IT Security Governance: A Framework based on ISO 38500

ISO 38500 is an international standard for IT governance. The guidelines of ISO 38500 can also be applied at the IT security functional level in order to guide the governance of IT security. This paper proposes the use of a strategic information security management (ISM) framework to implement guidelines of ISO 38500. This approach provides several strategic advantages to the organization by 1) aligning IT security initiatives to business strategy; 2) providing a mechanism for establishing and tracking security metrics; and 3) enhancing the overall maturity of business, IT and IT security processes. The framework also leverages tools such as COBIT, the Balanced Scorecard and SSE-CMM in order to implement IT security governance and continuous improvement practices. Using extant literature, this paper identifies certain challenges and solutions with respect to the governance of IT security. For practitioners, it highlights relevant links between principles of ISO 38500 and IT governance, provides an over-arching contextual framework to drive IT security governance, and demonstrates mitigation solutions for IT security governance challenges. For academics, the paper makes theoretical contributions, by relating IT security governance to business strategy and proposing that firms develop dynamic governance capabilities (Pavlou and El Sawy, 2010) or organizational learning ladders (Ciborra and Andreu, 2010).