So what's the problem? The devotees of ISO/IEC 27001 have long realised that it is essential to align information security with the needs of the business. Their views, in some quarters, fall on deaf ears, as the Board of Directors views IT as something alien: always very detailed, more hype than reality, and generally expensive and difficult to address. Along come the OECD guidelines on corporate governance and, in the UK, the Turnbull Report, and we all seem to be talking the same language. IT auditors have been quick to point this out. They say "To achieve success in this information economy, enterprise governance and IT governance can no longer be considered separate and distinct disciplines".

Surely corporate governance and IT governance (as the IT Governance Institute puts it) should never have been separate and distinct disciplines? Internal controls must surely have always embraced all aspects of information security? Surely IT was only deployed as an integral aspect of the performance of the organisation's business? But these tenets, as observed in many organisations, may be untrue. So the problem is that IT may be split from everyday business. Are there really two systems in organisations? Are the real business risks addressed so that the controls in both the IT and non-IT aspects are integrated? Or are there big holes to the detriment of businesses, society and the economy at large? Does this split exist? And if so, what do we do about it? These are the questions we wanted to answer.

An innovative approach
Of these 32 risks, twenty-one are currently judged to be applicable, and therefore worthy of a system of internal controls to deal with them. Interestingly, only nine risks have anything directly to do with information security, although in analysing the internal control structures, the existing security controls have a major bearing on several others. In conclusion, we found that our internal control structure addressed ISO/IEC 27001, as it does ISO 9001:2000. These standards are simply educated views of our internal control structure from different standards perspectives. At the end of the day, it is the reliability of the internal control structure that is important, and the capability of management to know that. This is where standards such as ISO/IEC 27001 come to our assistance.
You may also like to read what we have to say about Gamma's own internal control system, our fast track ISMS methodology, measuring the effectiveness of internal control systems, and the role they play in corporate governance.