Effective InfoSec Strategy Driver


What is the Important Strategy Driver?

I came across the following post/question from Thor’s group:

[Image: Effective InfoSec Strategy Driver question]

My Justification for Compliance Requirements

Strategy Drivers

A strategy is a high-level, overall plan. It typically comprises a collection of initiatives to achieve long-term strategic goals, developed and scoped based on the requirements and constraints from stakeholders and from the organization's internal and external environment. So we can say that strategic goals or requirements drive a strategy.

Effectiveness of a Strategy

An effective strategy should achieve strategic goals, realize benefits, and deliver value to address requirements. Programs, supported by policies and management commitment, implement a strategy. Standards and procedures support a policy.

The Most Important Driver

A, B, C, and D can all be sources of requirements and constraints that drive a strategy. If I have to choose the MOST important one, I would vote for B, as senior management cares about compliance requirements the most in practice.

Compliance is a long-term and broad concern. Laws, regulations, industry standards, contracts, the corporate policy framework, ethics, and due diligence/due care are all compliance requirements. They are subject to change, and organizations have to monitor and respond to this type of compliance risk over time. A strategy should address these concerns effectively.

Information Security Standards and Organizational Internal Standards

Information security standards, e.g. ISO 27001, do not apply to every organization, while an organization's internal standards exist to support its policies. Policies are developed to support programs that implement a strategy. So both industry infosec standards and internal standards play a less significant role in developing a strategy than compliance requirements do.

If the question sets the context in an organization that is implementing an ISMS per an information security standard, say ISO 27001, then answer A is appropriate, because the organizational goal is to meet the requirements of the standard and pass the certification audit. In this context, the effectiveness of the InfoSec strategy can be determined by whether it meets the requirements of the InfoSec standard.
