The ISACA Business Model for Information Security: An Integrative and Innovative Approach

  • Rolf von Roessing


In recent years, information security management has matured into a professional discipline that covers both technical and managerial aspects in an organisational environment. Information security is increasingly dependent on business-driven parameters and interfaces to a variety of organisational units and departments. In contrast, common security models and frameworks have remained largely technical. A review of extant models ranging from [LaBe73] to more recent models shows that technical aspects are covered in great detail, while the managerial aspects of security are often neglected. Likewise, the business view on organisational security is frequently at odds with the demands of information security personnel or information technology management. In practice, senior and executive-level management remain comparatively distant from technical requirements. As a result, information security is generally regarded as a cost factor rather than a benefit to the organisation.

ISACA’s Business Model for Information Security (BMIS) has been developed to address the weaknesses in existing models. It addresses information security primarily from a management perspective, by placing it in the context of a functioning, profit-oriented organisation. The model further outlines approaches and key organisational factors influencing the success or failure of security. The paper presents the BMIS in its entirety, and reflects on the individual components and their significance for information security. It will be shown that the current framework for the BMIS can interface with existing models as well as common control frameworks and international standards. The paper will demonstrate that the complete integration of information security with business is an essential prerequisite to overcoming the technical restrictions and managerial disadvantages often experienced in the past. In relating some of the aspects of BMIS to typical incidents and security violations, the paper will conclude by presenting an outlook on practical BMIS use and addressing typical security risks by means of the BMIS.






  1. American Institute of Certified Public Accountants (AICPA). Top Technologies Survey 2006.
  2. American Institute of Certified Public Accountants (AICPA). Top Technologies Survey 2007.
  3. American Institute of Certified Public Accountants (AICPA). Top Technologies Survey 2008.
  4. Bell, D. E., L. J. LaPadula. Secure Computer Systems: Mathematical Foundations. MITRE Technical Report 2547, vol. I.
  5. Cavusoglu, H., B. Mishra, S. Raghunathan. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, in International Journal of Electronic Commerce, vol. 9 no. 1, 2004. 69-104.
  6. Colley, J., J. L. Doyle, W. Stettinius, G. Logan. Corporate Governance, in The McGraw-Hill Executive MBA Series. New York: McGraw-Hill, 2003.
  7. Fink, D. A Security Framework for Information Systems Outsourcing, in Information Management & Computer Security vol. 2 no. 4, 1994. 3-8.
  8. Gonzalez, J. J., A. Sawicka. A Framework for Human Factors in Information Security. Proceedings of WSEAS 2002, Rio de Janeiro.
  9. ISACA. An Introduction to the Business Model for Information Security. Rolling Meadows IL: ISACA, 2006.
  10. ISACA. IT Control Objectives for Basel II. Rolling Meadows IL: ISACA, 2007.
  11. ISACA. An Introduction to the Business Model for Information Security. Rolling Meadows IL: ISACA, 2009.
  12. Kiely, L., T. Benzel. Systemic Security Management: A new conceptual framework for understanding the issues, inviting dialogue and debate, and identifying future research needs. White Paper, Institute for Critical Information Infrastructure Protection (ICIIP), University of Southern California, 2006.
  13. Pauchant, T., I. I. Mitroff. Transforming the Crisis-Prone Organization. San Francisco: Jossey-Bass, 1992.
  14. Perrow, C. Normal Accidents. New York: Basic Books, 1984.
  15. von Roessing, R. Quantified Risk and Business Impact: A Strategic Decision Support Model for Security and Business Continuity Management. Proceedings of ISSE 2003.
  16. von Roessing, R. IT-Sicherheit und Basel II: Security als operationelles Risiko [IT Security and Basel II: Security as Operational Risk]. Proceedings of D-A-CH Security 2004.
  17. von Roessing, R. Sicherheit und Krisenanfälligkeit – Erfolgsfaktoren und Warnindikatoren [Security and Crisis Proneness – Success Factors and Warning Indicators]. Proceedings of D-A-CH Security 2006.
  18. von Roessing, R. Business Resilience – Wege aus der Krisenanfälligkeit [Business Resilience – Ways Out of Crisis Proneness]. Proceedings of D-A-CH Security 2009.
  19. Schein, E. H. Organizational Culture and Leadership. 3rd ed. Wiley, 2004.
  20. von Solms, S. H. Information security governance – compliance management versus operational management, in Computers & Security vol. 24, 2005. 443-447.
  21. von Solms, S. H., R. von Solms. From information security to… business security? in Computers & Security vol. 24, 2005. 271-273.
  22. Turner, B. A. The Organizational and Interorganizational Development of Disasters. Administrative Science Quarterly, vol. 21, September 1976.
  23. Turner, B. A. Man-Made Disasters. New York: Crane, Russak & Co., 1978.

Copyright information

© Vieweg+Teubner | GWV Fachverlage GmbH 2010
