ISACA Business Model for Information Security


Effectively managing information security is more critical than ever, yet—until now—there have been no comprehensive models to guide security professionals.

To fill the gap, ISACA has developed the new Business Model for Information Security.

Released today, An Introduction to the Business Model for Information Security outlines the model and provides a case study using its guidance.

The guide is available as a free download at

“Information security managers spend too much of their time reacting and applying short-term, technology-focused fixes to rapidly changing threats and regulatory and technological environments,” said Jo Stewart-Rattray, chair of ISACA’s Security Management Committee.

“These solutions are deficient because many security weaknesses result from poor governance, a dysfunctional culture or untrained staff—all aspects that ISACA’s Information Security Model addresses.”

The model can be used in enterprises of all sizes and with any other information security framework already in place.

It is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems.

It includes traditional information security, and also privacy, and linkages to risk, physical security and compliance.

ISACA, a nonprofit association that serves more than 86,000 information security, assurance and IT governance professionals, based the model on the Systemic Security Management framework developed by the Institute for Critical Information Infrastructure Protection (ICIIP), which was formed by the Marshall School of Business of the University of Southern California (USA).

“This is ISACA’s first step in transforming the theoretical model into a practical tool that can be used by information security practitioners to unify security initiatives with the business mission,” said Kent Anderson, member of ISACA’s Security Management Committee.

“The ISACA model is valuable guidance because it takes a strong business-oriented approach, focusing on people and processes rather than on technology.”

An Introduction to the Business Model for Information Security is the first in a series of publications related to the model. Later this year, ISACA will release a practitioner’s guide and an executive’s guide.

Post a comment

Your email address will not be published. Required fields are marked *


Visited 859 times, 2 so far today