Part of the Portfolio, maps to Controls, Communication, and Assurance capabilities
A comprehensive 7-article series on implementing systematic security documentation within Information Security Management Systems (ISMS). Published January 2026.
This series provides strategic and tactical guidance on security concepts as the foundation of security governance, targeting CISOs, Security Architects, and Enterprise Architects.
A security concept is simultaneously a control (ensures security is designed into systems rather than bolted on), a communication bridge (translates between business impact language and technical control language across stakeholder groups), and an assurance foundation (provides the evidence thread from business requirement to implemented control for audits and compliance).
Articles
- The Foundation of Security Governance
  - What security concepts are and why they matter
  - Stakeholder perspectives and ISMS integration
  - Ownership models and early planning principles
  - Target audience: CISOs, Security Directors, Enterprise Architects
- Core Components: What Makes a Security Concept Effective
  - System context, threat modelling, and risk assessment
  - Practical approach to creating threat scenarios from actors to loss events
  - How architectural choices transform threats (SaaS vs Cloud vs On-Premise)
  - Control responsibility matrices across different architectures
  - Target audience: Security Architects, System Architects
- Control Selection and Security Frameworks
  - Proportionate response and framework-based control selection
  - ISO 27001/27002, NIST CSF/800-53, IEC 62443, CIS Controls
  - Building organisational control libraries
  - Target audience: Security Architects, CISOs, Security Governance
- The Living Document: Lifecycle and Change Management
  - Lifecycle integration and project planning
  - Change management integration
  - Threat landscape updates and maintenance triggers
  - Target audience: Security Architects, System Architects, Change/Project Managers
- Enterprise Security Capabilities: The Integration Challenge
  - Documenting IAM, SIEM, vulnerability management, and data protection integration
  - Portfolio visibility through stacked security concepts
  - Control inheritance models
  - Target audience: Security Architects, Enterprise Architects, CISOs
- Access Control and Data Protection: Getting the Details Right
  - Authentication requirements, RBAC implementation patterns
  - Data classification and encryption specifications
  - Key management and monitoring requirements
  - Target audience: Security Architects, System Architects, Technical Security Specialists
- Implementation Guide: Templates, Tools, and Getting Started
  - Document structure templates
  - Pilot system selection and rollout planning
  - Organisational models and success patterns
  - Target audience: Security Architects, System Architects, CISOs, Security Leaders
Key themes
- Security concepts follow an architecture-agnostic process but require architecture-specific analysis. They apply regardless of technology choices, but analysis must address actual architectural decisions.
- Early planning is essential. Security concepts created at project inception enable proper resourcing and timing.
- Proportionate response matters. Control intensity scales with system criticality and threat landscape.
- Enterprise integration is critical. Document how systems leverage existing capabilities rather than reinventing controls.