Joined: Feb 27, 2007 Posts: 6 Location: Newcastle, UK
Posted: Tue Feb 27, 2007 11:36 pm Post subject: ITIL + Operational Risk Management
I am looking for some help on how to approach the re-write of our department Risk maps so they have an ITIL look and feel.
I have looked at our Information Security Risk maps and they have been written to conform with ISO27001, which has a list of controls all documented for you, which makes it easy for writing up. But with ITIL, it only gives you a framework to work to and therefore I have no idea where to start!
Anyone else had to re-write risk maps and if so, how did you approach it?
Joined: Feb 27, 2007 Posts: 6 Location: Newcastle, UK
Posted: Thu Mar 01, 2007 8:41 pm Post subject:
Thanks for your reply John. I've had a look on the web and I've noticed a few companies have implemented ITIL alongside COBIT. Just wanted to see if anyone used any other control-defined frameworks other than COBIT and how they went about doing Risk maps / controls to work them alongside ITIL.
Are you solely concerned with information security, or are you concerned with the operational risks, i.e. documenting IT Business Continuity risks? If the latter, there is a new standard that may include some guidance for you, see pas56.standardsdirect.org. Otherwise, you may find some of the following helpful (links provided, but if removed, google for them):
Calder-Moir Framework (guides you to which standards/frameworks may be appropriate for the purpose you require), COBIT v4 - see PO9 Assess and Manage IT Risks (as John said, looking at the controls will tell you what you should be assessing but not how). Just to add, I'd say that COBIT is widely recognised as the best guidance for IT Governance, although, as the Calder-Moir framework shows, it isn't exhaustive; older techniques are still relevant today.
I do wonder if there will be an ITIL v3 supplementary book on managing risks for an IT environment.
Joined: Feb 27, 2007 Posts: 6 Location: Newcastle, UK
Posted: Fri Mar 02, 2007 6:50 pm Post subject:
Thanks for your comments itilimp..
I am looking for ideas on how to re-write our current Risk maps (which cover the whole of IT, not just security). Our risk maps are currently in a COBIT format, but I was looking to give them an ITIL look now that we are in the process of implementing ITIL - just to bring everything together so it makes it easier, when risk events are raised, to link them back to the high level risks.
We have ISO27001 in place and risk maps on Info Security all relate to the controls within ISO27001 which is quite straight forward until ITIL which is all process based.
Ah okay. Well v2 ITIL doesn't prescribe any formats (actually it doesn't prescribe anything at all, but that's a whole other discussion) for risk. In v3 more awareness of risk is built into every book and every process (old and new) - but again, no templates that I am aware of. So I'd suggest you carry on with the format you are using if it fits the need, and just use ITIL to help you brainstorm other operational risks that you may not yet have considered. One approach you might take is to brainstorm the risks of each process defined in your IT organisation not being followed and the impact of that, together with ways in which to mitigate/eliminate that risk.