the ISO 27000 series, the service management standard is increasingly required when selecting business partners and third-party suppliers, simply because it is right to expect added business value from continually improving IT services with embedded and demonstrably secure management arrangements.

As ever, all security and IT audit assurance professionals should encourage the development and use of embedded security management processes. The emerging ITIL V3 initiatives will help to achieve this by establishing appropriate metrics that go beyond compliance with minimum standards, embracing continuous service management security improvements.

An easy ITIL implementation win is simply to take a look at the site and select an appropriate set of key performance indicators to use in the ITIL V3 IT service management approach for continuous service and security improvement.

Chris Power, CISSP, is a senior IT audit and information governance assurance manager in the public sector internal audit team at Deloitte and chair of the Local Government London Audit Computer Group.

Author's background

Chris Power, CISSP, joined Deloitte & Touche in January 2000 and is now a senior IT audit manager in the internal audit practice of the enterprise risk services group. Power has gained extensive information system audit and security experience across a diverse client base over the last 10 years and recently elected to specialise in public sector internal audit clients to provide audit assurance services for the design, implementation, administration and delivery of IT services and technology across a wide variety of systems and networks.

Prior to joining Deloitte, Power worked in the GLC mortgage team on graduation and then for eight years in IT for the technical services branch of the London Fire Brigade. In 1990 Chris became a local government IT auditor, and he has chaired the London Audit Computer Group since 1992. Chris has first-hand experience of managing fraud and IT security threats and countermeasures, including recovery from security compromises and disaster recovery.

Security Zone

Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².