The Information Security Forum (ISF), trusted resource for executives and board members on cyber security and risk management, today announced the release of Establishing a Business-Focused Security Assurance Program, the organization’s latest report which explores how individuals responsible for providing security assurance in their organization can meet the specific needs of business stakeholders. This report equips organizations to establish and run a security assurance program that focuses on the needs of the business. This is accompished by outlining the need for change towards a business-focused approach, identifying how to move from current to future approaches, introducing three fundamental elements that underpin successful business-focused security assurance and describing a repeatable process to provide security assurance.
Many organizations aspire to an approach that directly links security assurance with the needs of the business, demonstrating the level of value that security provides. However, there is often a significant gap between goals and reality. Improvement requires time and patience, but organizations do not need to start at the beginning. Most already have the basics of security assurance in place, meeting compliance obligations by evaluating the extent to which required controls have been implemented and identifying gaps or weaknesses. Establishing a Business-Focused Security Assurance Program explains how organizations can build on existing compliance-based approaches rather than replace them.