Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland




Total information security management in a company - or in any organization whatsoever - is composed of Information Security Management (ISM), which is in line with the company's business objectives, and of Information Security Assurance (ISA), which aims to create confidence in external parties, customers, authorities, etc. A difficulty in practical company cases has been that information security practices have been viewed as distinct from the business and as measures implemented especially by information security professionals. These have often been regarded as superfluous and even annoying issues. As a solution to such problems, this paper puts forward the idea of integrating information security seamlessly with the business. Information security measures should not be established as an information security system distinct and separate from the business management of a company. In practice, such a system may even prove to be harmful. Information security management cannot be realized only through experts internal to the company nor merely on the basis of external assurance.

The ISO 9000 standards pertaining to quality management and quality assurance are based on a very broad international consensus, and they can also be put to good use in managing information security in companies. After all, information security is a sub-section of the concept of quality. At the same time, one has the opportunity to apply even more effectively, also in the area of information security, various other broadly utilized quality management principles and tools for the continuous improvement of company performance.

The necessity of integration, the harmfulness of separate management systems

Information security in a company is the end result of numerous details and subactivities. The management of all these impacting factors, so that the results of information security forward the aims of the company, is called Information Security Management (ISM). Information security management is integrally linked with Business Management (BM).
In order to be able to utilize all the impacting factors concerning the realization of information security, a comprehensive approach is required for its practical implementation. If this is not possible, the implementation will contain loopholes and the overall situation is typically contingent on its weakest links. Another danger is partial optimization, in which some factors may be overemphasized without their being able to bring about the desired effects on the whole. All of these, however, always entail costs.

Information security management is fully analogous to the management of many other areas important to a company. These include, for example,
- finances,
- quality,
- business risks,
- human resource development,
- information management,
- occupational health and safety factors,
- environmental protection,
- communications,
- etc.

All these various areas have very differently established practices. For instance, in the area of financial management the last couple of decades have seen a development of widely adopted de facto principles and practices, such as budgeting and accounting practices. The systematicity of total quality management, i.e. quality management and quality assurance, has attained a very well established and internationally standardized position through the widely known and used ISO 9000 standards. In this connection, the expression 'ISO 9000 phenomenon' is even used. Because total quality management is currently perceived comprehensively, the standardized principles related to it have spread to all the business areas of organizations, including information management and information security. The experiences gained through total quality management also provide ample opportunities to learn from and utilize in the area of information security.

All the aforementioned cases concern particular areas of a company's business management. The following are relevant issues with respect to the success of a particular area of management, such as information security management:
- Integration, i.e. no distinct management system is created for a particular area, but the management procedures relevant to it are realized as integral parts of the overall business leadership and management system (see figure 1).
- Consistency, i.e. the various measures needed in the management of these different areas are mutually congruent and compatible.

Fig. 1. Consistent elements of information security management (ISM) and information security assurance (ISA) integrated with business management (BM).

Correspondingly, if distinct management approaches upheld by different organizational units (support units) and experts should originate in different areas, this will sooner or later generally entail negative effects on the whole. In this connection one commonly hears talk about such-and-such a system, for example an information security system or a quality system. In order to avoid negative effects, it would be better to talk about the systematicity of information security instead of an information security system. In this case systematicity (or a systematic approach) would refer to including the "flavor" of information security in actual business management practices.

If distinct management areas are allowed to become overly emphasized due to their independence and distinctness, a common consequence of this is also collisions occurring between these different areas (see figure 2), for instance in connection with prioritizing and resourcing various initiatives and projects. Such collisions concern especially two management levels of a company:
- the CEO, because his or her commitment in all areas is desired and
- business processes, because everyone wants to make an impact and be effectively taken into account in key business process operations.

Fig. 2. Collisions of specialized management areas

Fragmentary management approaches often entail inefficiency in the utilization of a company's information basis and in information-based leadership. This might even result in a chaotic situation, which as such may also have negative effects on information security. A futile competitive situation between different doctrines can be avoided only if a company has a sufficiently solid leadership system of its own, one which enables it to utilize, based on its own deliberations, all those doctrines which have proved to be useful.

The reason why the integration of information security management has often not taken place effectively could be that a company's own leadership system has not yet taken shape to a sufficient degree, resulting in the lack of points to "grasp onto". It might also be the case that information security issues are delegated too broadly to experts, who will then create their own special systems, even by emphasizing their own position. Moreover, many concepts and basic principles of information security are foreign to business managers.

Realizing the integration of information security management

It is impossible to define clearly and unequivocally where the borderline between ISM and BM lies (see figure 1). As a matter of fact, ISM stretches across the entire BM area of operations, because all decisions and measures made by the leadership (whether they are in fact undertaken or not) have either a direct or indirect, positive or negative impact also on the realization of ISM.

In practice, the integration of information security issues with management approaches takes place at two levels:
- The strategic level, where one makes decisions and undertakes measures concerning the entire business and considers especially the future competitiveness of the company and management of the whole.
- The operative level, where decisions and measures concerning daily management are made and undertaken.

With respect to the above, one can also talk about:
- vertical integration, which includes company-wide leadership systematics, the activities of the top leadership, and organization - especially the entirety of key business processes, resourcing, the systematicity relating to measures and indicators applied in the entire organization, measuring, and analysis, and
- horizontal integration, which includes business process activities for the realization of products (including services), i.e. marketing, sales, product development, production, delivery, etc.

The most important tasks of leadership are planning, control, and (continual step-by-step) improvement, which should all be realized in a systematic way and in accordance with a company's leadership practices. Integration of information security will not take place unless information security elements have been included into these normal leadership tasks.

In integrating information security practices, it is important to manage effectively the process systematics of the company in question. This is because, in practice (operationally), information security originates from processes, that is, in process-related activities and the information flows between these activities (see figure 3) as the company realizes products and its business in practice. Thus, information security is affected directly in real time through process arrangements, tools, and people in practice.

Fig. 3. Information security is realized in the activities and information flows of business processes (e.g. order/delivery process).

Real responsibility even in the management of special areas, including information security, lies always with business leaders, at the strategic level with the CEO and business area managers, and at the operational level with process owners. This responsibility cannot be delegated to experts or externalized to external inspectors or consultants. The task of experts such as information security executives or managers is to provide expert support, e.g. the facilitation of particular approaches and improvement topics through the utilization of professional tools.

It is essential with respect to the efficient realization and continual improvement of all issues and means concerning information security that in the company in focus,
- the leading principles of the issue are clear and well-known,
- effective and efficient means (approaches, procedures, methods, and tools) are available, and
- the company has an innovative corporate and leadership atmosphere and infrastructure.

Because information security issues are naturally a part of company-wide quality management (QM), one can apply the quality management principles (QMP) at the basis of the ISO 9000 standards also in connection with ISM. A quality management principle is a broad, versatile, and fundamental rule (practice, guidance, guideline) or understanding (belief, confidence) for the leadership and practices of a company. Its purpose is to continuously improve long-term performance by focusing on customers in balance with the needs of other stakeholders as well. Eight such quality management principles have been defined in the ISO 9000 standards:

- Principle 1: Customer focus
Organizations depend upon their customers, which is why one should understand both the current and future needs of customers, meet their requirements, and strive to exceed their expectations.
- Principle 2: Leadership
The leadership creates the unity of purpose and the direction of an organization. It should also create an atmosphere in which people are fully involved in striving towards and thus strongly committed to reaching the organization's objectives.
- Principle 3: Participation of people
People - at all levels of the organization - are the core issue of the organization. Once everyone is fully involved through strong commitment, skills and capabilities are brought into use for the organization.
- Principle 4: Process-like business
Objectives and goals are reached more efficiently when interconnected resources and procedures are managed as an entity - as a process.
- Principle 5: System-based leadership approach, i.e. managing issues as a system
Recognizing, understanding, and managing a system consisting of interdependent processes in order to reach a certain objective improves an organization's effectiveness and results-orientation.
- Principle 6: Continual improvement
Continual improvement is the perpetual goal of an organization.
- Principle 7: Fact-based decisions
Effective decisions are based on analyzing information and facts.
- Principle 8: Partnership relations with suppliers
An organization and its suppliers are dependent on one another, and reciprocally beneficial relations help both parties.

Taking all the above principles into account also in information security management promotes the natural integration of the issue into business. One should consider in each and every company how these principles are taken into account in realizing information security.

Assuring information security in order to build confidence of external parties

The aim of information security management is to further the business needs of a company internally. In addition to such internal motives, one often also needs measures directed at parties external to the company, such as customers or authorities, the purpose of which is to increase confidence in the company's information security realizations. All of these are generally referred to as Information Security Assurance (ISA) analogously to Quality Assurance (QA), the principles and practices of which have been defined in detail and discussed in the ISO 9000 standards.

Fig. 4. An element for information security management (see fig. 1) aims at both company’s internal business purposes (i.e. information security management, ISM) and external customers’ confidence purposes (i.e. information security assurance, ISA).

In practical company-level realizations both ISM and ISA should be mutually compatible and consistent. This can be realized effectively in practice only if the same approaches at the basis of the ISM intended for the company's internal use are also the underpinning of ISA (see figure 4). Thus, the foundation of information security assurance consists of real procedures in business processes and it is realized through the way in which these are communicated to external parties (see figure 5).

Fig. 5. Information security assurance (ISA) is based on activities of business management.

Information security assurance can be systematically realized with the help of a special information security assurance plan (cf. the quality assurance plan defined in the ISO 10005 standard). On the basis of this, one can also draw up an information security agreement with a customer, if needed.

Evaluation and continuous improvement of information security management

It is important to be aware of, i.e. evaluate, the real information security situation of a company with respect to both information security management and assurance. As a matter of fact, information security is a fuzzy concept (see figure 6). This implies that an overly simplified ON/OFF evaluation of information security - implying that there either is (ON) or isn't (OFF) information security in the company - is not a fruitful approach. Information security always has to do with levels of development and differences in degree. This also entails an essential feature of information security, which is that it is always possible to continuously improve it. Moreover, it is also always worth investing in it appropriately.

Fig. 6. Fuzziness of a company’s information security management:
- membership curve of a company’s information security maturity
- information security is a matter of degree and can always be improved

Concerning integration, it is appropriate that information security be also taken into account when assessing business performance comprehensively. With respect to improvement measures, it is appropriate that an evaluation of the degree of information security be reached. In information security assessments one can look at the entire business, which means that it is a strategic assessment, or one can examine particular processes and their parts, in which case the evaluation is more operational in nature. In both cases it is necessary that the assessments focus on both real activities and the concrete results reached through them. Through an assessment one can, and also should, bring into view the company's real
- strengths, i.e. how do we differ from others, our competitors, on the basis of factual information, and
- weaknesses, i.e. do the facts indicate something which prevents or hampers us from using our strengths in a competitive manner.

With respect to examining the results, it would be worthwhile if the measuring systematics or Balanced Scorecard (BSC) intended for business management also included ISM measures and/or indicators important to the business. After all, otherwise information security is not an important strategic issue in practical leadership.

With the help of an appropriate assessment system one can also gain a numerical assessment result (see figures 7 and 8) to indicate the company's developmental status and maturity concerning ISM. It is also appropriate that the assessment reach recommendations and initiatives pertaining to the continual improvement of the situation. The assessments, and improvement measures based on these, include knowledge of appropriate comparison targets (own goals, competitors, and the best in other industries) and learning from existing best practices, i.e. benchmarking.

Fig. 7. A comprehensive evaluation of a company’s information security management (approach/deployment and results)

Fig. 8. Scoring principles for the evaluation of information security management of a company or other organization entity

Assessments can be made by the so-called first party (the company itself), by a second party (customer), or by a third party (an organization independent from the first two parties). It is crucially important that the company's own leadership self-assesses alongside business management and commences improvement measures based on such assessment. One can also present a first, second, or third party certificate on the basis of an assessment (or an audit), indicating how certain assessment criteria are met. Third party certificates have often had an overly emphasized significance. There is ample evidence, especially from the field of quality management, that one cannot in reality assure quality (nor information security) on the basis of such certificates. Focusing on certificates has also easily had a decelerating or damaging effect on striving towards continual improvement in realizing performance excellence. Neither can information security assurance measures or certificates be considered as management tools for information security. However, when used correctly, certificates can also contribute to information security assurance.

Excellence of information security as an objective

When functioning in a competitive situation, the only possible goal of a company is performance excellence, because only on this basis can long-term competitiveness be realized. The goal of superiority should also be focused on information security management. In this case it is not enough to merely comply with certain external requirements.

Comprehensive information security management with performance excellence as its goal calls for the systematic development of approaches as well as their effective and efficient implementation into practice and continuous assessment, and improvement measures at various levels (see figure 8).



[This text was presented as a seminar paper at the IFIP WG 11.2 & 11.2 seminar on a Donau boat in Hungary in September 1998]