This paper demonstrates that information security is more than a technical issue, through the development of an information security responsibility framework that also takes strategic and legal issues into consideration. It is important that information security be viewed as both a governance challenge and a management responsibility. To achieve this, the paper addresses information security governance and the board's participation in directing and controlling security efforts. Furthermore, information security management is addressed in order to demonstrate how information security should be implemented. Once a comprehensive picture of the information security function has been established, the roles of various individuals in terms of information security are discussed and mapped out in the responsibility framework in order to demonstrate the true scope of an organization's information security function.

Key words

Corporate Governance; Information Security Governance; Information Security Management; Responsibility; Accountability

Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Shaun Posthumus (1)
  • Rossouw von Solms (1)

  1. Nelson Mandela Metropolitan University, South Africa