Improvement of ISO/IEC 20000 Standard through the Combination with ISO/IEC 27001
All content following this page was uploaded by Nikos E Mastorakis on 30 September 2016.
Abstract: This paper presents an improvement of the existing ISO/IEC 20000 standard in the telecommunication industry, achieved by combining it with the ISO/IEC 27001 standard. The aim of this research is to integrate all security benefits of ISO/IEC 27001 into the existing Information Security Management process, which is part of the ISO/IEC 20000 standard. The reference model is the IPTV system of one middleware vendor from the United Kingdom. The result of the work is an improved ISO/IEC 20000 standard that can be implemented in any business environment. The paper also has a professional contribution, because it describes the process of improving one real IPTV system for telecom operators.
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls that are applied before, during, or after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

4 Reference model

IPTV solution is a collective term for the head-end platform, the transmission network and the IP STB that together enable a communication-broadcasting convergence service, which provides broadcasting, moving picture contents and information to the TV through an IP network [1]. With the conversion from the conventional PC-based subscriber terminal environment to an IP STB base centred on the TV, the IPTV solution provides a simple and convenient control function with the use of a remote controller [2]. It supports system implementations capable of centralized STB management in the head-end. Figure 3 shows the IPTV system which is taken as the reference model for this research.

IPTV service refers to the service of transmitting a variety of contents and existing TV programs to the service subscriber's TV, connected to a set top box or receiver, by using an IP (Internet protocol)-based network. In a narrow sense, it extends the scope of the additional super high-speed Internet service to provide VOD, etc. from the PC to the TV. In a wider perspective, it actively receives broadcasting channels in AV (audio/video) form by utilizing the super high-speed Internet service subscriber network as the broadcasting medium [6], [8].

The IPTV system provides a total head-end to enable the communication-broadcasting convergence service, which provides broadcasting or moving picture contents and information to the TV through the IP network. Centralized STB management from the head-end is possible [7]. Some options included in the IP STB and supported by this system are:
- Support for a variety of codecs, such as WMV and MPEG 1/2/4 as well as H.264
- Support for push (download) type VOD service linked to the head-end
- Simultaneous play function while downloading contents
- Real-time streaming function
- Convenient GUI screen provided through the middleware and browser
- Support for Internet connection by using wired and wireless media
- A variety of video outputs including composite, component, S-Video and HDMI
- Audio output, such as analog audio and SPDIF, etc.
- Digital TV tuner (optional)
- Support for a variety of interfaces, such as WLAN, HDMI and USB, etc.
- Upgraded remote controlling through linkage to the head-end

5 Integration process and results

The Information Security Management process from ISO 20000 will be replaced with the Plan-Do-Check-Act cycle, which is the basis of ISO 27001. All 113 security controls, which are divided into these 14 groups, will become part of the new model of ISO 20000. Figure 4 shows this integration process. All other ISO 20000 processes are unchanged. The aim of this integration is to see whether there are any differences in the results for the other processes after this integration. Table I contains the results before the implementation of the ISO 27001 standard and after the implementation of this standard. The results showed that all ISO 20000 processes were implemented with an average implementation of 76.69% before the implementation of ISO 27001. The processes from the Service Delivery group of processes and the Resolution processes were implemented especially badly. The Information Security Management process achieved a result of 76% successful implementation. Seven processes achieved a positive result, above 75% successful implementation, and six processes were under this border.
The results showed that all ISO 20000 processes are implemented with an average implementation of 81.53% after the implementation of ISO 27001. All 13 processes have now achieved a positive result, above the border of 75% successful implementation. The Information Security Management process improved by almost 9%, which means that its result is now 85% in total. Capacity Management improved by 5% to 79% in total for this process; Service Continuity & Availability Management improved by 10% to 81%; Service Level Management improved by 13% to 78%; Supplier Management improved by 8% to 76%; Incident and Service Request Management improved by 9% to 78%; and Problem Management improved by 7% to 79%.

6 Conclusion

The results from the previous section showed that the newly formed model of ISO/IEC 20000 achieved a result better by 4.84% than the previous model. This means that functions connected to security are not connected only to the Information Security Management process but also to other processes. ISO/IEC 27001 contains 14 different security groups, which are part of this standard and strongly influence some other processes [7], [8]. These security controls cover all these topics: information security policy, organization of information security, human resource security, asset management, access controls, cryptography, physical and environmental security, operations security, communications security, system development, maintenance and acquisition, supplier relationships, information security incident management, information security aspects of business continuity management, and compliance with internal and external requirements.

The new model of ISO/IEC 20000 was produced in a test environment on one IPTV system which is produced in the UK. Future research in this field is directed at the implementation of the same improved model in other business environments, which include insurance companies, power companies, microcredit organizations, brokerage houses, etc. The aim of all these different researches is to confirm the validity of the new improved model of ISO/IEC 20000 and to obtain proof that this model can be implemented in any business environment. Our future research in this area will be connected only to the improvement of ISO/IEC 20000 in the field of information security; we will test the new model in all these different business environments, but also combine it with some other ITSM frameworks and standards, especially MoR, CobiT, eTOM, ISO/IEC 22301, ISO/IEC 27005 and ISO/IEC 31000. This paper has also opened a new line of research which needs to be finished in this area and which should produce a new version of ISO/IEC 20000, issued directly by ISO International.

References:
[1] J.H. Deutscher and C. Felden, “Model Concept to Determine the Optimal Maturity of IT Service Management Processes”, 8th International Conference on Computer and Information Science (ICIS 2009), pp. 543-548, 2009.
[2] K. Begic and A. Tanovic, “Improvement of implementation of ISO/IEC 20000 Edition 2 standard in IT systems of Telecom operator through the comparison with ITIL V3 best practises”, 20th Telecommunication Forum (TELFOR), pp. 32-35, 2012.
[3] M. Rovers, “ISO/IEC 20000:2011 – A Pocket Guide”, Van Haren Publishing, February 2013.
[4] M. Kunas, “Implementing Service Quality Based on ISO/IEC 20000”, ITGP, October 2012.
[5] D. Clifford, “Implementing ISO/IEC 20000 Certification – The Roadmap (ITSM Library)”, Van Haren Publishing, February 2008.
[6] M. Alojail and B. Corbitt, “ITIL maturity model of IT outsourcing: Evidence from a “leading user””, 9th Iberian Conference on Information Systems and Technologies (CISTI 2014), pp. 1-5, 2014.
[7] M. Vicente, N. Gama, and M.M. da Silva, “Using ArchiMate to Represent ITIL Metamodel”, 15th Conference on Business Informatics (CBI), pp. 270-275, 2013.
[8] H.B. Esmaili, H. Gardesh, and S.S. Sikari, “Validating ITIL maturity to strategic business – IT alignment”, 2nd International Conference on Computer Technology and Development (ICCTD), pp. 556-561, 2010.
[9] K. Pecina, R. Estremera, A. Bilbao, and E. Bilbao, “Physical and Logical Security management organization based model on ISO 31000 and ISO 27001”, IEEE International Carnahan Conference on Security Technology (ICCST 2011), pp. 1-5, October 2011.
[10] K. Beckers, S. Fassbender, M. Heisel, and H. Schmidt, “Using Security Requirements Engineering Approaches to Support ISO 27001 Information Security Management Systems Development and Documentation”, 7th International Conference on Availability, Reliability and Security (ARES 2012), pp. 242-248, August 2012.