A well-structured approach is required for building information security around confidentiality (stressing the "need to know" as the guiding principle for implementing a security program), managing integrity (by focusing on the "control of privilege to create, modify, store, copy or delete information or information resources") and ensuring the availability of information (based on the "business need" and regulatory obligations to have systems, resources and data available).

Through the use of an integrated, process-based approach, directed from the governance layer and supported by a management system to coordinate improvements, the aim is to:

  • Identify the IT activities necessary for effective information security using the 37 COBIT 5 processes as a guide
  • Build capability in information security processes and related activities
  • Focus on delivering the outcomes that business expects from information security (and avoid unnecessary concepts of 'best practice').


  • There are a large number of IT processes that will have an impact on the effectiveness of information security
  • The outcome expected from information security should be based on what the business actually needs (e.g. security in a hostile environment, regulatory compliance, etc.).