Abstract:

Information security is, through IT governance, part of corporate governance. Corporate governance requires that there be structures and processes in place with appropriate checks and balances that enable the directors to discharge their responsibilities. To support this principle means that there must be proper checks and balances for all information security implementations. Achieving this partly requires the involvement of three key role players namely: information security professionals, ICT security auditors and regulatory officials. These three role players must ensure that the information security controls are implemented, properly checked and independently evaluated against the organisation’s strategic objectives and the regulatory requirements. In order to ensure effectiveness, the three role players must be aligned in the implementation and evaluation of information security controls.  This alignment must be based on a common framework understood and accepted by all three role players. The article presents a South African Information Security Alignment (SAISA) framework to address this.