Part Three: Standards and Frameworks

This next section in the CISM learning path covers a range of topics relating to information security and highlights the processes, techniques, and standards that can be used to protect your organization.

Learning Objectives

  • Understand how roles and responsibilities can be used in information security
  • Learn about due care and due diligence
  • Learn the principles of cybersecurity
  • Understand how to use metrics, indicators, and security-related technology
  • Learn about the security standards and frameworks to protect organizations

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field. 



We now move into Section 17, where we discuss standards and frameworks. Without question, standards and frameworks provide the basis for developing our programs without having to "reinvent the wheel": by adhering to widely accepted practices, technologies, and standards, we achieve the various security goals we must meet to protect our enterprises, their people, and our information.

So let's begin by identifying several of the organizations and standards developed by them that we typically follow these days. We begin with the Committee of Sponsoring Organizations of the Treadway Commission, abbreviated COSO. This group developed a set of standards intended to provide a control framework for external financial reporting integrity. 

Next we have the International Organization for Standardization, or the commonly known ISO. This organization, of course, functions as does NIST for the United States, and the two often work in collaboration. From the ISO, for security interests, we receive their 27000 series, of which we're most familiar with the 27001 and the 27002.

Then we have NIST of the United States, which publishes guidance documents in much the same fashion as the ISO does in Europe. NIST maintains the Special Publication 800 series, which covers many different security topics in volumes such as 800-30, 800-39, and 800-53, as well as the entire Federal Information Processing Standards (FIPS) series.

One law that was passed in the United States is the Sarbanes-Oxley Act. This law sought to put tighter controls on publicly traded organizations to ensure the integrity of their financial information and their operations. Coming on the heels of the Enron debacle, it supports the standards published by COSO and others.

In industry-specific regulation, we have the Health Insurance Portability and Accountability Act, known as HIPAA. This law and all of its requirements deal with how to keep health information secure and private. We also have two different Federal Information Security Acts, both known as FISMA: the first passed in 2002 as a Management Act, and the second passed in 2014 as a Modernization Act. These organizations and the guidance they have published serve as the standards on which we found our programs.

On this slide, we see COBIT, an abbreviation for Control Objectives for Information and Related Technologies, published by ISACA, the same organization that sponsors the CISM. This is an IT-focused framework that describes how IT supports business operations, how it is to be secured, and how it can be measured and tested to assure that it accomplishes everything it is intended to accomplish and that it complies with the applicable set of standards.

COBIT is currently in version five and has metrics for 17 clearly defined enterprise goals. The key principles are shown in the diagram on the right-hand side of the screen. Beginning at the top center, they are: one, meeting stakeholder needs and goals; two, covering the enterprise end-to-end; three, applying a single integrated framework; four, enabling a holistic approach; and five, separating governance from management.

One point to clarify is the separation of governance from management. Management oversees day-to-day operations and ensures the mission is carried out; therefore, those who manage are responsible for its accomplishment. Governance is done at a level higher, by those with the legal and fiduciary responsibility for oversight and for ensuring compliance.

For the principles of COBIT, we need enablers to ensure that they are carried out and properly maintained. These enablers, then, are factors which influence whether something will work or not. These enablers are driven by the cascade of goals from concept down through detailed execution and completion.

It is the higher-level goals that determine what the different enablers should achieve. COBIT 5 designates several enabler categories: principles, policies, and frameworks; processes that implement them; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies.

In the graphic on the right-hand side of the slide, you see the interplay and interrelationships of these enablers and the ways in which they work together to help achieve the goals of the enterprise and implement the five principles.

On the next slide you see the COBIT version five Process Assessment Model, also known as the COBIT 5 PAM.

You will notice that the PAM closely resembles the CMMI; it is yet another variation on the theme of the Capability Maturity Model in its current form. By modeling itself on the CMM concept, it shows an increase in organizational maturity and performance as the organization moves from being not disorganized, exactly, but not as well organized as it should be, to enforcing consistency, quality of performance outcomes, and routine repeatability of its processes, ensuring the program is ultimately successful.

As you see in the slanted line illustrating the process dimension, there are 37 different processes and sub-processes that walk through the entire life cycle. This is an area that the CISM candidate should be familiar with in a general way, in terms of process flow and validation for successful accomplishment.

Another very common standard you see here is the ISO/IEC 27002. Currently, as of 2013, this graphic represents the 14 domains used to describe the security program. The 27002 Code of Practice, as it's known, is the implementation of the ISO 27001 Information Security Management System.

As such, it is a comprehensive, but nonetheless generic, security standard. That is, a standard that is applicable to a wide range of enterprises and business types. In this form, it is widely applicable and can be tailored to almost any operational context with success.

This slide shows some examples of the volumes, their titles, and the subjects covered in the ISO/IEC 27000 Series. There at the bottom of the screen, you can see the entire series can be found at that particular website. The CISM candidate does not need to memorize these volumes, their titles, and their contents.

The most important ones, for the purposes of this course and the exam, are the ISO 27001 ISMS and the 27002 Code of Practice, which is the 14-domain tactical guidance volume intended to implement the 27001 ISMS, as you saw on the previous slide. The CISM candidate should be familiar with the series as a whole, but not with any volume in particular for the sake of the exam, other than 27001 and 27002, and with these only generally.

Here we have TOGAF, The Open Group Architecture Framework. It is a life cycle process architecture framework used for designing, planning, implementing, and governing an enterprise technology architecture. TOGAF should be considered a high-level approach for designing enterprise architecture. The framework discusses this in four general areas.

We have the Business Architecture, which defines the business strategy, governance, organization, and key business processes of the organization. Next is the Applications Architecture, which provides a blueprint for the individual application systems to be deployed, the interactions among those application systems, and their relationships to the core business processes of the enterprise, along with the frameworks for services to be exposed to business functions for integration.

Then there is the Data Architecture, which describes the structure of the organization's logical and physical data assets and the associated data management resources, and the Technical Architecture (or Technology Architecture), which describes the hardware, software, and network infrastructure needed to support the deployment of core mission-critical applications.

TOGAF is a business-driven life cycle management framework for enterprise architecture overall, and it can certainly be used for information security architecture as well. TOGAF employs an architecture development method to drive the process over nine phases, shown in the graphic on the right-hand side of the slide.

It begins with a preliminary phase, which defines the architecture framework. Then come the architecture vision phase, the business architecture phase, the information systems architecture phase, the technology architecture phase, the opportunities and solutions phase, the migration planning phase, the implementation governance phase, the architecture change management phase, and the requirements management phase, which ensures all projects are based on business requirements. The end product is a set of artifacts that describe, in varying degrees of detail, exactly what the business does, how it operates, and what security controls are required.

Here we have the Capability Maturity Model Integration, or the CMMI, as it's known. This describes a framework that helps organizations start from ground zero, essentially, and move into much more mature states of management through the various processes.

Beginning very informally at level one, an organization adopting CMMI, or any of its variants, works its way through multiple levels, achieving increasing rigor, maturity, and improved performance and quality as it moves upward through the five levels in total.

Critical steps at each level include recognition of its starting point, recognition of its ending point, and well-chosen metrics to measure each step of the way from beginning to end. At each level, the organization verifies that all critical steps have been completed before treating that level as actually accomplished.

The Balanced Scorecard is a strategic planning and management system that organizations use to communicate what they're trying to accomplish; align the day-to-day work that everyone is doing with the strategy; prioritize projects, products, and services; and measure and monitor progress towards strategic targets.

The name Balanced Scorecard comes from the idea of looking at strategic measures in addition to traditional financial measures to get a more balanced view of performance. The concept of the Balanced Scorecard has evolved from beyond the simple use of perspectives, and it is now a holistic system for managing strategy.

A key benefit of using a disciplined framework is that it gives organizations a way to "connect the dots" between the various components of strategic planning and management. This means there will be a visible connection between the projects and programs people are working on; the measurements being used to track success, such as KPIs; the strategic objectives the organization is trying to accomplish; and the mission, vision, and strategy of the organization.

The Security Balanced Scorecard is a strategic planning and management system that organizations use in much the same fashion. For IT security organizations, the biggest payoff from the Balanced Scorecard comes from organizational alignment with the business units and a concrete method for demonstrating the value added by security.

The Balanced Scorecard and its creation of a shared language between IT and its business unit customers enables the emergence of a strategy-focused IT organization. The original Balanced Scorecard approach was built around four dimensions. These included the traditional financial dimension and three others: the customer dimension, the internal process dimension, and the learning and growth dimension.

In recent years, some implementers have substituted or added dimensions or perspectives that better reflect their overall vision and strategy, or that include constituencies the original approach left out, such as employees, suppliers, and regulators.

Next we have OCTAVE. This stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, and it is a security framework for determining risk level and planning defenses against cyber assaults. The framework defines a methodology to help organizations minimize exposure to likely threats, determine the likely consequences of an attack, and deal with the attacks that do, in fact, succeed.

OCTAVE is designed to leverage the experience and expertise of people within the organization. The first step is to construct profiles of threats, based on the relative risk that they pose. The process goes on to conduct a vulnerability assessment specific to the organization. OCTAVE defines three phases: phase one, building the asset-based threat profiles; phase two, identifying infrastructure vulnerabilities; and three, developing security strategy and plans.

OCTAVE was developed in 2001 at the Carnegie Mellon University for the United States Department of Defense. The framework has gone through several evolutionary phases since that time, but the basic principles and goals have remained much the same.

Two versions exist: OCTAVE-S, a simplified methodology for smaller organizations that have flat structures, and OCTAVE Allegro, a more comprehensive version for larger organizations or those with multiple hierarchies. Criticisms of OCTAVE have cited its complexity and the fact that it does not produce a detailed, quantitative analysis of security exposure.

The Information Technology Infrastructure Library, or ITIL, as it's known, is often associated with service-oriented architecture, or SOA. ITIL is set out in five distinct phases: service strategy, service design, service transition, service operations, and service evolution, the final phase being for continuous improvement across all five phases. While not a specifically security-oriented architecture, this framework provides for security to be built into each of the phases as necessary.

We've come to the end of our current module and we're going to take a short break and then carry on through our final module in this portion of the CISM Training Seminar.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.