IT Management Blog: my thoughts about putting the "i" in IT

Information Security Governance Model

Based upon my experience at two organisations where I recently worked, I developed an information security governance model.

The key message is that you should detail the ISO 27001/27002 controls not only at the corporate level but also for each operational team (a group of people with similar expertise), so that people on the work floor know what their responsibilities are. In the end, they are the ones who actually implement and execute the security measures. Corporate-level controls are generally still too abstract for the people on the work floor, and not all controls apply to them.

Common mistakes in security governance
  • Security is seen as something that belongs to the security officers; the security officers are expected to design the objectives for the security controls
    • Even if there were no security officers, the organization should still be in control of its security.
    • Security is too big, too widespread and relies on too many business and technical skills for security officers to cover it all; the only way to deal with it is to make sure that the business and technical specialists know their responsibilities and deal with security risks.
  • Security responsibility is assigned to a single manager only (or to managers only)
    • Many security issues relate to low level, technical and sometimes very complex issues; the managers generally lack the knowledge to recognise risks or specify which control measures to take.
    • Employees do not know what their responsibilities are.
  • ISO 27001/27002 control objectives are specified on the corporate or division level only.
    • This gives insufficient guidance to the people on the work floor; you need to specify control measures in such a way that employees know what their responsibilities are.
  • Reliance on audits or security officers for the C (check) of the PDCA.
    • Operational teams should do their own checks and team managers should use these for their Act and Plan; audits and security officers' checks should be additional; team managers should be in control.

Consequences / symptoms
  • Security officers are forcing solutions onto the operational teams or are implementing solutions themselves.
  • Security officers are alerting management to risks, but management does not know what to do with them and therefore forgets or ignores them.
  • Unnecessary conflicts between security officers and operational teams.
  • Security controls are implemented in a rush just before an audit.
  • Audit issues have been assigned to managers but tasks have been watered down so much that at the operational level nothing happens.
  • Everyone is responsible, so no one is responsible.
  • Managers have been assigned a responsibility but have no mandate to get things done in other teams where various aspects of the measure have to be implemented. The implementation of the control therefore stalls.
  • Issues have become so urgent that security officers get the attention of the CEO, who forces a control to be put in place urgently, disrupting business and IT operations.
  • Decisions are made based upon emotion instead of rational analysis of risks.

The governance model in summary
  • Organise the PDCA cycle not only at the corporate level but also at the divisional and operational levels.
  • Formulate the ISO controls for each operational team and define what their specific security responsibilities are. Let the teams do a periodic self-assessment supported by security specialists.
  • Organise a periodic management review at the divisional level. The team managers bring the reports from their own teams and appropriate actions are formulated. Projects might need to be started, so you will probably end up with a security programme of projects.
  • Because multiple teams can have a responsibility relating to a specific ISO control, someone must make sure that the sum of all those responsibilities adds up to the total that the organisation needs. The execution between teams might also need to be coordinated. For that you can group ISO controls into processes and assign a process manager to coordinate all the controls per process. One way to group the ISO controls is according to the ITIL processes.

I have detailed the model in a PowerPoint presentation. If you are interested in the model, please contact me on and I will send this to you.