Improving information security compliance - A process-oriented approach for managing organizational change

Enterprises typically have to comply with many different legal, regulatory and internal requirements. Particularly in the context of information processing, there are dedicated regulations which demand the protection of the information infrastructure. From the authors’ point of view, organizational aspects are thereby one of the most critical improvement areas. However, the related organizational change process can be challenging in order to appropriately define and anchor adequate roles within the organization. To align the organization to the specific requirements of information security (IS), it is necessary to change the current organizational state into one that better supports the IS compliance performance. A process-oriented approach for managing the organizational change to improve information security compliance is presented in this contribution. The approach uses Business Aligned Information Security Management (BAISeM) and principles that have been derived from standards like ITIL, CObIT and ISO 27001. In order to illustrate the approach, the context of IT service continuity is selected as an example.