Using the Internet, go to the International Information Systems Security Certification Consortium (ISC)2 Web site (www.isc2.org) and look for the InfoSec common body of knowledge (CBK). When you review the list of 10 areas in the CBK, is policy listed? Why do you think this is so? (Whitman, 2017, p.177)1

The (ISC)2 website states that the (ISC)² CBK is a “taxonomy – a collection of topics relevant to information security professionals around the world.” It is aimed at establishing a “common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding.”3

The domains of the CBK currently consist of Security and Risk Management, Asset Security, Security Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.3

The (ISC)2 webpage listing these domains defines “Security and Risk Management” to include “security policies, standards, procedures and guidelines.”3

I think “policy” is included in the domains of the InfoSec CBK for the following reasons:

  • Information security needs to be a top-down effort to be fruitful. It needs to start with policies which reflect the culture of the organization and the importance they give to security. This can then be translated into technical and implementation safeguards.
  • The management and the C-suite executives need to take the first step in introducing and mandating information security measures in an organization, and policies are the direct communication of the management to the employees.
  • Information Security is not merely technical safeguards. A sizable and crucial portion of it is governance and strategic planning. Policies are directly linked to this.
  • Every organization has a set of similar policies (Acceptable Use Policy, Email Policy etc.) around which their information security architecture revolves. By having (ISC)2 include “policy” in their CBK, a platform is created for having a common vocabulary and framework to encourage dialog among security professionals across domains and industries, thereby fulfilling the need and purpose of the Common Body of Knowledge.