Should information security focus on asset protection, compliance, or corporate governance?
Traditionally, information security has been perceived as an activity that was built around protecting sensitive information assets – after all, this is what the first (2005) revision of ISO 27001, and its predecessor BS 7799-2, also emphasized. These standards required companies to identify all the assets, and then build the safeguards (i.e., defense) around those assets.
But, in the last decade, other ways to look at information security have emerged as well: that security is primarily a compliance job, and that security is part of an internal control, i.e., part of corporate governance. (Note: this blog post has adapted the model presented in the paper Information assurance: Strategic alignment and competitive advantage.)
So, which of these three approaches is the best to take?
Information security as a protection of information assets / IT security approach
This traditional approach of protecting the assets came from the philosophy that has existed in physical security for thousands of years – you have a physical asset, and then you build a security perimeter around it. (See also: Physical security in ISO 27001: How to protect the secure areas.)
This traditional approach was mostly taken over by IT departments, which had developed their IT security technology – e.g., firewalls, anti-virus protection, intrusion-detection systems, etc. – around the assets they wanted to protect. (See also: Information security or IT security?)
This approach worked fine for physical security; the problem now is that with cloud services, mobile devices, insiders, backdoors, hackers, etc., it is becoming really difficult to define a security perimeter around information assets and then build the controls around it. Obviously, something else is needed.
Information security as a compliance job
Since protection of sensitive corporate and/or private information is becoming a very hot issue, governments – as well as customers – are taking a more proactive approach and defining various information security requirements through laws, regulations, and contracts. (See also: How to identify ISMS requirements of interested parties in ISO 27001.)
Companies then start to focus on fulfilling all these requirements – in most cases by writing various policies and procedures – but this kind of “box-ticking-by-writing-documentation” approach doesn’t really resolve the main issue: how to decrease the number of security incidents by making the processes in companies more secure.
Information security as part of internal control/corporate governance
This approach is more typical for larger organizations that want to know exactly who is responsible for what, which reports are sent to whom, who has to make which decisions, etc. Such organizations basically want to reduce the risk of something going wrong, although very often they do not have a formal risk management process.
This approach fits quite well with the compliance approach; however, many companies take it without the compliance “push.” The downside of this approach might be that communication is usually one-way – from corporate headquarters down to every department. This makes it very difficult to explain to top management the real problems faced in day-to-day operations when it comes to threats, vulnerabilities, or difficulties in adopting new corporate rules.
A blended approach
Now, the question is: Which of these three approaches should be your guiding light? If you look at the latest 2013 revision of ISO 27001, then the answer is: none. Or, to be more precise, ISO 27001:2013 requires you to mix all of these approaches into a single, risk-based management system. (See also: ISO 27001 risk assessment & treatment – 6 basic steps.)
ISO 27001:2013 requires you to perform the risk assessment and treatment, and choose the most appropriate controls for your information; it also requires you to identify all legal and regulatory requirements, and requirements from your partners and clients, and then to comply with those; finally, ISO 27001:2013 requires you to set up a management system with clearly defined roles and responsibilities, measurement, reporting, and internal audit functions.
So, what’s the point here? Don’t be misled into viewing one of these approaches as your main information security philosophy – that would be a mistake because you wouldn’t be able to protect your information properly.