Applied Information Management

Critical Elements of an Information Security Management Strategy

In Brief: It is imperative that individuals who are responsible for information security service operations have a concise and accurate report of how they should proceed and what they should include in the development of an information security strategy. The purpose of this literature review is to provide this audience with an understanding of the critical elements of information security and how to use these elements in the development of a comprehensive information security strategy.

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize risk, and maximize return on investment.

The International Standards Organization ISO-27002 Security Techniques: Code of Practice for Information Security Management handbook provides general guidelines and principles for initiating, implementing, maintaining, and improving information security in public and private organizations (ISO-27002, 2005, p. 1). The reference outlines ten elements that are covered in this document: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; business continuity management; and compliance with legal requirements.

According to ISO-27002 (2005), an information security policy document should contain six key components, provided in Figure 1.

Six Key Information Security Policy Components
  1. A definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing
  2. A statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives
  3. A framework for setting control objectives and controls, including the structure of risk assessment and risk management
  4. A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including: compliance with legislative, regulatory, and contractual requirements; security education
  5. A definition of general and specific responsibilities for information security management, including reporting information security incidents
  6. References to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules with which users should comply

Figure 1—Six Key Policy Components (ISO-27002, 2005, p. 5)

Pironti (2006) states that the establishment of an information security strategy is the cornerstone in transforming information security into a more effective and proactive activity, driven by organizational leadership, in contrast to the typical reactive model of information security driven by technologists. Harris (2006) adds that the approach any given organization takes to the development of a security strategy should be customized, because each organization has its own threats, risks, business drivers, and industry compliance requirements.

References

  • Federal Financial Institutions Education Council. (2006). IT Information Handbook: Information Security. Retrieved April 17, 2008 from Federal Financial Institutions Examination Council website
  • Harris, S. (2006). Risk Management: Key elements when building an information security program. Article Retrieved May 7, 2008 from
  • International Standards Organization. (2005). Information technology security techniques: Code of practice for information security management. Reference number ISO/IEC 27002:2005(E).
  • Pironti, J. (2005). Key elements of an information security program. Information Systems Control Journal, 1. Retrieved April 14, 2008 from ISACA

Research Paper Author: Gary R. Lomprey—2008 AIM Graduate

Abstract: Not only is Information Security Strategy crucial to protect information systems, but it is central to organization survival. Harris (2006) believes security strategy should be customized because each organization is unique. Literature published from 2000 to 2008 examines information systems in the context of information security. Conclusions provide discussion of six key security policy components selected from ISO-27002 (2005), spanning definitions, objectives, management goals, controls, risk assessment, policies and standards, compliance requirements, and supporting references.
