Matti Kinnunen
Aug 4, 2010
Posted in category: 2010 Member Articles

Hidden functions I: security

The ICT Standard for Management consists of 5 streams and 23 functions. At first glance, the functions seem to address all relevant concerns of both ICT and business. However, once one starts to work with the Standard, one will eventually begin to wonder whether some important functions are missing. One such seemingly missing function is information security.

So, where is security hidden in the Standard? By closely reading the Standard itself, e.g. by opening the digipaper version on the front page, we realize that Security policy is one of the TOP-10, or mandatory, tools. An even closer look reveals that Security policy has two parts: first finding out the current status of information security, and then defining the necessary policies and guidelines.

This is all well and fine, but how does one measure the maturity of information security using the 23 existing functions? There is a simple way, which has two steps.

First, perform the normal maturity analysis. Give each function a score from 0 to 5. This exercise typically takes half a day, and should be done by a representative group of both ICT and business managers.

Second, given the scores, calculate the arithmetic average of the following functions:

Organization and competence development
Methods and policies
Architecture and quality assurance
Business continuity management

The result gives the maturity of information security. Given the importance of security, the average should be at least three. If the average is lower, information security risks are likely to be too high.
