Guiding Principles for Information Security Professionals

It was about time (ISC)2, ISF and ISACA got together and put on paper principles that many of us have used for a long time.

I doubt that those that still feel IT and InfoSec are “The Stewards of the One True Way” will ever read them, much less decide to actually follow them.

It is definitely good to see principle A1: Focus on the business. However, keep in mind that A1 and A3 can and will at times clash. When they do, B1 to the rescue. Compliance with relevant regulatory requirements is just another risk you need to manage. Compliance with legal requirements is only optional if you work for an organised crime organisation. ;-)