Aligning Cyber Security to ITIL: What Service Management and Security Have in Common

January 9, 2024

Organisations that have invested in ITIL-based service management often find themselves running two parallel governance structures. On one side, the service management team manages incidents through defined processes, handles change through a change advisory board, and maintains service continuity plans. On the other side, the security team manages security incidents, reviews changes for security implications, and maintains business continuity plans. These structures overlap significantly and often contradict each other when they interact.

The integration opportunity is significant. Security and service management share more process territory than either discipline typically acknowledges. Getting clarity on where they align and where they diverge reduces duplication, eliminates gaps, and produces better outcomes in both domains. The goal is not to merge security into ITIL or to replace ITIL with a security governance framework. It is to connect the two so that processes that should work together actually do.

Incident Management: The Clearest Integration Point

Security incident response and ITIL incident management are often treated as separate processes with separate tools, separate teams, and separate reporting lines. In practice, a security incident is a service incident with a particular cause and a particular set of response requirements. Starting from that premise, you can integrate security incident response into the existing incident management process rather than maintaining two parallel processes.

The integration typically involves adding a security classification to incident categories, defining escalation paths that bring the security team in when a security classification is applied, and adding security-specific response procedures to the incident management process documentation. What does not change is the incident management framework itself: the triage, prioritisation, communication, and resolution processes that the service management team already operates. Security enriches those processes; it does not replace them.

Change Management and Security Review

The change advisory board is an ITIL construct that most service management teams use to evaluate the risk and impact of proposed changes. Security should be a standing input to that process, not an afterthought. Every change to production systems has potential security implications. Some changes introduce new vulnerabilities. Some changes modify access controls. Some changes affect the organisation's compliance posture. Without a security lens in the change advisory process, those implications are discovered after the change is implemented rather than before.

Adding security review to change management does not require building a separate security change process. It requires defining what security review looks like for different categories of change. A standard change with no security implications might require a checkbox. A significant change to infrastructure or application access controls requires a formal security assessment before the change is approved. The criteria for what triggers deeper review should be documented and applied consistently, so the change advisory board is not making ad hoc security judgements without a framework.

Service Continuity and Business Continuity Planning

ITIL's service continuity management and security's business continuity planning are often developed independently and then fail to align when they are tested together. Service continuity planning focuses on maintaining service levels during disruption. Security continuity planning focuses on maintaining security controls during disruption, and on recovering from security-specific disruptions like ransomware. Both need to work together during an actual incident.

Aligning the two starts with a shared business impact analysis. Both disciplines need to understand which services and systems are critical, what the recovery time objectives are, and what dependencies exist between systems. If the service continuity plan and the security continuity plan have different answers to those questions, neither plan will execute reliably in a real incident. A single business impact analysis that feeds both plans eliminates that inconsistency and reduces the ongoing maintenance burden of keeping two separate documents current.

Configuration Management and the Security Baseline

ITIL's configuration management process maintains a configuration management database that records the organisation's IT assets and their relationships. Security needs that same information to maintain an asset inventory, assess exposure, and track the security baseline for each system type. In many organisations, the security team maintains a separate asset inventory that is never quite current because it is maintained separately from the authoritative configuration management database.

Integrating security requirements into configuration management means defining security attributes in the configuration management database, including system classification, data sensitivity, and the applicable security baseline. It also means ensuring that the configuration management process captures security-relevant configuration data, so that drift from the security baseline is detectable through the same tooling used to detect configuration drift generally. This integration reduces administrative overhead and improves the accuracy of both the security programme and the service management capability.

  • Add a security classification to incident categories in the existing incident management process
  • Define escalation paths that route security-classified incidents to the security team
  • Establish a security review step within the change advisory process with clear criteria for depth of review
  • Conduct a single shared business impact analysis that feeds both service and security continuity planning
  • Include security attributes in the configuration management database

To discuss aligning security governance with ITIL service management in your organisation, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Cyber Strategy
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?