Comparative Analysis of Information Security Management System Standards - Sign removed

Comparative Analysis of Information Security Management System (ISMS) Standards
Comparative Analysis of Information Security Management System (ISMS) Standards:
A Management Aid
Mansoor Faridi
Fort Hays State University

Comparative Analysis of Information Security Management System (ISMS) Standards ii
A Management Aid
By
Mansoor Faridi
A capstone report submitted to
The Faculty of the Graduate School of Fort Hays State University
In partial fulfillment of the requirements for the degree of
Master of Professional Studies in Information Assurance Management
Department of Informatics
Graduate Advisor:
Prof. Kevin Shaffer, Department of Informatics
Examining Committee:
Robert Meier, PhD, Professor, Department of Informatics
Melissa Hunsicker-Walburn, JD, Department Chair, Department of Informatics
United States of America
December 7, 2015

Comparative Analysis of Information Security Management System (ISMS) Standards iii
Certification of Authorship of Dissertation Work
Submitted to: Kevin Shaffer
Student’s Name: Mansoor Faridi
Date of Submission: December 7, 2015
Purpose of Submission: Capstone report in partial fulfillment of the requirements for the
degree of Master of Professional Studies in Information
Assurance Management.
Title of Submission: Comparative Analysis of Information Security Management
Systems (ISMS) Standards: A Management Aid
Certification of Authorship: I hereby certify that I am the author of this document and that any
assistance I received in its preparation is fully acknowledged and
disclosed in the document. I have also cited all sources from
which I obtained data, ideas, or words that are copied directly or
paraphrased in the document. Sources are properly credited
according to accepted standards for professional publications. I
also certify that this paper was prepared by me for this purpose.
Student's Signature:
Mansoor Fardi

Comparative Analysis of Information Security Management System (ISMS) Standards iv
Dedication
I would like to dedicate this work to my late maternal Grandmother. I was privileged to
spend a great deal of my childhood in her company: she was the best ‘tutor’ I ever had. She
taught me many worldly disciplines, but most outstanding lessons were on the importance of
having good morals, differentiating the good from the bad, and the value of being honest in all
matters of life, regardless of circumstances. I wouldn't be the person I am today, had it not been
for her.
This humble scholastic effort is inspired by, and a tribute to, her loving memory. May she
rest in peace, and God bless her soul. Amen.
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.
Robert Frost
(From The Road Not Taken, 1916)

Comparative Analysis of Information Security Management System (ISMS) Standards v
Acknowledgements
First and foremost, I would like to thank God for His benevolence, and guiding me in all
aspects of life. I would also like to thank my wife and children who sacrificed our personal time,
allowing me to pursue this academic endeavor. I am also thankful to my parents, and their
prayers, which made this achievement possible.
I would also like to thank Irene Odell (Director, Sun Life Financial), David Rackus (Vice
President, IAS, Sun Life Financial), Allan Porter (CISO & AVP, Information Security, Sun Life
Financial), Kevin Shaffer (Graduate Advisor, FHSU), and Melissa Hunsicker-Walburn (Chair,
Department of Informatics, FHSU) for providing guidance and support throughout my degree
program; and my mentor and Professor, Sir Dr. Wiktor Askanas, for supporting my application
for this graduate degree program.
I would also like to thank the following individuals for either inspiring me, supporting
me, providing great insights, allowing access to their workplace, and/or feedback on this work:
Aamir Sharif, Middle East IT Area Operations, ExxonMobil, Dubai, UAE
Prof. Ali Ghorbani, PhD, Dean & Director of InfoSec Center of eXcellence, UNB, NB, Canada
Allan Porter, CISO & AVP, Information Security, Sun Life Financial, ON, Canada
Asif Khan, Software Architect, Medavie Blue Cross, NB, Canada
Beverly Purinton, Manager, Xerox Canada, NB, Canada
Brian Wilkins, Director (Retd.), Financial Services, Department of Public Safety, NB, Canada
Caroline Wegimont-Leblanc, M.Sc. CISA, Manager-ERS, Deloitte, Paris, France
Cathy Bridge, CISSP, Senior Information Security Analyst, Sun Life Financial, ON, Canada
Charles Alexander, JD, Vice President, Xerox Corporation, NY, USA
Chris Weir, Associate Director, Ernst & Young, NB, Canada

Comparative Analysis of Information Security Management System (ISMS) Standards vi
Clarence J. Longworth, IS Security Officer, US Department of Homeland Security, FL, USA
David Rackus, Vice President, IAS, Application Services, Sun Life Financial, ON, Canada
David Goyette, LLB, Yerxa Myatt Law Office, NB, Canada
Prof. E. Stephen Grant, PhD, Associate Dean, University of New Brunswick, NB, Canada
Prof. Eben Otuteye, PhD, University of New Brunswick, NB, Canada
Prof. Elizabeth C. Ashton, JD, Department of Informatics, Fort Hays State University, KS, USA
Ghausul Alam, MBA, Head of Corporate Audit Services, Nationale-Nederlanden, Tokyo, Japan
Ghouri Muhammad, MISt, CISM, CISA, Vice President, IT Audit, BankUnited, FL, USA
Henry L. Gates, PhD, Alphonse Fletcher University Professor, Harvard University, MA, USA
Irene Odell, Director, Director, PM CoE & SDLC, Sun Life Financial, ON, Canada
Ivan Corbett, Manager, E&LG, Government of New Brunswick, NB, Canada
Prof. Jane Fritz, PhD, VP-Academic, University of New Brunswick, NB, Canada
Jason Perry, PhD, Independent Sub-Contractor, ON, Canada
Jay Holland, MBA, Business Systems Analyst, John Hancock Life Insurance Co., MA, USA
Jeff Merrick, CISA, QSA Senior Manager, Operational Advisory, Grant Thornton, NS, Canada
Jim Martin, Alliance Principal, Xerox Corporation, TX, USA
Joanna Boniecka-Grzelak, MSc, CPA, CMA, CIA, Manager, Risk Advisory, PwC, NB, Canada
Jonathan Nichols, Data Analytics Specialist, Collins Barrow, NS, Canada
Prof. Joseph Y. Abekah, PhD, Associate Dean, University of New Brunswick, NB, Canada
Joshua Dennis, P. Eng., Software Designer, Alcatel-Lucent, ON, Canada
Prof. Joshua Jones, MBA, CCIE, CISSP, Principal Security Consultant, Insight, TX, USA
Kari Popowich, PMP, MBA, CMA, Director, EPMO, Sun Life Financial, ON, Canada
Katrina Lamphier, Business Operations Manager, Xerox Corporation, TX, USA

Comparative Analysis of Information Security Management System (ISMS) Standards vii
Prof. Kevin Shaffer, Department of Informatics, Fort Hays State University, KS, USA
Leigh Ann Arab, CISA, Manager-ERS, Deloitte, NS, Canada
Lindsey A. George, Senior Software Application Engineer, Workday, CA, USA
Lori Cortina, Assistant Vice President, ePMO & TCoE, Sun Life Financial, ON, Canada
Lucy Muriithi, CPA, CIA, CISA, PMP, Senior Audit Group Manager, TD Bank, ON, Canada
Maria Garcia, CISSP, Senior Information Security Specialist, Sun Life Financial, ON, Canada
Mark A. Dolson, Director, Management Consulting - Financial Management, KPMG, PA, USA
Mark Varma, CPA, CA, CISA, Senior Manager, Deloitte-ERS, ON, Canada
Marlene Chiarotto, CPA, CA, Assistant Vice President, Manulife Financial, ON, Canada
Martin Chiasson, Vice President, Xerox Canada, NB, Canada
Mary Ellen Angelo, Global Alliance Director, Xerox Corporation, NY, USA
Mary O’Ryan, CISSP, Senior Security Governance Specialist, Sun Life Financial, ON, Canada
Matthew Follett, CA, Vice President, Crosbie Group of Companies, NL, Canada
Prof. Melissa Hunsicker-Walburn, JD, Dept. of Informatics, Fort Hays State U., KS, USA
Michael Raftus, P. Eng., PMP, Process Compliance Auditor, Sun Life Financial, ON, Canada
Miguel LeBlanc, MA, Executive Director, NB Association of Social Workers, NB, Canada
Prof. M. Abdur Rahim, PhD, Professor Emeritus, University of New Brunswick, NB, Canada
Muhammad Khizar Ahmad, MBA, CMA, CPA, Internal Auditor, Aramco, KSA
Prof. Muhammed Rashid, PhD, University of New Brunswick, NB, Canada
Noman Shahzad, P. Eng., PMP, Senior Quality Manager, Fluor, AB, Canada
Norman Daoust, Manager, Registration & Systems, University of Ottawa, ON, Canada
Prof. Pamela Ritchie, PhD, Dean, Business and Information Technology, UOIT, ON, Canada
Prof. Patricia A. Post, PhD, Faculty of Admin, University of New Brunswick, NB, Canada

Comparative Analysis of Information Security Management System (ISMS) Standards viii
Prof. Patricia Evans, PhD, Assistant Dean Outreach, University of New Brunswick, NB, Canada
Sami Porokka, Founder, High Information Systems Inc., Lappeenranta, Finland
Paul Munn, CISA, CA, Senior Systems Analyst, Bell Aliant, NB, Canada
Paul Tsang, CISSP, Senior Compliance Manager, Sun Life Financial, ON, Canada
Phil Armstrong, SVP, AS & Chief Digital Technology Officer, Sun Life Financial, ON, Canada
Prasanna Raghavan, P. Eng., PhD, Senior Packaging Engineer, Intel Corporation, AZ, USA
Prof. Przemyslaw Pochec, PhD, University of New Brunswick, NB, Canada
Prof. Robert Meier, PhD, Department of Informatics, Fort Hays State University, KS, USA
Ralph Kirkbride (late), CGA, Manager, OOC, Government of New Brunswick, NB, Canada
Sajjad Kerawalla, CA, Director, Corporate Audit Services, Manulife Financial, ON, Canada
Sami Porokka, CEO/President, Hi-IS Inc., Lappeenranta, Finland
Sandford Forman, Computer/Technology Consultant, NC, USA
Sarah Cormier, Director, Information Security Governance, Sun Life Financial, MA, USA
Shams U. Rehman, MBA, Vice President, Xerox Corporation, NY, USA
Sophy Lian, M.Sc., CISA, Internal Audit Manager, IT, SunOpta, ON, CA
Stephen Thompson, CMA, Director (Retd.), OOC, Government of New Brunswick, NB, Canada
Subhashini Kumar, CA, Finance Manager, Shannex Incorporated, NS, Canada
Prof. Susan Sands, Department of Informatics, Fort Hays State University, KS, USA
Tanveer Shaikh, PMP, Senior IT Consultant, Manulife Financial/NetSharp Inc., ON, Canada
Turkka Turunen, CEO, Admincontrol Finland Oy, Helsinki, Finland
Venu Vujjeni, Senior Developer, Wheels Inc., IL, USA
Vishi Bindra, CISSP, CISA, QSA, Director – Advisory, KMPG, MN, USA
Waseem Rajput, CA, Director, Corporate Audit Services, Manulife Financial, ON, Canada

Comparative Analysis of Information Security Management System (ISMS) Standards ix
Sir Prof. Wiktor Askanas, PhD, University of New Brunswick, NB, Canada
Prof. William Hyslop, PhD, University of New Brunswick, NB, Canada
William Middleton, Engineering Consultant, Experis, Bergen, Norway

Comparative Analysis of Information Security Management System (ISMS) Standards x
Table of Contents
Certification of Authorship of Dissertation Work ..................................................................... iii
Dedication .................................................................................................................................. iv
Acknowledgements ......................................................................................................................v
List of Tables and Figures ......................................................................................................... xii
Abstract ........................................................................................................................................1
Introduction ..................................................................................................................................2
Literature Review .........................................................................................................................3
Key drivers motivating adoption of established standards.................................................4
Key drivers behind adopting hybrid approach ..................................................................7
Executive sponsorship .......................................................................................................9
Change management .......................................................................................................11
Future research ................................................................................................................12
Research Design .........................................................................................................................13
Analysis ...........................................................................................................................14
Methodology ...................................................................................................................14
Information Security Management System (ISMS) Standards ..................................................15
International Standard Organization 27001 (ISO27001:2013) .......................................16
Payment Card Industry Data Security Standard (PCI DSS 3.0).......................................21
Control Objectives for Information and Related Technology (COBIT) 5 for Security ..27
Comparative Analysis ................................................................................................................32
Conclusions ................................................................................................................................36
Recommendations ......................................................................................................................38

Comparative Analysis of Information Security Management System (ISMS) Standards xi
References ..................................................................................................................................40
Appendices
Appendix A – Proposed Continuous Process Improvement Model
Appendix B – PCI DSS to COBIT 5 mapping
Appendix C – COBIT to ISO mapping
Appendix D – Litigation Risk Management
Appendix E – Cloud Access Control
Appendix F – Business Continuity Planning & Disaster Recovery Planning
Appendix G – Email and Payment Card Industry Encryption Challenges
Appendix H – Importance of Risk Management
Appendix I – Managing Security Incidents
Appendix J – Security Threats & Countermeasures
Appendix K – Notable PCI-Related Data Breaches
Appendix L – Collaborate to Apprehend and Prosecute
Appendix M – List of Acronyms/Terms

Comparative Analysis of Information Security Management System (ISMS) Standards xii
List of Tables and Figures
Table Page
1 ISO27001 Groups & Controls …………………………………………………… 17
2 Comparative analysis of ISO27001, PCI DSS, and COBIT ……………………. 33
3 Result of multivariate analysis of the three in-scope ISMS Standards …………... 36
Figure
1 ISO27001 certification life cycle ……………………………………………........ 18
2 Number of ISO27001 certificates issued globally ……………………………….. 19
3 PCI DSS Goals and Requirements ………………………………………………. 22
3a Continuous compliance process …………………………………………………. 23
4 PCI DSS Implementation Life Cycle ……………………………………………. 23
5 Proposed model for continuous process improvement (PCI DSS) ……………… 24
6 VISA’s PCI DSS Merchant Level Definition …………………………………… 26
7 COBIT 5 Principles ……………………………………………………………… 28
8 COBIT 5 Enterprise Enablers ……………………………………………………. 29
9 COBIT 5 Implementation Life Cycle ……………………………………………. 29
10 Summary of similarities between the three in-scope standards ………………….. 34
11 Summary of differences between the three in-scope standards ………………….. 34
12 Representation of ISMS standards in a 3D model ……………………………….. 35
13 List of conclusions common to ISMS standards ………………………………… 37
14 List of conclusions specific to ISMS standards …………………………………. 37
15 List of recommendations ………………………………………………………… 38

Comparative Analysis of Information Security Management System (ISMS) Standards 1
Abstract
Both public and private organizations are legally mandated to safeguard organizational
information, ensuring its confidentiality, integrity, and availability. This is achieved by designing
internal controls and implementing them through information security management system
(ISMS). ISMS standard cannot be chosen with a ‘one size fits all’ approach. A variety of factors
need to be compared, such as, key drivers that motivate organizations to choose and implement
either an established standard, or adopt a hybrid approach. Adopting an established standard
provides a mature framework, whereas, hybrid approach is best suited for organizations requiring
flexibility due to unique business requirements and exceptions. The three most common ISMS
standards include Payment Card Industry Data Security Standard (PCI DSS Version 3.1),
Control Objectives for Information and Related Technology (COBIT) 5 for Security, and
International Standards Organization Information Security Management System (ISO/IEC
27001:2013). PCI DSS is best suited for organizations engaged in debit/credit card transactions.
COBIT 5 for Security is the preferred standard with organizations required to maintain SOX
compliance, while ISO27001 has a universal appeal, gaining widespread popularity globally in
all types of organizations and industries. Visible executive sponsorship is critical to effective
delivery, in conjunction with a properly designed change management system to keep it up-to-
date. Upon implementation, ISMS should be complemented with assurance activities, periodic
reviews, and regular maintenance, which ultimately satisfy the organizational objective of
ensuring confidentiality, integrity, and availability of organization’s information assets.
Keywords: availability, confidentiality, cobit, comparative analysis, continuous process
improvement, information security management system, integrity, iso27001, pci dss

A Management Aid
Mansoor Faridi
Introduction
In today’s computing environment, it is paramount to have sophisticated controls in place
to safeguard organizational information while ensuring its Confidentiality, Integrity, and
Availability [emphasis added], which is achieved by implementing information security
management system (ISMS).
This capstone project presents a detailed comparative analysis of the three most popular
ISMS standards, namely as, ISO27001, PCI DSS, and COBIT 5 for Security (Note: Will be
referred to as COBIT forthwith). The three standards were compared using various comparison
criteria (See Comparative Analysis section) to determine key drivers that motivate organizations
to either choose and implement an established ISMS standard, or adopt a hybrid ISMS approach.
The Literature Review section documents the examination of a variety of scholarly
sources, including professional journal articles, books, blogs, and other online sources to
investigate key drivers that either motivate organizations to certify against established ISMS
standards or choose a hybrid approach. It also highlights the need and importance of securing
executive sponsorship and a robust change management system before embarking on this
journey. The section concludes by stressing the need to develop single universal criteria to
evaluate ISMS standards, and developing a single ISMS standard by consolidating various other
standards and industry best practices.
The Research Design section lists the scope of analysis, and the methodology followed to
perform the qualitative comparative analysis.

The Information Security Management System (ISMS) Standards section is devoted to
documenting the results of detailed examination of each ISMS standard, and subsequent analysis
of the observations obtained. This discussion extends to sponsoring organizations,
model/frameworks, global adoption trends, advantages, disadvantages, shortcomings, anomalies,
implementation lifecycle, risk management requirements, and industry suitability.
The Comparative Analysis section presents a detailed qualitative analysis of ISO27001,
PCI DSS, and COBIT standards. Each standard was analysis against certain key features, based
on which a list of similarities and differences is also presented. The section concludes by
presenting the three ISMS standards in a 3D model based on, and supported by, the results of
multivariate analysis of these three standards.
The Conclusions section summarizes the result of our observations through this research,
whereas, the Recommendations section summarizes practical points for executive management’s
consideration during planning, design, implementation, and post-implementation phases. The
section concludes by stressing the need to develop standard evaluation criteria for ISMS
standards, and investigate the possibility of developing a global ISMS standard as well.
The next section documents the examination of a variety of scholarly sources, and
highlights the need and importance of securing executive sponsorship and a robust change
management system before embarking on any such initiative.
Literature Review
This section discusses and examines the literature researched to explore key drivers that
motivate organizations to get certified against ISMS standards, and reasons why some
organizations choose to adopt a hybrid approach as opposed to pursuing full-fledged certification
against an established ISMS standard. It further elaborates on the importance of securing

executive sponsorship from the onset of planned implementation, need for change management
planning, and identifies areas warranting future research.
Key drivers motivating adoption of established standards
There are numerous factors that drive organizational decision making towards choosing
and implementing a certain ISMS standard. However, some key drivers are common to most
organizations as follows:
 Regulatory and statutory compliance: Through legislations, governments around the world
are requiring organizations to have safeguards in place, when conducting business, to ensure
confidentiality, integrity, and availability of data – specifically individual data (IT
Governance, 2013, p. 2). Some examples of these legislations are the HIPAA Act (1996)
and the FISMA Act (2002). Organizations pay particular attention to an ISMS’ ability to
help them achieve regulatory and statutory compliance while conducting business activities
(Calder, 2005, p. 38; Appendix D).
 Threat vectors: Threat landscape has evolved with independent hackers, freelance hacking
organizations, and sovereign nation states joining the ranks (Lumension, 2011, Appendix
E). These aforementioned entities pose numerous threat vectors by their illegal activities
(cyber-crimes, digital espionage, unauthorized surveillance, intelligence activities, etc…)
Organizations pay much heed to the ISMS’ ability to proactively thwart such threats,
proactively isolate future threats, and intelligently forecast threat vectors and patterns based
on automated analysis of historical information. Also the emergence of cloud computing has
introduced new threat dimensions that organizations should consider as well (Wooley, 2011;
Appendix K).

 Certification recognition: Organizations leverage international recognition associated with
certifying against well-known established ISMS standards. This adds value to the internal
processes of an organization, and also enables them to market their adherence against
stringent security standards, and rigor, demanded by these established ISMS standards (IT
Governance, 2013, p. 4; Calder, 2005, pp. 66-68).
 Enhanced reputation: Certification against established ISMS standards enhances
organizational reputation by providing a certain sense of security to client organizations vis-
à-vis confidentiality, integrity, and availability of their business critical data (Calder, 2005,
pp. 66-68).
 Assurance: Certification against established ISMS standards is often demanded from service
organizations prior to obtaining any form of service. It acts as a form of assurance for
organization’s commitment to meet its obligations to stakeholders (customers, business
partners, etc…) and to safeguard the confidentiality, integrity, and availability of data and
information responsibly (IT Governance, 2013, p. 2; Calder, 2006, pp. 66-68).
 Cultural fit: Organizational certification also help determine ‘cultural fit’ between
organizations and their vendors. It allows an organization to gauge vendor’s ability to
deliver on requirements by assessing their ability through a structured process, as laid out in
established ISMS standards. For example, organizations can assess the design and
implementation of internal controls that a vendor may employ at their service center
locations to protect an organization’s data.
 Economics: From monetary perspective, there has to be a strong business case for
organizations to seek certification. A positive Return on Investment (ROI) encourages an
organization to pursue the certification process (Calder & Watkins, 2006). The cost has to

be justified against the long-term gains and benefit associated from the very onset,
preferably during the Request for Proposal (RFP) stage.
 Integration with current standards: It is essential that ISMS is fully integrated into the
current setup of the organization. It will not work effectively if it is a separate management
system that exists outside of, and parallel to, any other management systems. A single set of
document control with one set of processes for each part of the organization, etc., that is
complementary to the current organizational system is ideal. Likewise, assurance (Calder &
Watkins, 2006, Chapter 3) and continuous improvement activities should be consolidated as
well. Operating with this dichotomy (i.e. in the shape of separate systems) will not only
demotivate an organization from proceeding with certification, but will also prove to be
costly and disruptive (Calder, 2005, p. 78). In today’s interconnected environment,
organizations can optimize value delivery by streamlining their internal processes and by
aligning their standards with other major standards and frameworks within other [emphasis
added] organizations that they do business with.
 Vendor orientation: Vendor’s approach plays a critical role when an organization is deciding
to proceed with the certification process. During an organizational assessment of ISMS,
vendor’s ability to take the differences into account and understand unique organizational
risks allows them to provide and add value to the client organization. This difference in
approach ensures that the comparison of the ISMS is not merely mechanical in nature, but
one with some thought behind it (Calder, 2013, p. 92).
 Risk management: Organizations can leverage ISMS standard to keep risk at acceptable
levels, while maintaining availability to systems and services, and maintain compliance with
relevant laws and regulation. In this project, we reviewed multiple approaches that are being

researched, such as, artificial intelligence-driven risk management (Maynard et al., 2014a),
systematic risk management (Papadaki & Polemi, 2007), and a situation awareness model
(Maynard et al., 2014b) for risk management. The aforementioned approaches remain
theories, and not mature enough for practical application purposes. Hence, we will restrict
our discussion to traditional approaches used to manage information security risks (Faridi,
2014a; Faridi 2015c).
Key drivers behind adopting hybrid approach
Following are some of the main reasons why some organizations choose to adopt a hybrid
ISMS approach, instead of full certification against an established ISMS standard:
 Strategic alignment: If the (existing or new) hybrid ISMS system aligns with corporate
objective of safeguarding data confidentiality, integrity, and availability, then organizations
refrain from investing in certifying against a different ISMS standard, albeit established in
the industry (Calder, 2013, pp. 25-27).
 Risk Appetite: An organization may choose a combination of security controls that are
congruent to its security requirements, and also map to its risk appetite. This selection of
controls is often based on the risk assessment performed, and organization’s willingness to
take on an acceptable level of risk while mitigating risks with suitable controls.
 Risk Assessment: Risk assessment may indicate the need to have a hybrid solution
addressing organizational needs, instead of a full-fledged certification against an established
ISMS standard (Landoll, 2006, pp. 27-38), which may be inflexible to satisfy unique needs.
 Risk Treatment: Management may treat the risks more effectively by mitigating, accepting,
or avoiding them altogether by implementing a hybrid ISMS, instead of implementing an
established ISMS standard (Landoll, 2006, pp. 367-375).

 Flexibility: Organizations have the flexibility to pick and choose best practices when
designing a hybrid ISMS system suiting their environment. This frees them from religiously
following structured sets of procedures, and maintaining compliance against established
ISMS standards. They also enjoy the flexibility of adapting the risk assessment framework
by tailoring it according to their needs, which enables them to design controls unique to
their environment and requirements.
 Cost/ROI: Certification is often a time-consuming exercise spread over a long period of
time. Some organizations cannot afford this type of luxury and do not feel that they will get
an immediate return back on their investment, and hence in their eyes the investment is not
justified (Calder, 2005, p. 65).
 Complexity: The complexity involved in obtaining full-fledged certification against an
established industry ISMS standard is sometimes too daunting and complex for many
organizations. Hence, they elect to adopt a hybrid model that can be implemented and
operated easily (Calder, 2013, p. 59).
 Skill-set: A hybrid approach may not require rigorous certification as a prerequisite, for staff
to implement and operate a hybrid ISMS. Staff having knowledge of their organization’s
security environment can continue to operate and may even find themselves well-trained,
while not requiring sophisticated skills required by established ISMS standards (Calder,
2013, p. 23).
 Level of Assurance: If designed and implemented appropriately, a hybrid ISMS is capable
of providing as much assurance and protection against threat vectors, as an established one.
Hence, getting certified against an established standard does not improve the likelihood of
achieving a higher level of assurance vis-à-vis information security (Calder, 2005, p. 68).

Executive sponsorship
According to Harvard Business Review, C-level sponsor is a key requirement for
delivering a successful project by creating conditions for success (Ashkenas, 2015). Likewise,
selection and implementation of effective ISMS requires executive sponsorship. This support is
paramount in ensuring that this critical initiative will succeed and reach fruition. It ensures
sufficient resources will be committed throughout the project’s lifecycle and extend beyond its
implementation (i.e. when ISMS system is operationalized). After implementation, project
normally requires routine maintenance activities on an on-going basis to adjust for changing
internal/external conditions, hence keeping them relevant.
Alvares (2015) suggested it helps set the tone at the ‘top’, while Ashkenas (2015) wrote
in support of the executive sponsorship; this drives the perception across an organization
regarding the importance of any activity and/or message relating to the sponsored project.
Continued and visible executive support in various forums (e.g. their personal participation,
periodic announcements regarding achieving milestones, rewards, etc.) will help ensure that all
participants take the project seriously, managers do not hesitate in committing their resources,
and management holds itself and staff accountable towards the success of each deliverable as
well as the overall project. Also, if there is a vendor involved in a consultative capacity,
executive management’s presence keeps the vendor on its toes while making sure that they
produce quality deliverable(s) within an agreed upon budget and time-frame.
Executive sponsorship also helps achieve clear and effective communication with all
those involved (Levy, 2012). Defining a clear scope, specific budget, firm timelines and rewards
associated with successful project completion will bolster support for the executive sponsor
within the workgroup. It is important to note that executive sponsor should only engage

departments that fall directly under his/her direct sphere of influence to obtain resources. Their
reliance on resources from business units/entities that are outside of their control may not yield
equally effective results. In reality, due to competing priorities, managers are reluctant to commit
resources when there is no direct chain of command. Furthermore, resources themselves may not
deliver as efficiently due to a lack of direct accountability and lack of clarity around the ‘ask’.
While presenting a strong case in support of executive sponsorship, Ashkenas (2015)
highlights the pitfalls of executive sponsorship if not executed correctly, “Unfortunately, many
senior executives often aren’t sure what it means to be a ‘sponsor’, and how they’re supposed to
truly enhance project outcomes. When the responsibilities and expectations are unclear, the role
becomes either a meaningless designation or creates dysfunction.” In order to manage these
challenges, Ashkenas (2015) provides recommendations, “ … before launching a new project,
the sponsor and the project leader should meet to set, clarify, and align expectations … and the
sponsor and the project leader have to be realistic about how much time and effort will be
required from the executive level.”
While executive sponsorship is a must-have, the delegation of this sponsorship at a local
level (e.g. local Business Unit Champion) does wonders. Though, this local sponsor should be at
the management level with a good amount of influence within the department/BU. Executive
sponsors can leverage this vital channel as a tool of delegation to achieve their objectives at the
grassroots level to maintain their presence, visibility, and involvement in processes where they
practically cannot get involved. It is important to note that not all tasks should be delegated by
the executive sponsor. For instance, Berube (2011) stated that delegation of communication of
vision, formation of partnerships, ownership, and creation of change strategy, cannot and should
not be delegated. A fact further echoed by Ashkenas and Khan (2014) also highlights the

importance of confronting resistance to manage change, and not reinforce the dynamics of an M-
I-A (missing in action) executive sponsor by taking the path of least resistance.
Change management
Implementing any major initiative warrants change within an organization. ISMS
implementation falls under this category, requiring and triggering a major transformational
change in order to transition people, process, and technology to a desired future state.
Organizations leverage change management (an art aided by science) in an integrated manner
with user buy-in, without which projects are doomed for failure!
According to Berube (2011), “Creating transformational change within an organization is
all about people. We do not change people; people change themselves. In essence, real change
occurs from the inside out. You can neither delegate nor “command and control” your way
through a major transformation. People must be led!”
Effective change management is greatly shaped by the quality of executive sponsorship,
managing resistance, clear articulation of strategy, goals, objectives, and structured definition of
procedures to implement this organizational change. It is critical that any change management
initiative is supplemented by a robust change management request system; as often, this is the
only vehicle for employees/users to communicate their feedback and concerns to process owners
and management. This feedback system is intended to implement corrective action, improve
processes, while eliminating redundancies and duplications (Prosci, 2014).
A well-coordinated centralized change management request system also enables faster
turnaround time for change management requests, and will greatly assist with the overall change
management effort, keeping the users motivated with a sense of involvement, as well as enabling

management to focus on other pressing concerns and priorities in managing change, instead of
managing user-resistance (Calder, 2013, pp. 27-28).
Future research
Not having standard evaluation criteria can be attributed to the evolutionary nature of the
information security paradigm, and stakeholders’ lack of willingness to cooperate amongst
themselves. However, Rannenberg (1993) argues in favor of standardization of evaluation
criteria and associated modalities, while coming up with guidelines around interpretation of
security concepts by practitioners in order to establish a common denominator and establish a
mutually agreed-upon baseline. It is important to realize that some organizations and industries
will continue to face challenges owing to their unique requirements, and will probably be well-
served by custom evaluation criteria. Future research is required to:
 Design evaluation systems that are comprehensive, and integrated to perform real-time
comparisons. This lack of standard objective evaluation criteria is noted both in established
ISMS standards and hybrid formations. The following two certifications structures were
noted to have a notable sphere of influence, albeit regional in nature.
First structure is Common Criteria with emphasis on technical security and
adopted in 25 countries globally. The second structure is IT Security Evaluation Criteria
with emphasis on managerial security and is mostly used in European countries (ISMS,
2015). The two aforementioned structures support the evaluation of ISMS standards,
however, their scope is contained and very much remain regional in nature.
Organizations interested in protecting the confidentiality, integrity, and
availability of their data either engage consulting firms to provide them with turnkey
solutions, or the more ambitious ones attempt to develop in-house proprietary solutions by

leveraging tools, templates, guidelines, standard frameworks, and best practices. In either
case, the organization may elect to get certified against an established standard, or cherry-
pick best practices to design and implement a hybrid solution, suiting their environment
and needs.
 Determine the possibility of amalgamating best practices from established standards,
creating one uniform ISMS standard, flexible enough to compensate for regional and
industrial variations (Von Solms, 1996, p. 281). Often, these standards are generic in scope,
and consequently, do not address the differences between varying security requirements of
different organizations (Siponen & Wilson, 2009). Siponen and Wilson also noted that,
“the guidelines [in these standards] were validated by appeal to common practice and
authority and that this was not a sound basis for important international information
security guidelines (p. 267)”. Siponen and Willison concluded that, “information security
management guidelines should be seen as a library of material on information security
management for practitioners (p. 267)”. This further reinforces the need to develop a
standard information security management system is evident, as information security
practitioners are inundated with a plethora of established standards that vary by industry
and geography.
After conducting an extensive literature review to obtain necessary background
information, a methodology is designed (next section) to examine and analyze each standard in
detail in a consistent manner.
Research Design

This section aims to describe the analysis applied to all three standards being compared.
This analysis will be performed as per the methodology developed to deduce some conclusive
results.
Analysis
Various literary sources were reviewed and analyzed to develop a comparison of the
three in-scope standards being compared (see Comparative Analysis section). Then a detailed
qualitative comparative analysis of each ISMS being compared was documented including the
following:
 Features
 Model efficacy
 Model structure
 Capabilities
 Limitations
 Global adoption indicators
 Industries where they are often used
 Advantages & disadvantages
 Similarities & differences
Aforementioned comparative analysis was inspired by CISSP domains and critical
information security areas (Bharani & Shukla, 2013), and is documented in the Comparative
Analysis [emphasis added] section.
Methodology

The following methodology was used for detailed comparative analysis of each standard.
This methodology enabled us to analyze all three in-scope ISMS standards with a consistent
approach.
1. Included relevant literature to illustrate how methodology is defined.
2. For each ISMS, identified in-scope items.
3. Developed taxonomy of in-scope items for further examination.
4. Performed detailed examination of each in-scope item, documenting observations.
5. Documented advantages and disadvantages for each ISMS
6. Documented similarities and differences for each ISMS
7. Tabulated the results of observations
8. Performed qualitative comparative analysis of the tabulated observations
9. Deduced and summarized conclusions that supported the following research questions:
(a) Which key drivers motivate organizations to choose and implement an established
ISMS standard, and
(b) Why some organizations choose to adopt a hybrid ISMS approach, in lieu?
10. Proposed recommendations for future research and opportunities for improvements vis-à-
vis the evaluation criteria when choosing an ISMS and the ISMS framework itself.
The next section is devoted to documenting the results of detailed examination of each
ISMS, and subsequent analysis of the observations obtained.
Information Security Management System (ISMS) Standards
An information security management system (ISMS) is a set of policies concerned with
information security management or IT related risks. The governing principle behind ISMS is
that an organization should design, implement and maintain a coherent set of policies, processes

and systems to manage risks to its information assets, thus ensuring acceptable levels of
information security risk (ISMS, 2015).
Following sub-sections describe the three in-scope ISMS standards in detail including
sponsoring organizations, model/frameworks, global adoption trends, advantages, disadvantages,
shortcomings, anomalies, risk management approaches, and suitability of each ISMS standard in
regard to their applications in various organizations and industries.
International Standard Organization 27001 (ISO27001:2013)
ISO27001 is an industry standard that belongs to a family of ISO27000 series standards
that helps keep information assets secure. The main focus of this standard is on information
security management and the objective of the standard is to aid in establishing, implementing,
maintaining, and continuously improving an information security management system (ISMS) in
an organization (Susanto, Almunawar, Tuan, 2011, p. 22). Certification to ISO27001 is possible
but not obligatory. Some organizations choose to implement the standard in order to benefit from
the best practices it contains while others decide in favor of full certification to reassure
customers and clients regarding their data security. ISO does not perform certification (ISO,
2015); organizations normally engage external vendors or their internal staff, to facilitate
certification against ISO27001 standard. Once an organization has met standard requirements,
they may apply to get official certification issued by an independent and accredited certification
body, subject to successful completion of a formal audit process (ISO/IEC 27001:2013, 2015).
ISO27001 has evolved from its initial form, and today it comprises of 14 groups with 114
controls, as shown in Table 1.
It is to be noted that ISO27001-based information security management system is
implemented in conjunction with ISO27003 and ISO27005 standards. ISO27003 guides the

design of an ISO27001-compliant ISMS, leading up to the initiation of a full-fledged ISMS
implementation. Whereas, ISO27005 provided guidelines for information security risk
management within an organization, and hence supporting implementation of information
security based on risk management approach (ISO/IEC 27005, 2011).
Table 1
ISO27001 Groups & Controls
In the case where an organization opts for a full-fledged certification, a structured
approach needs to be followed, including planning, development of tools and artifacts, and
finally the certification, as shown in Figure 1 below.
This elaborate undertaking of full-fledged certification requires securing executive
sponsorship, defining roles and responsibilities, defining scope, developing and implementing
security policy, conducting risk assessment, designing and implementing internal controls, as
well as developing risk management plans. After completing the aforementioned, the
organization undergoes a formal audit process. Once successfully completed, they can apply for
official certification, which is issued by an independent and accredited certification body.

Figure 1. ISO27001 certification life cycle
ISO27001 requires the implementation of metrics to gauge level of effectiveness, and
leverages Deming’s cyclic model of “Plan-Do-Check-Act” (PDCA) in order to continually
improve processes by identifying opportunities for improvement, and then addressing them by
implementing corrective actions (Susanto et al., 2011). In addition, it requires both internal and
external assurance activities around its processes on a periodic basis to ensure currency and
controls’ operational effectiveness (Faridi, 2014b). Figure 2 shows the number of ISO27001
certifications globally. It is evident that East Asia & Pacific, Europe and Central & South Asia
regions have a higher number of organizations certified against ISO27001 than other regions,
whereas, the number of organizations obtaining certification in North America are very few.

Figure 2. Number of ISO27001 certificates issued globally
(Source: http://www.iso27001security.com/ html/27001.html)
However, it is also noted that since 2006 there is a rising year-over-year trend amongst
North American organizations to obtain ISO27001 certification. Since 2009, there has been a
22% increase (on average) in the number of organizations that have obtaining ISO27001
certification. This rising trend (i.e. +7%) in also mirrored in the increased number of global
certifications issued until 2014 (ISO, 2014). The associated advantages (BSI, 2015) and
disadvantages (Abu Talib, Barachi, Alhosn, & Ormandjieva, 2012; Cooper, 2015) of the
ISO27001 standard are listed below:
Advantages
 Improved protection
o Supports compliance with relevant laws and regulations
o Reduces likelihood of facing prosecution and fines
o Protects organizational reputation
o Reduce third party scrutiny of organizational information security requirements
 Improved operational effectiveness
o Cost savings through reduction in security incidents

o Improves ability to recover operations and continue business as usual
o Shows commitment to information security at all levels in an organization
 Increased competitive advantage
o Can help gain status as a preferred supplier
o Provides reassurance to clients that their information is secure
o Demonstrates credibility and trust
o Confidence in organization’s information security arrangements
o Meet customer and tender requirements
 Proactive risk management (Faridi, 2014a; Faridi, 2015b)
o Better visibility of risks amongst interested stakeholders
o Risk taxonomy helps align and manage risks effectively
o Improved information security awareness (Faridi, 2015a)
o Reduces staff-related security breaches
Disadvantages
 Loss of objectivity: Organization vying for certification specify their own requirements
(against which they certify), and design their own controls. This takes the objectivity out
of the process.
 Disclosure requirement: Organizations are not required to declare the result (whether
failed or successful) of their certification attempt(s) in public domain.
 Undefined Scope: The scope of certification is not specified. It can include an entire
organization or a specific business unit within that organization. Organizations are not
required to disclose this explicitly, hence, it may mislead interested parties to believe that
entire organization is certified, whereas, that may not be the case.

 Misaligned expectations: While ISO27001 can obviously give business-to-business
relationships a competitive advantage, it is unlikely to influence business-to-consumer
relationships.
 Misconception around process: Organizations can continue to use standard’s best
practices without seeking full certification. This is due to the misconception that full-
fledged certification may be too onerous and challenging, whereas (in many cases), they
can easily certify by adding some more documentation to their current process. However,
that is not possible in all cases, and a substantial investment may be required long-term.
 Misconception around cost: Many organizations consider ISO27001 as an expensive
standard to adhere to. In fact, registering and maintenance of ISO27001 costs less than
$100/month! However, the operational cost is substantially increased if an organizational
environment hosts complex technology which may require highly skilled staff to
maintain and perhaps more than usual documentation.
Risk Management
ISO27001 standard is implemented in conjunction with ISO/IEC 27005 standard, which
supports the general concepts specified in ISO/IEC 27001 and is designed to assist the
satisfactory implementation of information security based on a risk management approach
(ISO/IEC 27005, 2011; Appendix H).
ISO27001 has proved to be an effective ISMS standard for protecting organizational
information, however, when it comes to securing information where credit card transactions are
involved, there is one agreed-upon standard, which is the topic of the next section.
Payment Card Industry Data Security Standard (PCI DSS 3.0)

The PCI Security Standards Council offers robust and comprehensive standard, best
practices, and supporting materials to enhance payment card data security. These materials
include a framework of specifications, tools, measurements and support resources to help
organizations ensure the safe handling of cardholder information at every step. The focus of PCI
DSS is on information security relating to business transactions and smartcard use. PCI Data
Security Standard (PCI DSS 3.0) provides an actionable framework for developing a robust
payment card data security process, including prevention, detection, and appropriate reaction to
security incidents. The standard establishes 12 requirements (Figure 3) for any business that
stores, processes or transmits payment cardholder data. It is worth noting that PCI DSS is a
proprietary information security standard for organizations that handle branded credit cards
[emphasis added] from the major card schemes including Visa, MasterCard, American Express,
Discover, JCB, and China UnionPay. Private label cards – those which aren’t part of a major
card scheme – are not included in the scope of the PCI DSS (Payment Card, 2015).
Figure 3. PCI DSS Goals and Requirements
(Source: http:// www.pcisecuritystandards.org)
These requirements specify the framework for a secure payments environment; for
purposes of PCI compliance, the three-step continuous compliance process is show in Figure3a,
as follows:

Figure 3a. Continuous compliance process
Carrying out these three steps is an ongoing process for continuous compliance (Figure
3a) with the PCI DSS requirements. These steps also enable vigilant assurance of payment card
data safety (PCI, 2015; Appendices G & K). Merchants and other entities that store, process
and/or transmit cardholder data must comply with PCI DSS. Depending on an entity’s
classification or risk level (determined by the individual payment card brands), compliance
implementation processes for validating compliance and reporting to acquiring financial
institutions is illustrated in Figure 4.
Figure 4. PCI DSS Implementation Life Cycle
(Source: http:// www.pcisecuritystandards.org)
Even though PCI DSS framework requires continuous compliance, it does not have a
built-in continuous improvement process in the model. This essential process is required to keep

the framework relevant and up-to-date. Figure 5 shows a proposed continuous process
improvement model that organizations can integrate into the PCI DSS framework. This model
highlights process improvement continuum (green arrow) which helps organizations using PCI
DSS framework to improve their processes and reestablish their baseline, in addition to continue
with continuous compliance monitoring (see Appendix A).
Figure 5. Proposed model for continuous process improvement (PCI DSS)
The associated advantages and disadvantages of PCI DSS standard are listed below
(Payment Card, 2015):
Advantages
 Flexible framework: PCI Standard is a combination of specific and high-level concepts.
This affords organizations the opportunity and flexibility to work with a Qualified
Security Assessor (QSA) to determine appropriate security controls that are applicable to
their environment, with the intent of meeting PCI standard.

 Compensating controls: In case of an exception, compensating controls may be
considered for most PCI DSS requirements when an entity cannot meet a requirement
explicitly as stated, due to legitimate technical or documented business constraints, but
has sufficiently mitigated the risk associated with the requirement through
implementation of compensating controls (Beissel, 2014). In order for a compensating
control to be considered valid, it must be reviewed by a Qualified Security Assessor
(QSA). The effectiveness of a compensating control is dependent on the specifics of the
environment in which the control is implemented, the surrounding security controls, and
the configuration of the control. Entities should be aware that a particular compensating
control will not be effective in all environments (PCI, 2015, p. 24; Appendix B).
Disadvantages
 Cost: Requirements are costly to implement, as they require internal resources, as well as
a Qualified Security Assessor (QSA).
 Complexity: Requirements are complex. The PCI DSS standard is often advertised as
having 12 requirements, whereas, there are over 220 sub-requirements that add to its
complexity when it comes to planning, scoping, implementation, continuous compliance,
etc.
 Ambiguity: Some PCI DSS high level requirements are ambiguous requiring additional
guidelines for the practitioners. Silverstone (2009) eloquently captured this issue noting
that the following are not well-defined in the model:
 What exactly needs to be protected (“what ARE cryptographic keys?

 Which are appropriate to use while protecting cardholder data?”) to clarify the
intent of Section 3.5 requirement (Protect cryptographic keys used for encryption
of cardholder data against both disclosure and misuse).
 “What defines strong? Is AES strong? Is a-b cipher?
 What is even LEGAL to use?”) to clarify the ambiguity around Section 3.6
(Generation of strong cryptographic keys.)
 Subjective interpretation: PCI Standard is a combination of specific and high-level
concepts. This aspect requires skilled personnel to interpret, design, and implement
controls, which may or may not meet the original intent of the management.
 Lack of continuous process improvement: The continuous compliance aspect is built-in
to the PCI DSS model; however, the continuous process improvement aspect is missing.
This critical aspect helps address identified deficiencies via corrective actions, and to
implement opportunities for improvement.
 Ineffective compliance validation criteria: Compliance validation criteria are purely
dictated by the number of credit card transactions (VISA, 2015), which results in the
assignment of a merchant level, the level of rigor, depth, and frequency required for
compliance. Figure 6 illustrates VISA’s definition of merchant levels, number of annual
Figure 6. VISA’s PCI DSS Merchant Level Definition
(Source: http://www.visa.ca/merchant/security/account-information-security/merchant-levels.jsp)

transactions, compliance validation requirements, and how this validation is performed.
Since the level of scrutiny is dictated by the number of transactions, merchants with
lesser number of transactions may be at risk (or even with their systems compromised)
but will never be subjected to the rigor associated with merchants belonging to levels 1
and 2, resulting in sustained and prolonged exposure going absolutely unnoticed
(Appendices I & J).
Risk Management
PCI DSS Requirement 12.1.2 includes an annual process that identifies threats, and
vulnerabilities, and results in a formal risk assessment (PCI SSC, 2012, p. 3) via following
testing procedures:
(a) 12.1.2.a – Verify that an annual risk assessment process is documented that identifies
threats, vulnerabilities, and results in a formal risk assessment, and
(b) 12.1.2.b – Review risk assessment documentation to verify that the risk assessment
process is performed at least annually, impact the security of cardholder data.
Despite its shortcomings, this agreed-upon standard is a step forward, in the right
direction. PCI DSS standard remains best suited for organizations that perform credit
card transactions. COBIT is another popular industry standard used by a variety of
industries to safeguard their information assets, and is discussed in the next section.
Control Objectives for Information and Related Technology (COBIT) 5 for Security
COBIT is a comprehensive IT governance framework for management to operate at high
level. It is designed for management, senior IT professionals and auditors with an aim to bridge
the gap between business control models and IT control models. COBIT is comprised of a
globally accepted set of tools which have Business-IT alignment focused controls as opposed to

the purely IT focused controls of ISO27000 series. It is used by executives and IT professionals
to ensure that IT operations are aligned with business goals and objectives (Zhang & Le Fever,
2013). COBIT 5 was developed by consolidating and integrating the COBIT 4.1, Val IT (a
collection of management practices and techniques for evaluating and managing investment in
business change and innovation), and Risk IT (a framework launched by ISACA aiming to
integrate the management of IT risk into the overall Enterprise Risk Management) into one
single business framework (COBIT, 2012b). COBIT 5 for Security is one of the components of
COBIT 5 which provides an extended view of COBIT, explaining each component from
information security perspective. It aims to be an umbrella framework to connect to other
information security frameworks, good practices and standards. COBIT presents IT activities in
a hierarchical structure from the highest domain level to IT processes and to the lowest level of
IT activities. This is achieved by defining five key principles (Figure 7) which are further defined
by Enterprise Enablers (Figure 8).
Figure 7. COBIT 5 Principles
(Source: http://www.isaca.org/COBIT/Documents/cobit-5-for-information-security-laminate_res_eng_0612.pdf)

Figure 8. COBIT 5 Enterprise Enablers
COBIT requires the definition and implementation of metrics to gauge the level of
effectiveness in addition to continuous process improvements (Figure 7). COBIT controls are
tested by both internal and external auditors on a periodic basis to ensure currency and controls’
operational effectiveness. COBIT can also be implemented (Figure 9) in conjunction
(Sheikhpour & Modiri, 2012) with ISO27001 (Mataracioglu & Ozkan, 2011; Appendix C), to
provide additional coverage, and to better align business and IT objectives (Olzak, 2013).
Figure 9. COBIT 5 Implementation Life Cycle

According to Institute of Internal Auditors (IIA), COBIT is the most commonly used
framework by publicly traded companies in the United States. These public companies are
required to maintain compliance with the Sarbanes-Oxley Act of 2002, and COBIT is able to
deliver on that requirement (COBIT, 2015). The associated advantages (Seeburn, 2012) and
disadvantages (Zhang et. al, 2013) of COBIT 5 for Security standard are listed below:
Advantages
 Improved user experience
o Increased user satisfaction with information security arrangements and outcomes
o Improved management of costs related to the information security function
o Better understanding of information security
o Value optimization – Helps enterprises create optimal value from IT by maintaining a
balance between realizing benefits and optimizing risk levels and resource use.
o With the overall ISMS in place, controls and supporting education programs can be
added at a rate that the business can absorb (Frisken, 2015).
 Improved operational effectiveness
o Improved prevention, detection and recovery (Appendix F)
o Improved integration of information security in the enterprise
o Universal appeal – The COBIT 5 principles and enablers are generic and useful for
enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
o Centralized delivery – COBIT 5 enables information and related technology to be
governed and managed in a holistic manner for the entire enterprise, taking in the full
end-to-end business and functional areas of responsibility, considering the IT-related
interests of internal and external stakeholders.

 Increased competitive advantage
o Reduced impact of security incidents
o Enhanced support for innovation and competitiveness
o Reduced complexity and increased cost-effectiveness due to improved and easier
integration of information security standards.
o Greater visibility with Board of Directors (ISACA, 2015a)
 Effective risk management
o Informed risk decisions and risk awareness (ISACA, 2015a)
o COBIT employs a top-down approach to designing the IT governance initiatives,
allowing organizations to tackle the detailed controls embedment process in a
measured way and ensure that it is aligned to the risk appetite of the business
(Frisken, 2015).
o Serves as ‘middleware’ by helping bridging gap between Governance, IT, and
Assurance (Escoute, 2014).
Disadvantages
 Complexity: It is not easy to understand COBIT framework due to its technical nature,
depth, and scope of coverage.
 Generic nature: COBIT creates great difficulty for organizations to understand and use it.
Though in COBIT Management Guidelines and Implementation Guidelines it mentions
that COBIT needs to be customized to each specific environment, it does not provide
concrete methods or guidelines facilitating organizations to accomplish this.
 Intangible cost-benefit: In contrast to more mature IT standards like ISO27000 and ITIL,
the value of COBIT is hard to perceive. There are no proven statistics or studies

confirming its claimed advantages. Many executives agreed that even though it was
obvious that a COBIT program should be initiated, they preferred to focus on ITIL and
ISO27000, which had more significant values (Zhang & Le Fever, 2013). Organizations
are still dubious about COBIT and tend to go for detailed IT standards first to harvest the
low-hanging fruit. COBIT, if it is being considered at all, is more likely to come at a later
stage.
Risk Management
COBIT 5 for Risk presents two perspectives on how to use COBIT 5 in a risk context, as
follows (COBIT, 2013, p. 9):
(a) The risk function perspective focuses on what is needed to build and sustain the risk
function within an enterprise, and
(b) The risk management perspective focuses on the core risk governance and management
processes of how to optimize risk and how to identify, analyze, respond to and report on
risk on a daily basis.
This concludes our detailed examination of the three in-scope ISMS standards. The next
section presents a detailed comparison of the three in-scope ISMS standards, based on our
detailed examination of each standard in the current section.
Comparative Analysis
This section presents a detailed comparative analysis of ISO27001, PCI DSS, and COBIT
standards, highlighting the pros and cons, similarities, and differences. Table 2 lists key features
required in any information security management system, and which are also being used as
benchmarks to compare the three in-scope standards. Each feature is complemented with a

descriptive phrase and a note to fully explain the extent of each feature’s applicability to each
corresponding ISMS standard.
Based on qualitative comparative analysis of ISMS features (Table 2) against each ISMS
standard, a list of common similarities (and also specific to each standard) between the three
ISMS standards is compiled, as shown in Figure 10.
Table 2
Comparative analysis of ISO27001, PCI DSS, and COBIT

Figure 10. Summary of similarities between the three in-scope standards
In addition to similarities, some common and specific differences are shown in Figure 11.
Figure 11. Summary of differences between the three in-scope standards

Based on our examination of each ISMS features, pros and cons, a 3D model (Figure 12)
was generated which is a pictorial representation of the in-scope ISMS standards. In this figure,
the time required to implement is represented on the x-axis, the overall cost/benefit ratio is
represented on the y-axis, and the overall complexity involved in implementing each standard is
represented on the z-axis. After performing the qualitative comparative analysis, the three ISMS
standards are plotted in their respective positions.
Figure 12. Representation of ISMS standards in a 3D model
Please note that the standards plotted in Figure 12 (above) are based on the overall
qualitative multivariate analysis, as presented in Table 3; this representation is only meant to
provide a general understanding, however the representation of ISMS standards in the context of
some other organization may vary depending on the unique variables and factors analyzed that
are specific to that organization.

Table 3
Result of multivariate analysis of the three in-scope ISMS Standards
Hence, organizational decision making is largely dictated by the unique sets of
challenges, specific situations, constraints, and perhaps opportunities that can be exploited to
arrive at a different conclusion than the one presented in Figure 12.
The next section summarizes the result of our research and observations noted for the
three standards, in addition to highlighting the industries for which each standard is most suited.
Conclusions
Choosing ISMS is not a ‘One Size Fits All’ approach. The unique organizational
environment, nature of business, timelines, mission criticality, etc. should all be considered when
choosing and implementing ISMS. Conclusions listed below address our research query, as to
which key drivers motivate organizations to choose and implement an established ISMS
standard, and why some organizations choose to adopt a hybrid ISMS approach, in lieu?
Figure 13 lists both common conclusions for the three ISMS standards analyzed, and
Figure 14 lists conclusions specific to each one of the three ISMS standards.
The immediate beneficiaries of this project are all interested stakeholders that are
performing due diligence and are in the process of either choosing to adopt either an established
ISMS standard (or a hybrid approach) for their organization, or choosing an approach that will
complement their current information security environment.
This work is also beneficial for information security practitioners and academics alike, as

Figure 13. List of conclusions common to ISMS standards
Figure 14. List of conclusions specific to ISMS standards
it presents an objective comparative analysis from scholastic viewpoint, which can be
incorporated in their research and professional deliverables. It also provides some ‘food for

thought’ for practitioners who may be contributing towards initiatives to develop uniform
evaluation criteria for ISMS standards, and development of a global ISMS framework (Faridi,
2015e; Appendix L).
Recommendations
This section summarizes practical points for executive management’s consideration
during feasibility, planning, design, implementation, and post-implementation phases of
implementing an ISMS. The recommendations are listed in Figure 15, including areas that
warrant future research.
Figure 15. List of recommendations

Keeping the dynamic nature of information security paradigm, all stakeholders (i.e. users,
developers, administrators, management, etc.) must play an active role ensuring a ‘front-foot’
posture when it comes to integrating and implementing ISMS frameworks and solutions based
on these frameworks. Moreover, the most important element is the ‘human’ element, which is
encouraged by active executive sponsorship activities and sustained by a robust change
management system (Faridi, 2015d).
Lastly, regardless of the fact if an organization chooses to adopt established ISMS
standard or a hybrid approach, the final information security solution is always a challenge to
manage effectively. This challenge can be efficiently managed by considering the many
modalities and challenges holistically during the due diligence phase, and spending sufficient
amount of time and effort on the performance of risk management activities from the very onset
of such projects, and then on an ongoing basis, thereafter.

References
Abu Talib, M., El Barachi, M., Alhosn, A-K., Ormandjieva, O. (2012). Guide to ISO27001:
UAE case study. Issues in Informing Science and Information Technology, 7, 331-347.
Adi, K., Khamadja, S., Kamel, A. (2013). Designing flexible access controls models for the
cloud. University of Ottawa [unpublished manuscript]. Retrieved from
https://www.site.uottawa.ca/~luigi/papers/13_SIN.pdf
Al-Ahmad, W. & Mohammad, B. (2012). Can a single security framework address information
security risks adequately? International Journal of Digital Information and Wireless
Communications, 2(3), 222-230. Retrieved from http://sdiwc.us/digitlib/
journal_paper.php?paper=00000323.pdf
Almutairi, A., Aref, W., Basalamah, S., Ghafoor, A., Sarfraz, M. (2012). A distributed access
control architecture for cloud computing. InfoQ. Retrieved from
http://www.infoq.com/articles/distributed-access-control-architecture-for-cloud-
computing
Alvares, S. (2015). Executive sponsorship: The secret weapon of change. PCU3ED. Retrieved
from http://www.pcubed.com/bulletins/executive-sponsorship-secret-weapon-change
Ashford, W. (February 13, 2015). Data breaches up by 49% in 2014. ComputerWeekly.com.
Retrieved from http://www.computerweekly.com/news/2240240346/Data-breaches
-up-49-in-2014-exposing-more-than-a-billion-records
Ashkenas, R. (May 18, 2015). How to be an effective executive sponsor. Harvard Business
Review. Retrieved from https://hbr.org/2015/05/how-to-be-an-effective-executive-
sponsor

Ashkenas, R. & Khan, R. (May 30, 2014). You can’t delegate change management. Harvard
Business Review. Retrieved from https://hbr.org/2014/05/you-cant-delegate-change-
management
Averson, P. (1998). The Deming cycle. Balanced Scorecard Institute. Retrieved from
https://balancedscorecard.org/Resources/Articles-White-Papers/The-Deming-Cycle
Bharani, A., & Shukla, R. R. (2013). An analysis of major information security management
system standards. Pioneer Journal, 1, 109-114. Retrieved from
http://www.pioneerjournal.in/files.php?force&file=Conference/An_Analysis_of_Major_I
nformation_Security_Management_System_Standards_126701474.pdf
Beissel, S. (2014). Supporting PCI DSS 3.0 compliance with COBIT 5. COBIT Focus, 14, 1-7.
Retrieved from http://www.isaca.org/Knowledge-Center/cobit/cobit-focus/Pages/COBIT-
Focus-Volume-1-January-2014.aspx
Berube, D. (November, 2011). Change management: Some things can’t be delegated. Life Cycle
Engineering. Retrieved from http://www.lce.com/Change_Management_Some_Things
_Cant_Be_Delegated_385-item.html
Brosseau, K., (2010). What's the difference between business continuity planning and disaster
recovery? EzeCastle Integration. Retrieved from http://www.eci.com/blog/11-whats-the-
difference-between-business-continuity-planning-and-disaster-recovery.html
BSI. (2015). Features and benefits of ISO/IEC 27001. British Standards Institute. Retrieved from
http://www.bsigroup.com/ LocalFiles/en-GB/iso-iec-27001/resources/BSI-
ISOIEC27001-Features-and-Benefits-UK-EN.pdf
Buffer Overflow. (2014). In Wikipedia. Retrieved from http://en.wikipedia.org/
wiki/Buffer_overflow
Calder, A. (2005). The case for ISO 27001. UK: IT Governance Publishing. 2nd
Edition. UK:

IT Governance Publishing.
Calder, A. & Watkins, S. (2006). International IT governance: An executive guide to ISO 17799
/ ISO 27001, UK: Kogan Page.
Calder, A. (2013). Nine steps to success: An ISO27001: 2013 implementation overview, 2nd
Edition, UK: IT Governance Publishing.
Cloud computing. (2014). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/
Cloud_computing
COBIT. (2013). COBIT for Risk. Retrieved from http://www.isaca.org/COBIT/Documents/
COBIT-5-for-Risk-Preview_res_eng_0913.pdf
COBIT. (2015, September 1). In Wikipedia. Retrieved from https://en.wikipedia.org/wiki/
COBIT
Cooper, N. (2012, June 16). Top 5 weaknesses of ISO27001 ) [Blog post]. Retrieved from
https://nathancooperblogs.wordpress.com/2012/06/16/top-5-weaknesses-of-iso27001/
Data Surer. (2015). 8 most common reasons for a data breach. [Blog] Retrieved from
http://www.datasurer.com/8-common-reasons-of-data-breach/
Disk encryption. (2014). In Wikipedia. Retrieved from http://en.wikipedia.org/
wiki/Disk_encryption
Escoute. (2014, June 16). Why am I a huge fan of COBIT? [Blog post]. Retrieved from
http://www.escoute.com/2014/06/16/why-am-i-a-huge-fan-of-cobit/
Faridi, M. (2014a). Improving organizational risk management practice. Fort Hays State
University, KS, USA. Retrieved from https://ca.linkedin.com/in/faridi
Faridi, M. (2014b). Auditing organizational information assurance governance practices. Fort
Hays State University, KS,USA. Retrieved from https://ca.linkedin.com/in/faridi
Faridi, M. (2015a, May 28). Improving effectiveness of information security awareness

programs [Blog Post]. Retrieved from https://ca.linkedin.com/in/faridi
Faridi, M. (2015b, June 11). The top 10 don'ts for effective risk management [Blog Post].
Retrieved from https://ca.linkedin.com/in/faridi
Faridi, M. (2015c, October 5). 10 best practices to pass identity and access management (IAM)
Audit! [Blog Post]. Retrieved from https://ca.linkedin.com/in/faridi
Faridi, M. (2015d, October 13). Change management: An art (aided by science) [Blog Post].
Retrieved from https://ca.linkedin.com/in/faridi
Faridi, M. (2015e). International standards to regulate aggressive cyber behaviour from a
foreign state. Fort Hays State University, KS, USA. Retrieved from
https://ca.linkedin.com/in/faridi
Full-disk encryption. (2012). In WhatIs.com. Retrieved from http://whatis.techtarget.com
/definition/full-disk-encryption-FDE
Federal Financial Institutions Examination Council. (2006). Interagency statement on pandemic
planning. Retrieved from http://www.ffiec.gov/press/pandemicguidance.pdf
Fenz, S., & Ekelhart, A. (March/April, 2011). Verification, validation, and evaluation in
information security risk management, IEEE Security & Privacy, 9(2), 58-65.
doi:10.1109/MSP.2010.117
Frisken, J. (2015). Leveraging COBIT to implement information security. COBIT Focus.
Retrieved from http://www.isaca.org/COBIT/.../leveraging-cobit-to-implement-
information-security-part-2.pdf
Gikas, C. (2010). Information systems security: A general comparison of FISMA, HIPAA, ISO
27000 and PCI-DSS standards. Retrieved from https://www.catapulttechnology.com/pdf/
Insights_Files/white_papers/Information_Security_White_Paper.pdf

Gregory, P. (2010). CISSP guide to security essentials. Boston, MA, USA: Cengage Learning.
Hardekopf, B. (January 13, 2014). The big data breaches of 2014. Forbes.com. Retrieved from
http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of
-2014/
HMSO. (1991). Information technology security evaluation criteria (ITSEC). Retrieved from
https://www.bsi.bund.de/cae/servlet/contentblob/471346/publicationFile/ 30220/ itsec-
en_pdf.pdf
How full disk encryption works. (2014). Spam laws. Retrieved from http://www.spamlaws.com/
how-full-diskencryption-works.html
IMPACT. (2015). Mission and vision. Retrieved from http://www.impact-alliance.org/
aboutus/mission-&-vision.html
ISACA. (2012a). COBIT 5 for information security. Retrieved from http://www.isaca
org/COBIT/Documents/COBIT-5-for-Information-Security-Introduction.pdf
ISACA. (2012b). COBIT document. Retrieved from http://www.isaca.org/COBIT/
Documents/Compare-with-4.1.pdf
ISACA. (2015a). COBIT 5 global impact. Retrieved from http://www.isaca.org/COBIT/
Documents/COBIT-5-Infographic_res_Eng_0914.jpg
ISACA. (2015b). COBIT 5 for information security introduction – ISACA. Retrieved from
http://www.isaca.org/COBIT/Documents/cobit-5-for-information-security
-laminate_res_eng_0612.pdf
ISMS. (2015, September 16). In Wikipedia. Retrieved from https://en.wikipedia.org/wiki/
Information_security_management_system
ISO. (2014). The ISO survey of management system standard certifications – 2014. Retrieved

from www.iso.org/iso/iso_survey_executive-summary.pdf?v2014
ISO. (2015). ISO/IEC 27001 – Information security management. Retrieved from
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
ISO/IEC 27001:2013. (2015, July 31). In Wikipedia. Retrieved from
https://en.wikipedia.org/wiki/ISO/IEC_27001:2013
ISO/IEC 27005. (2011). ISO/IEC 27001:2013 information technology — Security techniques.
Retrieved from http://www.iso27001security.com/html/27001.html
IT Governance Ltd. (February 2013). Information security & ISO 27001. Retrieved from
www.itgovernance.co.uk/files/Infosec_101v1.1.pdf
Karig, D., Lee, R., (2001). Remote denial of service attacks and countermeasures. Published
manuscript. Princeton University, NJ, USA. Retrieved from http://www.princeton.edu/
~rblee/ELE572Papers/karig01DoS.pdf?q=tilde/rblee/ELE572Papers/karig01DoS.pdf
Kesan, J., Hayes, C. (2014). Creating a 'Circle of Trust' to further digital privacy and
cybersecurity goals. University of Illinois College of Law. Retrieved from
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2135618
Landoll, D. (2006). The security risk assessment handbook (1st
ed.). Boca Raton, FL: CRC Press.
Lepofsky, R. (2014). The manager’s guide to web application security: A concise guide to the
weaker side of the web. USA: apress.
Levy, E. (November 28, 2012). Role of an executive sponsor. Inside IT. Retrieved from
https://evanjlevy.wordpress.com/2012/11/28/role-of-an-executive-sponsor/
Lewis, D. (2014, August 28). Dairy queen data breached with sprinkles. Forbes, Retrieved
From http://www.forbes.com/sites/davelewis/2014/08/28/dairy-queen-data-breached-
with-sprinkles/

Lumension. (May 2011). Best practice guide to reducing your threat exposure. Retrieved from
https://www.lumension.com/Resources/Free-Content/Best-Practice-Guide-to-Reducing-
Threat-Exposure.aspx?rpLeadSourceId=688
Mataracioglu, T. & Ozkan, S. (2011). Governing Information Security in conjunction with
COBIT and ISO 27001. International Journal of Computer Science & Information
Technology, 3(3), 288-293. Doi: 10.5121/ijcsit.2011.3321
Maynard, S., Ahmad, A., Shanks, G., & Webb, J. (2014a). Information security risk
management: An Intelligence-driven approach. Australasian Journal of Information
Systems, 18(3), 390-404. Doi:10.3127/ajis.v18i3.1096
Maynard, S., Ahmad, A., Shanks, G., & Webb, J. (2014b). A situation awareness model for
information security. Journal of Computers & Security, 18, 1-15.
Doi:10.1016/j.cose.2014.04.005
Most cybersecurity incidents in Europe remain undetected or not reported. (2012, Aug 29).
Homeland Security News Wire. Retrieved from http://www.homelandsecurit
ynewswire.com/dr20120829-most-cybersecurity-incidents-in-europe-remain-undetected-
or-not-reported
NIST. (2012). Guide for conducting risk assessments (NIST Special publication 800-300
Revision 1). Gaithersburg, MD: U.S. Department of Commerce.
Noble, T. (September 3, 1987). Most computer crime is not reported. The Age, p. 213. Retrieved
from http://news.google.com/newspapers?nid=1300&dat= 19870903&id
=3zwpAAAAIBAJ&sjid=_JIDAAAAIBAJ&pg=5405,1578070

Olzak, T. (2013, September 4). COBIT 5 for information security: The underlying principles
[Blog Post]. TechRepublic. Retrieved from http://www.techrepublic.com/blog/it-
security/cobit-5-for-information-security-the-underlying-principles/
Open Security Foundation. (2014). Data loss statistics [Data file]. Retrieved from
http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=current_year
Papadaki, K., & Polemi, D., (2007, October). Towards a systematic approach for improving
information security risk management methods. Paper presented at The 18th
Annual IEEE
International Symposium on Personal, Indoor and Mobile Communications (PIMRC’07).
Athens, Greece. Doi:10.1109/PIMRC.2007.4394150
Payment Card Industry Data Security Standard . (2014). In Wikipedia. Retrieved from
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
Payment Card Industry Data Security Standard. (2015, September 20). In Wikipedia. Retrieved
from https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
Perales, R., Correa, S. (March 13, 2014). The strategic industry conversation: Unity of effort in
action. Homeland Security.com. Retrieved from
http://www.dhs.gov/blog/2015/03/13/strategic-industry-conversation-unity-effort-action#
PCI. (2015). PCI DSS data Security standards overview. Retrieved from
https://www.pcisecuritystandards.org/security_standards/index.php
PCI SSC. (2012, November). Information supplement: PCI DSS risk assessment guidelines.
Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_
Guidelines_v1.pdf
Prosci (2014). Change management: The systems and tools for managing change. Retrieved
from http://www.change-management.com/tutorial-change-process-detailed.htm

Rannenberg, K. (1993, August 12-17). Recent development in information technology security
evaluation – The need for evaluation criteria for multilateral security. In Sizer, R.,
Yngström, L., Kaspersen, H., & Fischer-Hübner, S. IFIP TC9/WG 9.6 Working
Conference: Security and Control of Information Technology in Society, onboard M/S
Ilich and ashore at St. Petersburg, Russia (113-128). Amsterdam: North-Holland.
Rouse, M. (2015). Federal information security management act (FISMA). Retrieved from
http://searchsecurity.techtarget.com/definition/Federal-Information-Security-
Management-Act
Seeburn, K. (2012). Cobit for information security. ISACA. Retrieved from
http://www.isaca.org/chapters10/Lusaka/newsandannouncements/Documents/Cobit-
INFOSEC.pdf
Sheikhpour, R. & Modiri, N. (2012). An approach to map COBIT processes to ISO/ICE 27001
information security management controls, International Journal of Security and Its
Applications, (6)2, 13-26. Retrieved from www.sersc.org/journals/IJSIA/
vol6_no2_2012/2.pdf
Silverstone, A. (2009, April 29). Where PCI DSS falls short (and how to make it better) [Blog
post]. CSOOnline.com. Retrieved from http://arielsilverstone.com/library/pci_falls_short/
Siponen, M. & Wilson, R. (2009). Information security management standards: Problems and
solutions. Information and Management, 46, 267-270. Doi:10.1016/j.im.2008.12.007
Slater, D. (2014). Business continuity and disaster recovery planning: The Basics. CSO Online.
Retrieved from http://www.csoonline.com/article/2118605/pandemic-
preparedness/business-continuity-and-disaster-recovery-planning-the-basics.html#1
Spaulding, S. (2014). DHS launches the C³ voluntary program, A public-private partnership

to strengthen critical infrastructure cybersecurity. Homeland Security.com. Retrieved
from http://www.dhs.gov/blog/2014/02/12/dhs-launches-c%C2%B3-voluntary-program
SQL injection. (2014). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/SQL_injection
SSAE (2014). SSAE 16 Overview. SSAE. Retrieved from http://ssae16.com/SSAE16_
overview.html
Stallings, W. (2007). Standards for information security management. The Internet Protocol
Journal, 10(4). Retrieved from http://www.cisco.com/web/about/ac123/ac147
/archived_issues/ipj_10-4/104_standards.html
Susanto, H., Almunawar, M., Tuan, Y. (2011). Information security management system
standards: A comparative study of the big five. International Journal of Electrical and
Computer Sciences, 11(5), 25. Retrieved from http://www.researchgate.net/
publication/228444915
US Department of Justice. The USA patriot act. (2014) USDOJ. Retrieved from
http://www.justice.gov/archive/ll/highlights.htm
US-DOH. (2015). Health information privacy. Retrieved from http://www.hhs.gov/ocr/privacy/
VISA. (2015). Merchant levels: defined. Retrieved from http://www.visa.ca/merchant/security/
account-information-security/merchant-levels.jsp
Von Solms, R. (1996). Information security management: the second generation. Computers &
Security, 15(4), 281-288. Retrieved from http://www.is-frankfurt.de/publikationenNeu
/RecentDevelopmentinInformation.pdf
Walters, R. (October 27, 2014). Cyber attacks on U. S. companies in 2013. The Heritage
Foundation. Retrieved from http://www.heritage.org/research/reports/2014/10/cyber
-attacks-on-us-companies-in-2014

Wooley, P. (2011). Identifying cloud computing security risks. University of Oregon, OR, USA.
Retrieved from https://scholarsbank.uoregon.edu/xmlui/bitstream/
handle/1794/11393/Wooley-2011.pdf?sequence=1
Wold, G. (2007, October 6). Computer crime: The undetected disaster. Disaster Recovery
Journal, 27. Retrieved form http://www.drj.com/drj-world-archives/data-processing-
recovery/computer-crime-the-undetected-disaster.html
Wordpress. (2012). Practical information security. Retrieved from https://practicalinfosec.
wordpress.com/2012/10/08/difference-between-dr-and-bcp-and-other-stories/
Wright, S. (2011). PCI DSS: A practical guide to implementing and maintaining compliance, 3rd
Edition. UK: IT Governance Publishing.
Zhang, S. & Le Fever, H. (2013). An examination of the practicability of COBIT framework and
the proposal of a COBIT-BSC Model. Journal of Economics, Business and Management,
1(4), 391-395.

Appendix A – Proposed Continuous Process Improvement Model
PCI DSS model enables continuous compliance process (shown in the figure below)
which helps identify and remediate vulnerabilities, but falls short of continually improving the
overall processes.
In order to address this shortcoming, I have designed a model that organizations can used
to complement their PCI DSS model. This model enables organizations to establish their
baseline, and then continually improve their processes. This model is inspired by Deming’s
philosophy of ‘Plan-Do-Check-Act’

Appendix B – PCI DSS to COBIT 5 mapping
Following Figures (1-8) appear in Stefan Beissel’s article entitled Supporting PCI DSS
3.0 Compliance With COBIT 5.
(Source: http://www.isaca.org/Knowledge-Center/cobit/cobit-focus/Pages/COBIT-Focus-
Volume-1-January-2014.aspx)

Appendix C – COBIT to ISO mapping
Following table appears in Sheikhpour & Modiri’s article entitled An Approach to Map
COBIT Processes to ISO/IEC 27001 Information Security Management Controls. Please note
that this is between COBIT 4.1 and ISO/IEC 27001, however, it is for illustrative purposes.
(Source: www.sersc.org/journals/IJSIA/vol6_no2_2012/2.pdf)

Appendix D – Litigation Risk Management
Litigation Risk Management
Mansoor Faridi
Preamble
While providing professional services to a major Canadian
corporation, the assurance activities identified a legal risk
around storing employee data at cloud-based vendor-
operated facility in the United States..
Background
The corporation aimed to have a single human resources
system for its global workforce. The solution was in the
form of consolidating all instances of its individual Human
Resources systems into one central HR system, using an
application provided by a third-party major cloud-based
vendor based in the United States. We noted that
information stored in the U.S. jurisdiction could be subject
to random access and review (without obtaining prior
permission) by Federal law enforcement authorities and
agencies, owing to the Patriot Act. According to our risk
assessment, this exposed the Canadian corporation to
unwarranted litigation in the forms of individual law suit
and/or Class Action Law Suit(s) from affected employees.
Risk Avoidance
The Canadian corporation worked with the cloud-vendor
to avoid this risk. The vendor accommodated this
corporation by hosting their Production environment and
the backup location out of their Western European location
(Note: Vendor leveraged this data center’s time-zone and
geography to service their Asian and European clientele in
this shared environment).
Lesson Learned
Ironically, in this scenario, cloud-based (Almutairi et al., 2012)
vendor had the proper access controls in place (Adi, Khamadja,
& Kamel, 2013), however, owing to U.S. law enforcement
environment (The Patriot Act), they are forced to consent (US
Department of Justice, 2014) to provide third parties’ access to
employees’ Personally Identifiable Information (PII)! Hence,
the onus was on the corporation’s management to ensure the
confidentiality of their employees’ data to avoid any litigation
risk, whatsoever.

Comparative Analysis of Information Security Management System Standards - Sign removed

Comparative Analysis of Information Security Management System Standards - Sign removed

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (11)

Similar to Comparative Analysis of Information Security Management System Standards - Sign removed

Similar to Comparative Analysis of Information Security Management System Standards - Sign removed (20)

Comparative Analysis of Information Security Management System Standards - Sign removed