Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland




Managing information security in all kinds of organizations in modern business environments is confronted with big challenges. Existing situation is not satisfactory. Treats of hostile attacks and grievances affecting organizations' major business aspirations seem to develop faster that implementing solutions. Reacting measures are emphasized instead of proactive approach. Business leaders are not motivated - and they have no time - to delve into complicated and very specialized information security questions. Information security experts' position and possibilities to contribute and influence in business management decisions and realizations are very limited. Very often when organizations are practicing their down-sizing plans the information security expertise is being outsourced. This development is causing superficiality or apparent solutions in managing information security.

The significance of information security is however being increased especially related to the extensive use of information technology. Competitiveness and success of the companies is based on right business related information on time. Correspondingly wrong, incorrect or even manipulated information, as well as missing information may cause serious business risks. Continuous and efficient exchange of information is a necessity between all stakeholders including customers, employees, shareholders, suppliers, business partners, and the great public.

This paper is to consider the following topics:
- Providing a sound understanding of the organizational information security conceptually and practically
- Managing information security performance in a consistent way in an organization
- Integrating information security management seamlessly into the business management system of the organization
- Understanding key issues and significance of process-based business management and its relationships to information security management
- Encouraging the use of the well-known and recognized principles and practices of business-integrated quality management in managing information security

With this approach we may avoid the difficulties in the existing practices of information security management.

Understanding organizational information security performance

The general pragmatic approach to information as a concept addresses that genuine information makes it possible to an individual or an organization to act in a new meaningful way. Information can be genuine only if it is tried and justified in real operation. Thus, information is a basis of all kinds of communities and its practical operation. Information can never be objective.

Basic concepts characterizing security of the information consist of:
- integrity - information that one is using for his/her actions is accurate
- availability - one has access to the relevant information when and so long it is needed
- confidentiality - information one is using is not manipulated by anybody else.

Additionally authenticity (information is authentic, trustworthy, or genuine) and authority (one has right to use the information) aspects are significant especially when using the means of electrical communication.

In organizational environments the information security characteristics relate to all interactions and transactions of an organization with all its stakeholders (or interested parties) (see figure 1). In fact, today all organizations operate in many kinds of networks. Information security is primarily a category of features of organization's products (goods and services) - a product being in general defined as any kind of output from the organization. Products are generated and delivered by organizations'business processes. Therefore also the organizational information security is originated in business processes although it is manifested in organization's products. Thus, it is motivated to talk about information security as an aspect in organization's overall business performance.

Mutual and multilateral transactions between an organization and its stakeholders are aimed at generating added-value to the partners. Transactions may take place between individuals or technical equipment, e.g. information systems. In addition to the intended transactions and products there are also always very likely taking place unintended events and even hostile transactions in organizations' networks.

Figure 1. Information security is valid in an organizational context. Information security is manifested in products but originated in the business processes.

In modern business environments both the number and variety of stakeholders has increased and communication between them has increased, intensified, diversified, and speeded up tremendously due to global telecom networks and services. Also organization-dedicated internal networks are tightly linked with the public networks. Large part of organizations' internal and external information is confidential at least to some stakeholders.

Managing organizational information security performance

Information security is one of the organization's managerially interested issues because it is significant and in many cases even crucial issue from the business realization and competitiveness point of view. In this sense management of information security is fully analogous to many other specialized areas important to an organization's business performance and success. These areas include:

- finances,
- quality,
- business risks,
- human resource development,
- ethics,
- information management,
- occupational health and safety factors,
- environmental protection,
- communications,
- innovations,
- etc.

In all these areas organizations it is useful for the organization to get benefits using established and recognized management approaches and practices. Also information security management may be defined according to the general definition of management as coordinated activities to direct and control an organization with regard to information security. That means that information security management is a responsibility of the business leaders.

Very similar principles and methodology may be used in all specialized management areas including information security. A well-known general model for all kinds of management is so called Deming or Shewhart cycle (see figure 2). This model describes how a consistent management consists of four consecutive activities:
- P: Planning the business activities what should be done and what results should be achieved
- D: Doing the business obligations according to the plans
- C: Checking what was done and what results achieved
- A: Acting rationally taking into account the observations and results of the checking

Figure 2. PDCA model for management (so called Deming / Shewhart model) and its application in strategic and operational business management

In organizational environments the PDCA model may and should be applied in three different scopes:
- Control: Managing daily operations in business processes in order to achieve the specified results of the doing. Normally rectifying nonconformities is carried out in connection with control.
- Prevention and operational improvements: Solving acute problems, preventing nonconformities, and finding / implementing operational step by step improvements in business processes. (For continual improvement one can also use a well-known concept "Kaizen")
- Breakthrough improvements: Innovating and implementing fundamental strategically significant changes in the way doing business

Top business leaders (senior executives) are responsible of the breakthrough improvements. Control, prevention, and small step improvement should be carried our by the responsibility of operational managers.

There are no excuses why control, prevention, small step improvements, and breakthrough improvements were not relevant also in the field of information security management. General managerial practices and means can be used but also professional information security expertise should be incorporated. This means a close and effective cooperation of business leaders and information security experts.

Integrating information security management into the business management

Information security practices in organizations have often been implemented as distinct initiatives apart from business management and primarily by information security professionals. This is not any natural approach and has been regarded even annoying. Information security in any organization is achieved effectively and efficiently only if it is realized as an organic element of organization's business strategies and operations. That is the essence of integration.

Integration requires that actual responsibility for the information security lies always with the business leaders, at the strategic level with the general manager and business area managers, and at the operational level with process owners. This responsibility cannot be delegated to security experts or externalized to outside inspectors or consultants. The task of experts such as information security directors or managers is to provide expert support, e.g. the facilitation of particular approaches and improvement topics through the utilization of suitable professional tools.

Integration implies that no distinct management system, "Information Security Management System", is created for managing information security, but the management procedures relevant to it are realized as essential parts of the overall business leadership and management system. Thus, information security management is integrally embedded with business management actions.

It is impossible to define clearly and unequivocally where the border-line of the information security management to business management goes. As a matter of fact, information security management stretches across the entire business management area, due to the fact that all decisions and measures (whether they are in fact undertaken or not) made by the top management have direct or indirect, positive or negative impact also on the realization of information security.

At employee or operator level, integration places stress on information security awareness within individuals and working teams and focused to their working tasks. However, the responsibility its development belongs to the business leaders, and security experts have an important role in training and education.

Understanding key issues and significance of process-based business management and its relationships to information security management

In integrating information security practices, it is extremely important to understand information security issues in the context of business processes. This is because, in practice (operationally), information security originates from processes, that means from process-related activities and information flows between these activities (see figure 3). Thus, information security is affected directly in real time through process arrangements, tools, and people in practical work that are affected by an appropriate and systematic process management practice.

Figure 3. An organization and its comprehensive system of business processes interfacing with the stakeholders. Information security is realized in practice in the business process activities and information flows between the activities and processes.

Strategic decisions and their implementation take place in organization's strategic management process. In order to get established remarkable information security related solutions within an organization this topic should be considered in the strategic management process in a systematic and effective way and using appropriate methodology (i.e. managerial tools).

As a whole there are a lot of recognized principles and practices how to manage business processes. Information security experts should use these possibilities for developing means to manage security of the organizational business information.

Encouraging the use of the well-known and recognized principles and practices of business-integrated quality management in managing information security

Information security management is fully analogous with the quality management that has attained a very well established and internationally standardized position already during several decades e.g. through the widely known and used ISO 9000 standards. These standardized quality management principles and practices have impact on all business areas of organizations, including information management and information security areas. The experiences gained through quality management also provide ample opportunities to learn from and utilize in the area of information security. This learning may be strengthened by using systematic benchmarking methodology.

Quality management is a very general concept that in practice means equal to the quality of management (see figure 4). Quality focus in an organization implies striving for fulfilling all needs and expectations of organization's all stakeholders (interested parties) including security aspects in operations and products. Quality focused business management is particularly based on the effective and efficient management of business processes.

Figure 4. Approaching quality of a management system according to the principles of ISO 9000 standards. Quality of a management system is defined as degree to which a set of inherent characteristics of a management system fulfils needs and expectations of organization's stakeholders. Information security management is integrated with this approach.

An important principle of quality management is that the organization should provide assurance to its customers and other stakeholders that it has all necessary abilities to realize all the relevant requirements. All these measures to inspire and strengthen customers' and other stakeholders' confidence in the organization are called quality assurance. Analogically also similar information security assurance is needed for stakeholders' confidence. Information security assurance is naturally a sub-domain of information security management.

Very recently also in the information security management context references have been made to the ISO 9000 standards. E.g. well-known standard BS 7799-2 is now applying ISO 9000 approach and framework. This standard also tries using the process approach and the PDCA cycle model. However, it has not succeeded very well in applying these principles and there is lack of clarity and a lot of shortcomings in the standard text.


Business related importance of information security and simultaneously also the related threats are continually increasing. Requirements for a consistent organization-wide information security management and assurance have become multidimensional and more difficult. New innovative solutions should be available. However, there has not been any practical remarkable breakthrough development in the principles, practices or tools of the information security management. Also the existing standards are at the same status.

In order to get genuine strengthened influence to the development, there should be drawn a seamless connection between the information security responsibility and related actions and business management. That is actual requirement in all kinds of organizations and should include:
- strategic management to consider organizations' performance as a whole,
- operational management of business processes, and
- positive development in information security awareness and skills of the employees.

This is the approach for an integrated information security management.


1. J Anttila, "Managing and assuring information security in integration with business management of a company" In Information security. Small systems security & information security management. Vol. 2, edited by J H P Eloff and R von Solms, (Vienna, Budapest: IFIP WG11.2 September 1998)
2. J Anttila: "Business process management, a core issue of implementation of information security" In Information security and law. Current issues of information security, edited by A Saarenpää (Rovaniemi:Laplands University 2002) (In Finnish)
3. J Anttila: "Business Integrated e-Quality - Innovative opportunity for modern advanced organizations", EOQ Conference proceedings (Harrogate UK: EOQ and IQA 2002)
4. BS 7799-2, Information security management systems. Specification with guidance for use, (London: DISC Board, The Standards Policy and Strategy Committee, 2002)
5. J Anttila and J Vakkuri: "ISO 9000 for the Creative Leader", (Helsinki: Sonera Corporation, 2001)
6. ISO 9000, Quality management standards, (Geneve: International Standardization Organization ISO 2000)
7. M Walton, "The Deming management method", (New York: The Putnam Publishing Company, 1986)
8. S Shiba, "Evolution of quality: From control to breakthrough TQM", In Quality - A critical factor in the past, present and future. Vol. 1, (Trondheim: EOQ 1997)

[This text was presented as a paper at IPICS Winter School at the University of Oulu, Finland in March 2005]