Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Industry Organizations Issue Set of Twelve Information Security Principles

Industry Organizations Issue First Information Security Principles

Industry Organizations Issue First Information Security Principles

Three global security organizations have launched a set of information security principles designed to promote good practice in information security. The Information Security Forum (ISF), International Information Systems Security Certification Consortium (ISC)2 and ISACA have come together and developed 12 independent, non-proprietary principles that will help security practitioners respond more effectively in today’s complex, interconnected world.

The emerging role of information security in improved governance, regulatory compliance and risk assessment has prompted the need for clear, relevant guidelines.

The twelve principles the organizations say will help individuals support business objectives, manage their organizational risk and promote responsible security behavior are:

1. Focus on the business

2. Deliver quality and value to stakeholders

3. Comply with relevant legal and regulatory requirements

Advertisement. Scroll to continue reading.

4. Provide timely and accurate information on security performance

5. Evaluate current and future information threats

6. Promote continuous improvement in information security

7. Adopt a risk-based approach

8. Protect classified information

9. Concentrate on critical business applications

10. Develop systems securely

11. Act in a professional and ethical manner

12. Foster a security-positive culture

 “There are other standards and frameworks around like SOGP, COBIT and ISO27002, which are all aimed at organizations, but we were clear that we wanted these principles to be unique, practical and more like a code of conduct for individuals to adopt,” said Jason Creasey, Global Alliances Leader, ISF.

While information security has been added to many corporate agendas, the entire business—not just security practitioners—should be vigilant and responsive.

“The security profession has to break away from its roots as an IT-focused discipline. These principles are accessible to everyone working in information security whatever their qualification or affiliation. Security professionals and their stakeholders now have a common framework for truly risk-based security management that all will be able to identify with,” said John Colley, CISSP, Managing Director, EMEA, (ISC)2.

According to Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, member of ISACA’s Professional Standards Committee, “Because information security has become such an important business function, it is critical for information security professionals to develop sound business skills in addition to technical skills and knowledge. The information security principles provide a guide to help those in the security profession add value to their organizations by successfully supporting the business and promoting good practices. 

The principles are aimed at individuals working in information security, including those who develop, supply and manage security systems; influence legal or regulatory requirements for security; and educate tomorrow’s workforce. They have three categories—support the business, defend the business, and promote responsible security behavior. The principles are available for download here. 

In October, the ISACA also published the Business Model for Information Security (BMIS), an educational resource for security professionals and to provide comprehensive guidance that addresses the people, process, organization and technology aspects of information security. 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem