
IT Governance and Information Security: Guides, Standards and Frameworks (Advances in Cybersecurity Management) PDF

340 Pages·2021·9.755 MB·English

Preview IT Governance and Information Security: Guides, Standards and Frameworks (Advances in Cybersecurity Management)

IT Governance and Information Security
Guides, Standards, and Frameworks

Yassine Maleh, Abdelkebir Sahid, Mamoun Alazab, Mustapha Belaissaoui

First edition published 2022
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487–2742
and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

© 2022 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, LLC

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978–750–8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.
ISBN: 978-0-367-75324-5 (hbk)
ISBN: 978-0-367-75325-2 (pbk)
ISBN: 978-1-003-16199-8 (ebk)

DOI: 10.1201/9781003161998

Typeset in Times by Apex CoVantage, LLC

For Adam, Lina, Walid and Sabrine . . .
Yassine Maleh

In loving memory of my dad
Abdelkebir Sahid

Mamoun Alazab would like to acknowledge the support from Charles Darwin University, and the Department of Corporate and Digital Development, Northern Territory Government of Australia.

This work was supported by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (NRF-2021S1A5A2A03064391).

Contents

Preface
About the Authors
Introduction
SECTION 1 IT Governance: Definitions and Standards
    1 Information System and IT Governance Evolution
    2 IT Governance and Information Security: Guides and Standards
SECTION 2 Maturity Frameworks for Information Technology Governance
    3 IT Governance in Organizations: A Maturity Framework Based on COBIT 5
    4 IT Service Management as a Key Pillar for IT Governance: A Maturity Framework Based on ITILv4
    5 Cloud Computing as a Key Pillar for Agile IT Governance
SECTION 3 Maturity Frameworks for Information Security Governance
    6 Information Security Governance: Best Practices in Organizations
    7 Information Security Governance: A Maturity Framework Based on ISO/IEC 27001
    8 Information Security Policy: A Maturity Framework Based on ISO/IEC 27002
Conclusion
References
Acronyms
Index

Detailed Contents

Preface
About the Authors
Introduction
    Book Topic
    Book Overview
    Book Objectives
    The Book’s Organization
        Section 1: IT Governance: Definitions and Standards
        Section 2: Maturity Frameworks for Information Technology Governance
        Section 3: Maturity Frameworks for Information Security Governance
SECTION 1 IT Governance: Definitions and Standards
    1 Information System and IT Governance Evolution
        1.1 Introduction
            1.1.1 Information System Definition and Objective
            1.1.2 Information System Concept
            1.1.3 Concepts of Enterprise Application
            1.1.4 Features of Enterprise Applications
            1.1.5 Autonomy
            1.1.6 Distribution
            1.1.7 Heterogeneity
            1.1.8 Dynamism
            1.1.9 EIS and Company Strategy
            1.1.10 Enterprise Information Systems Complexity
            1.1.11 Complexity Factors
            1.1.12 Evolution of EIS’s
            1.1.13 IT Governance
            1.1.14 Urbanization
                1.1.14.1 The Metaphor of the City
                1.1.14.2 The Urbanization of Information System
            1.1.15 Flexibility
            1.1.16 Agility
                1.1.16.1 IS Organizational Design
                1.1.16.2 Competencies and Skills of IS Professionals
