ISACA Journal Author Blog


How to Prioritize Security Controls Implementation

Rassoul Ghaznavi-Zadeh, CISM, COBIT Foundation, CISSP, SABSA SCF, TOGAF 9
Published: 3/12/2018 3:01 PM | Category: Security

When developing an information security architecture framework in a new organization, there are a few steps that normally have to be taken to identify the business requirements, the right framework and the controls needed to mitigate/minimize business risk. In my Journal article, I explained the process of how this works.

Once the controls are identified, it is time to create projects and implement them. This might not be a big issue when dealing with a mature company that already has many controls in place and only needs a few additions. However, it can be challenging as the number of projects and controls increases. The question is how to prioritize these projects and controls and implement the most important ones first.

To prioritize these tasks, we use a risk-based approach that utilizes the enterprise risk register. When developing security architecture controls, each control must have a one-to-one relation with a business risk; otherwise the control is irrelevant to the business. Using the same mapping, we can identify the impact on the business if one particular control is not in place and prioritize the controls based on that business impact.

As an example, assume we have the following controls identified as needing to be implemented:

  1. Web application vulnerability management
  2. Endpoint malware protection

Assuming business-critical data are hosted on the database and accessible by the web application serving customers, the relevant risk for the first one could be “data loss” and for the second one “IT operation failure.” We can add likelihood of occurrence to this as well and calculate the overall risk.

Figure 1 shows the risk calculation for this scenario and, as you can see, web application vulnerability management takes priority based on the overall risk ranking. (Is this a surprise?)

Figure 1—Risk Calculation for Controls

| Identified Control | Relevant Business Risk | Relevant Information Security Risk | Business Risk Score/Impact (1-5) | Information Security Risk Score/Likelihood (1-5) | Overall Risk Score |
|---|---|---|---|---|---|
| Web application vulnerability management | Data loss | Critical data loss | | | |
| Endpoint malware protection | IT operation failure | Malware-infected clients | | | |
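The ranking described above, carried out in code, as an added illustration that is not part of the blog post or of any ISACA material. The post does not state how the overall score is derived from the two 1-5 ratings, so this example assumes the common impact x likelihood product; it also assumes ties are broken by impact and then by control name so the ordering is stable, and the score values attached to the two Figure 1 controls are constructed here because the page does not reproduce them. The one-to-one rule from the post is enforced by refusing to score a control that is not mapped to a business risk.

```python
"""Risk-based prioritisation of security controls, in the style of Figure 1.

Added illustration; not code from the blog post or from ISACA.
Assumptions (not stated on the page):
  * overall risk score = impact (1-5) x likelihood (1-5), i.e. a 1..25 scale
  * ties are broken by impact, then control name, so the ordering is stable
  * the score values for the two Figure 1 controls below are constructed
"""
from dataclasses import dataclass
from typing import List

SCALE_MIN, SCALE_MAX = 1, 5  # both ratings are on a 1-5 scale in Figure 1


@dataclass(frozen=True)
class Control:
    name: str
    business_risk: str   # e.g. "Data loss"
    infosec_risk: str    # e.g. "Critical data loss"
    impact: int          # business risk score / impact, 1-5
    likelihood: int      # information security risk score / likelihood, 1-5

    def __post_init__(self) -> None:
        # A control that is not tied to a business risk is irrelevant to the
        # business (the post's one-to-one rule), so refuse to score it.
        if not self.business_risk.strip():
            raise ValueError(f"{self.name!r} is not mapped to a business risk")
        for label, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name!r}: {label} {value} is outside {SCALE_MIN}-{SCALE_MAX}")

    @property
    def overall_risk(self) -> int:
        # Assumed scoring rule: impact x likelihood.
        return self.impact * self.likelihood


def prioritize(controls: List[Control]) -> List[Control]:
    """Return the controls ordered so the first entry is implemented first."""
    return sorted(controls, key=lambda c: (-c.overall_risk, -c.impact, c.name))


# Constructed sample: the two controls from Figure 1 with made-up ratings.
FIGURE_1 = [
    Control("Endpoint malware protection", "IT operation failure",
            "Malware-infected clients", impact=3, likelihood=4),
    Control("Web application vulnerability management", "Data loss",
            "Critical data loss", impact=5, likelihood=4),
]


def render(controls: List[Control]) -> str:
    """Plain-text ranking table suitable for a prioritisation report."""
    rows = ["Rank  Score  Impact  Likelihood  Control (business risk)"]
    for rank, c in enumerate(prioritize(controls), start=1):
        rows.append(f"{rank:<5} {c.overall_risk:<6} {c.impact:<7} {c.likelihood:<11} "
                    f"{c.name} ({c.business_risk})")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(FIGURE_1))
```

Feeding the register export into `FIGURE_1` instead of the constructed rows is the only change needed to rank a real control set; the validation in `__post_init__` is what catches the two data-quality problems that most often distort such a ranking, an unmapped control and a rating outside the agreed scale.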
In summary, the process described above helps prioritize security architecture controls. Note that when dealing with operational risk, the process might be a bit more complicated, and a risk management framework should be followed.

Read Rassoul Ghaznavi-Zadeh’s recent Journal article:
“Information Security Architecture: Gap Assessment and Prioritization,” ISACA Journal, volume 2, 2018.
