
Information Security

Governance
Raising the game
September 2011
Published by
Information Security Forum Limited

Tel: +44 (0)20 7213 1745


Fax: +44 (0)20 7213 4813
Email: info@securityforum.org
Web: www.securityforum.org

Principal Author
Adrian Davis

Review and quality assurance


Jason Creasey
David Moloney
Steve Thorne

Design
Louise Liu

Special acknowledgements
The Information Security Forum would like to thank Dr. Lizzie Coles-Kemp (Royal Holloway, University of London)
and Alan Choo Siew Loon (National University of Singapore) for their assistance on this project.

Key to symbols

• Member quote
• Project related material available on MX
• Note
• Warning

This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security
Forum (ISF) or by persons who have purchased it from the ISF direct.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org.
Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly
from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information
Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Classification: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.

Information Security Governance • Information Security Forum www.securityforum.org


Executive summary

When the information security function adopts governance, it raises its game, systematically engaging with senior
management and other corporate governance functions. This not only manages information risk and minimises
reputational damage, it also delivers continuing added value from information technology.

Information security governance (ISG) enables the direction and oversight of information security related activities
across an enterprise by senior management. It shows customers, business partners, shareholders and regulators that
information is being protected according to industry best practice. ISG provides the agility to deal with incidents
quickly and effectively, and enables better management of all information security activities – decreasing the chances
of breaches, internal misuse and abuse, and the unforeseen effects of change.

This Information security governance – raising the game report showcases the ISF framework for ISG, and provides
a series of actions an enterprise can take to prepare and plan for ISG implementation and enhancement. The ISF
framework for ISG has three objectives: deliver value to stakeholders, achieve strategic goals and provide information
risk assurance. Each objective has activities associated with it:

INFORMATION SECURITY GOVERNANCE

A. DELIVER VALUE TO STAKEHOLDERS
• A1. Improve effectiveness and efficiency
• A2. Meet stakeholder requirements
• A3. Enable business initiatives
• A4. Integrate with enterprise processes

B. ACHIEVE STRATEGIC GOALS
• B1. Execute strategic objectives
• B2. Set and refine information risk appetite
• B3. Sustain buy-in and commitment
• B4. Maintain security requirements

C. PROVIDE INFORMATION RISK ASSURANCE
• C1. Oversee assurance programme
• C2. Implement risk assessment
• C3. Ensure compliance
• C4. Manage supply chain risk
• C5. Monitor and report on assurance

The ISF framework for ISG is supported by an explanation of the relationship between corporate governance, ISG and
information risk assurance, and guidance on the monitoring and reporting associated with ISG. Additionally, currently
available ISG frameworks are described and compared with the ISF framework for ISG.

To assist Members in assessing ISG, a maturity model is also presented in this report supported by a spreadsheet-based
Information security governance diagnostic tool, which is available on the ISF’s Member Exchange (MX) system.

Finally, the report discusses the way forward for information security governance, including ISF input into the upcoming
draft of ISO/IEC 27104 Information technology – Security techniques – Governance of information security.



Contents

Part one: Introduction


About this report 1
Purpose of the report 1
Who should read this report 1
Other related ISF reports and tools 1
Basis for the report 4

Part two: Understanding information security governance


Overview 5
What is information security governance? 5
Why is information security governance needed? 5
How does it relate to other governance frameworks? 6
How do ISG and corporate governance relate? 7
How do ISG and information security assurance fit together? 9
Drivers for ISG 9
The outcomes of implementing ISG 10
Summary 11

Part three: Preparing for information security governance


Overview 12
PREPARING STEP 1: Evaluate the status of information security in the enterprise 12
PREPARING STEP 2: Review information security strategy and objectives 13
PREPARING STEP 3: Understand published ISG frameworks 14
PREPARING STEP 4: Assess ISG in the enterprise 17
Applying the results 18
Summary 18

Part four: Planning for ISG implementation


Overview 20
PLANNING STEP 1: Describe information security governance framework 21
PLANNING STEP 2: Identify and engage your stakeholders 21
PLANNING STEP 3: Define what will be measured and how 24
PLANNING STEP 4: Gain approval to implement information security governance 25
PLANNING STEP 5: Prepare final implementation plan 25
Summary 26

Part five: Implementing the ISF framework for ISG


Overview 27
5a: Objective A: Deliver value to stakeholders
Overview 28
A1 Improve effectiveness and efficiency 29
A2 Meet stakeholder requirements 30
A3 Enable business initiatives 30
A4 Integrate with enterprise processes 30
Related ISF deliverables 31
Summary 32


5b: Objective B: Achieve strategic goals
Overview 33
B1 Execute strategic objectives 34
B2 Set and refine information risk appetite 34
B3 Sustain buy-in and commitment 35
B4 Maintain information security requirements 37
Related ISF deliverables 38
Summary 39
5c: Objective C: Provide information risk assurance
Overview 40
C1. Oversee assurance programme 41
C2. Implement risk assessment 42
C3. Ensure compliance 42
C4. Manage supply chain risk 43
C5. Monitor and report on assurance 45
Related ISF deliverables 46
Summary 47

Part six: Monitoring and reporting on ISG


Overview 48
Monitoring 48
Reporting 49
Related ISF deliverables 51
Summary 52

Part seven: Where next for ISG?


Overview 53
Development of ISG 53
Future ISF work 54
Concluding remarks 54

Appendix A: Information security governance diagnostic tool 56

Appendix B: Aligning ISF and other ISG frameworks 59

Appendix C: Prepare and plan actions: the checklist 63

Appendix D: STARS model 65



The ISF Security Model

The ISF have developed a security model to support organisations in designing their approach to addressing information
security and to give them a basis for identifying the key aspects of an information security programme. The ISF provides
insights, best practice standards and tools which address each aspect of the model to aid organisations in enhancing
their information security environment.

Within the ISF Security Model, the Information Security Governance report forms part of the Research and Reports
service. Using a rating from very low to very high, the way in which this report aligns with the ISF Security Model is
shown below.

Compliance: The policy, statutory and contractual obligations relevant to information security which must be met to
operate in today’s business world to avoid civil or criminal penalties and mitigate risk.

Risk: The potential business impact and likelihood of particular threats materialising – and the application of controls
to mitigate risk to acceptable levels.

Governance: The framework by which policy and direction is set, providing senior management with assurance that
security management activities are being performed correctly and consistently.

Technology: The physical and technical infrastructure, including networks and end points, required to support the
successful deployment of secure processes.

Process: Business processes, applications and data that support the operations and decision making.

People: The executives, staff and third parties with access to information, who need to be aware of their Information
Security responsibilities and requirements and whose access to systems and data need to be managed.

The outer ring of the model shows the ISF services that address each aspect: Knowledge Exchange, Research & Reports
and Tools & Methods. The per-aspect ratings for this report are shown graphically in the original figure.

Key: Very high, High, Medium, Low, Very low

Figure 1: The ISF Security Model

A pdf copy of the ISF Security Model can be downloaded from the ISF’s Member Exchange (MX) system,
which can be used to clearly describe to your team and others (management, potential Supply Chain or other
Membership prospects) the key aspects of the information security environment within your organisation.



Part 1: Introduction

About this report

This report presents the main findings from the ISF project Information Security Governance undertaken in 2011.
It highlights the results from this project, including a definition of information security governance (ISG), an ISG
framework and guidance on how to create, implement and maintain ISG.

The report supersedes and replaces the ISF Briefing Paper: Information security governance.

Purpose of the report

Enterprises are under increasing pressure to show they are well governed from both legal and regulatory perspectives.
Information – and its protection – is a business issue, rather than just an IT issue, and consequently forms part of
an enterprise’s overall governance framework. As a result, information security is now expected to be part of
corporate governance and contribute to enterprise success. Information security governance (ISG) can be used
to demonstrate how information is protected and to highlight the contribution information security makes to the
enterprise’s performance and its governance activities.

This Information Security Governance report provides a framework for ISG that can be adopted to manage information
security and information risk objectives across an enterprise through the direction and oversight of information
security activities. The report also examines topics such as information strategy and its relationship with ISG, explores
key drivers and benefits, and identifies stakeholder groups. The report can be used to assess an enterprise’s ISG and
understand where enhancements can be made to strengthen it.

Who should read this report

There are two main audiences for this report:

• The Chief Information Security Officer (CISO), or the person holding equivalent responsibilities (such as Director
of Information Security), and information security professionals involved in creating, implementing, maintaining
or managing information security. These individuals can use this report to enhance their knowledge of ISG and
examine how to improve the governance arrangements either in place or proposed
• Senior management, CIO, business and IT managers within the enterprise, as this report explains what ISG is and
the benefits information security delivers to an enterprise. This audience can use the report to understand ISG,
support and challenge the CISO about ISG and its implementation.

CISO is used throughout this report to refer to the leader of the information security function.

Other related ISF reports and tools

The relationship of these reports and tools with the ISF framework for information security governance is shown in
Figure 2 over the following pages.



INFORMATION SECURITY GOVERNANCE

A. DELIVER VALUE TO STAKEHOLDERS

A1. Improve effectiveness and efficiency
• ROSI – Return on security investment Workshop report
• ROSI – Return on security investment tool
• Securing business applications
• Information security incident management – Establishing an information security incident management capability
• Benchmark

A2. Meet stakeholder requirements
• Managing a security function Diagnostic version 1
• Role of information security in the enterprise Workshop report
• Security function diagnostic tool

A3. Enable business initiatives
• Architectural responses to the disappearing network boundary
• Securing consumer devices
• Managing access in a changing world
• Threat Horizon series of reports

A4. Integrate with enterprise processes
• Risk convergence – Implications for information risk management
• Solving the data privacy puzzle – Achieving compliance
• Cyber citizenship in an enterprise environment

B. ACHIEVE STRATEGIC GOALS

B1. Execute strategic objectives
• Managing a security function Diagnostic version 1
• Role of information security in the enterprise Workshop report
• Information security strategy Workshop report

B2. Set and refine information risk appetite
• Risk convergence – Implications for information risk management
• Information Risk Assessment Methodology (IRAM) series of reports
• IRAM Business Impact Reference Table (BIRT)

B3. Sustain buy-in and commitment
• Protecting information in the end user environment
• Role of information security in the enterprise Rich picture
• Role of information security in the enterprise Workshop report

B4. Maintain security requirements
• Guidelines for information security
• Practical approaches to information classification Workshop report
• The information lifecycle – A new way of looking at information risk

C. PROVIDE INFORMATION RISK ASSURANCE

C1. Oversee assurance programme
• Information security assurance – An overview for implementing an information security assurance programme
• The 2011 Standard of Good Practice for Information Security

C2. Implement risk assessment
• Information Risk Assessment Methodology (IRAM) tool
• IRAM Risk Analyst Workbench (RAW)
• Benchmark
• Device risk and control diagnostic tool
• Security Healthcheck

C3. Ensure compliance
• Monitoring compliance Workshop report
• Security audit of business applications

C4. Manage supply chain risk
• Information security in third party relationship management
• Securing cloud computing – Addressing the seven deadly sins
• Information security for external suppliers – A common baseline
• External suppliers baseline maturity assessment tool
• Third party security assessment tool

C5. Monitor and report on assurance
• Reporting information risk
• ISF Briefing Paper: Key performance indicators for information security
• Information security metrics SIG report

Figure 2: ISF framework for information security governance and associated ISF deliverables




Basis for the report

The material used to produce this work was drawn from:

• debate and discussion of key topics at four ISF solution development workshops
• analysis of over 75 responses from Members and non-Members collected at the workshops and through a
web-based project questionnaire run in conjunction with National University of Singapore and Royal Holloway,
University of London
• examination of 13 case studies, drawn from both Members and others
• interaction with other organisations active in this field, such as the International Standards Organisation (ISO) and
the TNO (Netherlands Organisation for Applied Scientific Research)
• prior ISF research, including the ISF Briefing Paper: Information security governance
• research carried out as part of the project.

Project-related material is available on the ISF’s Member Exchange (MX) system, including workshop slides,
minutes, the Information security governance diagnostic tool and the analysis results.



Part 2: Understanding information security governance

Overview

When discussing information security governance (ISG), it is vital to be able to define it concisely and within a
business context, positioning drivers and benefits to a number of audiences, including senior management, business
and information security professionals.

What is information security governance?

Drawing on Member input and project research – and taking into account previous ISF work on defining ISG – the
following definition has been agreed for the purposes of this report:

ISG is the direction and oversight of information security-related activities across an enterprise by senior management.

ISG is a strategic mechanism to manage information risk and deliver information security across an enterprise by
taking senior management’s direction, creating and performing information security-related activities that achieve the
required aims and provide assurance, and offer timely reliable information on performance.

The ISF has designed a framework for information security governance with three objectives: to deliver value to
stakeholders, achieve strategic goals, and provide information risk assurance. The ISF framework for ISG is described
in detail in Part 3: Preparing for information security governance of this report; it is aligned to and expands on the ISF
2011 Standard of Good Practice, as highlighted in the box below.

Relationship to the ISF 2011 Standard of Good Practice

The 2011 Standard of Good Practice contains the following relevant topic:

Area SG1 – Security Governance
Topic: SG1.1 Security Governance Framework
Principle: A framework for information security governance should be established, and commitment demonstrated
by the organisation’s governing body.
Objective: To ensure that the organisation’s overall approach to information security supports high standards of
governance.

Why is information security governance needed?

Enterprises have been required to demonstrate ever more rigorous and effective governance over the last two or
three decades. Corporate governance codes such as Turnbull, Dey, Sarbanes Oxley and King suggest that enterprises
put in place a risk management framework – and that the status of such an activity should be reported to stakeholders.
There are several areas of risk that should be addressed by this activity, one of which is information risk.

“In terms of governance, we have a lot of catching up to do. I believe that information security is 10 –
15 years behind IT, who themselves are 10 – 15 years behind corporate governance.”




Over the same period, the protection and use of information has also come under increasing scrutiny and this has
resulted in enterprises having to demonstrate compliance with laws and regulations such as the Data Privacy Act
(UK), breach notification laws (specific US states), Basel II/III, Solvency II, Sarbanes Oxley, Payment Card Industry Data
Security Standard (PCI DSS) and Binding Corporate Rules (European Union but with international implications). In
parallel, enterprise stakeholders, customers and the public in general have become more aware of and impacted by
breaches of privacy and identity theft. This awareness has led to the demand for enterprises to protect information
more effectively.

As the requirement to protect information has become more stringent, the scale, complexity and sophistication of
IT-related attacks on enterprises have increased. Enterprises are attacked regularly using techniques, including hacking,
malware and social engineering, designed to maliciously acquire information or damage enterprise assets. The same
enterprises also have to deal with the consequences of errors or accidents leading to corruption or disclosure of
information.

Against this backdrop, boards and stakeholders need assurance that information risk is being addressed and that
legal and regulatory requirements for information protection are being met in a structured, efficient and consistent
manner. The information security function is not always well-placed to provide such assurances to the board,
especially when it is engaged with tactical and operational aspects. An added complexity is the technical orientation
of information security which can make it challenging to communicate with staff and senior management in a language
they understand.

“ISG is about creating confidence upwards and sideways in you and the function. It says we know what
should be done and here is how we’re doing it.”

How does it relate to other governance frameworks?

ISG is part of, and consistent with, the wider governance activities within the enterprise. Information security
governance can serve as a powerful link between senior management and those responsible for enterprise-wide
information security. Acting as a two-way filter, ISG takes the mandate provided by senior management and oversees
information security initiatives throughout the enterprise. Effective ISG will ensure that senior management is provided
with information security-related reporting that is straightforward, easy to understand and positioned in the business
context. This reporting can assist management to make decisions about information risk that support the strategic
direction of the enterprise. Figure 3 shows the relationship between corporate governance and ISG.

ISF Definitions

Corporate governance: The direction and management of an enterprise within its operating environment

Information security governance: The direction and oversight of information security-related activities across
an enterprise

Information security assurance: Providing evidence to senior management that information risks are being managed
effectively enterprise-wide

ISF resource: Information Security Assurance

Figure 3: The relationship of corporate governance and ISG in an organisation




As shown in Figure 3, ISG gives senior management a link to lower-level information security operations. ISG, because
of its position in an enterprise, should thus be viewed as a strategic mechanism to deliver information security. The
next sections discuss the relationship of ISG with corporate governance and information security assurance.

Relationship to the ISF 2011 Standard of Good Practice

The 2011 Standard of Good Practice contains the following relevant topics:

Topic: SG1.2 Security Direction
Principle: Control over information security should be provided by a high-level working group, committee or
equivalent body, and managed by a senior executive.
Objective: To provide a top-down management structure and mechanism for co-ordinating security activity and
supporting the information security governance approach.

How do ISG and corporate governance relate?

The ISF’s report Information risk management in corporate governance defined corporate governance at a high level to
be concerned with how the enterprise is directed and managed within its operating environment. According to the
report, corporate governance can be considered in more detail across six key areas.

Board perspective
1. Board conformance – The structure and composition of the board (and its committees).
2. Board performance and effectiveness – The effectiveness with which the board discharges its duties.
3. Strategy, planning and monitoring – The way in which the board ensures financial accountability, management
structure and plans for the future.

Organisation perspective
4. Risk management and compliance – The way in which the board ensures strong internal controls with robust risk
management and compliance processes.
5. Transparency and disclosure – Transparent reporting and disclosures of financial and non-financial information.
6. Stakeholders and the triple bottom line – Good corporate citizenship including social, ethical and environmental
conduct, the relationship and communication with external stakeholders.

ISF resource: Information risk management in corporate governance

Figure 4: The six key areas of corporate governance

It can be seen from the figure above that the six key areas of corporate governance can be split into two groups of
three. The first group deals with the operation of the board, its setup and its duties, while the second group is more
directed towards what the enterprise needs to do to support the board in achieving good corporate governance.

An overview of global corporate governance codes is provided in the Directory of information security
principles, standards and corporate governance, which is available for download from the Security Assurance:
ISO 27000 and beyond project area on the ISF’s Member Exchange (MX) system.




From a business perspective, corporate governance requirements (such as the Combined Code, Sarbanes Oxley,
Turnbull, King and Dey reports, and Basel II) now require boards to identify and manage risk – and, in the case of
Basel II, link risk management to the allocation of capital within a business. ISG can assist boards to meet their
objectives in the key areas of risk management and compliance (number 4 in Figure 4) and transparency and disclosure
(number 5).

In the corporate governance frameworks referenced in this report, information security and information risk are not
defined as key risks to the enterprise. Instead, information risks are seen as being part of operational, IT or similar,
high-level risk categories. ISG can add to governance by:

• delivering value to stakeholders from information security
• helping to achieve strategic goals, and alignment between enterprise and information security strategies
• providing assurance that information risk is managed in alignment with the enterprise risk appetite and that
compliance requirements are being met.

Risk appetite and tolerance

There are a number of published definitions for risk appetite, including those from AIRMIC, the Institute of
Operational Risk (IOR), International Standards Organisation (ISO) ISO31000: 2009 Risk management – Principles
and guidelines, and the Committee of the Sponsoring Organisations of the Treadway Commission (COSO)
Enterprise Risk Management framework.

For the information security or information risk professional, these definitions are of limited use. In this report the
following definitions have been adopted:

Risk appetite: An expression of the nature and quantum of risk or uncertainty which an enterprise is willing to
take or accept to achieve its objectives.

Risk tolerance: The amount of variation in risk or uncertainty an enterprise can bear in achieving its objectives
and aligned to its appetite – its capacity to take risk.

Previous ISF work has indicated that it is easier to identify risk appetite at the business unit level. Risk appetite will
change over time and should thus be monitored and reviewed regularly. Triggers for change include:

• changes in stakeholder expectations or enterprise strategies
• growth, mergers and acquisitions
• evolving external threats
• increased competition
• new product development.

The other definitions can be found at the following websites:

AIRMIC: http://www.airmic.com/report/research-definition-application-concept-risk-appetite

IOR: http://www.ior-institute.org/education/sound-practice-guidance/8-sound-practice-guidance-part-1

ISO: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43170

COSO: http://www.coso.org/ERM-IntegratedFramework.htm




ISG addresses the known risks to information and can help a board discharge its responsibility to ensure that
information risk is managed across the enterprise within its corporate governance approach. ISG is thus part of the
overall corporate governance framework.

How do ISG and information security assurance fit together?

Corporate governance, information security strategy and ISG typically provide direction and set strategy for information
security within an enterprise. Activities associated with this strategy are then implemented as part of one or more
information security assurance programmes, which are concerned with the effective implementation of information
security management enterprise-wide.

Information security assurance covers activities such as performing an assessment of security, monitoring the state
of security, and establishing clear actions to help mitigate the risks associated with a business application, system or
network. During an information security assurance process, multiple sources of validation are typically considered
and amalgamated to formulate an overall opinion, both on a quantitative and qualitative basis. These typically include
information security audit results, incident reports, security awareness, system monitoring logs, threat and vulnerability
management and fraud testing. This information is captured, tracked and reported upon to provide a level of assurance
to senior management as to how effectively security is working.

The relationship between IT governance and information security governance

IT governance, as defined by the IT Governance Institute (ITGI), is the leadership and organisational structures and
processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives. IT
governance has five objectives:

• aligning IT strategy with the business strategy
• cascading strategy and goals down into the enterprise
• providing organisational structures that facilitate the implementation of strategy and goals
• insisting that an IT control framework be adopted and implemented
• measuring IT’s performance.

The objectives of IT governance and ISG thus overlap to some degree but, typically, ISG is regarded as being a
separate activity from IT governance.

Drivers for ISG

The drivers for ISG encompass both management and technical aspects of information security. The respondents to
the project questionnaire believed that the management drivers are of greater importance than the technical drivers,
as illustrated in Figure 5:




Drivers, in descending order of the percentage of respondents selecting ‘in most / all cases’ (the bar chart with
the 0% to 100% axis is shown graphically in the original figure):

• Manage information security better across the enterprise
• Meet corporate governance / policy requirement
• Increase support to the business
• Provide a coherent model to deliver information security
• Provide enterprise-level control of information security (link to Enterprise Risk Management)
• Enhance the standing of the information security function
• Protect brand / reputation
• Add or demonstrate value from information security
• Create a reporting and measurement structure for information security
• Meet regulatory requirements
• Enhance fit with other business functions and the way they operate
• Increase in risks and threats to information
• Respond to incident / successful attack on organisation
• Meet legal requirement
• Response to market forces (ie keeping competitive advantage or responding to competitors’ moves)
• Interdependence on and interconnections with other people’s systems
• Pressure for adoption from customers
• Demands for increased demands from external stakeholders
• Pressure for adoption from stakeholders
• Pressure for adoption from peers
• Change in operating model (outsourcing etc.)
• Increase in the commoditisation of IT
• Pressure for adoption after incident or successful attack
• Increase in consumerisation

Figure 5: Drivers for adopting ISG, taken from 75 responses to the project questionnaire

The results presented are taken from 75 responses to the web-based project questionnaire, covering both
ISF Members and non-Members.

The highest-scoring drivers are all focused on the business and how ISG can be used to enhance the management
and value of information security. If these drivers for ISG are not enough to cause adoption, or do not provide
sufficient justification to establish ISG in an enterprise, then a stronger case may need to be made by including the
outcomes of ISG described in the next section.

Project research indicated that the majority of the benefits identified were the complement of the drivers.
For example, the driver ‘manage information security better across the enterprise’ became the benefit
‘better management of information security across the enterprise’.

The outcomes of implementing ISG

ISG enables the CISO and the information security function to:

1. Shape responses to topical and evolving threats and issues such as the cyber environment, cloud adoption,
external suppliers and consumerisation
2. Enhance agility, so that the information security function is forward-looking, dynamic and growing, flexible enough
to scale in size and respond to business demands and challenges
3. Understand risks (both within information security and outside) and answering the risk/reward question – getting
to and focusing on the sweet spot that balances known risks with the cost of mitigating those risks
4. Demonstrate legal and regulatory compliance, and due diligence
5. Create a security-positive culture in the enterprise by raising awareness of the need for information security and
knowledge of information security risks


6. Increase the quality of decisions by:
- providing a framework for decisions and decision support with relevant and reliable management information
- evidencing decisions (with audit trails, metrics and measurements)
7. Improve communication, demonstrating and explaining the actions taken by information security to a variety of
audiences, including:
- Internal – board, staff, legal, HR and IT
- External – regulators, customers, suppliers and the public
8. Plan, prepare and rehearse for incidents, and link information security incident management to corporate
incident management.

“ISG has helped me break down silos and link pockets of excellence.”

ISG outcomes are, in general, related to improving the ability of the information security function to support the
enterprise’s activities and the manner in which it communicates. These outcomes, being business-focused, can be
used to further strengthen the investment in ISG.

Many outcomes are generic and desirable in all enterprises. However, efforts should be made to identify
outcomes specific to your enterprise.

Summary

ISG is part of effective corporate governance by providing assurance that information risk is being addressed and that
legal and regulatory requirements for information protection are being met in a structured, consistent manner. It can
also provide a direct link between senior management and lower-level information security activity.

The next section looks at the actions required to prepare for ISG in an enterprise.

Part 3: Preparing for information security governance
Overview

Establishing and implementing a robust ISG framework will maximise the benefit of ISG to an enterprise. This
section provides a series of actions to prepare for ISG. Project research has identified four actions that can be taken
to prepare for ISG implementation. These actions include understanding how information security relates to the
enterprise, the published ISG frameworks that can be used and assessing the status of ISG in an enterprise. Figure 6
shows these actions:

Figure 6: Preparing for ISG: Actions (diagram of the four preparing steps):

• Preparing Step 1: Evaluate the status of information security in the enterprise
• Preparing Step 2: Review information security strategy and objectives
• Preparing Step 3: Understand published ISG frameworks
• Preparing Step 4: Assess ISG in the enterprise

The Information security governance diagnostic tool can be used to support the completion of these actions. Note that,
depending on the results of the diagnostic, either preparatory or enhancement actions can be recommended.

The Information security governance diagnostic tool is a spreadsheet-based tool for Members to assess the
ISG maturity. The diagnostic is described in Appendix A: Information Security Governance diagnostic tool and
can be downloaded from the ISF’s Member Exchange (MX) system.

PREPARING STEP 1 Evaluate the status of information security in the enterprise

The first action captures the big picture and provides the CISO with an understanding of the high-level relationship
between information security, the enterprise and the status of information security.

The tasks that should be performed as part of this action include:

• Understanding enterprise goals, processes and how it delivers value:
- examine current governance frameworks
- study the enterprise strategy
- comprehend the link between business and information risks
• Recognising how information security is adding value to the enterprise by:
- engaging with the business units and senior management
- understanding enterprise strategic objectives and key programmes and projects
- identifying where and how information security is enabling the business and is adding or protecting value.

Completion of these tasks will provide the CISO with an understanding of the enterprise and the context in which
information security and ISG will operate. This action will help to define the drivers, benefits and outcomes of ISG in
the enterprise.

“Two key reasons for having ISG is that one, it helps your senior managers meet their corporate
governance obligations and two, it supports the corporate governance framework.”

PREPARING STEP 2 Review information security strategy and objectives

Once the enterprise strategy is understood, the next action is to examine the information security strategy and
how it aligns with and supports the enterprise. The first task is to review the current information security strategy
and understand how the strategy can be enhanced and the alignment strengthened. Tools such as benchmarking or
maturity assessment, using both qualitative and quantitative measures, can be used.

Once the gap analysis is complete, the information security strategy should be updated. When updating the strategy,
the following points should be included:

• specific references to ISG and how the information security strategy and ISG support each other
• forward-looking components such as horizon scanning and scenario planning
• alignment between the information security strategy and the enterprise strategy.

Connecting information security strategy to ISG

The ISF report Information security strategy defined information security strategy, using generally accepted strategy
models, as a plan of action that takes the information security function from ‘what do we do now?’ to ‘what
do we want to do in the future?’ The plan typically consists of a number of strategic projects or initiatives which
move the enterprise closer to its future, desired state. How long the journey takes will vary from enterprise to
enterprise, but Members noted that, typically, an enterprise strategy takes a view of between two and six years.

The business strategy will typically identify where the enterprise believes it can offer, create or protect value for
its customers and stakeholders. Value drivers will help frame the enterprise risk appetite and can be used to align
information security and its strategy with the business strategy. The information security strategy will typically
need to draw upon the enterprise’s strategy and the IT strategy, and will show how the information security
strategy can support the enterprise in delivering its strategy.

An information security strategy can be divided into three aspects:

• supporting the business and its current and future needs
• defending against threats
• raising the profile of the information security function by integrating with and enabling the business.


Each of these aspects will contain a number of objectives, such as increasing value for money, protecting against
organised crime and repositioning the information security function as a business enabler. The strategy will also
provide a structure against which decisions concerning information security can be taken, evaluated and audited.
Each decision made should support the achievement of enterprise and information security objectives.

Visualising an information security strategy as having three distinct aspects (supporting the business, defending
against threats and raising the profile of the information security function) can help the development, alignment
and review of the information security strategy against the business strategy. Figure 7 summarises the concepts
in the ISF report.

Figure 7: ISF framework for information security strategy (ISF resource: Information Security Strategy). The diagram shows
the journey from ‘What do we do?’ to ‘What do we want to do?’ along the three aspects (support the organisation,
defend against threats, raise the profile), delivered through a portfolio of projects (Projects 1 to 5) and initiatives
(Initiatives A and B).

By choosing the right mix of projects, programmes and initiatives, the information security function can demonstrate
how it is aligned and how it can contribute to the enterprise’s objectives.

PREPARING STEP 3 Understand published ISG frameworks

The topic of ISG is an evolving area and academic institutions, professional bodies, enterprises and consultants have
all provided their perspectives on ISG. Having understood the context for ISG, a review of the published frameworks
will assist in deciding which framework to adopt and, if ISG is already implemented, spotting areas for enhancement.

In addition to the ISF framework for ISG described in this report, there are a number of published frameworks which
either directly address ISG or have relevance to ISG. Five such frameworks, drawn from standards setting bodies,
academia and practitioners are listed below:

• ISO/IEC 27014 Information technology – Security techniques – Governance of information security (Draft)
• IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive
Management (2nd edition)
• Da Veiga and Eloff, An Information Security Governance framework
• Carnegie Mellon, Governing for Enterprise Security (GES) Implementation Guide
• Committee of Sponsoring Organisations of the Treadway Commission (COSO), Enterprise Risk Management
framework.

Each of the above frameworks is described and compared at a high-level in Appendix B: Aligning ISF and other ISG
frameworks.


ISF framework for ISG

The ISF framework for ISG is composed of three objectives, each of which has key activities. The following diagram
illustrates the framework in detail and its relationship with ISG.

Figure 8: The ISF framework for ISG, its objectives and activities

Information security governance

A. Deliver value to stakeholders
- A1. Improve effectiveness and efficiency
- A2. Meet stakeholder requirements
- A3. Enable business initiatives
- A4. Integrate with enterprise processes

B. Achieve strategic goals
- B1. Execute strategic objectives
- B2. Set and refine information risk appetite
- B3. Sustain buy-in and commitment
- B4. Maintain security requirements

C. Provide information risk assurance
- C1. Oversee assurance programme
- C2. Implement risk assessment
- C3. Ensure compliance
- C4. Manage supply chain risk
- C5. Monitor and report on assurance

The objectives and activities, described in detail in Part 5: Implementing the ISF framework for ISG of this
report, have been created through the analysis of published material, the ISF 2011 Standard of Good
Practice, Member input from the workshops, case studies and project questionnaire.

The importance of each objective will vary from enterprise to enterprise. For example, a Member in the consumer
goods industry emphasised that Objective A: Deliver value to stakeholders was the most important objective, while a
Member in the financial services industry placed Objective B: Achieve strategic goals first. Within every enterprise, the
CISO should discuss and decide the relative importance of these objectives with business management and senior
management.

“ISG is a tool to explain to senior managers how and what information security is doing and how it all
fits together.”

The ISF framework for ISG and its relationship to the 2011 Standard of Good Practice

The ISF 2011 Standard of Good Practice is closely aligned with the ISO 27000 suite of information security-related
standards but provides greater breadth and depth of guidance to implement and assess an enterprise’s information
security arrangements. As such, the ISF 2011 Standard of Good Practice is a powerful tool to support implementation,
compliance and certification to International Standards Organisation (ISO) standards. The relationship between the
2011 Standard of Good Practice and the relevant ISO information security-related standard (ISO/IEC 27014 Information
technology – Security techniques – Governance of information security, described in this report) is shown in Figure 9:


Figure 9: How the ISF 2011 Standard of Good Practice is aligned with the ISO 27000 suite of standards (diagram of the
structure of the 2011 Standard of Good Practice: Security Governance, which maps to ISO 27014 (Draft) and the ISF
framework for ISG; Security Requirements; Control Framework; and Security Monitoring and Improvement, with
ISO 27001 (Information Security Management System) and Security Assurance shown alongside).

ISF resource: The 2011 Standard of Good Practice for Information Security

The ISF framework for ISG is aligned to the ISF 2011 Standard of Good Practice through Area SG1 – Security
Governance and, more specifically, SG1.1 Security Governance Framework, which has the following principle and
objective.

Principle: A framework for information security governance should be established, and commitment demonstrated
by the organisation’s governing body.
Objective: To ensure that the organisation’s overall approach to information security supports high standards of
governance.

The ISF framework for ISG and ISO/IEC 27014

The ISO is currently developing ISO/IEC 27014 Information technology – Security techniques – Governance of information
security. The standard is currently in draft – and will change before it is finally released – but at the time of writing, the
key elements of the standard appear to be agreed.

The ISO standard could be released in late 2012.

The ISO standard, particularly sections 4 Concepts and 5 Principles and processes, is of great relevance to this work.
A summary of the most relevant sections in the current draft of ISO/IEC 27014 (September 2011) is presented here.

• Section 4.2 Objectives, which presents three objectives: strategic alignment, value delivery and assurance
• Section 4.3 Outcomes, which highlights six outcomes:
- Close alignment of information security objectives with the objectives of the enterprise overall
- Demonstration of commitment to information security from the governing body and executive management
- An improved link between executive management and the information security function
- A more agile approach to decision making about information risks
- Consistent protection of information assets across the enterprise
- Greater effectiveness and efficiency in providing continued security operations.


• Section 5.2 Principles, which lists six principles:
- Establish enterprise-wide security
- Adopt a risk-based approach
- Set the direction of investment decisions
- Ensure conformance with internal and external requirements
- Foster a security-positive environment
- Review performance in relation to business outcomes.

The draft of ISO/IEC 27014, the ISF 2011 Standard of Good Practice and the ISF framework for ISG are in alignment.
As a result, Members will be able to use this report to demonstrate how their ISG reflects both the forthcoming ISO
standard and the ISF 2011 Standard of Good Practice.

Draft versions of ISO/IEC 27014 have been read and commented on extensively by the ISF Global Team and
Members during its development as part of the ISF ISO Liaison project. A large number of ISF suggestions
have already been accepted and incorporated into the ISO drafts.

ISACA and the ISF have also collaborated to enhance ISO/IEC 27014 drafts.

PREPARING STEP 4 Assess ISG in the enterprise

The results from the project questionnaire and case studies indicate that over seven in ten respondents (74%)
have some form of ISG in place. Evaluation of ISG against the ISF framework for ISG will highlight gaps or areas for
improvement. If no ISG is in place, then the evaluation will assist the enterprise in planning to adopt an ISG framework.

“I can’t tell you what ISG is and what it looks like – but I know it when I see it.”

Complete the ISF Information security governance diagnostic tool

The Information security governance diagnostic tool (described in Appendix A: Information Security Governance diagnostic
tool) can be used to assess current ISG against the ISF framework for ISG. Members can use the spreadsheet-based
diagnostic tool to stimulate thought and debate about ISG and how it is implemented in their enterprise. The
diagnostic allows Members to:

• compare their ISG against the framework presented in this report
• identify gaps or areas requiring enhancement
• assess the maturity of their ISG against a five-level model
• initiate a programme to close any gaps between the required and actual status of ISG.

The diagnostic is designed as a simple, easy to complete tool, which provides a common language and terminology
and which is capable of enhancement over time via feedback and the use of metrics. It offers a fact-based analysis of
the current maturity of ISG.

The state of ISG can also be examined using the STARS model. STARS, which is an acronym standing for Start-up,
Turnaround, Realignment and Sustain success, provides a rapid way to analyse a situation and then create actions to
address the issues found.

Appendix D: STARS model describes the model in greater detail and illustrates how it can be applied to ISG.


Applying the results

The results from the diagnostic – and from the previous actions described in this part – will provide the basis for
action going forward.

The results will typically fall into three categories:

• Do nothing – this may be the case when an ISG framework is implemented and is meeting its objectives
• Adapt, modify or enhance the ISG framework – in place and working
• Implement an ISG framework – as there is nothing in place.

The results should then be discussed with senior management and, in the case of the last two categories (adapt or
implement), agreement obtained to plan for enhancing or implementing an ISG framework.

Summary

Preparing for ISG involves understanding the big picture and how information security and ISG fit into an enterprise.
An assessment of both information security and ISG will provide a solid understanding of the status of ISG and the
actions required going forward. The actions to prepare for ISG are shown in the table below.

Table 1: Summary of actions required to prepare for ISG (action, followed by its tasks)

Step 1: Evaluate the status of information security in the enterprise
• Understand how the enterprise works and delivers value
- explore the governance frameworks in place
• Recognise how information security is adding value to the enterprise by:
- engaging with the business units and senior management
- knowing about enterprise strategic objectives and key programmes and projects
- identifying where information security is enabling the business and/or adding or protecting value

Step 2: Review information security strategy and objectives
• Perform a gap analysis to understand how and where information security, its strategy and ISG can be enhanced
- employ tools such as benchmarking or maturity assessment
- use both qualitative and quantitative measures
• Review and if necessary update the enterprise’s information security strategy
- including forward-looking components such as horizon scanning and scenario planning
- building in links between ISG and the strategy
- aligning the information security strategy and objectives with those of the enterprise

Step 3: Understand published ISG frameworks
• Review current frameworks
• Evaluate the utility of the ISF framework for the organisation in question relative to the framework in place or published

Step 4: Assess ISG in the enterprise
• Complete the ISF Information security governance diagnostic tool (see Appendix A: Information Security Governance
diagnostic tool)
- seek input from the business, IT and information security professionals to complete the tool
• Use the STARS model to decide which business phase ISG is in (see Appendix D: STARS model)
• Discuss the results with senior managers and agree a way forward.

Appendix C: Prepare and plan actions: the checklist contains these actions listed in a checklist format. The
checklist is also included in the Information security governance diagnostic tool.


To assist Members in performing Preparing Step 3, Appendix B: Aligning ISF and other ISG frameworks
presents the results of a comparison of ISG frameworks.

Having shown how the preparations for ISG can be carried out, the next part highlights the actions required to
prepare for ISG implementation or enhancement.

Part 4: Planning for ISG implementation
Overview

Having examined the ISF framework for ISG in detail, this section presents the actions required to plan for ISG
implementation and enhancement.

Just under nine out of ten questionnaire respondents (87%) indicated that the CISO will typically have the responsibility
for implementing and owning ISG in an enterprise – supported by the information security function – and would thus
be responsible for the actions described in this part.

Successful ISG implementation and enhancement is dependent on understanding the enterprise and the current
status of ISG, then building on that knowledge. Figure 10 highlights the major actions that should be carried out by
the CISO and the information security function before implementing or enhancing ISG, drawn from an analysis of
the project findings.

Figure 10: Planning for ISG implementation: preparatory actions (diagram of the five planning steps):

• Planning Step 1: Describe information security governance framework
• Planning Step 2: Identify and engage your stakeholders
• Planning Step 3: Define what will be measured and how
• Planning Step 4: Gain approval to implement information security governance
• Planning Step 5: Prepare final implementation plan

The actions are presented in a sequential manner but this sequence is likely to vary from enterprise to
enterprise, depending on the status of ISG in the enterprise.

These actions are discussed on the following pages.


PLANNING STEP 1 Describe information security governance framework

Based on the results of actions Preparing Step 3: Understand published ISG frameworks and Preparing Step 4: Assess ISG
in the enterprise, the ISG framework to be implemented should be defined.

When defining the ISG framework, the ISF framework for ISG can be used and adapted. The ISG framework should
be positioned in relation to the enterprise, its governance framework and its operations. Once this positioning is
described, the terms of reference for ISG and the roles and responsibilities for individuals involved in ISG should be
defined.

Finally, a clear statement of the benefits of ISG and the timeframe in which delivery will occur should be created.

PLANNING STEP 2 Identify and engage your stakeholders

It can be argued that every employee is a stakeholder in information security and ISG. However, the CISO and the
information security team may not be able to form a relationship with all of them and consequently may need to
focus on smaller and better differentiated groups.

Stakeholder mapping

This is used to understand the degree to which stakeholders can exert power and influence over the ISG framework.
Stakeholder groups can include senior management, shareholders, IT, information security staff, external suppliers,
regulators and customers. Mapping examines the relative power of these stakeholders, the likelihood of them using
that power and their level of interest in the activity. When performed objectively, the analysis will indicate:

• which stakeholders have the greatest potential to positively or negatively affect ISG
• the needs and requirements of each group
• their communication and reporting needs and preferences
• whether one stakeholder group can lead other groups
• how stakeholder groups can influence each other.

Stakeholders are categorised on a map, rating their level of interest against the power they possess to exercise those
interests. In this way the stakeholders can be broadly divided into four groups; Minimise effort, Keep informed, Keep
satisfied and Manage closely, as shown in Figure 11 below:

Figure 11: Stakeholder groups map (adopted from Gardner, J.R., Rachlin, R. and Sweeny, H.W.A., Handbook of strategic
planning, John Wiley and Sons, 1986, ISBN: 978-0471881278). The map plots stakeholder power (vertical axis, low to
high) against stakeholder interest (horizontal axis, low to high), giving four quadrants:

• low power, low interest: Minimise effort
• low power, high interest: Keep informed
• high power, low interest: Keep satisfied
• high power, high interest: Manage closely

Based on this analysis, decisions can be made about how to communicate with the stakeholders regarding ISG. In
some cases, the map can be used to identify how to communicate with certain groups to maintain or win their
support.

There are two main benefits gained by performing stakeholder mapping:

1. Those performing the mapping will have a clearer picture of the categories of stakeholders and be able to identify
the groups most likely to affect, and be affected by, enterprise decisions and ISG
2. Efforts can be prioritised to maximise the effectiveness of the stakeholders’ interest and power through
communication that leverages their interests.

Managing and communicating to stakeholders

The following table illustrates how to communicate with the four stakeholder types.

Table 2: Stakeholder descriptions and communications (stakeholder group, group description and typical communications)

Minimise effort
Description: Pose little threat to the activity due to a lack of both interest and power.
Typical communications: Little or no effort should be focused on this group and any communication could be handled
generically such as through email lists or the company newsletter.

Keep informed
Description: Have high interest but little power to exercise control.
Typical communications: Typically, regular push communication, such as quarterly briefings or webcasts, will be
suitable to inform them.

Keep satisfied
Description: Can either support or disrupt the activity in question. However, may be unwilling or unable to wield
this power.
Typical communications: Should be informed on a regular basis; communications should seek to minimise their
involvement. Again, push communication, such as monthly briefings, webcasts and tailored emails should be used.
Some time should be invested listening to this group and understanding what they need.

Manage closely
Description: This group’s support is vital for ISG.
Typical communications: Regular face-to-face meetings and rich communication (such as presentations, videos and
printed material) will be required. Significant time should be spent understanding their drivers, needs, view of
success and, where possible and appropriate, matching activities to them.

“Your customers can wield significant influence. If they don’t like how you handle their information,
they can stop using your business.”

The stakeholder mapping can be used as input into an ISG communications plan.

Examine whether an ISG board should be created

Whilst the CISO is typically responsible and accountable for delivery, an ISG board can provide valuable guidance,
links to other areas of the business and assistance in evaluating the success of information security governance.

‘ISG board’ was the most commonly used term to refer to a body appointed to oversee ISG in an
enterprise. Other terms included ‘ISG committee’ and ‘ISG oversight panel’.

The ISG board can be given a range of responsibilities and authorities, which the CISO should define and agree with
senior management. The list on the following page highlights the most common of these, grouped according to the
ISF framework for ISG:


A. Deliver value to stakeholders
- identify areas where security activities can enable or support one or more business initiatives
- ensure that security activities are perceived as adding value
- manage resources to maximise efficiency and effectiveness
- oversee implementation and enablement of change.
B. Achieve strategic goals
- ensure that information security is aligned to business strategy
- align information risk appetite to enterprise information risk.
C. Provide information risk assurance
- interpret and demonstrate conformity with legal and regulatory requirements
- benchmark risk management practices within sector and with peers
- manage and treat risk in accordance with the risk appetite, legal, regulatory and governance requirements
- report against financial and non-financial security indicators
- create and maintain a view of information risk across the enterprise
- approve and validate security standards.

“Senior management and the board sets the direction, the information security steering group (or
committee) drives it forward, and the ISG board and governance framework ensures that everything
is on course and will arrive on time.”

The proposed membership of the ISG board should include one or more senior management representatives.
Potential members of the ISG board are shown in the table below.

Table 3: Potential members of an ISG board

Typical members of an ISG board – Notes

Chief Executive Officer – Or delegated representative
Chief Operating Officer
Chief Risk Officer
Chief Information Officer
(Usually, only one of the four senior managers listed above will attend the ISG board)
Lines of business representatives – Or heads of divisions, functions or business units
Chief Information Security Officer – Or equivalent
Legal function representative – May not be present in all organisations
Finance function representative
Compliance function representative
Marketing function representative
Programme Management Office representative
Human Resources representative – Also known as personnel or talent management

“It may be difficult to get the CEO or CFO or other senior members to attend. One, they don’t get
what we do; two, they’re busy and we’re not on their agenda; and three, there isn’t always a legislative
driver.”

The ISG board may communicate with other functions or committees such as compliance, legal and HR where
information or decisions need to be shared.

“You should engage with the audit committee. Remember, senior management and the CIO do not
argue with that committee; senior management simply address the identified issues.”


Internal audit and the ISG board

The role of internal audit (typically perceived as a major internal stakeholder) and whether an audit representative
should have a seat on this ISG board is a difficult question to resolve. Usually, internal audit would not be
invited to sit on this board, because internal audit may review the activities undertaken, the decisions made and
processes followed by the ISG board. However, there were conflicting views as the following quotes illustrate.

“Audit representation may be driven by materiality – if there is a big deal issue or project that may affect the company,
you may want them on your side during the fact, not afterwards.”

“Audit should be independent. Audit may test whether you have the controls to manage both the information risks and
the information security function.”

The CISO may not be able to make the decision whether to involve internal audit or not; ultimately, a senior
manager, such as the CIO or CEO, may have to make that decision. Typically, internal audit would be invited on
a case-by-case basis, using criteria such as the topic under discussion and/or the risks being discussed to assist in
making the decision. Another solution would be to appoint an independent internal auditor to the ISG board to
provide expertise and knowledge of audit; another auditor would then independently review the activities of the
ISG board.

Obtaining senior management support

The CISO should identify a member of senior management, who may be a C-level executive such as the Chief
Operating Officer, Chief Information Officer, Chief Risk Officer or Chief Executive Officer, and ask them to support
and sponsor the ISG framework. Gaining that person’s support may involve explaining the need, the benefits, value
add and the resource requirements associated with ISG. Preparing Step 1 – Step 4 – described in Part 3: Preparing for
information security governance – will assist in this exercise.

PLANNING STEP 3 Define what will be measured and how

Having described the ISG framework and clearly stated its benefits and delivery timescale, the next step is to identify
and select the measures related to ISG. These measures should be identified in consultation with the business to
decide which measures are appropriate and to identify the audiences and the methods of presentation for each.
Where possible, objectives should be set using the SMART principle – in other words, they should be Specific,
Measurable, Attainable, Relevant and Time-bound.

The selection, agreement and presentation of measurements is a complex process, which this report does
not cover in detail.

Once the measurements have been selected, how they can be used – for example to drive improvements, increase
maturity or enhance benefit of ISG – should be highlighted.


PLANNING STEP 4 Gain approval to implement information security governance

Implementing ISG will require the commitment of time and financial resources. As such, the CISO should gain
approval, preferably from senior management, before starting the implementation. The following tasks will assist in
gaining approval:

• Create a business case or similar document to gain stakeholder support and approval
• Communicate the business case, information security strategy and ISG to the relevant stakeholders
• Obtain buy-in and approval from senior management for the implementation of the strategy and ISG
• Produce a high-level project plan for ISG implementation, detailing delivery milestones.

PLANNING STEP 5 Prepare final implementation plan

The project plan should be developed in detail as part of this action. The plan should indicate the resources, the steps
and the sequence in which implementation should occur. The detailed plan will provide the CISO and others working
on implementing ISG with their detailed actions. The plan may also contain review points where implementation
progress and benefit delivery can be assessed.

ISG implementation should be carried out in sequential steps, with each step creating another part of the ISG
framework. When implementing ISG, it should not be viewed as an information security-only activity and should
involve the business in all steps to ensure alignment with the business. A key message from Members was to
start small, provide quick wins with tangible outcomes for the business, and integrate activities such as reporting
information security assurance with enterprise risk management.

“Start small and try not to do everything at once. Don’t over-engineer with fancy tools – start simple
and don’t try to report too many figures.”

During implementation, the progress of the project and the successes and benefits should be communicated to
the various stakeholders on a regular basis. As resources are usually limited, a balance must be struck between the
delivery of business-as-usual information security and implementing ISG. The business case prepared in Planning Step
4 should clearly state the resources required and how they will be allocated.

“You must ensure that the business knows your focus will be elsewhere for a while as you put ISG
in place, as some work will not get done during that time. You need to manage expectations around
what will and will not get done – you can’t do it all at the same time.”

A number of Members warned that ISG implementation typically took longer than expected and that the CISO
should plan for a medium-term time horizon (for example 12 months) and perhaps longer to socialise the ISG
implementation across the enterprise.

“I wish I had known just how much time it takes to get everything sorted, for example building support,
creating the framework and getting the right people in place.”


Summary

Based on Member experiences, five actions to prepare for ISG implementation or enhancement have been identified.
These five actions, when combined with a stepwise project plan, should lay the foundations for success.

Table 4: Summary actions required to plan for ISG implementation

Step 1: Describe information security governance framework
• Identify, link to and (where possible) reuse the other corporate governance frameworks in use in the organisation
• Use and if necessary adapt the ISF framework for ISG as the blueprint for ISG in the enterprise
• Position ISG in relation to the enterprise, its governance framework and operations
• Set terms of reference for ISG
• Define roles and responsibilities for individuals involved in ISG
• Provide a clear statement of the benefits of ISG and the timeframe in which delivery will occur

Step 2: Identify and engage your stakeholders
• Use stakeholder mapping to determine the power and influence of stakeholders
• Develop a plan to manage and communicate with stakeholders as appropriate, using the results of the stakeholder
mapping exercise
• Obtain senior management support
• Create an ISG board

Step 3: Define what will be measured and how
• Consult with the business to decide which measures will be used as output from ISG
• Identify the audiences and the methods of presentation for each
• Highlight how the measurements will drive improvements, increase maturity or enhance benefit

Step 4: Gain approval to implement information security governance
• Create a business case or similar document to gain stakeholder support and approval
• Market the vision for ISG to senior management
• Communicate the business case to the relevant stakeholders
• Obtain buy-in and approval from senior management for the implementation of the strategy and ISG
• Produce a project plan for ISG implementation, detailing delivery milestones

Step 5: Prepare final implementation plan
• Draw up detailed implementation plan, with milestones, resource requirements and review points
• Review the plan and the ISG framework on a regular basis.

Appendix C: Prepare and Plan actions: the checklist contains these actions listed in a checklist format. The
checklist is also included in the Information security governance diagnostic tool.

The next part of the report examines the ISF framework for ISG in detail.

Part 5: Implementing the ISF framework for ISG
Overview

The following parts of this report – 5a, 5b and 5c – examine the three objectives of the ISF framework for ISG and
associated activities in detail. Figure 12 summarises the information security governance framework developed by ISF.

Figure 12: The ISF framework for ISG, its objectives and activities

INFORMATION SECURITY GOVERNANCE
A. Deliver value to stakeholders: A1. Improve effectiveness and efficiency; A2. Meet stakeholder requirements;
A3. Enable business initiatives; A4. Integrate with enterprise processes
B. Achieve strategic goals: B1. Execute strategic objectives; B2. Set and refine information risk appetite;
B3. Sustain buy-in and commitment; B4. Maintain security requirements
C. Provide information risk assurance: C1. Oversee assurance programme; C2. Implement risk assessment;
C3. Ensure compliance; C4. Manage supply chain risk; C5. Monitor and report on assurance

The objectives and activities have been created through the analysis of published material, the ISF 2011 Standard of
Good Practice and Member input from the workshops, case studies and project questionnaire.

Part 5a: Objective A: Deliver value to stakeholders
Overview

Enterprises seek to use their resources in the best way possible to meet goals such as generating profit, maximising
the return on investment, using scarce skills to create new products or services, and creating value for stakeholders.
Information security, typically short of resource and needing highly specialised skills, should also seek to use the
resources it is given to best advantage. Often, information security is seen as an overhead that protects value;
however, it can also add value for an enterprise.

Objective A: Deliver value to stakeholders has four major activities, as shown in Figure 13 below:

Figure 13: Objective A: deliver value to stakeholders – major activities (the ISF framework for ISG diagram,
Objective A activities: A1. Improve effectiveness and efficiency; A2. Meet stakeholder requirements;
A3. Enable business initiatives; A4. Integrate with enterprise processes)

Relationship to the ISF 2011 Standard of Good Practice

The 2011 Standard of Good Practice contains the following relevant topic:

Topic: SG2.2 Stakeholder Value Delivery
Principle: The organisation should implement processes to measure the value delivered by information security
initiatives and report the results to all stakeholders.
Objective: To ensure that the information security programme delivers value to stakeholders.


Each of the activities associated with this objective is described over the following pages.

A1. Improve effectiveness and efficiency

All managers are expected to deliver to budget, quality and deadlines; information security is no different. How well
these targets are met is to some extent related to two concepts: effectiveness and efficiency, described below.

Effectiveness

This is an outcome of doing the right things, ie setting the right targets to achieve an overall goal (the effect). For
information security, this is linked to the extent to which security safeguards are perceived as successfully protecting
IT systems hardware, software, data, information, and services from deliberate, accidental, or random threats to
confidentiality, integrity, or availability. This includes physical, electronic, personnel, and policy safeguards.

Improving effectiveness relies on a number of factors from improving interpersonal skills, personal attitudes and
technical competencies of staff, to the design of the organisation, the workplace and technology. For the CISO,
activities to raise effectiveness include security awareness, education and training; staff engagement; choosing solutions
for tasks such as firewall monitoring to release skilled individuals to work on business projects; and redesigning security
processes. To underpin effectiveness initiatives, the CISO should set clear targets for people to work towards.

Measures can be developed to assess the effectiveness of projects, programmes and initiatives undertaken. These
measures can be based on, amongst others, the following goals:

• Comparison of delivery and benefits against the original rationale, plan or business case
• Contribution of information security to the enterprise – for example assisting in bringing new products or services
to market or enabling the use of collaborative or mobile solutions
• Improvement of security arrangements against policy and regulatory requirements
• Reduction in the frequency and magnitude of potential incidents in terms of impact and cost
• Reduction in reputational damage or loss of customer support due to information security lapses by an external
supplier.

These measures may be used as input into ISG reporting, discussed in Part 6: Monitoring and reporting on ISG.

Efficiency
This is the achievement of goals in an economical way, striking a balance between economy in terms of resources
(such as time, money, space or materials) and the achievement of aims and objectives.

In information security terms this can be translated into reducing the cost of security, applying the appropriate level
of controls (such as not over- or under-controlling), deploying information security people with the right mix of skills
and knowledge on a project, productivity of staff and the reuse of components, tools, methodologies, assessments
and so on. Other methods of increasing efficiency include adopting standards, as they provide a ready-made control
framework upon which policies and procedures can be based, reducing resources required to produce policies and
procedures from scratch.

Other generally accepted methods of increasing effectiveness and efficiency include using project and programme
management; setting up a programme management office; obtaining feedback; and using benchmarking to assess
efficiency.


A2. Meet stakeholder requirements

Key to satisfying the varying requirements of multiple stakeholders is a clear understanding of their requirements,
communication of those requirements to people who can meet them, and then planning and committing the required
resources. Planning Step 2: Identify and engage your stakeholders provides a number of tasks that can be used to
determine stakeholders’ requirements and their communication and reporting needs and preferences. Based on the
results from Planning Step 2, responsibilities can be allocated, commitment obtained, delivery managed and feedback
to assess satisfaction collected.

An example of meeting these requirements might be to enable the secure provision of consumer devices, or to
enable the secure use of social networking or collaborative tools for the enterprise.

A3. Enable business initiatives

Information security can play a significant role in the business by supporting services such as secure online shopping,
payment and banking, data interchange between an enterprise and service providers in its supply chain, or providing
secure services to remote branches or workers.

By adopting a risk-based, forward looking approach, the CISO and information security function can become a
strategic business enabler. They can investigate and prepare for new business requirements, new technologies, new
ways of working and draw up business-focused responses ahead of demand from the business. This forward-looking
stance will make the function more agile, quicker to respond to business requirements (or requests) and change
the perception of security from being a reactive cost centre to being a proactive business enabler. Additionally, by
understanding the trends and developments in technology (not just security technology), the CISO can propose
how to adopt technology securely and use new or current investments in security to speed or facilitate that
adoption. For example, because ISG can promote a risk-based, forward-looking approach, this would be of great
assistance to enterprises preparing for tomorrow’s challenges and dealing with today’s issues such as cloud adoption,
consumerisation and the cyber environment.

Another way to enable the business is to find new ways to use current security technology for the benefit of the
enterprise. A good example of this is using hardware tokens to provide consumers with two-factor authentication
when accessing their bank accounts online. The advantage of finding new uses for current technology is that the
experience and investment already made in the technology can be built upon, reducing costs and increasing the
return on investment.

“You have to be visible and get involved in business projects. Sometimes, the best thing to do is get out
of your office and walk around. That way you’ll discover what’s going on and what needs to be done.”

A4. Integrate with enterprise processes

A major aim of ISG is to embed and integrate information security governance, processes and operations into the
business and existing structures and processes. Integration can take a number of forms, including:

• promoting consistency of information security across the enterprise and its processes
• building security in at the start of an initiative or development programme thus improving security and reducing
cost
• raising security awareness through tailored campaigns incorporated into staff induction and on-going training
• harmonising information security compliance activities across the enterprise leading to efficiencies and decreased
risk
• integrating with other risk management processes and activities.


Integration also improves efficiency, simplifies implementation and reduces the likelihood that the same issues arise
time after time.

“Our approach, our aim, is to embed security governance into the way our business builds and
operates services so it is not known as a discrete security process but part of the only way of getting
things done.”

“A key concern for me is creating and improving a security-positive culture across the business.”

Information security governance and security architecture

Security architecture can be a mechanism for translating business security requirements into security controls
which can then be applied to the IT and other infrastructure. The ISF definition of security architecture is a set of
representations that describe the function, structure and inter-relationship of the security components within
an environment.

From a technical perspective, whether the security architecture refers to a new environment to be created
(often referred to as the target state) or an existing environment (often referred to as the current state),
security architecture can have a significant role in managing and ensuring the consistency of information security
arrangements across the enterprise. This can be achieved through the use of standards and guidelines (addressing
items such as server configurations, segregation of duties and least privilege), reusable security components (such
as controls, services and technologies or code and security controls) and tools and methods (such as APIs, code
samples and solution repositories).

Some Members believe that security architecture is a key activity and component of ISG, whereas other Members
believe there is no relationship between architecture and ISG. This report takes the view that implementing
security architecture may be a strategic objective to support ISG and its objectives.

The ISF’s Security Architecture report includes a set of guidelines on how security architecture can be developed.

Related ISF deliverables


Using ISF deliverables such as the 2011 Standard of Good Practice, Securing business applications and Information
security incident management – establishing an information security incident management capability reports will provide
Members with processes that can be adopted in their enterprise, helping to raise their effectiveness and efficiency
through the adoption of good practice. The ROSI: Return on Security Investment report will assist Members to quantify
the financial benefits of projects and programmes and their associated efficiencies.

The reports Role of information security in the enterprise and Managing a security function can be used to initiate the
debate with stakeholders about their requirements and expectations.

The Threat horizon reports can be used as input to a forward-looking information security strategy or as an aid to
discussions with stakeholders about the direction and future plans of the information security function. Reports such
as Architectural responses to the disappearing network boundary, Securing consumer devices and Managing access in a
changing world provide Members with insight into the developments and trends that may affect the provision of
information security in an enterprise.


One area to consider is the convergence of risk, which will be key in establishing the future shape and size of
information risk functions in an organisation. The Risk convergence: Implications for information risk management report
provides insight into what is meant by risk convergence and how different types of risk can be compared. It offers
pragmatic steps that the information risk function should take right now, in order to secure its position within a
converged risk environment.

Enterprises wishing to create or enhance awareness programmes can consult the Cyber citizenship in an enterprise
environment report, while the Solving the data privacy puzzle: Achieving compliance report can be used to assess and
strengthen an enterprise’s response to the challenges of data privacy and protection.

ISF tools that can be used to support this objective are shown in the table below.

Table 5: Selected ISF tools and their suggested use in Objective A: Deliver value to stakeholders

Benchmark
• Compare information security investment, spending and compliance status against peers or between enterprise
units (such as countries, functions or critical business applications) and over time

ROSI – return on security investment
• Provide financial justification for information security investments

Security function diagnostic tool
• Assess the perception of the information security function
• Identify gaps between what the information security function provides and what the business wants.

Summary

Objective A: Deliver value to stakeholders takes in activities such as finding efficiencies, identifying stakeholders, enabling
business initiatives through new technology and integrating information security into enterprise processes.

The next part of the report looks at achieving strategic goals and the activities that can contribute to successful
achievement of that objective.

Part 5b: Objective B: Achieve strategic goals
Overview

Information security should be aligned to the enterprise and its strategy. Information security strategy and ISG can be
used together to create and maintain this alignment whilst overseeing the achievement of information security goals.

The four major activities associated with this objective are shown in Figure 14.

Figure 14: Objective B: achieve strategic goals – major activities (the ISF framework for ISG diagram,
Objective B activities: B1. Execute strategic objectives; B2. Set and refine information risk appetite;
B3. Sustain buy-in and commitment; B4. Maintain security requirements)

Relationship to the ISF 2011 Standard of Good Practice

The 2011 Standard of Good Practice contains the following relevant topic:

Topic: SG2.1 Information Security Strategy
Principle: All information security projects and initiatives should be demonstrably aligned with the organisation’s
strategic objectives.
Objective: To ensure that the information security programme contributes to the organisation’s success.

Each of the activities associated with this objective is described over the following pages.


B1. Execute strategic objectives

Strategy and governance are closely linked. Connecting the information security strategy to ISG will allow for better
targeting of activities, improved reporting on the execution of the strategy and enhanced feedback to amend or
enhance the strategy itself.

“You have to decide what you are going to do first – that’s strategy. Then you need to decide how
you are going to achieve the ‘what’ and report progress – that’s governance.”

ISG will provide the direction and oversight of how well strategic objectives are being set and achieved through
reporting against project, programme or initiative milestones. ISG can also provide for regular review of both the
information security strategy and related objectives against the business strategy, to take into account any changes.
This review should include business representatives and may best be carried out by the ISG board.

“Strategy is direction: governance is a management activity.”

Strategic objectives typically have long timeframes for their delivery, compared to short-term tactical or operational
objectives. Usually, a strategic objective will be broken down into programmes and projects with a mixture of shorter
and longer-term objectives.

In information security terms, this means creating projects, programmes and initiatives to support strategic objectives.
These projects may be technical in nature, such as implementing an intrusion detection system, they may be
managerial, such as creating a social media policy, or they may be both, such as interpreting regulation or legislation
and implementing a specific solution to comply with the legal and regulatory requirements. As each project delivers
or completes, the outputs from each will build towards the achievement of the strategic objective.

The oversight provided by ISG will enable measurement of progress towards achieving the strategic objectives. As
milestones are reached and projects completed, the alignment of the information security strategy with the business
strategy should be reviewed. Such a review will assist in keeping the alignment up to date and ensure that the
decisions made reflect enterprise requirements.

B2. Set and refine information risk appetite

The risk appetite of the enterprise and its business units should be determined and understood. Understanding the
amount of risk the enterprise and its leaders are prepared to accept in order to meet their business objectives is
important, as it will shape the environment in which the strategic objectives and funding for information security are
considered. Culture – enterprise, national or regional – will also play a part, as it influences how decisions are made
and the risks individuals are prepared to take to meet their objectives.

“Our board-level executive was the Chief Legal Officer. His risk appetite was zero.”

By understanding the risk appetite of the enterprise, the CISO and business representatives can determine the
information risk appetite. Knowledge of the enterprise and information risk appetites can be used as guidance for
the initiatives, projects and programmes required to deliver the information security strategy. The information risk
appetite should be reviewed on a regular basis, to ensure it adapts to and reflects the changing risk appetite of the
enterprise.


Linking information risk appetite to information risk assessment

Translating the enterprise risk appetite into information risk terms can be achieved by creating one or more business
impact reference tables, thereby setting and quantifying the level of risk the enterprise or business unit is prepared to
take. These tables can then be used in information risk assessments to drive the selection of controls and resource
commitment to protect the environment under examination. Figure 15 illustrates the ISF Business Impact Reference
Table (BIRT), which forms the core of the ISF Information Risk Analysis Methodology (IRAM) business impact assessment.

Figure 15: The IRAM Business Impact Reference Table (BIRT)

The BIRT uses 15 business impact types and can be configured by Members to reflect unique operating or other
circumstances. Once the modifications are agreed, the BIRT can be used across the enterprise to assess the business
impact should the confidentiality, integrity or availability of an application or information be compromised. From this
assessment, an indication of the criticality of the application can be determined, which will assist in control selection.

“ISG helps keep the enterprise within its risk tolerance.”

B3. Sustain buy-in and commitment

Getting and retaining the support of people across an enterprise can be challenging. Many security professionals have,
for a number of years, found it difficult to achieve continued senior management support and buy-in for information
security and related initiatives. ISG can be used to sustain buy-in and commitment through:

• demonstrating the alignment between information security strategy and enterprise strategy and the realisation of
shared objectives
• articulating business value and benefits and the sequence in which they will be realised
• using the language and terminology of enterprise risk management
• reporting progress against strategic objectives in a style appropriate for senior management
• reporting regularly on the information security status of the enterprise.




The formation of an information security governance board will also assist in gaining buy-in and commitment as many
(if not all) of the representatives on the ISG board may gain insight and benefit from information security.

“ISG allows you to articulate what is needed and how it works to the business.”

“Culture is a powerful tool. If the people at the top understand information security, take it seriously,
demonstrate their commitment, get security on everyone’s agenda and in their pay packets, then you
get much more commitment from the entire enterprise.”

To sustain buy-in and commitment from senior management in the enterprise, the CISO should be visible and
communicate regularly with them. This should take the form of scheduled face-to-face or teleconference meetings,
with a plan and structure, perhaps supplemented by unstructured discussions. The CISO should be prepared to
provide a summary of achievements and support given to the business. ISG can provide the CISO with the information
needed to demonstrate to senior management that their continued support is yielding results and that information
security across the enterprise is meeting or exceeding their requirements.

The following table provides suggested actions and tasks associated with this step.

Table 6: Suggested actions to sustain buy-in and commitment

Action: Sustain senior management support
Tasks:
• Understand the business strategy and the requirements placed on information security
• Discern what the enterprise needs from information security – talk to stakeholders
• Ensure the information security vision and strategy are up-to-date, forward-looking and aligned to enterprise
objectives / strategy
• Produce a business plan for information security focused on business needs and benefits
• Market the vision and describe the plan to stakeholders and get their approval or support
• Demonstrate how success can support achievement of the enterprise strategy

Action: Build and enhance credibility by helping the enterprise to meet its goals
Tasks:
• Present executives with a programme for enabling change
• Detail business benefits and when they can be realised
• Commit to update executives regularly
• Identify and deliver quick wins
• Present successes and objectives met in an appropriate style and language




Role of information security in the enterprise (RISE)

The RISE report identified the changes and developments required to move from today’s technical to tomorrow’s
enterprise focus, using the five dimensions of the ISF Managing a security function diagnostic tool. The actions to
be taken provide a series of short-term tasks (approximately two years) against which progress can be measured;
the tasks can be used as a springboard to achieve the final vision.

Three paths of information security evolution were identified in RISE: IT, business, and risk integration. Each
provides a future vision for information security. The results captured by the RISE project indicate that integration
with the business and a focus on the enterprise is the future of information security. Regardless of the path
chosen, information security in an enterprise will have to communicate, integrate, work and deliver with multiple
stakeholders, ranging from IT to HR, from senior management to system administrators. A key component of the
vision is understanding information risk.

ISG is a mechanism by which many of the aspirations identified in the RISE report (such as providing integrated
risk management, assurance, compliance solutions, consultancy and measurement of value) can be delivered.

The Insider view, another RISE deliverable, provides Members with a series of activities for a change programme
to realise the vision.

B4. Maintain security requirements

The requirements for the confidentiality, integrity and availability of information in systems, risks and environments
should be set and distributed throughout the enterprise. These requirements can take a compliance or threat-based
approach. The following paragraphs discuss the two approaches.

Approach I – Compliance-based

This approach typically uses a standard or agreed baseline to set the controls framework and controls used across
the enterprise. A compliance-based approach will typically result in the scope of the requirements being driven by:

• Policies (such as enterprise or third party policies)
• Standards (such as the ISF 2011 Standard of Good Practice, ISO/IEC 27001)
• Lists of controls (such as the ISF 2011 Standard of Good Practice, ISO/IEC 27002)
• Statutes and other regulation (such as the Health Insurance Portability and Accountability Act (HIPAA),
Sarbanes-Oxley, EuroSox).

The requirements will thus be limited to the scope of the standard or standards chosen and may only provide a
narrow view of security; this may lead to matters that are important to the business not being addressed. It may also
limit the scope of any audits or assessments.

Approach II – Threat-based

Information security risks typically encompass threats and vulnerabilities (including special circumstances and control
weaknesses) that can have business impact. Basing requirements on this approach can focus attention on the business
risks (such as the risk of unauthorised access to enterprise information) and the measures in place to address them
or the flow of information through and around the enterprise, and the integrity and quality of that information (such
as transaction data, standing data).




The scope of the requirements will be broad and may require input from other enterprise functions such as risk
management, IT and the board. The scope will be driven by the analysis of threats to the enterprise, its information
and the risk appetite of the enterprise. This analysis will cover people, process and technology risks and how these
risks can be treated.

Combining the approaches

Taking either an entirely compliance- or threat-based approach may not be suitable, as each can miss certain risks. A
combination approach will blend aspects of both approaches to more fully address the risks, providing the enterprise
with a comprehensive set of requirements for the confidentiality, integrity and availability of information.

To set the requirements, an analysis of the financial, operational and customer-related impacts should be taken from
the perspective of the confidentiality, integrity and availability of information. Once determined, these requirements
should be incorporated in design specifications for system or software developments, included in stage reviews and
built into business process documents.

The requirements will need to be reviewed on a regular basis, to take into account changes in the environments and
other developments.

The ISF 2011 Standard of Good Practice provides a broad and comprehensive view of security, making it less
likely that matters important to the business are ignored.

Related ISF deliverables

The reports Role of information security in the enterprise and Managing a security function can be used to define areas
of responsibility and create a profile of the information security function and how information security can support
the business.

The ISF Information security strategy report provides Members with an understanding of strategic concepts, an
overview of practice within Member organisations and a practical way to demonstrate and communicate the strategic
relevance of information security to an enterprise. The report can be used to assist in the creation of an information
security strategy.

The Information Risk Analysis Methodology (IRAM) series of reports provides Members with a complete methodology
covering business impact reference tables, business impact assessment, threat and vulnerability assessment and
control selection. The Risk convergence: Implications for information risk management report provides insight into what
is meant by risk convergence and how different types of risk can be compared. The report offers pragmatic steps
that the information risk function should take immediately, in order to secure its position within a converged risk
environment.

To help set the information security requirements, the ISF 2011 Standard of Good Practice topics SR1.3, SR1.4 and
SR1.5 can be used, as these set out the principles and objectives for setting confidentiality, integrity and availability
requirements respectively.

The Protecting information in the end user environment report is built around a practical model to help Members
understand the three main elements that affect information protection (end user, technology and location). It
presents a series of recommendations intended for the individuals responsible for information security in the end
user environment to sustain the commitment to protect information.




The Practical approaches to information classification report provides practical guidance on how to design an effective
information classification scheme and deploy it enterprise-wide, while the Information lifecycle: a new way of looking
at information risk report assists members in considering the risk to information, from its creation to destruction, and
deploying controls in proportion to that risk. These two reports will assist Members in determining and then fulfilling
information security requirements.

Finally, Guidelines for information security covers the full spectrum of information security and provides the basis for
implementing information security and the requirements across an organisation.

The ISF has two tools that can be used to help in achieving strategy as shown below.

Table 7: Selected ISF tools and their suggested use in Objective B: Achieve strategic goals

ISF tool: Security function diagnostic
Suggested use:
• Assess the perception of the information security function
• Identify gaps between what the information security function provides and what the business wants

ISF tool: Role of information security in the enterprise rich picture
Suggested use:
• Use as a discussion piece with staff, peers, senior management and managers about how information security can
support the business and evolve

Summary

Aligning information security to the enterprise is vital. Objective B: Achieve strategic goals provides support so that the
information strategy can be realised and progress measured.

The next section will discuss Objective C: Provide information risk assurance, and the major activities that help achieve
that in an enterprise.



Part 5c: Objective C: Provide information risk assurance

Overview

The third and final objective of ISG, to provide information risk assurance, is achieved through activities such as
the adoption of an information security assurance programme and the application of information risk management
techniques. The five major activities of Objective C: Provide information risk assurance are shown in Figure 16.

[Figure: the ISG framework, showing the three objectives and the major activities under each]
A. Deliver value to stakeholders: A1. Improve effectiveness and efficiency; A2. Meet stakeholder requirements;
A3. Enable business initiatives; A4. Integrate with enterprise processes
B. Achieve strategic goals: B1. Execute strategic objectives; B2. Set and refine information risk appetite;
B3. Sustain buy-in and commitment; B4. Maintain security requirements
C. Provide information risk assurance: C1. Oversee assurance programme; C2. Implement risk assessment;
C3. Ensure compliance; C4. Manage supply chain risk; C5. Monitor and report on assurance

Figure 16: Objective C: Provide information risk assurance – major activities

Relationship to the ISF 2011 Standard of Good Practice

The 2011 Standard of Good Practice contains the following relevant topic:

Topic: SG2.3 Information Security Assurance Programme
Principle: The organisation should adopt a consistent and structured approach to information risk management.
Objective: To provide assurance that information risk is being adequately addressed.

Each of the activities associated with this objective is described over the following pages.




C1. Oversee assurance programme

Information security assurance, which the ISF has defined as providing evidence to senior management that
information risks are being managed effectively enterprise-wide, is a key output of ISG. At the highest level, security
assurance may simply be a high-level dashboard report distributed to the relevant stakeholders. For other enterprises,
particularly where IT or the information security function is outsourced, stakeholders may require more detailed
evidence of information security assurance.

ISG can promote the creation, maintenance and monitoring of a security assurance programme to collect evidence
that systems, risks and environments are being managed. At the core of a security assurance programme are one
or more security assurance processes – which can be based around the plan-do-check-act (PDCA) elements of an
information security management system (ISMS). By following these processes carefully for a particular environment
(such as a customer service department or an online banking system), an enterprise will be able to identify security
requirements, select an appropriate control framework, and validate that the control framework is operating effectively.

These security assurance processes need to be supported by a range of specialised activities (such as creating a
security policy, collecting metrics and testing) to ensure that a consistent approach is taken and that all parts of the
enterprise are covered by the security assurance programme. The way in which these components fit together is
shown in Figure 17 below.

[Figure: components of a security assurance programme. The programme sits within the security strategy, security
policy and security architecture. Inside it, one security assurance process per environment (processes 1 to 4 are
shown) repeats the cycle: identify security requirements; implement control framework; monitor and evaluate controls;
initiate improvements. The processes are supported by specialised activities: security awareness, security audit /
review, security assessment, security testing, security access control, security compliance and security metrics.]

ISF resource: Information Security Assurance

Figure 17: Components of a security assurance programme

Security assurance will also draw upon:

• assessments of compliance with statutory obligations
• the ability to demonstrate compliance on a regular and on-going basis
• the findings of both internal and external audits
• the results of risk management and treatment actions.

Finally, it is important that the overall security assurance programme is well managed. Clear lines of communication
should be established with all relevant stakeholders and aligned with the enterprise’s corporate and security
governance approach.

The assurance process illustrated above is compatible with an ISMS plan-do-check-act cycle and the four
COBIT domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.




Linking information security governance and assurance

Establishing links between information security assurance and information security governance can be challenging
to achieve in practice. Previous ISF work (Information security assurance: An overview for implementing an information
security assurance programme) suggested that this challenge can be overcome by:

• implementing a coherent, integrated framework that includes key activities relating to corporate governance,
information security governance and information security assurance
• appointing owners to individual security assurance processes for particular environments, who will then jointly
act as a steering committee supporting decision-making
• identifying improvements to the overall security assurance programme to increase the visibility of information
security assurance and better align it with governance objectives.

C2. Implement risk assessment

For consistent information risk assessment and treatment, the organisation will ideally adopt a single information risk
assessment methodology across the enterprise. If this is not possible, ISG should be used to minimise the number
of methodologies in place and ensure that the methodologies produce outputs that are relevant to the business and
can be compared or used in risk reporting.

For each methodology, guidance on the conduct of assessments, including the information risk appetite, should be
distributed across the enterprise. The information risk assessment, where possible, should have defined links to other
risk tools and methodologies in the enterprise and should produce results in a format suitable for incorporation into
operational or enterprise risk management methodologies and reporting.

After adoption, ISG will monitor how risk assessments are carried out. It will ensure that the decisions made as a
result of those assessments meet the enterprise and information risk appetites, meet statutory obligations and address
specific enterprise requirements. The information risk appetite will be one of the factors that determine whether a
risk will be accepted, avoided, transferred or mitigated, along with other factors such as compliance requirements, the
security architecture in place and the funding available for risk mitigation.
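As an added worked example (not ISF code, and not the IRAM or the BIRT themselves), the following Python shows the mechanics described under B2 (Linking information risk appetite to information risk assessment, Figure 15) and in this activity: a small, configurable business impact reference table rates the confidentiality, integrity and availability impacts of an environment, derives its criticality, and compares the resulting risk score with an information risk appetite to decide whether the risk is accepted, mitigated or escalated for avoidance or transfer. The impact types, their thresholds, the 5x5 scoring and the expression of appetite as a maximum tolerated score are assumptions for illustration; the ISF BIRT uses 15 impact types and its own scales.

```python
"""Business impact reference table (BIRT-style) and risk appetite check.

Added example. The impact types, thresholds, 5x5 scoring and the
appetite expressed as a maximum tolerated score are illustrative
assumptions, not the ISF BIRT or IRAM.
"""
from dataclasses import dataclass

# Quantitative impact types: ascending upper bounds for bands 1..4;
# anything at or above the last bound is band 5 (assumed thresholds).
QUANTITATIVE = {
    "financial_loss_gbp": [10_000, 100_000, 1_000_000, 10_000_000],
    "customers_affected": [100, 1_000, 10_000, 100_000],
    "outage_hours": [1, 4, 24, 72],
}
# Qualitative impact types: fixed labels per band (assumed labels).
QUALITATIVE = {
    "regulatory": {"none": 1, "warning": 2, "fine": 3,
                   "enforcement": 4, "licence_loss": 5},
}


def rate_impact(impact_type, value):
    """Map one impact estimate to a band from 1 (negligible) to 5 (critical)."""
    if impact_type in QUALITATIVE:
        return QUALITATIVE[impact_type][value]
    for band, upper in enumerate(QUANTITATIVE[impact_type], start=1):
        if value < upper:
            return band
    return 5


def rate_property(estimates):
    """Worst-case band across all impact types for one of C, I or A.

    estimates: {impact_type: estimated impact if that property is compromised}
    """
    return max(rate_impact(t, v) for t, v in estimates.items()) if estimates else 1


@dataclass
class BusinessImpactAssessment:
    environment: str
    confidentiality: dict
    integrity: dict
    availability: dict

    def ratings(self):
        return {"C": rate_property(self.confidentiality),
                "I": rate_property(self.integrity),
                "A": rate_property(self.availability)}

    def criticality(self):
        worst = max(self.ratings().values())
        return "high" if worst >= 4 else "medium" if worst == 3 else "low"


def risk_score(impact_band, likelihood_band):
    """5x5 matrix score, 1..25 (assumed scoring)."""
    return impact_band * likelihood_band


def treatment(impact_band, likelihood_band, appetite, control_likelihood=None):
    """Decide the treatment against an appetite given as the maximum
    tolerated score. control_likelihood is the likelihood band expected
    once a proposed control is in place. Returns (decision, score)."""
    inherent = risk_score(impact_band, likelihood_band)
    if inherent <= appetite:
        return "accept", inherent
    if control_likelihood is not None:
        residual = risk_score(impact_band, control_likelihood)
        if residual <= appetite:
            return "mitigate", residual
    # Still outside appetite even with the control: escalate so the
    # business can decide to avoid or transfer the risk.
    return "escalate (avoid or transfer)", inherent


if __name__ == "__main__":
    # Constructed example environment: an online banking system.
    bia = BusinessImpactAssessment(
        environment="online banking",
        confidentiality={"financial_loss_gbp": 250_000, "regulatory": "fine",
                         "customers_affected": 5_000},
        integrity={"financial_loss_gbp": 2_000_000},
        availability={"outage_hours": 6},
    )
    print(bia.environment, bia.ratings(), bia.criticality())
    worst = max(bia.ratings().values())
    print(treatment(worst, 3, appetite=9))
    print(treatment(worst, 3, appetite=9, control_likelihood=2))
```

The appetite value is what B2 asks the CISO and business representatives to agree; changing it, or the thresholds in the table, changes the treatment decision without touching the assessment itself, which is why the table is kept separate from the assessment and can be reviewed on its own cycle.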

C3. Ensure compliance

A process should be established for ensuring compliance with relevant legal and regulatory requirements affecting
information security across the enterprise, such as general legislation that has security implications, information
security-specific legislation, and industry-specific regulation. The process should have a reporting component, which
identifies areas of weaknesses through assessment and audit, new legislation or regulation and provides a measure of
the risk to the enterprise.

Compliance with internal policy and standards should also be measured using a similar or identical process that
produces both qualitative and quantitative measures. Again, assessment and audit can be used to identify weaknesses
or non-compliance.

An example compliance process is shown in Figure 18 below:




[Figure: an information security compliance management process in five stages.
Discover: identify all compliance obligations; create a repository of compliance obligations.
Define: translate obligations to requirements; determine controls required; develop new controls based on
requirements; create a matrix of obligations, requirements and controls; define requirements for monitoring.
Implement: develop business case and action plan; deploy controls; deploy monitoring.
Monitor: gather data; aggregate data.
Report: review and analyse data; report results of monitoring activities; recommend actions to mitigate compliance
risk.]

ISF resource: Monitoring compliance: Workshop report

Figure 18: An information security compliance management process, from the ISF report Monitoring compliance

The ISF process provides a practical approach for managing, monitoring and demonstrating compliance with
requirements.

C4. Manage supply chain risk


The ISF report Information security for external suppliers: a common baseline highlights that external suppliers
provide a wide range of goods and services to Member enterprises. Previous ISF work indicates that over eight
out of ten Members (83%) currently outsource functions such as IT, human resources or payroll. About half of the
Members (55%) outsource business processes such as knowledge management, sales order fulfilment or component
manufacture. Lastly, over one-third (37%) outsource specific information security operations such as penetration
testing, firewall management, log monitoring or intrusion detection.

Working with external suppliers raises a number of key issues, including agreeing, validating and comparing the
information security arrangements of external suppliers. Enterprises also face the challenge of understanding where
their information is being stored, processed, transmitted or destroyed within the supply chain.

The ISF framework for ISG can be used to introduce a consistent approach specifying information security requirements
in contracts and service level agreements, and assessing potential and existing external supplier arrangements. Exit
arrangements can also be standardised. A consistent approach is more efficient and provides the enterprise with
better reporting on the risks associated with external suppliers.




This approach is shown in Figure 19 below, along with a high-level overview of the ISF common baseline for information
security in external suppliers.

[Figure: the four steps of the ISF approach for external suppliers]
A. Identifying and classifying external suppliers
B. Agreeing external supplier security
C. Validating external supplier security
D. Handling termination

ISF resource: Information security for external suppliers

Figure 19: The ISF approach and common baseline for external suppliers

The approach and baseline provide a consistent method of assessing external suppliers and reducing information risk
in the supply chain.

Cloud-based services are being increasingly adopted by enterprises and by organisations in their supply chain.
Enterprises need to understand where in the supply chain cloud and other outsourced services are being used and
the specific risk associated with that use. Identifying the key risks can be achieved through risk assessment – but it
should not be limited to technical risks; management, contractual and other risks should be taken into account. Figure
20 illustrates typical risks associated with cloud services.

[Figure: the ‘seven deadly sins’ of cloud security (1 Ignorance, 2 Ambiguity, 3 Doubt, 4 Trespass, 5 Disorder,
6 Conceit, 7 Complacency), each giving rise to related problems. The holistic approach addresses them in two ways:
1. address the individual problems with specific actions; 2. adopt the ISF process for managing external suppliers
(identifying and classifying external suppliers; agreeing external supplier security; validating external supplier
security; handling termination) together with the common baseline for external suppliers.]

ISF resource: Securing cloud computing

Figure 20: Linking the ISF approach for external suppliers to the seven deadly sins




A holistic approach, involving IT, legal, information security and business functions, is key to addressing the seven
deadly sins of cloud computing and the information risks they introduce into the supply chain.

C5. Monitor and report on assurance

This activity checks the effectiveness of the controls implemented as part of the assurance programme and assesses
whether they are working as intended. During the assessment, enterprises may need to identify controls that are not
functioning as required and suggest areas where additional controls may be needed. There are four tasks that can be
carried out as part of this activity, as shown in the following table:

Table 8: Actions to consider when monitoring and reporting on information risk assurance

Task: Monitor important systems and networks
Actions:
• Assess the security performance of systems associated with the environment
• Conduct system and network monitoring activities on a regular basis, including: scanning host systems for known
vulnerabilities, checking for the existence and configuration of unauthorised wireless networks and detecting
unauthorised changes to electronic documents and configuration files
• Employ intrusion detection mechanisms, such as host intrusion detection software (HIDS) and network intrusion
detection systems (NIDS), to ensure detection of known attack characteristics and unusual system behaviour
• Perform regular reviews of systems and networks used in the environment (such as current levels and type of
equipment) to identify new and emerging risks

Task: Conduct regular reviews on the effectiveness of information security controls
Actions:
• Establish arrangements for monitoring information security controls, which are documented, approved by senior
management and performed regularly
• Perform regular security reviews to provide assurance that security controls function as required and are effective
enough to reduce risk to an acceptable level
• Review self assessments performed by individuals responsible for running systems and networks used in the target
environment (including external suppliers)
• Perform security monitoring of the environment, using a range of techniques which typically include: reviewing the
results of monitoring activities that relate to the environment, carrying out regular audits or reviews and reviewing
security incidents (including repeat incidents)
• Review the results of monitoring activities in the environment, together with summary reports from automated
security software, to highlight threats associated with systems and networks used in the environment

Task: Measure the effectiveness of controls
Actions:
• Assess the information security status of controls using a consistent method (such as using the ISF Security
healthcheck)
• Test the controls and provide evidence that they are working effectively
• Consider commissioning a third-party review of the status of security controls
• Review risk assessments, residual risks and risk treatment decisions by considering any changes to business
objectives, systems, networks and applications, threats and vulnerabilities, control effectiveness, legal and regulatory
obligations and the overall environment
• Review the scope of the security assurance process on a regular basis to ensure that the scope remains appropriate
and risks are mitigated throughout the process

Task: Report findings to key stakeholders
Actions:
• Present information about security assurance to key decision-makers (including senior management, the ISG board
and relevant external bodies), to provide them with an informed view of:
  - the effectiveness and efficiency of information security arrangements
  - areas where improvement is required
  - performance against quantitative, objective targets
  - information and systems that are subject to an unacceptable level of risk
  - actions required to help minimise or mitigate risk (such as understanding the information security threat
    environment and encouraging business and system owners to remedy unacceptable risks)
• Communicate using terms and a level of detail appropriate to the audience
• Present the analysis from monitoring controls:
  - in a standard format (such as security dashboards, cockpits or balanced scorecards)
  - adhering to terminology that has been previously defined and agreed by stakeholders
  - using standard terms that go across all risk types, such as business impact.




The table is based on the ISF report Information security assurance: An overview for implementing an
information security assurance programme.

These tasks check the effectiveness of implemented controls and assess whether they are working as intended.
Enterprises may need to identify controls that are not functioning as required and suggest areas where additional
controls may be needed.
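As an added example (not from the ISF report or its tools), the following Python implements one of the monitoring activities listed in Table 8 under “Monitor important systems and networks”: detecting unauthorised changes to configuration files. It records a baseline of content digests, sizes and permissions for every regular file under a root, then compares a later scan against that baseline, reporting added, removed and modified files and, separately, files whose content is intact but whose permissions have changed. The file names and contents created in demo() are constructed test data, and the JSON manifest format is an assumption.

```python
"""Configuration-file integrity baseline and drift detection.

Added example (not from the ISF report): a minimal file-integrity check
of the kind the 'monitor important systems and networks' task calls
for. A baseline manifest records the SHA-256 digest, size and mode of
every regular file under a root; a later scan is compared against it.
The files created in demo() are constructed test data.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for regular files.

    Symlinks are not followed: a link swapped in to point at a different
    target would otherwise hash as that target and hide the change.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": _sha256(full),
                             "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return manifest


def compare(baseline, current):
    """Classify drift between two manifests. A permission change on an
    unchanged file is reported on its own: a config file made
    world-writable matters even though its content is intact."""
    drift = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            drift["added"].append(path)
        elif path not in current:
            drift["removed"].append(path)
        elif baseline[path]["sha256"] != current[path]["sha256"]:
            drift["modified"].append(path)
        elif baseline[path]["mode"] != current[path]["mode"]:
            drift["mode_changed"].append(path)
    return drift


def save_manifest(manifest, path):
    """Persist the baseline; store it off-host so an intruder cannot edit it."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a baseline over constructed files, introduce four kinds of
    unauthorised change, and return the detected drift."""
    def write(root, rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
        return full

    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        sudoers = write(root, "etc/sudoers", "root ALL=(ALL) ALL\n")
        os.chmod(sudoers, 0o440)
        motd = write(root, "etc/motd", "Authorised access only\n")
        baseline = build_manifest(root)

        write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")       # content changed
        os.chmod(sudoers, 0o666)                                            # permissions loosened
        os.remove(motd)                                                     # file removed
        write(root, "etc/cron.d/unexpected_job", "* * * * * root /tmp/x\n")  # file added
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

In production the baseline is taken from a known-good build and kept where the monitored host cannot rewrite it; the comparison output is what feeds the “report findings to key stakeholders” task, and an entry in the modified or mode_changed lists that nobody can trace to an approved change is exactly the kind of finding the assurance programme exists to surface.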

Related ISF deliverables

The ISF project Information security assurance: An overview for implementing an information security assurance
programme provides an overview of information security assurance and includes high-level actions to consider when
implementing an information security assurance programme enterprise-wide. As a central part of this programme, a
repeatable security assurance process is outlined that can be applied to individual environments within an enterprise.

The ISF 2011 Standard of Good Practice provides Members with a ready-made control framework for use in a security
assurance programme covering the complete spectrum of security arrangements. The control framework will assist in
keeping business risks associated with information systems within acceptable limits. Members can adopt the standard
in whole or in part, or use it as a reference when creating or selecting their own controls.

The Information Risk Analysis Methodology (IRAM) series of reports provides Members with a complete methodology
covering business impact reference tables, business impact assessment, threat and vulnerability assessment and
control selection.

The Monitoring compliance report examines how enterprises’ compliance obligations give rise to information security
requirements which, in turn, define requirements for information security controls. To demonstrate compliance,
enterprises must conduct effective monitoring on implemented controls. The report considers what monitoring
information security compliance means in practice. It then touches on the recent emergence of process-based
compliance management approaches being adopted in leading enterprises. Security audit of business applications
provides Members with a mechanism to integrate risk considerations into an audit and reporting, further enhancing
the risk-based approach implicit in ISG.

The Information security for external suppliers: A common baseline report provides a set of common security
arrangements that can be applied to all external suppliers. This report builds on the Information security in third party
relationship management report, which includes a four-step process (identify, agree, validate and exit) for managing
multiple third parties from an information security perspective. The Securing cloud computing: addressing the seven
deadly sins report highlights the seven deadly sins – from a security perspective – that are commonly committed by
enterprises when deploying cloud services. It addresses the security of cloud services from a business standpoint,
providing detailed information on each of the sins and outlining an approach that enterprises can adopt to address
them.

The Reporting information risk report provides Members with easy-to-follow guidance on reporting information risk
efficiently and effectively in their enterprises by:

• setting out a practical framework for establishing an effective and efficient information risk reporting capability
• explaining quantitative techniques that can be used for analysing and forecasting information risks
• presenting illustrative approaches to incorporate in a risk report (such as heatmaps, risk radars and risk treatment
tables)
• providing examples of security metrics mapped to the ISF’s risk types in IRAM to help Members monitor changes
in information risk ratings.

5c: Objective C: Provide information risk assurance

There are seven ISF tools that can be used to support Objective C: Provide information risk assurance as shown in
Table 9.

Table 9: Selected ISF tools and their suggested use in providing information risk assurance

ISF tool | Suggested use
IRAM tools and the Risk Analyst Workbench (RAW) | Manage, accept and treat information risk within risk boundaries
Benchmark; Security healthcheck | Measure and compare the performance of information security controls
Consumer device risk and control diagnostic | Analyse the use and risks associated with consumer devices in an enterprise
External supplier baseline maturity assessment tool (BMAT) | Assess the maturity of an external supplier’s baseline information security arrangements at a governance level (BMAT tells you how good the external supplier’s arrangements are)
Third party security assessment tool (TPSAT) | Evaluate an external supplier’s baseline information security arrangements in detail (TPSAT tells you if a control is present in the external supplier’s arrangements)

Summary

The objective of providing assurance covers a wide range of activities, from risk assessment to programme
implementation and external supplier evaluation.

Having discussed the three objectives individually, the next part of the report examines reporting associated with ISG.

Part 6: Monitoring and reporting on ISG

Overview

A key feature of ISG is oversight and review of how information security is delivered across the enterprise. ISG
can be used to integrate information security reporting with that of other functions (such as finance or IT) so that
senior management is presented with information in a familiar style and language. Such presentation will allow better
comparison of risks, governance and compliance measurements enterprise-wide.

This section examines how the ISG framework can be used to generate reports that are evidence-based, factually
accurate, business-focused, and that demonstrate the value and benefit of both ISG and information security in
general.

Monitoring

Security data is produced (often automatically) by business and security applications, computer systems and network
devices. It is typically voluminous and very detailed, requiring processing (such as normalisation, aggregation and
analysis) before it can be interpreted and used as metrics. Security metrics are traditionally used by operational
staff, such as system administrators, network engineers and information security specialists. Security metrics add value
to the enterprise by providing the underlying data set upon which key performance indicators (KPIs) are based.
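The processing chain described above (raw security data normalised, aggregated and then rated as a KPI) as an added Python example; it is not code from the ISF report or from any ISF tool. The two input formats, their field names, the category mappings and the green/amber/red thresholds are constructed for illustration; the three incident categories (Virus, Hacking, DOS) are taken from the "Recorded incidents per month" chart in Figure 20 below.

```python
# Added example (not from the ISF report): turning raw, heterogeneous security
# data into a monthly metric and a traffic-light KPI. Both input formats, all
# field names and the thresholds are constructed for illustration.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input 1: syslog-style lines from a gateway appliance.
GATEWAY_LOG = """\
2011-01-14T09:12:03Z gw01 event=malware_blocked src=10.0.8.21 sig=W32.Sample
2011-01-20T17:45:10Z gw01 event=malware_blocked src=10.0.8.30 sig=W32.Sample
2011-02-02T03:01:55Z gw02 event=dos_detected src=203.0.113.9 pps=120000
2011-02-17T11:27:48Z gw01 event=malware_blocked src=10.0.9.4 sig=JS.Sample
2011-02-23T22:14:09Z gw02 event=intrusion_attempt src=198.51.100.7 dst_port=22
"""

# Constructed sample input 2: incident tickets exported from a ticketing tool,
# with its own field names, category vocabulary and date format.
TICKETS = [
    {"id": "INC-0041", "opened": "15/01/2011", "type": "Unauthorised access"},
    {"id": "INC-0042", "opened": "28/01/2011", "type": "Virus infection"},
    {"id": "INC-0047", "opened": "09/02/2011", "type": "Unauthorised access"},
    {"id": "INC-0051", "opened": "21/02/2011", "type": "Denial of service"},
]

# Normalisation: map each source's own vocabulary onto the report's three
# reporting categories (Virus, Hacking, DOS) from Figure 20.
GATEWAY_EVENT_MAP = {"malware_blocked": "Virus", "dos_detected": "DOS",
                     "intrusion_attempt": "Hacking"}
TICKET_TYPE_MAP = {"Virus infection": "Virus", "Unauthorised access": "Hacking",
                   "Denial of service": "DOS"}


def normalise_gateway(log_text):
    """Yield (month, category) pairs from gateway log lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()                     # timestamp, host, key=value...
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        category = GATEWAY_EVENT_MAP.get(kv.get("event"))
        if category is None:
            continue                              # not a reportable incident type
        yield ts.strftime("%Y-%m"), category


def normalise_tickets(tickets):
    """Yield (month, category) pairs from ticket records."""
    for t in tickets:
        ts = datetime.strptime(t["opened"], "%d/%m/%Y")
        category = TICKET_TYPE_MAP.get(t["type"])
        if category is None:
            continue
        yield ts.strftime("%Y-%m"), category


def aggregate(events):
    """Aggregate normalised events into {month: {category: count}}, months sorted."""
    table = defaultdict(Counter)
    for month, category in events:
        table[month][category] += 1
    return {m: dict(c) for m, c in sorted(table.items())}


def traffic_light(count, amber_at, red_at):
    """KPI rating: green below amber_at, amber below red_at, otherwise red."""
    if count >= red_at:
        return "red"
    if count >= amber_at:
        return "amber"
    return "green"


def trend(current, previous):
    """Direction of change against the previous month."""
    if previous is None:
        return "n/a"
    return "up" if current > previous else "down" if current < previous else "flat"


def monthly_kpi(table, amber_at=3, red_at=5):
    """One KPI row per month: total incidents, trend and traffic-light rating."""
    report, previous = [], None
    for month, counts in table.items():
        total = sum(counts.values())
        report.append({"month": month, "total": total,
                       "trend": trend(total, previous),
                       "rating": traffic_light(total, amber_at, red_at)})
        previous = total
    return report


if __name__ == "__main__":
    events = list(normalise_gateway(GATEWAY_LOG)) + list(normalise_tickets(TICKETS))
    table = aggregate(events)
    for row in monthly_kpi(table):
        print(row["month"], table[row["month"]], row["total"], row["trend"], row["rating"])
```

The per-category counts are the data behind a "Recorded incidents per month" chart, while the total, trend and rating are the KPI a senior audience sees; keeping both avoids the aggregation risk noted later in this part, because the detailed figures remain available behind the consolidated one.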

In addition to security metrics, there are other measures of relevance to the security function which can be grouped
into financial and non-financial measures.

Financial measures

Approaches such as return on investment, return on security investment and payback can be used to capture the
costs and benefits (such as savings and revenue or profit generation) associated with a security initiative. These can be
combined with expected management approaches such as delivery to budget, monthly financial comparison between
actual and budget costs, and review of expenses.

Non-financial measures

Non-financial benefits of investment in security can include:

• keeping information secure
• enabling the business to experiment with or adopt new technologies or ways of working securely
• reducing the number of incidents and/or their impact
• delivering, supporting or enabling projects to time and quality
• protecting or enhancing enterprise reputation
• increasing staff morale, experience or knowledge
• complying with local laws and regulations
• increasing customer satisfaction.

Such benefits may indirectly lead to increased financial return, but are usually difficult to quantify and therefore fall
under the heading of non-financial or intangible benefits. Benefits may be presented using quantitative and qualitative
measures.


“The real output of ISG is intangible – it’s confidence. Confidence in you, your function and what you
do. If senior management has confidence and believes in you, it’s a major step forward.”

Measuring benefits in practice

The project questionnaire indicated that respondents used a range of measures to demonstrate the benefit of
ISG. The top five measures used by Members are:

• Greater involvement of information security in business projects
• Reduction in number and/or severity of audit findings
• Increased favourable perception of information security
• Feedback from senior management
• Measured progress against strategy (such as meeting objectives and timescales).

Interestingly, measures such as return on investment or return on security investment of projects, increased staff
qualifications, and quantification of risk such as value at risk, residual risk or business impact were much less used.
The findings indicate that many respondents to the project questionnaire currently use qualitative measures to
demonstrate the benefit of ISG.

Reporting

Reporting can be used to assess the state of ISG and how much value it is delivering to the enterprise; it can also
be shared with decision-makers as part of regular reporting cycles. Such reporting typically uses key performance
indicators and key risk indicators, which are discussed in the following paragraphs.

The selection, agreement and presentation of reporting measures are complex processes, which this report
does not cover in detail.

Key performance indicators (KPIs) for information security are used to measure and report against targets associated
with information security. KPIs are typically used for reporting on business performance to senior management. They
should convey details relating to targets of particular interest to each audience, and be clear, concise and limited to
four or five in number.

“Beware of aggregation risks (for example losing important information when consolidating figures) when
creating and presenting your reporting at any level.”

In the context of ISG, KPIs can be used to:

• show that the information security function is delivering value to stakeholders
• highlight progress in achieving information security strategic goals
• demonstrate the provision of information risk assurance.

Typical drivers for using key performance indicators can be grouped into the three objectives of the ISF framework
for ISG as shown in the figure below.


A. DELIVER VALUE TO STAKEHOLDERS
• Are we satisfying stakeholder requirements?
• Are we enhancing productivity and efficiency?
• How many business initiatives have we enabled and supported?

ISG KPIs

B. ACHIEVE STRATEGIC GOALS
• How many information security related initiatives have we delivered?
• How aligned are we to business strategy?
• How well do the enterprise and information risk appetites match?

C. PROVIDE INFORMATION RISK ASSURANCE
• What is the level of adherence to internal standards and policies?
• How compliant are we with external requirements?
• What is the status of information risk in the enterprise?

Figure 19: Drivers for using key performance indicators

The figure highlights how KPIs can be grouped under the three objectives.

Each enterprise and information security function will have its own KPIs, along with KPIs shared with the business,
such as those concerned with financial reporting. The CISO will need to work with the audiences for KPIs to define
what is relevant and determine the manner in which KPIs should be presented.

Key risk indicators (KRIs), as defined in the ISACA Risk IT framework, are measures capable of showing that
the organization is subject to or has a high probability of being subject to a risk that exceeds the defined risk
appetite. They are thus different from KPIs, which measure how well something is being done.

“You need leading and lagging measures. In this context, key risk indicators are lead indicators, key
performance indicators are lag indicators.”

The results of internal and external audits can also be expressed as KPIs and are usually focused around the
number of audit points raised and how quickly they are closed.

KPIs in practice

Members use a wide range of KPIs in their ISG, as revealed by the case studies and project questionnaire, including:

• degree of compliance
• protection performance (such as number of viruses stopped at the firewall, number of port scans, number of
incidents and intrusions)
• number of audit findings.

However, some Members used very different measures, such as:

• accessibility: how easy security documents were to read and then implement
• use: the degree to which security requirements, standards or guidelines were implemented as intended,
without interpretation or modification
• opinion: surveys of staff about their perception of information security.

The three examples in the second bulleted list above represent an attempt to move away from technical measures
towards more business- and output-focused measures.


Presenting reports

Determining how to report KPIs (and other information) involves liaising with members of each audience (such
as senior management, legal, operational risk, internal audit, compliance and physical security teams, functions or
groups). Individuals in other business functions should be consulted to understand how they report their KPIs and the
type of response they receive from each recipient.

Based on this consultation, the decision about which KPIs to report should be taken. KPIs for information security can
be presented using a combination of methods, in a clear, easy to understand and concise manner. The figure below
illustrates common visual reporting methods.

[Figure 20 panels: Traffic lights (red, amber, green); Dashboard; Balanced scorecard; Charts/trends, illustrated by a line
chart titled "Recorded incidents per month" plotting Number (0 to 250) against Time (January, April, July and October
over several years) for the categories Virus, Hacking and DOS]

ISF resource: Information Security Metrics: SIG report and ISF Briefing: Key performance indicators for information security

Figure 20: Some visual methods of presenting KPIs

Each of the visual methods presented here has advantages and disadvantages. Typically, visual methods are not used
on their own, but are combined with text and tabulated data.

“ISG needs tools such as a dashboard; it also needs a control framework and measures.”

Related ISF deliverables

The Return on Security Investment (ROSI) - Workshop Report assists Members to understand the main issues associated
with return on security investment and its use. The report does this by providing:

• an introduction to the topic
• definitions for return on investment for security and ROSI
• a description of the business problems associated with ROSI
• an approach for using ROSI in Member organisations
• links to other ISF projects and data, which may be of use in calculating ROSI.


At the control framework level, Information security metrics: SIG report can be used to help understand the main
issues associated with the selection, use and presentation of information security metrics, and how these issues can
be overcome.

Reports which look at various aspects of reporting include Monitoring compliance, Information security assurance,
Reporting information risk and the ISF Briefing: Key performance indicators for information security. These deliverables
provide Members with practical insights on measuring and reporting the performance of information security.

Summary

Information security metrics, KRIs and KPIs, along with audience-specific presentation methods, can be used to report
on the status and successes of ISG on a regular basis.

The next section examines the future of ISG and looks at the efforts undertaken by the ISO and the ISF to reflect
information security governance in standards.

Part 7: Where next for ISG?

Overview

ISG is an evolving concept and is yet to be fully implemented across all surveyed Member and non-Member enterprises.
To assist in the further development of ISG, this section will look to the future of ISG and provide recommendations
for the next version of the ISF 2011 Standard of Good Practice and ISO/IEC 27014.

Development of ISG

The publication of ISO/IEC 27014 will provide the information security profession with a yardstick against which to
judge their ISG. It is likely that ISG in enterprises will evolve to reflect the ISO standard and that there will be calls to
further develop that standard to meet the specific requirements of industry sectors and/or countries. The practical
application of the standard will lead to feedback from individuals and enterprises to the ISO asking for changes,
additions and amendments to the text.

Once the ISO standard is released, consulting organisations will offer services around ISG, including implementation
and assurance, each with their own unique angle. The availability of the standard may also spur more academic
research into ISG.

All of these developments may lead to a vibrant future for ISG, where it becomes business as usual. As part of this
development, the ISF will be suggesting updates for the ISF 2011 Standard of Good Practice and ISO/IEC 27014.

Updating the Standard of Good Practice

With the release of the 2011 Standard of Good Practice, the ISF has moved to a yearly update cycle for this flagship
document, helping to make the content even more timely, practical and relevant to Members.

The ISG project will contribute to the 2012 update cycle, by offering the following as input:

• revise the topic titles in SG2 Security Governance Components to match Objective A: Deliver value to stakeholders,
Objective B: Achieve strategic goals and Objective C: Provide information risk assurance presented in this report
• perform a gap analysis between the ISG framework in this report and the areas and topics in SG1 and SG2
• add a section covering the creation and role of the ISG board
• incorporate the ISF framework for ISG, described in this report, into the 2011 Standard of Good Practice.

Enhancing the draft of ISO/IEC 27014

The ISF has liaison status (category C) with the ISO SC27 steering group which is responsible for overseeing
development of the ISO 27000 suite of information security related standards. This enables the ISF to represent
Member needs and influence enhancement of existing, and development of new, ISO standards.

Based on this report, the following high-level recommendations and suggestions will be put forward to the ISO:

• change the order of the objectives to place value delivery first
• link the objectives, outcomes and principles together, so that the reader can understand how implementing one
of these will support or affect the other objectives, outcomes and principles
• review the objectives and activities identified by the ISF in this report, and where appropriate, incorporate them in
the ISO standard.

The ISF Global Team will submit detailed written comments and amendments, based on the findings of this report,
for consideration by the editors of ISO/IEC 27014 in September 2011. A copy of these comments will be made
available to Members on MX.

Future ISF work

The ISF can actively contribute to the debate and evolution of ISG, through Member input, the development and
publication of the 2011 Standard of Good Practice and work with ISO. The project implementation space on MX
can be used to start this debate and create a community of practitioners and experts to discuss and propose
enhancements to ISG.

The analysis of Benchmark data may yield new insights into the topic and suggest further enhancements to the 2011
Standard of Good Practice. Additionally, the ISF could work with its academic partners, making available research and
results from those institutions.

Concluding remarks

ISG is the direction and oversight of information security-related activities across an enterprise by senior
management. The ISF framework for information security governance has three objectives: deliver value to
stakeholders, achieve strategic goals and provide information risk assurance. The following diagram presents the
complete ISG framework presented in this report.

INFORMATION SECURITY GOVERNANCE

A. DELIVER VALUE TO STAKEHOLDERS
A1. Improve effectiveness and efficiency
A2. Meet stakeholder requirements
A3. Enable business initiatives
A4. Integrate with enterprise processes

B. ACHIEVE STRATEGIC GOALS
B1. Execute strategic objectives
B2. Set and refine information risk appetite
B3. Sustain buy-in and commitment
B4. Maintain security requirements

C. PROVIDE INFORMATION RISK ASSURANCE
C1. Oversee assurance programme
C2. Implement risk assessment
C3. Ensure compliance
C4. Manage supply chain risk
C5. Monitor and report on assurance

Figure 21: The ISF framework for ISG, objectives and activities for information security governance

The framework, the three objectives and the activities align with the major published works on ISG, including the
ISF 2011 Standard of Good Practice and the draft ISO/IEC 27014 Information technology – Security techniques –
Governance of information security.

In summary, ISG provides a way to turn the aspiration of delivering high-value, enterprise-focused information security
into a reality.

“ISG is perfect because it helps you set the agenda with boards.”


Appendix A: Information security governance diagnostic tool

Overview

Members can use the spreadsheet-based diagnostic tool to stimulate thought and debate about ISG and how it is
implemented and managed in their enterprise. The diagnostic allows Members to:

• compare their ISG against the framework presented in this report
• identify gaps or areas requiring enhancement
• assess the maturity of their ISG against a five-level model (based on the Carnegie Mellon Software Engineering
Institute Capability Maturity Model, http://www.sei.cmu.edu/cmmi/start/, described later in this appendix)
• initiate a programme to close any gaps between the required and actual status of ISG.

The diagnostic is designed as a simple, easy-to-complete tool, which provides a common language and terminology
and which is capable of enhancement over time via feedback and the use of metrics. It offers a fact-based analysis of
the current maturity of ISG in an enterprise.

The diagnostic is a Microsoft Excel-based tool with eight worksheets, listed below.

Table A1: Worksheets in the ISG diagnostic

Sheet number | Sheet title | Description
1a | User guide | Explains briefly how to complete the diagnostic
1b | User guide - process | Highlights the steps to complete the diagnostic
2 | Maturity model | Describes the five-level maturity model used in this diagnostic
3 | ISG assessment | Probes the 13 activities that make up the ISF framework, grouped by the three objectives
4 | Results weighting | Allows the user to weight the 13 activities to produce an overall score for each objective
5a | Score chart | Presents the results of the assessment using a bar chart
5b | Maturity radar chart | Presents the results of the assessment using a radar chart
6 | Assessment results template | Presents the results of the assessment using a pre-formatted template
7 | Preparatory actions checklist | Provides a list of actions, taken from the ISG report, that Members can use when preparing to implement ISG
8 | ISG enhancement plan | Provides a table to list actions required to address any gaps or enhance ISG, based on the assessment results

The diagnostic can be completed in a reasonably short time, either electronically or on paper, as the user only has
to answer 13 questions on Sheet 3 ISG assessment and fill in four boxes on Sheet 8 Assessment results template.
Those responsible for completing the diagnostic should select the answer that best matches the enterprise’s actual
or perceived state; if two options seem appropriate, select the one closest and make a note of the reasoning behind
that selection. The process or sequence to complete the diagnostic is shown below:


STEP 1: Complete sheet 3 ISG assessment (M)
STEP 2: Change weightings on sheet 4 Results weighting (O)
STEP 3: Complete sheet 6 Assessment results template (M)
STEP 4a: Define actions using sheet 7 Preparatory actions checklist (O)
STEP 4b: Complete sheet 8 ISG enhancement plan (O)

O = Optional
M = Mandatory

Figure A1: ISG diagnostic process

The following screenshots highlight the input sheet (Sheet 3 ISG assessment) and the output sheet (Sheet 8
Assessment results template).

Figure A2: Screenshots of the ISG diagnostic

There is no right answer: the diagnostic does not assign a score to any of the options presented, rather
it presents a level of maturity. The optimum answer is the one most appropriate to the enterprise and the
circumstances of ISG within that organisation. Completing the diagnostic in a rigorous, objective manner
will maximise the benefit of the exercise.


Information security maturity model

An information security maturity model (ISMM) is typically set out as a scale of five or six increasing levels of maturity,
supplemented by clear descriptions of capability or characteristics for each level that are demonstrated by information
security in an enterprise. An ISMM is sometimes supplemented with an assessment diagnostic, which provides a series
of tests or questions that assist an enterprise to determine its maturity.

Further information on maturity models can be found in the ISF Briefing Paper: Information security maturity
models available on the ISF’s Member Exchange (MX) system.

Table A2 provides statements of capability across the five levels of maturity:

Table A2: Description of maturity levels

Maturity level | Description
Non-existent | Nothing is in place
Initial or ad hoc | There are piecemeal efforts to perform activities and processes in a standard manner, often uncoordinated. Activities and processes are not standardised or not applied consistently across the enterprise
Repeatable | Activities and processes are standardised or applied consistently across the majority of the enterprise; some measurement and reporting may occur
Managed | Activities and processes are standardised and applied consistently, monitored and measured across the enterprise. Reporting occurs and some degree of automation may occur
Optimised | Activities and processes are consistent across the enterprise. Feedback loops provide improvement on a regular basis. Where possible, activities and processes are automated, with real-time reporting

Enhancing the diagnostic

The diagnostic presented here, while built on real-world experience and insight, represents only the first step in
providing information security and businesses with the tools that can be used to examine ISG maturity in a consistent
manner. As Members use the diagnostic, practical experience will yield new insights and ideas for improvement to
the diagnostic and the ISF framework for ISG.

The project team encourages and welcomes feedback on and suggestions for improvements to the diagnostic.
Contributions such as case studies, examples highlighting how the diagnostic has been used and completed profiles
are also invited. Input of this kind from Members will provide a rich bank of experience for other diagnostic users to
draw upon and will offer valuable insights into how the diagnostic could be developed further.

Please send your comments, contributions and suggestions to info@securityforum.org.

Appendix B: Aligning ISF and other ISG frameworks

Overview

This appendix describes the five ISG frameworks examined in the project research and mentioned previously in this
report, namely:

• ISO/IEC 27014 Information technology – Security techniques – Governance of information security
• IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive
Management (2nd edition)
• Da Veiga and Eloff, An Information Security Governance framework
• Carnegie Mellon, Governing for Enterprise Security (GES) Implementation Guide
• Committee of Sponsoring Organisations of the Treadway Commission (COSO), Enterprise Risk Management
framework.

The appendix provides a high-level comparison with the ISF framework for ISG.

ISO/IEC 27014 Information technology – Security techniques – Governance of information security (Draft)
(http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43754)

This is described in detail in Part 3: Preparing for information security governance and, as a result, only a summary is
presented in this Appendix. Sections 4 Concepts and 5 Principles and processes are of great relevance to this work, and
a summary of the most relevant sections in the current draft of ISO/IEC 27014 (September 2011) is presented here.
Six principles are presented in the draft:

1. Establish enterprise-wide security
2. Adopt a risk-based approach
3. Set the direction of investment decisions
4. Ensure conformance with internal and external requirements
5. Foster a security-positive environment
6. Review performance in relation to business outcomes.

Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd edition)
(http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Governance-Guidance-for-Boards-of-Directors-and-Executive-Management-2nd-Edition.aspx)

This report, published by the IT Governance Institute, presents five pillars of ISG:

• Strategic alignment of information security with business strategy to support enterprise objectives
• Risk management through the execution of appropriate measures to manage and mitigate risks and reduce
potential impacts on information resources to an acceptable level
• Resource management by utilising information security knowledge and infrastructure efficiently and effectively
• Performance measurement by measuring, monitoring and reporting robust and auditable information security
governance metrics to ensure that enterprise objectives are achieved
• Value delivery by optimising information security investments in support of the enterprise’s objectives.


Da Veiga and Eloff: An Information Security Governance framework
(Da Veiga, A. and Eloff, J. H. P. (2007) ‘An Information Security Governance Framework’, Information Systems
Management, 24(4), 361–372)

This is an academic work, which has three high-level categories: strategic; managerial and operational; and technical,
all underpinned by change management. Each of the three categories is further broken down into sub-categories and
information security components, as shown below:

Table B1: The categories, sub-categories and components of the Da Veiga and Eloff ISG framework

Category | Sub-category | Information security component
Strategic | Leadership and Governance | Sponsorship; Strategy; IT Governance; Risk assessment; ROI/metrics/measurement
Managerial and Operational | Security management and enterprise | Program organisation; Legal and regulatory
Managerial and Operational | Security policies | Policies; Procedures; Standards; Guidelines; Certification; Best practice
Managerial and Operational | Security program management | Monitoring and audit; Compliance
Managerial and Operational | User security management | User awareness; Education and training; Ethical conduct; Trust; Privacy
Technical | Technology protection and operations | Asset management; System development; Incident management; Technical operations; Physical and environmental; Business continuity

Carnegie Mellon Governing for Enterprise Security (GES) Implementation Guide
(http://www.cert.org/work/organizational_security.html)

This three-part work presents eleven characteristics of effective security governance, which are intended to answer
the question “How would I know effective security governance if I saw it?” The characteristics are:

1. An Enterprise-wide Issue
2. Leaders are Accountable
3. Viewed as a Business Requirement
4. Risk-based
5. Roles, Responsibilities, and Segregation of Duties Defined
6. Addressed and Enforced in Policy
7. Adequate Resources Committed
8. Staff Aware and Trained
9. A Development Life Cycle Requirement
10. Planned, Managed, Measurable, and Measured
11. Reviewed and Audited.


Part 3: Enterprise Security Governance Activities, provides four categories of activities that can be used to develop and
sustain an enterprise security programme: governance; integration and operations; implementation and evaluation;
and capital planning and review.

Committee of Sponsoring Organisations of the Treadway Commission (COSO) Enterprise Risk Management
(http://www.coso.org/ERM-IntegratedFramework.htm)

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) published this framework. It
defined enterprise risk management (ERM) as a process, effected by an entity’s board of directors, management and
other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect
the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.

The report presents objectives, ERM components and entity units (such as function, division or business unit) and
their relationship using a cube, nicknamed the ‘COSO cube’, as shown below:

Figure B2: The COSO

Comparison of frameworks

The following table compares the major published ISG frameworks with the ISG objectives and activities presented
in the report at a high-level.

Table A-2: Comparison of published ISG frameworks

Columns run from greatest information security focus (left) to least information security focus (right).

| ISF framework for ISG components (objective and activities) | ISO/IEC 27014 principles (draft) | ITGI pillars | Da Veiga and Eloff – ISG Framework | Carnegie Mellon Enterprise Security Governance Activities | COSO cube |
|---|---|---|---|---|---|
| Objective: Deliver value to stakeholders | | | | | |
| Improve effectiveness and efficiency | Set the direction of investment decisions | Resource management | Security management and enterprise | No match identified | No match identified |
| Meet stakeholder requirements | Set the direction of investment decisions | No match identified | Leadership and Governance | No match identified | No match identified |
| Enable business initiatives | Set the direction of investment decisions | No match identified | No match identified | No match identified | No match identified |
| Integrate with enterprise processes | Establish enterprise-wide security | Strategic alignment | No match identified | Governance | No match identified |
| Objective: Achieve strategic goals | | | | | |
| Execute strategic objectives | Set the direction of investment decisions | Strategic alignment | Leadership and Governance | No match identified | Objective setting |
| Set and refine information risk appetite | Adopt a risk-based approach | Risk management | No match identified | No match identified | Risk assessment; Risk response |
| Sustain buy-in and commitment | Set the direction of investment decisions | No match identified | Leadership and Governance | Governance | No match identified |
| Maintain security requirements | Review performance in relation to business outcomes | No match identified | Security policies | No match identified | No match identified |
| Objective: Provide information risk assurance | | | | | |
| Oversee assurance programme | Ensure conformance with internal and external requirements | No match identified | No match identified | No match identified | No match identified |
| Implement risk assessment | Adopt a risk-based approach | Risk management | Leadership and Governance | Governance | Risk assessment; Risk response |
| Ensure compliance | Ensure conformance with internal and external requirements | No match identified | Security management and enterprise | Governance | No match identified |
| Manage supply chain risk | Establish enterprise-wide security | No match identified | Security program management | Integration and operations | Compliance |
| Monitor and report on assurance | Review performance in relation to business outcomes | Value delivery | Leadership and Governance | Integration and operations; Capital planning and review | No match identified |

The table presents the likely coverage and comparison between the ISF framework for ISG and the draft
ISO/IEC 27014 standard. The comparison shown in the table is at a high level and may change in the future.

Appendix C: Prepare and plan actions: the checklist
Overview

The following checklist will assist Members in their preparation and planning for ISG implementation. It is based on
the actions presented in Parts 3 and 4 of this report.

Each action is broken into tasks; the sub-task(s) are phrased as questions to be marked complete.

PREPARE

Step 1: Evaluate the status of information security in the enterprise
• Task: Understand how the enterprise works and delivers value
  Sub-task(s): Value drivers for enterprise understood?
• Task: Recognise how information security is adding value to the enterprise
  Sub-task(s): Information security contribution identified?

Step 2: Review information security strategy and objectives
• Task: Perform a gap analysis to understand how and where information security, its strategy and ISG can be enhanced
  Sub-task(s): Gap analysis of information security, strategy and ISG performed?
• Task: Review and if necessary update the enterprise’s information security strategy
  Sub-task(s): Information security strategy reviewed? Information security strategy updated?

Step 3: Understand published ISG frameworks
• Task: Review current frameworks
  Sub-task(s): Current frameworks reviewed and examined?
• Task: Compare the in-place ISG framework to other, published, frameworks
  Sub-task(s): Comparison complete and gaps highlighted?

Step 4: Assess ISG in the enterprise
• Task: Complete the ISF Information security governance diagnostic tool (see Appendix A)
  Sub-task(s): Assessment complete?
• Task: Use the STARS model to decide which business phase ISG is in (see Appendix D)
  Sub-task(s): Business phase diagnosed by STARS?
• Task: Discuss the results with senior managers and agree a way forward
  Sub-task(s): Discussion held? Outcomes recorded?

PLAN FOR IMPLEMENTATION

Step 1: Describe information security governance framework
• Task: Identify, link to and (where possible) reuse the other governance frameworks in use
  Sub-task(s): Other governance frameworks identified? Links established to those frameworks?
• Task: Use and if necessary adapt the ISF framework for ISG as the blueprint for ISG in the enterprise
  Sub-task(s): ISF framework reviewed? ISF framework adopted?
• Task: Position ISG in relation to the enterprise, its governance framework and operations
  Sub-task(s): ISG positioning identified?
• Task: Set terms of reference for ISG
  Sub-task(s): ISG terms of reference set?
• Task: Define roles and responsibilities for individuals involved in ISG
  Sub-task(s): ISG roles and responsibilities delineated?
• Task: Provide a clear statement of the benefits of ISG and the timeframe in which delivery will occur
  Sub-task(s): ISG benefits plan developed?

Step 2: Identify and engage your stakeholders
• Task: Use stakeholder mapping to determine the power and influence of stakeholders
  Sub-task(s): Stakeholder groups identified? Stakeholder map created?
• Task: Develop a plan to manage and communicate with stakeholders as appropriate, using the results of the stakeholder mapping exercise
  Sub-task(s): Communication plan to stakeholders developed?
• Task: Obtain senior management support
  Sub-task(s): Executive sponsor identified? Executive sponsor actively involved?
• Task: Create an ISG board
  Sub-task(s): ISG board set up? ISG board members selected? Terms of reference agreed?

Step 3: Define what will be measured and how
• Task: Consult with the business to decide which measures will be used as output from ISG
  Sub-task(s): Output measures agreed with the business?
• Task: Identify the audiences and the methods of presentation for each
  Sub-task(s): Audiences identified for reporting? Audience-specific reporting styles and language identified?
• Task: Highlight how the measurements will drive improvements, increase maturity or enhance benefit
  Sub-task(s): Feedback loops identified? Improvement process defined?

Step 4: Gain approval to implement information security governance
• Task: Create a business case or similar document to gain stakeholder support and approval
  Sub-task(s): Business case created?
• Task: Market the vision for ISG to senior management
  Sub-task(s): Vision communicated? Vision accepted by senior management?
• Task: Communicate the business case to the relevant stakeholders
  Sub-task(s): Stakeholders informed of business case?
• Task: Obtain buy-in and approval from senior management for the implementation of the strategy and ISG
  Sub-task(s): Senior management approval obtained?
• Task: Produce a high-level project plan for ISG implementation, detailing delivery milestones
  Sub-task(s): High-level plan produced? Project plan produced?

Step 5: Prepare final implementation plan
• Task: Draw up detailed implementation plan, with milestones, resource requirements and review points
  Sub-task(s): Milestones in place? Resources identified and in plan? Project plan signed off?
• Task: Review the plan and the ISG framework on a regular basis
  Sub-task(s): Reviews scheduled? Reviews carried out? Actions agreed?


Appendix D: STARS model

Overview

The STARS model is a method of examining the condition of an enterprise, business unit, function, product, service
or strategy (also known as an entity). In the model, the entity under examination can be placed in one of four business
situations:

• Start-up
• Turn-around
• Realignment
• Sustain success.

The four business situations are related to each other, as the following diagram shows:

[Figure D1: The STARS model, showing the relationship of the four business situations. The diagram shows the four situations (Start-up, Turn-around, Realignment and Sustain success) as nodes, with transitions between them labelled Succeed and Fail.]

By deploying people, management time, money and other resources, the entity can move from one business situation
to another.

The STARS Model was created by Michael Watkins and is described in his book: The First 90 days: critical
success strategies for new leaders at all levels, Harvard Business Press 2003, ISBN 978-1591391104.

Using the STARS model in ISG implementation

In the majority of cases, an enterprise will have some form of ISG in place. This may not be recognised as such, or
brought together in an ISG framework. The challenge is then to recognise what is in place and how to build and
develop it to create a coherent ISG framework.

“I’ve used the STARS model to understand the situation the function is in – start-up, turnaround,
realignment and sustaining success – and then tailored my strategy, actions and communications to fit.”

When considering the implementation of ISG, the STARS model can assist the CISO in deciding the approach for
implementation. The following table summarises the four business situations and associated descriptions as well as
providing a link to ISG implementation.

Table D1: The STARS business situations and their relevance to ISG implementation

Start-up

Business situation and description:
• The resources and capabilities (people, funding, technology and process) to get a new business, business unit, function, product, service or strategy off the ground need to be assembled and directed to achieve objectives
• People may have high energy levels and motivation to succeed

Relevance to ISG implementation:
This is a rare situation – and may only be found in newly created enterprises that do not have an information security function. Communication with stakeholders and customers may be focused on achievements, objectives met and successes.

Turn-around

Business situation and description:
• The business, business unit, function, product, service or strategy is recognised as being in trouble; it may not be providing value to stakeholders or customers
• Resources and capabilities will be required to steady the environment and then put it back on track
• People may recognise that change is necessary – and may be motivated to make the change happen

Relevance to ISG implementation:
This may occur when a previous ISG implementation has failed, or a major incident has led to significant reputational damage and cost. Communication may be very important in this situation, to rebuild confidence and regain support. Successes and value created will receive greater attention than progress against objectives.

Realignment

Business situation and description:
• The business, business unit, function, product, service or strategy is drifting and disconnected from stakeholders, customers and other parts of the business; the value provided may be reducing
• Resources and capabilities will be required to reinvent the business
• People may not see why change is necessary and may not have the motivation

Relevance to ISG implementation:
Information security strategy and ISG may have diverged from the business strategy; or the business requirements may have changed. A key task will be to identify where divergence has occurred and propose how and where to address this change. Communication will be change-oriented, highlighting new initiatives, successes and value provided.

Sustain success

Business situation and description:
• Objectives are being met and value is being delivered
• Resources and capabilities are in place
• People may be strongly motivated to succeed

Relevance to ISG implementation:
This is typically the business as usual state. The challenge here is to improve the ISG and provide further value to stakeholders and customers. Communication will typically be focused on delivery against objectives, efficiency and effectiveness. Improvements and their contribution to the business will be highlighted.

In all four business situations, the actions listed in Parts 3 and 4 and Appendix C should be carried out. The STARS
model allows the CISO to tailor the actions and communications to best fit the business and increase the likelihood
of support for and success in implementation.


For a large text version of this document please contact the Information
Security Forum on +44 (0) 207 212 5128


Founded in 1989, the Information Security Forum is an
independent, not-for-profit association of leading organisations
from around the world. It is dedicated to investigating, clarifying
and resolving key issues in information security and developing
best practice methodologies, processes and solutions that meet
the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth
knowledge and practical experience drawn from within their
organisations and developed through an extensive research
and work program. The ISF provides a confidential forum and
framework, which ensures that Members adopt leading-edge
information security strategies and solutions. And by working
together, Members avoid the major expenditure required to
reach the same goals on their own.

For further information contact:

Tel: +44 (0)20 7213 1745


Fax: +44 (0)20 7213 4813
Email: info@securityforum.org
Web: www.securityforum.org

Reference: ISF 11 09 02. Copyright © 2011 Information Security Forum Limited. All rights reserved.
