A framework for information security evaluation

R. von Solms, H. van der Haar, S. H. von Solms, W. J. Caelli

Research output: Contribution to journalArticlepeer-review

37 Citations (Scopus)


Information Security Management consists of various facets, such as Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery; these are all interrelated in some way, often causing uncertainty and confusion among top management. This paper proposes a model for Information Security Management, called an Information Security Management Model (ISM2), which puts all the various facets in context. The model consists of five different levels, defined on a security axis. ISM2 introduces the idea of international security criteria or international security standards. The rationale behind these is to enable information security evaluation according to internationally accepted criteria. Due to the lack of internationally recognized and/or accepted information security standards and criteria, this model cannot be implemented in its totality at this time. A restricted form is implemented, forming an information security evaluation tool. This tool can be used for information security management with great success within an organization.

Original languageEnglish
Pages (from-to)143-153
Number of pages11
JournalInformation and Management
Issue number3
Publication statusPublished - Mar 1994


  • Computer Security
  • Information security
  • Information security management
  • Security and protection

ASJC Scopus subject areas

  • Management Information Systems
  • Information Systems
  • Information Systems and Management


Dive into the research topics of 'A framework for information security evaluation'. Together they form a unique fingerprint.

Cite this