

Information Communication Technology (ICT) enables people to interact and communicate regardless of distance, and makes it easy to obtain goods and services conveniently. ICT has changed the world we live in today, and it has the potential to radically transform every sector of a country's economy. People around the world have started to appreciate the ability of Information and Communications Technology (ICT) to stimulate rapid development in all sectors of the economy. ICT is redefining the way we do almost everything, and it is a ready tool for all strata of society. The advent of ICT has affected the banking industry positively. Banking operations have changed beyond recognition since the adoption of ICT in both developed and developing nations. With ICT, customers can stay at home and carry out banking operations from their own desks, through either Internet or telephone banking. The introduction of ICT in the banking sector dates to 1970, but there was not much effect until the early 90’s.

ICT is often credited with helping fuel strong growth in many economies. It seems apparent, then, that technological innovation affects not just banking and financial services but also the direction of an economy and its capacity for continued growth. IT affects financial institutions by easing enquiry, saving time, and improving service delivery. In recent decades, investment in IT by commercial banks has served to streamline operations, improve competitiveness, and increase the variety and quality of services provided. ICT has brought a revolution in the functioning of banks and financial institutions.


Each financial organization has standard, approved guidelines and policies for every sector of ICT, which may need to align with:

⇒ ‘Guideline on ICT Security for Banks and Non-Bank Financial Institutions’ published by Bangladesh Bank
⇒ The international standardization and Framework of ICT.

Bangladesh Bank Guideline:

The Bangladesh Bank guideline lists the following areas, which a financial organization needs to address in order to manage its ICT sector efficiently and effectively:
• ICT Security Management
• ICT Risk Management
• ICT Service Delivery Management
• Infrastructure Security Management
• Access Control of Information System
• Business Continuity and Disaster Recovery Management
• Acquisition and Development of Information Systems
• Alternative Delivery Channels (ADC) Security Management
• Service Provider Management
• Customer Education

A financial organization also follows these ICT guidelines and procedures:
• Document Control Procedures and Guidelines
• Asset Management Procedures and Guidelines
• Access Control Procedures and Guidelines
• Monitoring and Logging Procedures and Guidelines
• Backup and Restore Procedures and Guidelines
• Capacity Management Procedures and Guidelines
• Incident and Problem Management Procedures
• Information Security Compliance Assessment Procedures and Guidelines
• IT-IS Risk Management Framework and Guidelines
• Media Handling Procedures and Guidelines
• Network Devices Security Procedures and Guidelines
• Personnel Security Procedures and Guidelines
• Physical and Environmental Security Procedures and Guidelines
• Release Management Procedures and Guidelines
• Information System Security Awareness and Training Procedures Guidelines
• Patch Management Procedures and Guidelines
• IT Staff and End User Training Procedures and Guidelines
• Virus Control Procedures and Guidelines
• Change Management Procedures and Guidelines
• Configuration Management Procedures and Guidelines
• IT Operations Procedures and Guidelines
• IT Organizations Procedures and Guidelines
• IT Project Management Procedures and Guidelines
• IT Strategy Development Procedures and Guidelines
• Service Level Management Procedures and Guidelines
• Software Development Procedures and Guidelines

Mandatory documents:

The following documents are mandatory under ISO 27001:2013 and must be in place to align with the international standard:
• Scope of the ISMS (Information Security Management System) (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
• Inventory of assets (clause A.8.1.1)
• Acceptable use of assets (clause A.8.1.3)
• Access control policy (clause A.9.1.1)
• Operating procedures for IT management (clause A.12.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Supplier security policy (clause A.15.1.1)
• Incident management procedure (clause A.16.1.5)
• Business continuity procedures (clause A.17.1.2)
• Statutory, regulatory, and contractual requirements (clause A.18.1.1)

Mandatory records:

The following records are mandatory under ISO 27001:2013 and must be kept to align with the international standard:
• Records of training, skills, experience and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

Non-mandatory documents:

There are numerous non-mandatory documents that can be used for ISO 27001:2013 implementation, especially for the security controls:
• Procedure for document control (clause 7.5)
• Controls for managing records (clause 7.5)
• Procedure for internal audit (clause 9.2)
• Procedure for corrective action (clause 10.1)
• Bring your own device (BYOD) policy (clause A.6.2.1)
• Mobile device and teleworking policy (clause A.6.2.1)
• Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
• Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
• Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
• Procedures for working in secure areas (clause A.11.1.5)
• Clear desk and clear screen policy (clause A.11.2.9)
• Change management policy (clauses A.12.1.2 and A.14.2.4)
• Backup policy (clause A.12.3.1)
• Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
• Business impact analysis (clause A.17.1.1)
• Exercising and testing plan (clause A.17.1.3)
• Maintenance and review plan (clause A.17.1.3)
• Business continuity strategy (clause A.17.2.1)

International standardization and frameworks for Information Technology in different areas:

This figure gives some perspective on how different frameworks and practices fit into areas of organizational control, processes, or individual tasks of IT Service Management. Their relative importance / impact to IT Service Management in general is represented by size. Please note that this figure is a simplified impression of very complex topics.

ISO/IEC 38500:

ISO/IEC 38500 is an international standard for Corporate governance of information technology published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. The standard is heavily based on the AS 8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology, originally published in January 2005.

ISO/IEC 27001:

Part of IT Service Management is addressing security concerns in information management systems. The ISO 27000 series, and ISO 27001 in particular, is a standard that states requirements for “Information technology – Security techniques – Information security management systems.” In terms of IT Service Management, it is very important that services are designed and operated in a manner that protects information assets from a wide range of threats that may interrupt business continuity, and that minimizes business damage. In short, the ISO 27001 implementation ensures the preservation of Confidentiality, Integrity and Availability of business-critical data.

ISO/IEC 20000:

ISO/IEC 20000 is the first international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011. It is based on and intended to supersede the earlier BS 15000 that was developed by BSI Group. ISO 20000 is the standard originally developed to reflect best practices within ITIL. However, while ITIL lists only recommendations, ISO 20000 states clear specifications for a Service Management System, focused on the alignment between service delivery and requirements, and on the efficiency and control of services. ISO 20000 complements ITIL well, and ITIL adopters can fulfill ISO 20000 requirements with relative ease.


COBIT:

COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework created by international professional association ISACA for information technology (IT) management and IT governance. COBIT provides an implementable “set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers.”


ITIL:

ITIL, an acronym for Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL is the most recognizable IT Service Management practice (often described as best practice), with an accompanying framework that is clear and easy to follow and implement. ITIL best practice describes processes involved in the Service Lifecycle, with a focus on efficiency and effectiveness. This kind of approach makes ITIL the center of IT Service Management, and other frameworks and standards can be considered as complements to ITIL within ITSM.


MOF:

Microsoft Operations Framework (MOF) is a series of guides aimed at helping information technology (IT) professionals establish and implement reliable, cost-effective services. MOF was created to provide guidance across the entire IT life cycle. Completed in early 2008, MOF 4.0 integrates community-generated processes; governance, risk, and compliance activities; management reviews; and Microsoft Solutions Framework (MSF) best practices. The guidance in the Microsoft Operations Framework encompasses all of the activities and processes involved in managing an IT service: its conception, development, operation, maintenance, and ultimately its retirement.

Six Sigma:

Six Sigma is a framework that is designed for process improvement by identifying and removing the causes of defects or errors. The Six Sigma methodology is particularly compatible with ITIL; a basic premise of Six Sigma is a focus on improvement efforts surrounding process, product or service performance that impacts the end user. This relationship is very similar to the relationship of services to the business and how those services are managed via the ITIL processes. Even though it’s not directly addressed to IT, Six Sigma methodology includes process reengineering, metrics, roles and responsibilities, while addressing change management, and is mostly operational procedure based.
