Information security managers have struggled to create programs that are aligned with enterprise goals and priorities, that bring value to the enterprise, and that support the ability of management to innovate while controlling risks. What is missing is a descriptive model that business unit managers and their counterparts in information security can use to talk about information security in business, rather than technical, terms.

In 2008, ISACA entered into a formal agreement with the University of Southern California (USA) Marshall School of Business Institute for Critical Information Infrastructure Protection to continue the development of its Systemic Security Management Model...