Mapping Information Security Standards: A Counter-Terrorism Example

Although practitioners have mapped the alignment between IT-related standards, this work has rarely been reported in the academic literature. In particular the methods used have not been made explicit, which has limited the value of any reported results. The research described in this paper demonstrates a rigorous method for mapping the alignment between two example IT security standards. The two standards were Control Objectives for Information and Related Technology (COBIT), widely used as a comprehensive IT control framework, and the Australian Government Information and Communications Technology Security Manual (ACSI 33) which sets out policies and procedures for IT security for Australian government agencies. Conceptual analysis was used to analyse the alignment between the two standards to reveal some insightful patterns of use and emphasis. As one of the security standards defines the base level ICT security for Australian government agencies, related future work using conceptual analysis has the potential to contribute to improved evaluation of the preparedness of commercial Australian organisations to protect the security of their systems from terrorist activities. This paper illustrates the value of such work within a counter-terrorist setting, where leverage for systems security compliance can be gained from voluntary adoption of a commercial standard.