Information Security Governance: A model based on the Direct–Control Cycle

It is generally accepted that Information Security Governance is an integral part of Corporate Governance. It is therefore essential for any company to have a proper Information Security Governance program which reflects this integration with Corporate Governance. One of the core principles of Governance, and specifically Corporate Governance, is the Direct–Control Cycle which, in its simplest form, ‘prescribes’ and ‘checks’. This paper presents an Information Security Governance model based on this cycle.