
Information Security and ITIL®

The IT Infrastructure Library® or ITIL® is a collection of guidelines and best practices that can create an integrated and efficient IT infrastructure in any company. ITIL implementation has a number of benefits. It can improve the quality of services and service delivery, align IT with overall business goals, and, most importantly, reduce the cost of maintaining the IT infrastructure and IT support. The ITIL framework can also be advantageous to Information Security personnel.

How ITIL Handles Information Security

The ITIL framework takes an iterative view of Information Security. Treating it as an iterative or cyclical process means that control, planning, implementation, evaluation and maintenance activities are all essential to Information Security. ITIL ensures that the right Information Security steps are taken at every level – operational, tactical and strategic. Information Security is treated as a repeating process of continual review and adjustment.

ITIL divides Information Security into four parts:

  • Policies: The long-term IT and Information Security goals that the company or institution wants to achieve.
  • Processes: The steps the organization needs to take to achieve these goals.
  • Procedures: The allocation of work and responsibilities to employees and the timeframe to achieve the goals.
  • Work Instructions: Detailed instructions that need to be followed for completing every action.

Seven Step Approach

Information Security implementation and monitoring is not a single step. ITIL defines it as seven distinct steps:

  1. Customers identify and define their security requirements using risk analysis.
  2. These requirements are analyzed and compared to the existing security measures and the minimum baseline to check their feasibility.
  3. An SLA (Service Level Agreement) is drawn up by the IT department and the customer. This document defines the Information Security requirements that can be realistically achieved and how they will be achieved. This is perhaps the most important step.
  4. The detailed processes required to achieve and deliver Information Security are defined in the OLA (Operational Level Agreement). This document also includes the negotiable terms.
  5. Implementation and monitoring of the SLA and OLA is the next step.
  6. The customer is informed about the progress of the Information Security activities.
  7. The customers give their feedback and this is incorporated into the SLA and OLA. Changes can also be ordered by the IT department itself.

Service Level Agreements and Other Documents

As mentioned before, Service Level Agreements are an important part of the ITIL Information Security implementation process. An SLA is a formal, written document that defines the services that are to be provided, details Service Level Targets, and identifies the responsibilities of the IT service provider and the customer. This document defines the performance criteria and the performance indicators to be used. Typical SLAs also include information such as the auditing process, physical security measures, access modes, user access rights, authorization processes, and reports to be delivered.

Apart from SLAs and OLAs, ITIL requires three other types of documentation for Information Security:

  • Information Security Policies – According to ITIL, security policies must be defined and distributed by senior management and must contain Information Security objectives, scope, goals and definition of roles and responsibilities.
  • Information Security Plans – This document describes the implementation of policies.
  • Information Security Handbook – This is a document or manual for daily use and contains working instructions.


About this author:

Frank is a leading trainer in IT Security.
