Part of the Portfolio, maps to Controls, Communication, and Assurance capabilities


A comprehensive 7-article series on implementing systematic security documentation within Information Security Management Systems (ISMS). Published January 2026.

This series provides strategic and tactical guidance on security concepts as the foundation of security governance, targeting CISOs, Security Architects, and Enterprise Architects.

A security concept is simultaneously a control (ensures security is designed into systems rather than bolted on), a communication bridge (translates between business impact language and technical control language across stakeholder groups), and an assurance foundation (provides the evidence thread from business requirement to implemented control for audits and compliance).

This series reflects the methodology I use in advisory engagements to help organisations establish systematic security documentation. The articles provide the strategic and tactical foundation; engagements apply it to specific systems, teams, and risk profiles.


Articles

  1. The Foundation of Security Governance

    • What security concepts are and why they matter
    • Stakeholder perspectives and ISMS integration
    • Ownership models and early planning principles
  2. Core Components: What Makes a Security Concept Effective

    • System context, threat modelling, and risk assessment
    • Practical approach to creating threat scenarios from actors to loss events
    • How architectural choices transform threats (SaaS vs Cloud vs On-Premise)
    • Control responsibility matrices across different architectures
  3. Control Selection and Security Frameworks

    • Proportionate response and framework-based control selection
    • ISO 27001/27002, NIST CSF/800-53, IEC 62443, CIS Controls
    • Building organisational control libraries
  4. The Living Document: Lifecycle and Change Management

    • Lifecycle integration and project planning
    • Change management integration
    • Threat landscape updates and maintenance triggers
  5. Enterprise Security Capabilities: The Integration Challenge

    • Documenting IAM, SIEM, vulnerability management, and data protection integration
    • Portfolio visibility through stacked security concepts
    • Control inheritance models
  6. Access Control and Data Protection: Getting the Details Right

    • Authentication requirements, RBAC implementation patterns
    • Data classification and encryption specifications
    • Key management and monitoring requirements
  7. Implementation Guide: Templates, Tools, and Getting Started

    • Document structure templates
    • Pilot system selection and rollout planning
    • Organisational models and success patterns

Key themes

  • Security concepts follow an architecture-agnostic process but require architecture-specific analysis. They apply regardless of technology choices, but analysis must address actual architectural decisions.
  • Early planning is essential. Security concepts created at project inception enable proper resourcing and timing.
  • Proportionate response matters. Control intensity scales with system criticality and threat landscape.
  • Enterprise integration is critical. Document how systems leverage existing capabilities rather than reinventing controls.