Title :
A code of practice for effective information security risk management using COBIT 5
Author :
Walid Al-Ahmad; Basil Mohammed
Author_Institution :
Gulf University for Science & Technology, Mishref, Kuwait
Abstract :
A low-level code of practice is presented in this paper to help information security (IS) risk management professionals manage enterprise IS risks effectively and efficiently using the COBIT 5 framework. The proposed code of practice is the result of the experience gained by the authors over years of working with clients in many industries, implementing IS risk management using different international standards and frameworks. COBIT 5 is intended to serve as an umbrella framework that integrates the knowledge and practice of many other standards and frameworks. However, COBIT 5, like many other frameworks, lacks detailed guidelines for the low-level activities carried out during IT risk management. This code of practice is proposed to fill that gap. The recommended guidelines and activities have been successfully used in real-world IS risk management projects.
Keywords :
"Risk management","Information security","Guidelines","Industries","Standards"
Conference_Title :
Information Security and Cyber Forensics (InfoSec), 2015 Second International Conference on
DOI :
10.1109/InfoSec.2015.7435520