A Systems Approach to Information Security for the Twenty-First Century Organization

A crisis resulting from disruptive events that threaten to harm the organization or its stakeholders can originate from a plethora of sources. Data breaches, unauthorized disclosures of confidential information, and data leaks, are on the news almost daily. Most guidelines and standards published by prominent International Standards Organizations hold that risk-based thinking supports public, private, and community enterprises (referred for convenience in this work by the generic term “organization”) in determining the forces that could cause their key and enabling processes to deviate from planned arrangements, to apply preventive measures to modify risk, and to take advantage of opportunities as they arise. A well-structured Information Security Management System that is developed, implemented, and maintained through sound risk-based thinking, enables the organization to take appropriate actions to address the risks and opportunities associated with its information resources, in a manner that is commensurate to the complexity of its socio-technical infrastructure and the external environmentassociated with its activities. In this work we explore the Risk Management Process that is outlined in the ISO 31000 international standard, through the requirements/guidelines defined in the ISO/IEC 27000-series of international standards. The knowledge gained is applied to develop a systems driven conceptual structure thatcan be employed by any organization operating on the complexities of an interconnected environment, for the purpose of designing, implementing, monitoring, reviewing and continually improving a structured Information Security Management System