ISACA Survey Reveals Top Six Critical Elements of a Successful Information Security Program

Rolling Meadows, IL, USA (12 January 2005)—Senior management’s commitment to information security initiatives is the top critical element for ensuring effective information security, according to a new study by ISACA. Results of the study were released today in Critical Elements of Information Security Program Success, available as a free download at

The remaining critical elements in the top six are:

· Management’s understanding of information security issues

· Information security planning prior to the implementation of new technologies

· Integration between business and information security

· Alignment of information security with the organization’s objectives

· Executive and line management’s ownership and accountability for implementing, monitoring and reporting on information security

“This study reaffirmed that information security is not just an IT problem—it is a business problem,” said Everett Johnson, CPA, international president of ISACA. “Executive and senior management need to be involved in security risk assessments and provide sufficient resources and consistent support for information security initiatives, and information security professionals need to develop a solid understanding of the business.”

The study consisted of a 10-person focus group of information security management specialists from eight countries and a 157-person survey group from Africa, the Americas, Asia, Europe and Oceania. Survey respondents included C-level executives, senior management, information security managers and staff, research directors, and consultants.

Each group was tasked with identifying the top 10 critical elements for the success of an information security program. Both groups agreed on the top six elements but differed on the remaining four.

The report includes a list of the 35 critical elements for security awareness programs developed by the focus group, from which the top six were selected, as well as suggested actions for ensuring that an organization’s information security program contains the necessary critical elements.

With more than 50,000 members in more than 140 countries, the Information Systems Audit and Control Association® (ISACA®) ( is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditorâ„? (CISA®) designation, earned by more than 44,000 professionals since inception, and the Certified Information Security Manager® (CISM®) designation, a groundbreaking credential earned by 5,500 professionals in its first three years.

Don't miss