Skip to main content

Research Repository

Advanced Search

A process model for implementing information systems security governance.

Nicho, Mathew


Mathew Nicho


Purpose: The frequent and increasingly potent cyber-attacks due to lack of an optimal mix of technical as well as non-technical IT controls, has led to increased adoption of security governance controls by organizations. The paper thus seeks to construct and empirically validate an information security governance process model through the Plan-Do-Check-Act cycle model of Deming. Design/methodology/approach: This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the information security governance (ISG) domain in United Arab Emirates to validate the theoretical model. Findings: Our findings suggest the primacy of the Plan-Do-Check-Act Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27 K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle. Originality/value: The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps, and justification of these factors in the ISG implementation process.


NICHO, M. 2018. A process model for implementing information systems security governance. Information and computer security [online], 26(1), pages 10-38. Available from:

Journal Article Type Article
Acceptance Date May 12, 2017
Online Publication Date Mar 12, 2018
Publication Date Mar 31, 2018
Deposit Date May 16, 2017
Publicly Available Date Mar 12, 2018
Journal Information and Computer Security
Print ISSN 2056-4961
Electronic ISSN 2056-497X
Publisher Emerald
Peer Reviewed Peer Reviewed
Volume 26
Issue 1
Pages 10-38
Keywords Information security governance; Deming cycle; ISO 27000; COBIT
Public URL


Downloadable Citations