Approaches to a Security Framework

I'm going to give you a quick rundown of several standardized methodologies for reaching a security framework, as they relate to information security governance.

COBIT: It stands for Control Objectives for Information and related Technology. It's a set of best practices, or a framework, for Information Technology Management. It was created by ISACA and the IT Governance Institute (ITGI) back in the early nineties. COBIT gives managers, IT users, IT supervisors, technicians and auditors a framework of generally accepted practices, measurements and indicators to help maximize the benefits derived from the use of information technology.

CMM – Capability Maturity Model: It's also sometimes referred to as the Software CMM or SW-CMM. CMM is a process capability model based on software development processes and practices. CMM is officially no longer used; it was retired in 1997 and superseded by CMMI, the Capability Maturity Model Integration, which is used by many organizations to help them understand their organization's process capability maturity in a wide range of areas, including software engineering, risk management, project management, information technology, systems engineering and personnel management.

Balanced Scorecard: It's a concept for measuring whether the activities of a company are actually meeting its objectives, and for determining its overall strategy, mission and vision. It focuses on financial outcomes, but it also looks at human issues. The balanced scorecard provides a comprehensive view of the business, not just from a financial standpoint: it also helps the organization improve its long-term planning and meet its long-term goals.

SABSA: The Sherwood Applied Business Security Architecture is a methodology for enterprise security architecture and service management. It develops risk-driven enterprise information security architectures for delivering security infrastructure solutions that support critical business initiatives. Its primary characteristic is that everything has to be derived from an analysis of the business requirements for security. Therefore, it's totally security driven.

ISO 27002: It's part of a growing family of information security standards published by ISO/IEC, and it's also used in combination with COBIT. It covers security techniques and a code of practice for information security management. It provides best practices and recommendations on information security management for those who are responsible for implementing, maintaining and operating information security management systems, or ISMS.

GAISP: The Generally Accepted Information Security Principles gave us a clear picture of the central features of security, practices and assurances for our organization. Many people considered it a central checklist for security strategies and plans of action. However, this framework is now dead.

Best regards, my friend, and remember: if you have any questions, go ahead!