
Mapping of Enterprise Governance of IT Practices Metamodels

  • Conference paper
  • In: Information Systems (EMCIS 2017)

Abstract

The paper proposes a metamodel for ISO 27001 and its mapping to COBIT 5 using ArchiMate, an Enterprise Architecture (EA) modeling language. The metamodel's purpose is to reduce the perceived complexity of implementing these Enterprise Governance of IT (EGIT) practices simultaneously. To make the ontological mapping complete, the metamodel is extended with ISO Technical Specifications 33052 and 33072, which propose a Process Reference Model and a Process Assessment Model respectively; the Base Practices and Information Items from ISO TS 33072 (which compose the ISO TS 33052 processes) are mapped to ISO 27001 controls. By applying well-known metamodeling techniques and modeling principles in conjunction with EA models, we further simplify the understanding of the different EGIT practices through a standards-based visualization of how these practices work together. Furthermore, we present the mapping and modeling of one COBIT 5 process and its corresponding ISO 27001 controls as an example. The paper concludes by summarizing the considerations and techniques used in this research and by discussing limitations and future work in this domain.



Author information

Corresponding author: Renato Lourinho

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Lourinho, R., Almeida, R., Mira da Silva, M., Pinto, P., Barafort, B. (2017). Mapping of Enterprise Governance of IT Practices Metamodels. In: Themistocleous, M., Morabito, V. (eds) Information Systems. EMCIS 2017. Lecture Notes in Business Information Processing, vol 299. Springer, Cham. https://doi.org/10.1007/978-3-319-65930-5_39

  • DOI: https://doi.org/10.1007/978-3-319-65930-5_39
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-65929-9
  • Online ISBN: 978-3-319-65930-5
  • eBook Packages: Computer Science (R0)