CR · Jul 17, 2018

An Adaptable Maturity Strategy for Information Security

arXiv:1807.06184v1 · 4 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses the problem of information security governance for organizations, but the contribution appears incremental, since it builds on existing standards such as ISO/IEC 27001/27002 and COBIT rather than proposing a new framework.

The paper tackles the challenge of implementing and prioritizing information security measures in organizations by developing an adaptable maturity strategy. Using a survey of 157 companies, it classifies the ISO/IEC 27001 and 27002 controls into four stages, and the resulting strategy was tested in one company.

The lack of security in information systems has caused numerous financial and moral losses to several organizations. Organizations have at their disposal a series of information security measures recommended by the literature and by international standards. However, implementing policies and actions and adjusting to such standards is not simple, and must be driven by the specific needs identified by the Information Security Governance of each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value, and those challenges demonstrate a need for further investigations that address the problem. This paper presents a strategy to measure maturity in information security, aiming also to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls into four stages according to the importance given to them by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company.
