COBIT 5 for Information Security v2

COBIT 5 Product Family
Information Security
COBIT 5 content
Chapter 2. Enabler: Principles, Policies and Frameworks.
Chapter 3. Enabler: Processes
Chapter 4. Enabler: Organisational Structures
Chapter 5. Enabler: Culture, Ethics and Behaviour
Chapter 6. Enabler: Information
Chapter 7. Enabler: Services, Infrastructure and Applications
Chapter 8. Enabler: People, Skills and Competencies
Appendix A. Detailed Guidance: Principles, Policies and Frameworks Enabler
Appendix B. Detailed Guidance: Processes Enabler
Appendix C. Detailed Guidance: Organisational Structures Enabler
Appendix D. Detailed Guidance: Culture, Ethics and Behaviour Enabler
Appendix E. Detailed Guidance: Information Enabler
Appendix F. Detailed Guidance: Services, Infrastructure and Applications Enabler
Appendix G. Detailed Guidance: People, Skills and Competencies Enabler
Appendix H. Detailed Mappings
Product Family
COBIT 5 Principles
Information Security
ISACA defines information security as something that:
Ensures that within the enterprise, information is protected against
disclosure to unauthorised users (confidentiality), improper modification
(integrity) and non-access when required (availability).
Confidentiality means preserving authorised restrictions on access and disclosure, including means for
protecting privacy and proprietary information.
Integrity means guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity.
Availability means ensuring timely and reliable access to and use of information.
COBIT 5 Enablers
Enabler: Principles, Policies and Framework
2.1 Principles, Policies and Framework Model
2.2 Information Security Principles
2.3 Information Security Policies
2.4 Adapting Policies to the Enterprise’s Environment
2.5 Policy Life Cycle
Enabler: Principles, Policies and Framework
Appendix A
Appendix A
Information security policy
Access control policy
Personnel information security policy
Physical and environmental information security policy
Incident management policy
Business continuity and disaster recovery policy
Asset management policy
Rules of behaviour (acceptable use)
Information systems acquisition, software development and maintenance policy
Vendor management policy
Communications and operation management policy
Compliance policy
Risk management policy
Enabler: Process
3.1 The Process Model
3.2 Governance and Management Processes
3.3 Information Security Governance and Management Processes
3.4 Linking Processes to Other Enablers
Appendix B Process
Appendix B Process
Appendix B Process
Appendix B Process
Appendix B Process
Enabler: Organisational Structures
4.1 Organisational Structures Model
4.2 Information Security Roles and Structures
4.3 Accountability Over Information Security
Appendix C
Appendix C
Enabler: Culture, Ethics and Behaviour
5.1 Culture Model
5.2 Culture Life Cycle
5.3 Leadership and Champions
5.4 Desirable Behavior
Appendix D
Enabler: Information
6.1 Information Model
6.2 Information Types
6.3 Information Stakeholders
6.4 Information Life Cycle
Appendix E
Enabler: Services, Infrastructure and Applications
7.1 Services, Infrastructure and Applications Model.
7.2 Information Security Services, Infrastructure and Applications
Appendix F
Provide a security architecture.
Provide security awareness.
Provide secure development (development in line with security standards).
Provide security assessments.
Provide adequately secured and configured systems, in line with security
requirements and security architecture.
Provide user access and access rights in line with business requirements.
Provide adequate protection against malware, external attacks and
intrusion attempts.
Provide adequate incident response.
Provide security testing.
Provide monitoring and alert services for security-related events.
Appendix F
Appendix F
Enabler: People, Skills and Competencies
8.1 People, Skills and Competencies Model
8.2 Information Security-related Skills and Competencies
Appendix G
Appendix H
ISO/IEC 27000 series provides a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an ISMS:
• Security- and risk-related processes in the EDM, APO and DSS domains
• Various security-related activities within processes in other domains
• Monitoring and evaluating activities from the MEA domain
The ISF 2011 Standard of Good Practice for Information Security is based on the ISF
Information Security Model four main categories: information security governance,
information security requirements, control framework, and information security monitoring
and improvement.
Guide for Assessing the Information Security Controls in Federal Information
Systems and Organisations, NIST—The purpose of this guide is to provide direction
with regard to information security controls for executive agencies of the US government

similar documents