ABSTRACT

A number of different evaluation methodologies, frameworks, and standards have been developed, and numerous means of evaluation exist. The problem is that, in general, these means of evaluation are either focused on specific topics of information security or, even if they address all the different facets of security, do so in a static manner rather than globally. By static manner we mean that the evaluation is performed according to methodological rules or advice, pushing the organization to follow the rules of the standards (or methodologies) rather than adapting those rules to meet its specific needs for protection. The Information Security Assurance Assessment Model (ISAAM) proposed within this book has as its primary objective to close this gap. It is a conceptual model based on a methodological approach to holistically evaluate the information security posture. It brings an approach whose evaluation outputs inspire trust, not only in the evaluation results themselves, but also in the information security program or system that has been evaluated. It addresses assurance requirements based on the following two attributes:

• Effectiveness: the system/program under evaluation is doing the correct thing; and
• Efficiency: the system/program under evaluation is doing things correctly by achieving objectives with minimum wasted effort.