
APO13: Managed Security

Learning Objectives

  • Understand APO13 Managed Security within the COBIT framework
  • Learn how COBIT addresses information security governance
  • Integrate security governance with broader IT governance

APO13 addresses information security from a governance and management perspective, ensuring that security receives appropriate organizational attention and resources. It connects security to business objectives and risk management rather than treating security as a purely technical concern.

Objective and Importance

The objective is to keep cybersecurity incidents and their impacts within the organization's accepted risk tolerance levels. This objective acknowledges that perfect security is impossible and that organizations must make conscious choices about acceptable risk.

APO13 operates at the management level, setting direction and establishing frameworks that operational security activities implement. It complements DSS05, which addresses operational security services, by providing the governance foundation upon which operations build.

Key Practices

APO13.01 addresses establishing and maintaining an Information Security Management System (ISMS). This practice aligns directly with ISO 27001 requirements, enabling organizations to pursue both COBIT adoption and ISO 27001 certification within a unified approach. Key activities include establishing security policy, defining ISMS scope, and assigning security roles and responsibilities.

APO13.02 covers developing and managing the security plan. This includes systematic control selection based on risk assessment, security awareness programs that address human factors, and resource allocation for security initiatives. The security plan translates policy into actionable programs.

APO13.03 ensures ongoing ISMS monitoring and review. Effectiveness measurement through metrics and key risk indicators enables data-driven security management. Internal audits verify that security controls operate as intended. Continuous improvement processes address identified weaknesses.

Integration with DSS05

APO13 and DSS05 work together as governance and operations respectively. APO13 establishes security direction, policies, and management frameworks. DSS05 implements operational security services including access management, endpoint protection, network security, and incident handling. Both are necessary for comprehensive security.

Alignment with ISO 27001

Organizations pursuing both COBIT and ISO 27001 find substantial alignment. Both require an Information Security Management System. Both adopt risk-based approaches to control selection. Control catalogs are largely compatible. Organizations can satisfy both frameworks through a single integrated implementation.

Knowledge Questions

  1. APO13 covers Information Security what?
  2. Which ISO standard aligns with APO13?
  3. Who approves the Information Security Policy?

Answers require an exact match.