FEATURE

Accountability for Information

Security Roles and
Responsibilities, Part 1
Using COBIT 5 for Information Security in ArchiMate

In recent years, information security has evolved recognizing information and related technologies as
from its traditional orientation, focused mainly on critical business assets that need to be governed
technology, to become part of the organization’s and managed in effective ways.6
strategic alignment, enhancing the need for an
aligned business/information security policy.1, 2 Information security is a business enabler that is
Information security is an important part of directly connected to stakeholder trust, either by
organizations since there is a great deal of addressing business risk or by creating value for
information to protect, and it becomes important enterprises, such as a competitive advantage.7
for the long-term competitiveness and survival of Moreover, information security plays a key role in an
organizations. Thus, the information security roles organization’s daily operations because the integrity
are defined by the security they provide to the and confidentiality of its information must be
organizations and must be able to understand the ensured and available to those who need it.8
value proposition of security initiatives, which
leads to better operational responses regarding To tackle information security-related threats and
security threats.3 solutions, it is essential for organizations to have
well-skilled information security professionals.
Organizations and their information storage Many smaller enterprises cannot justify the creation
infrastructures are vulnerable to cyberattacks and of a single post or an information security team
other threats.4 Many of these attacks are highly dedicated to its information security management.
sophisticated and designed to steal confidential
information. Therefore, enterprises that deal with a
lot of sensitive information should be prepared for
these threats because information is one of an
organization’s most valuable assets, and having the
right information at the right time can lead to
greater profitability.5 Enterprises are increasingly

Tiago Catarino
Is currently working in the Portfolio and Investment Department at INCM (Portuguese Mint and Official Printing Office). In the scope
of his professional activity, he develops specialized activities in the field of information systems architectures in several transversal
projects to the organization. His main academic interests are in the areas of enterprise architecture, enterprise engineering,
requirements engineering and enterprise governance, with emphasis on IS architecture and business process engineering.

André Vasconcelos, Ph.D.

Is an assistant professor in the Computer Science and Engineering department at Instituto Superior Técnico, University of Lisbon
(Portugal) and a researcher at Instituto de Engenharia de Sistemas e Computadores-Investigação e Desenvolvimento (INESC-ID)
(Lisbon, Portugal). He has developed strategic advice in the area of information systems and business in several organizations. In
the scope of his professional activity, he develops specialized advisory activities in the field of enterprise architecture for several
digital transformation projects. He has written more than 80 publications, and he has been involved in several international and
national research projects related to enterprise architecture, information systems evaluation and e-government, including several
European projects.

© 2019 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL VOL 5 1

 These enterprises, in particular enterprises with no of desirable characteristics for each information
external compliance requirements, will often use a security professional.
general operational or financial team to house the
main information security blueprint, which can cover However, COBIT 5 for Information Security does not
technical, physical and personnel-related security and provide a specific approach to define the CISO’s role.
works quite successfully in many ways.9 Such an approach would help to bridge the gap
between the desired performance of CISOs and their
Nonetheless, organizations should have a single current roles, increasing their effectiveness and
person (or team) responsible for information completeness, which, in turn, would improve the
security—depending on the organization’s maturity maturity of information security in the organization.
level—taking control of information security policies
and management.10 This leads chief information Moreover, this framework does not provide insight on
security officers (CISOs) to take a central role in implementing the role of the CISO in organizations,
organizations, since not having someone in the such as what the CISO must do based on COBIT®
organization who is accountable for information processes. It provides a “thinking approach and
security increases the chances of a major structure,” so users must think critically when using it
security incident.11 to ensure the best use of COBIT.

Some industries place greater emphasis on the

CISO’s role than others, but once an organization THE CISO’S ROLE IS
gets to a certain size, the requirement for a
dedicated information security officer becomes too STILL VERY ORGANIZATION-
critical to avoid, and not having one can result in a SPECIFIC, SO IT CAN BE
higher risk of data loss, external attacks and
inefficient response plans. Moreover, an DIFFICULT TO APPLY ONE
organization’s risk is not proportional to its size, so FRAMEWORK TO VARIOUS
small enterprises may not have the same global
footprint as large organizations; however, small and ENTERPRISES.
mid-sized organizations face nearly the same risk.12

COBIT® 5 for Information Security is a professional Every organization has different processes,
guide that helps enterprises implement information organizational structures and services provided.
security functions. It can be instrumental in The CISO’s role is still very organization-specific, so
providing more detailed and more practical it can be difficult to apply one framework to various
guidance for information security professionals, enterprises. This difficulty occurs because it is
including the CISO role.13, 14 complicated to align organizations’ processes,
structures, goals or drivers to good practices of the
The Problem framework that are based on processes,
organizational structures or goals. The mapping of
COBIT 5 for Information Security helps security and COBIT to the organization’s business processes is
IT professionals understand, use, implement and among the many challenges that arise when
direct important information security activities. With assessing an enterprise’s process maturity level.
this guidance, security and IT professionals can
make more informed decisions, which can lead to COBIT® 5 has all the roles well defined and
more value creation for enterprises.15 responsible, accountable, consulted and informed
(RACI) charts can be created for each process,
In particular, COBIT 5 for Information Security but different organizations have different roles
recommends a set of processes that are and levels of involvement in information
instrumental in guiding the CISO’s role and provides security responsibility.
examples of information types that are common in
an information security governance and ArchiMate is the standard notation for the graphical
management context. Furthermore, it provides a list modeling of enterprise architecture (EA). Many

2 ISACA JOURNAL VOL 5 © 2019 ISACA. All rights reserved. www.isaca.org

organizations recognize the value of these
architectural models in understanding the
dependencies between their people, processes, EA ASSURES OR CREATES THE
applications, data and hardware. Using ArchiMate
NECESSARY TOOLS TO PROMOTE
helps organizations integrate their business
and IT strategies. ALIGNMENT BETWEEN THE
ORGANIZATIONAL STRUCTURES INVOLVED
The challenge to address is how an organization
can implement the CISO’s role using COBIT 5 for IN THE AS-IS PROCESS AND THE TO-BE
Information Security in ArchiMate, a challenge that,
DESIRED STATE.
by itself, raises other relevant questions regarding
its implementations, such as:

• Can organizations perform a gap analysis transparency, delivers information as a basis

between the organization’s as-is status to for control and decision-making, and enables
what is defined in COBIT 5 for Information IT governance.20
Security, regarding:
– Processes and base practices? EA is important to organizations, but what are its
– Key practices? goals? The answers are simple:
– Business functions and information types?
– Roles?
• Understanding the organization

• Developing systems, products and services

• Can ArchiMate’s notation model all the concepts
according to business goals
defined in COBIT 5 for Information Security?
• Optimizing operations
Therefore, it is important to make it clear to
organizations that the role and associated
• Optimizing organizational resources, including
people
processes (and activities), information security
functions, key practices, and information outputs • Providing alignment between all the layers of
where the CISO is included have the right person the organization, i.e., business, data, application
with the right skills to govern the enterprise’s and technology21
information security. For that, ArchiMate
architecture modeling language, an Open Group Moreover, EA can be related to a number of well-
standard, provides support for the description, known best practices and standards. Figure 1
analysis and visualization of interrelated shows the management areas relevant to EA and
architectures within and across business domains the relation between EA and some well-known
to address stakeholders’ needs.16 management practices of each area.

EA and ArchiMate EA assures or creates the necessary tools to

promote alignment between the organizational
EA is a coherent set of whole of principles, methods structures involved in the as-is process and the to-
and models that are used in the design and be desired state. To promote alignment, it is
realization of an enterprise’s organizational necessary to tailor the existing tools so that EA can
structure, business processes, information systems provide a value asset for organizations.
and infrastructure.17, 18, 19 The EA process creates

Figure 1—EA Management Areas vs. Management Practices

Strategic execution European Foundation for Quality Management (EFQM)
Quality management International Organization for Standardization (ISO) 9001
IT governance COBIT 5
IT delivery and support Information Technology Infrastructure Library (ITIL)
IT implementation Capability Maturity Model (CMM) and Capability Maturity Model Integration (CMMI)

© 2019 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL VOL 5 3

 meet vision, mission and business goals and to
deliver the enterprise strategy.26
ALTHOUGH EA AND COBIT® 5 DESCRIBE
Although EA and COBIT® 5 describe areas of
AREAS OF COMMON INTEREST, THEY DO IT
common interest, they do it from different
FROM DIFFERENT PERSPECTIVES. perspectives. COBIT 5 focuses on how one
enterprise should organize the (secondary) IT
function, and EA concentrates on the (primary)
The research here focuses on ArchiMate with the business and IT structures, processes, information
business layer and motivation, migration and and technology of the enterprise.27
implementation extensions.
Figure 2 shows the proposed method’s steps for
ArchiMate provides a graphical language of EA over implementing the CISO’s role using COBIT 5 for
time (not static), and motivation and rationale. Information Security in ArchiMate.
ArchiMate is divided in three layers: business,
application and technology. This research proposes a business architecture that
clearly shows the problem for the organization and,
These three layers share a similar overall structure at the same time, reveals new possible scenarios. It
because the concepts and relationships of each also proposes a method using ArchiMate to
layer are the same, but they have different integrate COBIT 5 for Information Security with EA
granularity and nature. Every entity in each level is principles, methods and models in order to properly
categorized according to three aspects: implement the CISO’s role. ArchiMate notation
information, structure and behavior.22 provides tools that can help get the job done, but
these tools do not provide a clear path to be
ArchiMate is a good alternative compared to other followed appropriately with the identified need.
modeling languages (e.g., Unified Modeling
Language [UML]) because it is more To maximize the effectiveness of the solution, it is
understandable, less complex and supports the recommended to embed the COBIT 5 for Information
integration across the business, application and Security processes, information and organization
technology layers through various viewpoints.23 structures enablers’ rationale directly in the models of
EA. The following focuses only on the CISO’s
The business layer, which is part of the framework responsibilities in an organization; therefore, all the
provided by ArchiMate, is where the question of modeling is performed according to the level of
defining the CISO’s role is addressed. The business involvement “responsible” (R), as defined in COBIT 5
layer metamodel can be the starting point to for Information Security’s enablers.
provide the initial scope of the problem to address.
Furthermore, ArchiMate’s motivation and The research problem formulated restricts the
implementation and migration extensions are also spectrum of the architecture views’ system of
key inputs for the solution proposal that helps with interest, so the business layer, motivation, and
the COBIT 5 for Information Security modeling. migration and implementation extensions are the
only part of the research’s scope. Such modeling
Proposal follows the ArchiMate’s architecture viewpoints, as
shown in figure 3.
EA, by supporting a holistic organization view, helps
in designing the business, information and
Step 1—Model COBIT 5 for Information Security
technology architecture, and designing the IT
In this step, inputting COBIT 5 for Information
solutions.24, 25 COBIT® is a framework for the
Security results in the outputs of CISO to-be
governance and management of enterprise IT, and
business functions, process outputs, key practices
EA is defined as a framework to use in architecting
and information types.
the operating or business model and systems to

4 ISACA JOURNAL VOL 5 © 2019 ISACA. All rights reserved. www.isaca.org

 Figure 2—Proposed Method’s Steps

1. Model COBIT 5 ➜ 7. Analysis

for Information and to-be ➜
Security design

2. Model ➜
organization’s
EA

3. Information ➜
type
mapping

4. Processes ➜
output
mapping

5. Key ➜
practices
mapping

6. Role ➜
mapping

COBIT 5 for Information Security can be modeled the CISO is responsible for originating, defined in
with regard to the scope of the CISO’s role, using COBIT 5 for Information Security, will first be
ArchiMate as the modeling language. Figure 4 modeled using the ArchiMate notation. Such
shows an example of the mapping between COBIT 5 modeling is based on the Principles, Policies and
for Information Security and ArchiMate’s concepts Frameworks and the Information and
regarding the definition of the CISO’s role. The Organizational Structures enablers of COBIT 5 for
semantic matching between the definitions and Information Security.
explanations of these columns contributes to the
proposed COBIT 5 for Information Security to COBIT 5 for Information Security’s processes and
ArchiMate mapping. related practices for which the CISO is responsible
will then be modeled. Those processes and
The definition of the CISO’s role, the CISO’s practices are:
business functions and the information types that

Figure 3—Solution’s Step—ArchiMate Viewpoints

ArchiMate’s Architecture Viewpoint
Business
Organization Process Motivation Migration
Proposed Method’s Step Viewpoint Viewpoint Viewpoint Viewpoint
1. Model COBIT 5 for Information Security X X X
2. Model organization’s EA X X X
3. Business functions mapping X
4. Processes output mapping X
5. Key practices mapping X
6. Role mapping X
7. Analysis and to-be design X

© 2019 ISACA. All rights reserved. www.isaca.org ISACA JOURNALVOL 5 5

 Figure 4—COBIT 5 for Information Security to ArchiMate Ontological Mapping
COBIT 5 for
Information
Security ArchiMate Concept
concept COBIT 5 for Information Security Concept Description Description ArchiMate Notation
Enterprises exist to create value for their stakeholders—including A principle is defined as a
stakeholders for information security—by maintaining a balance between normative property of all
the realization of benefits and the optimization of risk and use of resources. systems in a given context,
COBIT 5 provides all of the required processes and other enablers to support or the way in which they are
Principle 1: business value creation through the use of IT. Since every enterprise has realized.
Principle 1– !
Meeting different objectives, an enterprise can customize COBIT 5 to suit its own Meeting
Stakeholder context through the goals cascade, translating high-level enterprise goals Stakeholder
Needs into manageable, specific, IT-related goals and mapping these to specific Needs
enablers, such as processes and activities.

Stakeholder needs are influenced by a number of drivers, e.g., strategy A driver is defined as
(name)
changes, a changing business and regulatory environment, and new something that creates,
Stakeholder
technologies. motivates and fuels the
driver
change in an organization.

Value creation is the main governance objective of an enterprise, achieved A goal is defined as an end
when the three underlying objectives (benefits realization, risk optimization state that a stakeholder
and resource optimization) are all balanced. intends to achieve. (name)
Stakeholder
needs Stakeholder needs drive the governance objective of value creation:
• Benefits realization
• Risk optimization
• Resource optimization
The translation of the enterprise’s mission from a statement of intention into A goal is defined as an end
performance targets and results state that a stakeholder (name)
Enterprise
intends to achieve.
goals

A statement describing a desired outcome of enterprise IT in support of A goal is defined as an end

enterprise goals. An outcome can be an artifact, a significant change of a state that a stakeholder (name)
IT-related
state or a significant capability improvement. intends to achieve.
goals

Enablers include processes, organizational structures and information, and A goal is defined as an end
for each enabler, a set of specific relevant goals can be defined in support of state that a stakeholder (name)
Enabler goals the IT-related goals. intends to achieve.

A statement describing the desired outcome of a process. An outcome A goal is defined as an end
can be an artifact, a significant change of a state or a significant capability state that a stakeholder (name)
Process goals improvement of other processes. intends to achieve.

A statement describing the desired outcome of a process, regarding A goal is defined as an end
Information- information security. An outcome can be an artifact, a significant change of a state that a stakeholder (name)
security- state or a significant capability improvement of other processes. intends to achieve.
specific goal

Generally, a collection of practices influenced by the enterprise’s policies A business process is

and procedures that takes inputs from a number of sources (including other defined as a behavior
processes), manipulates the inputs and produces outputs (e.g., products, element that groups behavior (name) ➜
services). based on an ordering of
Process
activities. It is intended
to produce a defined set
of products or business
services.

6 ISACA JOURNAL VOL 5 © 2019 ISACA. All rights reserved. www.isaca.org

 Figure 4—COBIT 5 for Information Security to ArchiMate Ontological Mapping (cont.)
COBIT 5 for
Information
Security ArchiMate Concept
concept COBIT 5 for Information Security Concept Description Description ArchiMate Notation
An activity that, when consistently performed, contributes to achieving A business process is defined
a specific process purpose. Base practices are the activities or tasks as a behavior element that
required to achieve the required outcome for the process. They are groups behavior based on
(name) ➜
Base
specified in the COBIT 5 Process Assessment Model at a high level without an ordering of activities. It is
practices
specifying how they are carried out. intended to produce a defined
set of products or business
services.
An overview of what the process does and a high-level overview of how the It is a description that
process accomplishes its purpose expresses the intent of a
representation; i.e., how it
informs the external user.
Process (name)
Meaning is defined as the
description
knowledge or expertise
present in a business object
or its representation, given a
particular context.
A description of the overall purpose of the process; the high-level A goal is defined as an end
measurable objectives of performing the process and the likely outcomes state that a stakeholder (name)
Process
of effective implementation of the process intends to achieve.
purpose

Identifying the stakeholder of information is essential to optimize the A business object is defined
development and distribution of information throughout the enterprise. as a passive element that has
Information (name)
Example of information types include: relevance from a business
types
• Information security strategy perspective.
• Information security review reports
Identifying the stakeholder of information is essential to optimize the A business function is defined
development and distribution of information throughout the enterprise. as a behavior element that (name)
Business
groups behavior based on a
function
chosen set of criteria (typically
required business resources
and/or competencies).
Anyone who has a responsibility for, an expectation from or some other A business actor is defined
interest in the enterprise, e.g., shareholders, users, government, suppliers, as an organizational entity (name)
Stakeholder customers and the public that is capable of performing
behavior.

Prescribed or expected behavior associated with a particular position or A business role is defined
status in a group or organization; a job or a position that has specific set as the responsibility for (name)
Role of expectations attached to it. performing a specific behavior
to which an actor can be
assigned.
The process work products/artifacts considered necessary to support A business object is defined
process’s operation. as a passive element that has
Inputs and (name)
relevance from a business
outputs
perspective.

• Evaluate, Direct and Monitor (EDM) EDM03.03 The modeling of the processes’ practices for
Monitor risk management which the CISO is responsible is based on the
Processes enabler.
• Align, Plan and Organize (APO) APO01.04
Communicate management objectives and
Finally, the key practices for which the CISO should
direction
be held responsible will be modeled. Such modeling
• APO12.01 Collect data is based on the Organizational Structures enabler.
As an output of this step, viewpoints created to
• APO12.06 Respond to risk

© 2019 ISACA. All rights reserved. www.isaca.org ISACA JOURNALVOL 5 7

 Information Security for which the CISO is
responsible, will then be modeled.
IF THERE IS NOT A CONNECTION
Finally, the organization’s current practices, which
BETWEEN THE ORGANIZATION’S
are related to the key COBIT 5 for Information
INFORMATION TYPES AND THE Security practices for which the CISO is responsible,
will be represented.
INFORMATION TYPES THAT THE CISO IS
RESPONSIBLE FOR ORIGINATING, THIS Step 1 and step 2 provide information about the
organization’s as-is state and the desired to-be state
SERVES AS A DETECTION OF
regarding the CISO’s role. Furthermore, these two
AN INFORMATION TYPES GAP. steps will be used as inputs of the remaining steps
(steps 3 to 6).

model the selected concepts from COBIT 5 for Step 3—Information Types Mapping
Information Security using ArchiMate will be the For this step, the inputs are information types,
input for the detection of an organization’s contents business functions and roles involved—as-is (step
to properly implement the CISO’s role. 2) and to-be (step 1). The output is the information
types gap analysis.
Step 2—Model Organization’s EA
The inputs for this step are the CISO to-be business In the third step, the goal is to map the
functions, processes’ outputs, key practices and organization’s information types to the information
information types, documentation, and informal that the CISO is responsible for producing. With this,
meetings. The outputs are organization as-is it will be possible to identify which information
business functions, processes’ outputs, key types are missing and who is responsible for them.
practices and information types.
If there is not a connection between the
In this step, it is essential to represent the organization’s information types and the
organization’s EA regarding the definition of the information types that the CISO is responsible for
CISO’s role. Such modeling aims to identify the originating, this serves as a detection of an
organization’s as-is status and is based on the information types gap.
preceded figures of step 1, i.e., all viewpoints
represented will have the same structure. This step Step 4—Processes Outputs Mapping
aims to represent all the information related to the The inputs are the processes’ outputs and roles
definition of the CISO’s role in COBIT 5 for involved—as-is (step 2) and to-be (step 1). The
Information Security to determine what processes’ output is the gap analysis of processes’ outputs.
outputs, business functions, information types and
key practices exist in the organization. The fourth step’s goal is to map the processes’
outputs of the organization to the COBIT 5 for
This step begins with modeling the organization’s Information Security processes for which the CISO
business functions and types of information is responsible. With this, it will be possible to
originated by them (which are related to the identify which processes’ outputs are missing and
business functions and information types of COBIT who is delivering them.
5 for Information Security for which the CISO is
responsible) using the ArchiMate notation. A missing connection between the processes’
outputs of the organization and the processes’
The organization’s processes and practices, which outputs for which the CISO is responsible to
are related to the processes of COBIT 5 for produce and/or deliver indicates a processes’
output gap.

8 ISACA JOURNAL VOL 5

Step 5—Key Practices Mapping to make a strategic decision that may be different
The inputs are key practices and roles involved—as- for every organization to fix the identified
is (step 2) and to-be (step 1). The output is a gap information security gaps.
analysis of key practices.
Conclusion
The fifth step maps the organization’s practices to
key practices defined in COBIT 5 for Information
Security for which the CISO should be responsible. With the growing emphasis on information security
With this, it will be possible to identify which key and the reputational—and sometimes monetary—
practices are missing and who in the organization is penalties that breaches cause, information security
responsible for them. teams are in the spotlight, and they have many
responsibilities when it comes to keeping the
If there is not a connection between the organization safe. COBIT 5 for Information Security
organization’s practices and the key practices for effectively details the roles and responsibilities of
which the CISO is responsible, it indicates a key the CISO and the CISO’s team, but knowing what
practice’s gap. these roles and responsibilities are is only half the
battle. Without mapping those responsibilities to
Step 6—Roles Mapping the EA, ambiguity around who is responsible for
For this step, the inputs are roles as-is (step 2) and which task may lead to information security gaps,
to-be (step 1). The output shows the roles that are potentially resulting in a breach. Using a tool such
doing the CISO’s job. as ArchiMate to map roles and responsibilities to
the organization’s structure can help ensure that
This step maps the organization’s roles to the CISO’s someone is responsible for the tasks laid out in
role defined in COBIT 5 for Information Security to COBIT 5 for Information Security.
identify who is performing the CISO’s job.
An application of this method can be found in part 2
Step 7—Analysis and To-Be Design of this article. It demonstrates the solution by
The input is the as-is approach, and the output is applying it to a government-owned organization
the solution. (field study).

This step aims to analyze the as-is state of the Endnotes

organization’s EA and design the desired to-be state 1 Vicente, M.; “Enterprise Architecture and ITIL,”
of the CISO’s role. This step requires: Instituto Superior Técnico, Portugal, 2013
• Identifying the organization’s information 2 Silva, N.; “Modeling a Process Assessment
security gaps Framework in ArchiMate,” Instituto Superior
Técnico, Portugal, 2014
• Discussing with the organization’s responsible 3 Whitten, D.; “The Chief Information Security
structures and roles to determine whether the Officer: An Analysis of the Skills Required for
responsibilities identified are appropriately Success,” Journal of Computer Information
assigned Systems, vol. 48, iss. 3, March 2008,
https://www.tandfonline.com/doi/abs/
The purpose of this step is to design the as-is state 10.1080/08874417.2008.11646017
of the organization and identify the gaps between 4 De Souza, F.; “An Information Security Blueprint,
the existent architecture and the responsibilities of Part 1,” CSO, 3 May 2010, https://www.csoon
the CISO’s role as described in COBIT 5 for line.com/article/2125095/an-information-
Information Security. Moreover, this viewpoint security-blueprint—part-1.html
allows the organization to discuss the information 5 Ibid.
security gaps detected so they can properly
implement the role of CISO. For that, it is necessary

ISACA JOURNAL VOL 5 9

 6 Cadete, G.; “Using Enterprise Architecture for 15 Op cit ISACA, COBIT 5 for Information Security
Implementing Governance With COBIT 5,” 16 Op cit Cadete
Instituto Superior Técnico, Portugal, 2015 17 Lankhorst, M.; Enterprise Architecture at Work,
7 ISACA®, COBIT® 5 for Information Security, USA, Springer, The Netherlands, 2005
2012, www.isaca.org/COBIT/Pages/ 18 Niemann, K. D.; From Enterprise Architecture to
Information-Security-Product-Page.aspx IT Governance, Springer Vieweg Verlag,
8 Olijnyk, N.; “A Quantitive Examination of the Germany, 2006
Intellectual Profile and Evolution of Information 19 Grembergen, W. V.; S. De Haes; Implementing
Security From 1965 to 2015,” Scientometrics, Information Technology Governance: Models,
vol. 105, iss. 2, p. 883-904 Practices and Cases, IGI Publishing, USA, 2007
9 Olavsrud, T.; “Five Information Security Trends 20 Op cit Lankhorst
That Will Dominate 2016,” CIO, 21 December 21 Ibid.
2015, https://www.cio.com/article/3016791/ 22 Vicente, P.; M. M. Da Silva; “A Conceptual
5-information-security-trends-that-will- Model for Integrated Governance, Risk and
dominate-2016.html Compliance,” Instituto Superior Técnico,
10 Ibid. Portugal, 2011
11 Moffatt, S.; “Security Zone: Do You Need a 23 The Open Group, “ArchiMate 2.1 Specification,”
CISO?” ComputerWeekly, October 2012, 2013
https://www.computerweekly.com/opinion/ 24 Op cit Niemann
Security-Zone-Do-You-Need-a-CISO 25 Op cit Grembergen and De Haes
12 Op cit Olavsrud 26 Op cit Lankhorst
13 Op cit ISACA 27 Ibid.
14 ISACA, COBIT® 5, USA, 2012,
www.isaca.org/COBIT/Pages/COBIT-5.aspx

10 ISACA JOURNAL VOL 5