
CISSP online training: Information security governance, risk management

Spotlight article: Shon Harris offers an in-depth look at the topics covered in the CISSP domain on infosec governance and risk management.

The Certified Information Systems Security Professional (CISSP) Information Security Governance and Risk Management domain is among the domains within the Common Body of Knowledge (CBK) that have changed the most over the years.

These changes reflect the maturing of the information security industry as a whole. Security management practices used to have a smaller scope that focused on developing policies and procedures, and overseeing various security technologies deployed on the network from an administrative perspective. Nowadays, security management is about developing enterprise architectures, implementing process improvement models, creating metrics, carrying out risk management, and standing up governance systems.

Security costs money, and companies must be able to rationalize and streamline this type of cost center. Security breaches can devastate a company's reputation, and failing to comply with various laws and regulations can quickly become expensive. These are some of the driving forces that have required enterprise security management practices to become more disciplined, and the changes are directly reflected in the questions that make up the CISSP exam.

Fundamentally, information security assurance is a business issue that must be addressed in the context of the enterprise business framework. This article provides an overview of today's security management practices, and offers strategies, as well as specific tools and techniques, for evaluating, controlling and implementing security across an enterprise.

We will explore the following topics:

  • Information security management systems
  • Enterprise architecture frameworks
  • Security control objectives
  • Process improvement models
  • Risk management
  • Metric systems

Information security management systems

In the late 1990s, organizations had to start developing organization-wide security programs as security issues became intertwined with business issues. The only security program blueprint available at the time was British Standard 7799 (BS 7799), which outlined how an information security management system (ISMS), or security program, was to be developed and maintained. This de facto standard was adopted and improved upon over the years by the International Organization for Standardization (ISO); today, organizations around the world use the ISO/IEC 27000 series as their roadmap for implementing an ISMS throughout a computing environment in a disciplined manner.

The ISO/IEC 27000 series of standards is made up of best practices on how to build and implement internal programs such as risk management, incident management, governance, application security, metrics, auditing and more. Organizations can become certified based on these standards to illustrate their strong security postures to customers and business partners alike. Core standards that make up the series include:

  • ISO/IEC 27001: ISMS requirements
  • ISO/IEC 27002: Code of practice for information security management
  • ISO/IEC 27003: Guideline for ISMS implementation
  • ISO/IEC 27004: Guideline for measurement and metrics framework
  • ISO/IEC 27005: Guideline for information security risk management
  • ISO/IEC 27006: Requirements for bodies providing audit and certification of an ISMS

This is just a small list of standards; new ones are developed, approved and added continuously.

Enterprise architecture frameworks

One of the newest developments within the practice of information security management is the integration of formal enterprise architecture frameworks. These were introduced because of the difficulty involved with mapping security methods and processes to business needs.

The ISO/IEC 27000 series is used to develop an organization-wide security program, and the enterprise architecture defines how organizations integrate that security program into business departments, processes and activities. Before the use of enterprise architectures, organizations found that their efforts in creating a security program based upon the ISO/IEC 27000 resulted in a lot of documentation (i.e., policies and procedures) and fewer actual implementations than intended. And though security emerged from the technical world, it did not integrate easily into the business world, where it was needed to directly support business drivers and requirements.

The use of an architecture model can make it easier for teams to understand how the security topics covered in various policy documents relate to business needs, thus helping with the implementation of the needed security strategies. However, architecture framework models are often complex in nature, and some security teams can become overwhelmed and "wrapped around the axle." Implementing a complex model such as an enterprise architecture can be beneficial in the long run, but must be done methodically.

In the early days, many corporations were already using a proven enterprise architecture framework (Zachman) that allowed them to understand their business from both a formal and a structural viewpoint. This framework was adapted to allow security activities, processes and strategies to be integrated into the company holistically. This resulted in the Sherwood Applied Business Security Architecture (SABSA) model, which defined business requirements from a security perspective. The model is made up of layers that capture and present strategic goals, conceptual design, practical implementation, metric development and auditing steps.

The defense departments of several different governments use their own architecture models for the same basic purposes, such as the U.S. Department of Defense architecture framework (DoDAF) and the British Ministry of Defence architecture framework (MoDAF). These architecture frameworks are focused on how to integrate information security technologies and processes into military and defense-mission support systems and processes.

Security control objectives

Information security management systems and enterprise architecture frameworks are high-level constructs that do not deal with the actual security controls that need to be implemented to secure an environment. Before a security team can decide which controls need to be purchased and put into place, it must understand what each control is supposed to accomplish, which is referred to as a "control objective." COBIT, formerly known as the Control Objectives for Information and Related Technology, is a framework and set of control objectives developed by ISACA and the IT Governance Institute (ITGI). COBIT offers guidelines on security control procurement, installation, testing, certifying and accrediting, and also provides a framework that allows for security IT governance through the use of control objectives, implementation toolsets, performance indicators and success factors.

Note: The new version, COBIT 5, has evolved to work at a more strategic level than the earlier COBIT versions, but the overall goals are similar.

Just as the government sector has its own enterprise architecture frameworks, it also has its own control catalog: NIST SP 800-53 outlines the set of security controls to be used to protect U.S. federal information systems. COBIT focuses on control objectives, and NIST SP 800-53 focuses more on the controls themselves, but they play similar roles in their respective sectors (COBIT is often used in the commercial sector, and the NIST standard is integrated into various government-oriented security mandates).

It is important to note that the ISO/IEC 27000 series is used to develop the conceptual structure of the security program and the enterprise architecture is used to integrate the security program construct throughout the organization. COBIT is used to help identify the controls that need to be implemented throughout the organization and provides a method to carry out governance at the IT control level.

The topics of controls and control objectives are integrated into this article to illustrate their relationships to ISMS and enterprise architectures.

Process improvement models

Since security must be integrated into business processes in an effective manner, several different process management models have been introduced to the information security industry.

The Information Technology Infrastructure Library (ITIL) is the most popular set of best practices. It was created because of the increased dependence on technology to meet business needs. It is a customizable framework that provides goals, activities to achieve these goals, and input and output values for each process necessary to meet these outlined goals. Since security is commonly provided through technology, it has been intertwined into this framework to help ensure the security technologies a company implements meet business needs.


Six Sigma is a process improvement methodology developed by Motorola with the goal of identifying and removing defects in a company's manufacturing processes. This methodology aims to improve process quality by using statistical methods that measure operational efficiency and associated defects. The maturity of a process is represented by a sigma rating derived from its defect rate, expressed as defects per million opportunities (DPMO); a process operating at six sigma produces roughly 3.4 defects per million opportunities. Some organizations use Six Sigma to improve security assurance by measuring success factors of different security controls and processes, treating, for example, a phishing email that reaches a user's inbox or a server that misses its patch window as a defect.
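As an added worked example (not code from the original article), the following Python computes the sigma rating of a few security controls from their defect counts, using the two formulas Six Sigma practice relies on: DPMO, and the inverse standard-normal CDF with the conventional 1.5-sigma long-term shift. The control names and counts are constructed for illustration and do not come from any real organization.

```python
"""Six Sigma rating of a security control (added worked example; not part of the
original article). The two formulas are the ones Six Sigma practice uses:

    DPMO  = defects * 1_000_000 / (units * opportunities_per_unit)
    sigma = Phi^-1(1 - DPMO / 1_000_000) + 1.5

Phi^-1 is the inverse standard-normal CDF; the +1.5 is the conventional long-term
shift, which is why "six sigma" quality corresponds to 3.4 DPMO rather than the
roughly 0.001 DPMO an unshifted six-sigma normal tail would give.
The control names and defect counts below are constructed for illustration.
"""
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # mean 0, standard deviation 1


def dpmo(defects: int, units: int, opportunities_per_unit: int = 1) -> float:
    """Defects per million opportunities for one control over one measurement period."""
    opportunities = units * opportunities_per_unit
    if opportunities <= 0:
        raise ValueError("need at least one opportunity for a defect")
    if not 0 <= defects <= opportunities:
        raise ValueError("defects must lie between 0 and the number of opportunities")
    return defects * 1_000_000 / opportunities


def sigma_level(dpmo_value: float) -> float:
    """Long-term sigma rating for a DPMO figure (1.5-sigma shift applied)."""
    yield_fraction = 1.0 - dpmo_value / 1_000_000
    if yield_fraction >= 1.0:
        return float("inf")   # zero defects observed: the sample cannot bound the rating
    if yield_fraction <= 0.0:
        return float("-inf")  # every opportunity was a defect
    return _STD_NORMAL.inv_cdf(yield_fraction) + 1.5


# Constructed one-quarter sample: control -> (opportunities, defects)
CONTROL_SAMPLES = {
    # 250,000 inbound emails; 85 phishing messages reached a user's inbox
    "email filtering": (250_000, 85),
    # 1,200 servers; 96 missed the 30-day critical-patch SLA
    "patch management": (1_200, 96),
    # 4,000 terminations; 2 accounts were still active after 24 hours
    "account deprovisioning": (4_000, 2),
}


def rate_controls(samples=CONTROL_SAMPLES):
    """Return [(control, dpmo, sigma)] ordered worst (lowest sigma) first, so the
    weakest control sits at the top of the improvement backlog."""
    rated = []
    for name, (units, defects) in samples.items():
        d = dpmo(defects, units)
        rated.append((name, d, sigma_level(d)))
    rated.sort(key=lambda row: row[2])
    return rated


if __name__ == "__main__":
    for name, d, s in rate_controls():
        print(f"{name:24s} DPMO={d:10.1f}  sigma={s:.2f}")
```

With the constructed counts, patch management rates lowest (80,000 DPMO, about 2.9 sigma) and becomes the first improvement target; the same DPMO figure can be tracked period over period as the metric a CMMI or ITIL improvement cycle reports against.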

ITIL and Six Sigma are not as prevalent on the CISSP exam as the Capability Maturity Model Integration (CMMI), so candidates should become particularly well-acquainted with this approach. CMMI is a process improvement model that came from the software engineering world, but is commonly used by organizations as a roadmap for controlled, incremental improvements within their security programs. CMMI lays out five maturity levels (Initial, Managed, Defined, Quantitatively Managed and Optimizing; the older CMM called the second level Repeatable) that represent the different evolutionary stages of process performance. An organization can use CMMI to develop structured steps to evolve from one maturity level to the next by continually improving its security processes.

This leads to the question: Which process improvement approach is best for an organization? Simply put, it's the one that most closely maps to what is currently being used for business purposes. If an enterprise uses ITIL successfully, security process improvement can be integrated through that framework since it is already embedded throughout the organization. If a company uses Six Sigma, it should use this for security improvement initiatives because adding a second metric system would only introduce confusion and complexity. However, if an organization does not use either, CMMI is probably the best choice, because it is flexible and provides clear-cut approaches for metric development and step-wise improvement levels.

Metric systems

If an organization wants to integrate process improvement roadmaps and a governance framework based on meaningful data, then a metric and measurement system must be developed and deployed. This system must be repeatable and reliable to allow measurement to happen in a standardized and continuous manner.

ISO/IEC 27004 is the guideline for information security management measurement and metrics framework. This standard was developed to give organizations the ability to assess the effectiveness of their information security management system; ISO/IEC 27004 also maps to the topics outlined in the ISO/IEC 27001 standard. So ISO/IEC 27001 tells you how to build and deploy an ISMS, and ISO/IEC 27004 tells you how to measure it.

The government sector commonly uses NIST SP 800-55, the Performance Measurement Guide for Information Security, which maps more closely to the controls outlined in NIST SP 800-53. While the ISO/IEC 27004 and NIST SP 800-55 approaches to metric development have the same basic goals, the ISO standard breaks individual metrics down into base measures, derived measures and indicators. The NIST standard breaks measures down into implementation, effectiveness/efficiency and impact measures.

Another approach to performance measurement is the use of balanced scorecards. These traditional business strategic tools are used to present the most relevant information to management quickly and easily so they can make strategic decisions effectively and rapidly. Measurements are compared with set target values, so if performance deviates from expectations, this can be conveyed in a simplistic and straightforward manner.

Which is the best approach for an organization to use? If it has developed its information security management system based upon the ISO/IEC 27000 series, ISO/IEC 27004 is the best choice. If an organization uses NIST standards for guidelines and best practices, NIST SP 800-55 would be a good fit. If executives are used to balanced scorecards, don't confuse them with a completely different metric system. Remember, executives are the main audience for these measurements, so leveraging values that they understand will be the most useful.

Risk management

One of the most important aspects of security management is learning how to assess an organization's risk and how to judge and justify its security investment. Security risk management is one of the most talked about topics in information security, and it is also one of the hardest things to do well.

Risk management includes risk analysis, risk prioritization, cost/benefit comparisons and corporate security risk mitigation strategies. The relationship of threat agents to vulnerabilities and the types of risks they can induce are also presented.

Risk analysis depends heavily on asset valuation, which can vary among individuals in the organization; therefore, multi-disciplinary involvement is recommended. Either a quantitative (numerical) or qualitative (opinion-based) approach can be used, and either can be applied by manual or automated means. A systematic, quantitative approach includes determining what enterprise requirements must be fulfilled, gathering input, determining loss potential (immediate or delayed), assigning cost/benefit quotients, adjusting for the cost of applying countermeasures, identifying potential threats, estimating threat frequency, and selecting the optimal countermeasures that will transfer or reduce risk. The quantitative calculation the exam expects is single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x annualized rate of occurrence), and the value of a safeguard (ALE before the safeguard minus ALE after it minus the safeguard's annual cost); a safeguard whose value is negative costs more than the loss it prevents. Alternative qualitative approaches, including the Delphi technique for group decision making, storyboarding, brainstorming and surveys, round out the risk analysis options.
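The following Python is an added worked example of the quantitative approach described above; it is not code from the original article. It ranks a small risk register by annualized loss expectancy and then selects, for one risk, the safeguard with the highest net annual value, declining all of them when none pays for itself. Every asset value, exposure factor, rate and cost is constructed for illustration.

```python
"""Quantitative risk analysis (added worked example; not part of the original
article). It applies the standard CISSP quantitative formulas:

    SLE = AV * EF                       single loss expectancy
    ALE = SLE * ARO                     annualized loss expectancy
    safeguard value = ALE_before - ALE_after - annual safeguard cost

Every asset value, exposure factor, rate and cost below is constructed for
illustration; none comes from a real assessment.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # AV in dollars; agreed with the asset owner and finance
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0..1.0
    aro: float               # ARO: expected incidents per year (0.1 = once a decade)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # acquisition and operation, amortized per year
    residual_ef: float       # EF once the safeguard is in place
    residual_aro: float      # ARO once the safeguard is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def risk_ale(risk: Risk) -> float:
    return annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro)


def prioritize(risks: Iterable[Risk]) -> List[Risk]:
    """Highest expected annual loss first: where the security budget should look first."""
    return sorted(risks, key=risk_ale, reverse=True)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Net annual benefit; negative means the control costs more than the loss it prevents."""
    ale_after = annualized_loss_expectancy(
        risk.asset_value, safeguard.residual_ef, safeguard.residual_aro
    )
    return risk_ale(risk) - ale_after - safeguard.annual_cost


def select_safeguard(risk: Risk, candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Best-value candidate, or None when no candidate pays for itself, in which case
    the risk is better accepted, transferred (insured) or avoided than mitigated."""
    scored = [(safeguard_value(risk, s), s) for s in candidates]
    if not scored:
        return None
    value, best = max(scored, key=lambda pair: pair[0])
    return best if value > 0 else None


# Constructed register: three risks, and three candidate safeguards for the database.
CUSTOMER_DB = Risk("customer database", 500_000, 0.6, 0.1)   # SLE 300,000; ALE 30,000
PUBLIC_WEB = Risk("public web site", 200_000, 0.25, 2.0)     # SLE 50,000;  ALE 100,000
LAPTOPS = Risk("sales laptops", 40_000, 0.5, 1.0)            # SLE 20,000;  ALE 20,000
RISKS = [CUSTOMER_DB, PUBLIC_WEB, LAPTOPS]

ENCRYPT = Safeguard("encrypt at rest with managed keys", 12_000, 0.1, 0.1)  # value +13,000
DLP = Safeguard("enterprise DLP suite", 40_000, 0.05, 0.05)                 # value -11,250
REVIEW = Safeguard("quarterly access review", 4_000, 0.6, 0.05)             # value +11,000
CANDIDATES = [ENCRYPT, DLP, REVIEW]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.asset:18s} ALE = {risk_ale(r):>10,.0f}")
    for s in CANDIDATES:
        print(f"{s.name:36s} net value = {safeguard_value(CUSTOMER_DB, s):>+10,.0f}")
    chosen = select_safeguard(CUSTOMER_DB, CANDIDATES)
    print("select:", chosen.name if chosen else "no safeguard justified")
```

Two things the numbers make visible that the prose does not: the public web site, not the more valuable database, tops the list because its high ARO dominates, and the most thorough control (the DLP suite) is the one that should be rejected, because its annual cost exceeds the ALE it removes.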

As with the earlier topics discussed, both ISO and NIST offer guidelines on how to practice risk management within an organization. ISO/IEC 27005 is the international standard for implementing a risk management program that integrates into an information security management system, and NIST SP 800-30, a U.S. federal guide focused on IT risk, covers how to conduct risk assessments for information systems.

Since risk management is so critical to information security management practices, the CISSP exam has expanded its coverage to also include the following risk management approaches:

  • Facilitated Risk Analysis Process (FRAP): A focused, qualitative approach that carries out prescreening to save time and money.
  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE): A team-oriented approach that assesses organizational and IT risks through facilitated workshops.
  • AS/NZS 4360: The Australian and New Zealand business risk management approach (since superseded by AS/NZS ISO 31000).
  • Failure Mode and Effects Analysis (FMEA): An approach that dissects a component into its basic functions to identify flaws and the effects of those flaws.
  • Fault tree analysis: An approach to map specific flaws to root causes in complex systems.


To wrap up, it is critical to remember these key points:

  • The ISO/IEC 27000 series is used to develop an information security management system.
  • Enterprise architectures are used to map the security components of an information security management system to business needs.
  • COBIT is used to define control objectives and performance improvement models to allow organizations to continue to improve their efforts.
  • A metric system allows a company to measure its performance in a quantifiable and meaningful method.
  • Risk management is used to identify vulnerabilities and calculate the probability of compromise, along with the associated business risks.

Note that all of these efforts are used to achieve the fundamental principles of security, which are the responsibility of many roles throughout an organization.

CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)2.


This was last published in September 2014