New ISACA Business Model for Information Security Fills Gap

Rolling Meadows, IL, USA: Effectively managing information security is more critical than ever, yet—until now—there have been no comprehensive models to guide security professionals. To fill the gap, ISACA has developed the new Business Model for Information Security. Released recently, An Introduction to the Business Model for Information Security outlines the model and provides a case study using its guidance. The guide is available as a free download at

“Information security managers spend too much of their time reacting and applying short-term, technology-focused fixes to rapidly changing threats and regulatory and technological environments,” said Jo Stewart-Rattray, chair of ISACA’s Security Management Committee. “These solutions are deficient because many security weaknesses result from poor governance, a dysfunctional culture or untrained staff—all aspects that ISACA’s Information Security Model addresses.”

The model can be used in enterprises of all sizes and with any other information security framework already in place. It is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems. It includes traditional information security, and also privacy, and linkages to risk, physical security and compliance.

ISACA, a nonprofit association that serves more than 86,000 information security, assurance and IT governance professionals, based the model on the Systemic Security Management framework developed by the Institute for Critical Information Infrastructure Protection (ICIIP), which was formed by the Marshall School of Business of the University of Southern California (USA).

“This is ISACA’s first step in transforming the theoretical model into a practical tool that can be used by information security practitioners to unify security initiatives with the business mission,” said Kent Anderson, member of ISACA’s Security Management Committee. “The ISACA model is valuable guidance because it takes a strong business-oriented approach, focusing on people and processes rather than on technology.”

An Introduction to the Business Model for Information Security is the first in a series of publications related to the model. Later this year, ISACA will release a practitioner’s guide and an executive’s guide.

With more than 86,000 constituents in more than 160 countries, ISACA ( is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by more than 10,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

Neil Stinchcombe, EskenziPR