System Models vs Frameworks

For years, IS risk and assurance specialists have based much of their work on Frameworks. However, last year, ISACA introduced the Business Model for Information Security (BMIS) which is intended to change the way professionals approach information security.

The difference between frameworks and models is that frameworks set out a number of elements that then need to be applied to a particular business, while models define the relationships between those elements. The relationships may not always fit exactly the model of a particular business, but a model does provide, not only a good guide, but also a head start in determining the model for a particular system. A model also enables the professional to achieve a better balance between business needs and security needs, always a delicate balance.

Use of a model rather than a framework for tackling security issues provides a more holistic view of security issues, enabling the source of issues to be identified more quickly.

For an article on models vs frameworks, please click this link. (Registration required)