An Integrative Alignment Approach for Information Security Policy in the Context of Strategic Planning

The enterprise information security policy is derived from the strategic requirements for risk management and corporate governance. Consistent alignment between the security policy and the other corporate business policies and strategies has to be maintained if information security is to be implemented according to evolving business objectives. There are however limitations in current approaches for developing and managing the security policy to facilitate consistent strategic alignment within the business strategic planning cycle. The proposed full integrative planning approach for the enterprise information security policy conceptually demonstrates that the security policy can be presented as a business policy within the strategic management cycle. As such, this paper argues that the security policy can take on integrated strategic planning activities alongside other strategic business policies. The recommended future research includes the adoption of the proposed security policy framework to establish applicability and the development of an assessment model for both the framework and the security policy. This is to validate the framework propositions and identify elements of value as well as areas for improvement.