ITIL Security Management

What is ITIL Security Management?

The ITIL Security Management process describes how security is structured and fitted into the management organization. It is based on the Code of Practice for Information Security Management, also widely known as ISO/IEC 17799. In practice, Security Management means information security.

The primary goal of information security is to guarantee the safety of an organization's information. What must be protected is the value of that information, and that value is determined by its confidentiality, integrity, and availability. Secondary aspects include privacy, anonymity, and verifiability.

What is the goal of Security Management?

Security Management has one goal that splits into two parts. The first part is the realization of the security requirements defined in the Service Level Agreement (SLA) and of other external requirements, which are usually specified in supporting contracts, legislation, and any internal or external policies that are binding on the organization.

The second part of this goal is the realization of a basic level of security. This is necessary in order to guarantee the continuity of the management organization. It is also needed to simplify Service Level Management for information security; interestingly enough, it is less complicated to manage a limited number of SLAs than a large number of them.

The actual input of the Security Management Process is formed by the SLAs with their specific security requirements, legislation, and other supporting contracts. These requirements can also serve a second purpose as Key Performance Indicators (KPIs).

A KPI is used to show whether key performance goals are being met within an organization, and so whether the organization is heading in the right direction to meet its organizational goals. KPIs can also be used for managing the process itself and for validating the results of the Security Management Process.

What is the Security Management Process?

The Security Management Process is made up of activities that are performed by the Security Management or the activities that are controlled by the Security Management. The fact that organizations and the information systems within them are constantly changing means that the activities that are present within the Security Management Process must be continually revised so that they can remain up to date and effective. It is important to understand that Security Management is a constant process.

Inputs are the requirements that are created by the client. These requirements are then translated into the security services, such as the security quality that should be provided in the security area of the Service Level Agreements.

The SLA is an input to both the client and the plan sub-process, and both of them contribute input to the SLA in turn. From it, security plans for the organization are developed. These plans contain the security policies and the Operational Level Agreements.

The security plans are then implemented and the implementation is evaluated. After that evaluation, both the plans and their implementation must be maintained.

Throughout this cycle the activities, products, and the process itself are documented. External reports are written and sent to the client. The client will then be able to adapt their own requirements based on the information received in the reports. Likewise, the service provider can adjust the plan or its implementation based on their own findings in order to satisfy the requirements stated in the SLA.

ITIL Security Management Activities

Let us take some time to explain the activities mentioned earlier. There are several of them, including control, plan, implementation, and evaluation.

Security Management Control

This is the first activity in the Security Management Process; it can also be regarded as a sub-process. The control activity organizes and manages the Security Management Process. It also defines the processes, the distribution of responsibility, the policy statements, and the management framework.

The Security Management framework defines the sub-processes for the development of security plans, the implementation of those plans, the evaluation, and the way the outcome of the evaluation is translated into action plans. The framework also defines what should be reported to the client.

Security Management Plan

The plan activity or sub-process contains the activities that, in cooperation with Service Level Management, lead to the security section of the SLA. Moreover, the plan sub-process includes the actions related to the supporting contracts that are specific to security.

In the plan sub-process, the goals formulated in the SLA are specified in the form of Operational Level Agreements (OLAs). An OLA can be defined as a security plan for a particular internal organizational unit of the service supplier.

Aside from the input of the SLA, the plan sub-process also works with the policy statements of the service supplier. As mentioned when we discussed control, these statements are defined in that sub-process, and they still apply in this activity as well.

The Operational Level Agreements for information security should then be set up and implemented using techniques based on the ITIL processes. What exactly does this mean? It means that there has to be cooperation with the other ITIL processes.

Security Management Evaluation

The evaluation of the implementation and the plans is a very important part. Evaluation is always needed in order to measure the success of the implementation and the security plans. The evaluation is also important for the client and even for third parties.

The results of the evaluation are then used to maintain the agreed measures and the implementation. These results can lead to new requirements, and new requirements can lead to a change. The request for change is defined and sent to the Change Management Process.

There are three main types of evaluation: self-assessment, internal audit, and external audit.

Self-assessment is carried out by the organization that runs the processes, the internal audit is carried out by internal information technology auditors, and the external audit is carried out by external or independent information technology auditors.

There is another variant of evaluation as well, based on the security incidents that have been reported, and this evaluation is also performed. The most important activities for this type of evaluation are security monitoring of the IT systems, verification of compliance with security legislation and of the implementation of the security plans, and tracing and reacting to any undesirable use of the IT supplies.

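The two threads above, SLA security requirements doubling as KPIs and evaluation results turning into requests for change, can be made concrete in code. The following is an added illustration written for this article, not an ITIL artefact or anything from the original text: it models each SLA requirement as a KPI with a target, evaluates measured values against the targets, produces the report sent to the client, and raises a request for change for every KPI that was not met. All requirement names, targets, source labels, and measured values are constructed, and a requirement that was never measured is deliberately treated as unmet.

```python
# Added example: SLA security requirements modelled as KPIs and evaluated,
# with shortfalls turned into requests for change for the Change Management
# Process. Illustrative code written for this article, not an ITIL artefact;
# every requirement, target, source label and measured value is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityRequirement:
    """One security requirement from the SLA (or legislation or a supporting
    contract) which doubles as a KPI with a measurable target."""
    kpi_id: str
    description: str
    target: float
    unit: str
    direction: str   # "at_least" or "at_most": which side of the target passes
    source: str      # where the requirement comes from (constructed labels)


@dataclass(frozen=True)
class KpiResult:
    kpi_id: str
    measured: Optional[float]   # None when nothing was measured this period
    target: float
    met: bool
    source: str


@dataclass(frozen=True)
class RequestForChange:
    """What the evaluation hands to the Change Management Process."""
    kpi_id: str
    rationale: str


def evaluate_kpi(req: SecurityRequirement, measured: Optional[float]) -> KpiResult:
    """Compare one measurement with its target. A requirement that was never
    measured counts as unmet: an unmeasured control cannot be shown to work."""
    if measured is None:
        return KpiResult(req.kpi_id, None, req.target, False, req.source)
    if req.direction == "at_least":
        met = measured >= req.target
    elif req.direction == "at_most":
        met = measured <= req.target
    else:
        raise ValueError(f"unknown direction {req.direction!r}")
    return KpiResult(req.kpi_id, measured, req.target, met, req.source)


def evaluate_all(requirements: List[SecurityRequirement],
                 measurements: Dict[str, float]) -> List[KpiResult]:
    return [evaluate_kpi(req, measurements.get(req.kpi_id)) for req in requirements]


def requests_for_change(requirements: List[SecurityRequirement],
                        results: List[KpiResult]) -> List[RequestForChange]:
    """Every unmet KPI becomes a request for change that cites the SLA clause
    or contract it traces back to, so the client can adjust requirements too."""
    by_id = {req.kpi_id: req for req in requirements}
    rfcs = []
    for res in results:
        if res.met:
            continue
        req = by_id[res.kpi_id]
        measured = "not measured" if res.measured is None else f"{res.measured} {req.unit}"
        rfcs.append(RequestForChange(
            res.kpi_id,
            f"{req.description}: target {req.target} {req.unit}, {measured} ({req.source})"))
    return rfcs


def client_report(results: List[KpiResult]) -> List[str]:
    """The external report sent to the client, one line per KPI."""
    lines = []
    for res in results:
        status = "NOT MEASURED" if res.measured is None else ("MET" if res.met else "NOT MET")
        lines.append(f"{res.kpi_id}: {status}")
    return lines


# Constructed sample: four requirements and the values measured this period.
SAMPLE_REQUIREMENTS = [
    SecurityRequirement("KPI-PATCH", "critical patches applied within 14 days", 95.0, "%",
                        "at_least", "SLA security section (constructed ref.)"),
    SecurityRequirement("KPI-AVAIL", "service availability", 99.9, "%",
                        "at_least", "SLA availability clause (constructed ref.)"),
    SecurityRequirement("KPI-INCIDENT", "security incidents open longer than 30 days", 0, "count",
                        "at_most", "supporting contract (constructed ref.)"),
    SecurityRequirement("KPI-ACCESS", "quarterly access reviews completed", 100.0, "%",
                        "at_least", "internal policy (constructed ref.)"),
]
SAMPLE_MEASUREMENTS = {"KPI-PATCH": 91.0, "KPI-AVAIL": 99.95, "KPI-INCIDENT": 2}
# KPI-ACCESS deliberately has no measurement, to show how that case is reported.


def run_evaluation() -> Tuple[List[KpiResult], List[RequestForChange], List[str]]:
    results = evaluate_all(SAMPLE_REQUIREMENTS, SAMPLE_MEASUREMENTS)
    return results, requests_for_change(SAMPLE_REQUIREMENTS, results), client_report(results)


if __name__ == "__main__":
    results, rfcs, report = run_evaluation()
    print("\n".join(report))
    for rfc in rfcs:
        print("RFC", rfc.kpi_id, "->", rfc.rationale)
```

Running it prints one status line per KPI for the client and three requests for change: the patch KPI and the incident KPI miss their targets, and the access-review KPI was never measured. Keeping the `source` field on each requirement is the design point: the request for change carries the SLA clause or contract it traces back to, which is what lets the client revise a requirement rather than only the provider revising the implementation.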
We can now look at this framework with a newfound respect. It is very obviously a complicated and intricate design that can easily be adapted by any organization. I personally can see a great benefit in putting such a well-developed structure to work for any business.

Security of the information within an organization is a very big issue in our increasingly technical day. This method of management is undeniably ingenious and can be used to keep all information secure, complete, and in place until it is needed.

Editorial Team at Geekinterview is a team of HR and Career Advice members led by Chandra Vennapoosa.
