Press Release


ISACA Issues New Comprehensive Business Model for Information Security


Rolling Meadows, IL, USA (6 October 2010)—Information security breaches continue to plague enterprises worldwide, despite the use of the latest technology. Solving these issues requires more than just gadgets and software. To provide information security professionals with comprehensive guidance that addresses the people, process, organization and technology aspects of information security, ISACA issued today the results of two years of research and expert review: the Business Model for Information Security (BMIS), available as a free download from

BMIS can be used in enterprises of all sizes and is compatible with other information security frameworks already in place. It is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems. It encompasses traditional information security and privacy, and provides links to risk, physical security and compliance.

“Too much time is being spent on providing reactive, short-term, technology-focused solutions to constantly changing environments,” said Jo Stewart-Rattray, CISA, CISM, CGEIT, director of information security at RSM Bird Cameron and a member of ISACA’s Knowledge Board. “This type of fix is short-sighted. It does not prevent security weaknesses resulting from poor governance, a dysfunctional culture or untrained staff—all aspects addressed by this new model.”

ISACA, a nonprofit association that serves more than 95,000 information security, assurance and IT governance professionals, based the model on the Systemic Security Management framework developed by the Institute for Critical Information Infrastructure Protection (ICIIP) at the University of Southern California (USA).

“ISACA has transformed the theoretical model into a practical tool that security practitioners can use to connect security projects with business strategy,” said Rolf von Roessing, CISA, CISM, CGEIT, international vice president of ISACA. “The Business Model for Information Security takes a business-oriented approach, focusing on people and processes in addition to technology.”

BMIS is available as a free download to ISACA members at Non-members can purchase print or PDF editions from the ISACA Bookstore. A free introductory guide is available to all as a free download at



With 95,000 constituents in 160 countries, ISACA ( is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.

ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter:



Kristen Kessinger, +1.847.660.5512,

Joanne Duffer, +1.847.660.5564,