The ICT Standard for Management consists of 5 streams and 23 functions. At first glance, the functions seem to address all relevant concerns of both ICT and business. However, when one starts to work with the Standard, one eventually begins to wonder whether some important functions are missing. One such seemingly missing function is information security.
So, where is security hidden in the Standard? A close reading of the Standard itself, e.g. by opening the digipaper version on the front page, shows that Security policy is one of the TOP-10, or mandatory, tools. An even closer look reveals that Security policy has two parts: first finding out the current status of information security, and then defining the necessary policies and guidelines.
This is all well and fine, but how does one measure the maturity of information security using the 23 existing functions? There is a simple way, which has two steps.
First, perform the normal maturity analysis. Give each function a score from 0 to 5. This exercise typically takes half a day and should be done by a representative group of both ICT and business managers.
Second, given the scores, calculate the arithmetic average of the following four functions:
Organization and competence development
Methods and policies
Architecture and quality assurance
Business continuity management
The result gives the maturity of information security. Given the importance of security, the average should be at least three. If the average is lower, information security risks are likely to be too high. Because an average can hide a single very weak area, it is also worth looking at the lowest of the four scores: a high average with, say, business continuity management scored at 1 still signals a significant risk.