This article provides an overview and summary of the COBIT 5 process Manage Security, which is part of the Management domain Align, Plan and Organise (APO).

The purpose of this COBIT 5 process is to define, manage and monitor an effective information security management system. The goal is to keep the impact and occurrence of security incidents to a minimum.

The process is broken down into the following sub-processes, each of which is further supported by a list of control activities:

  1. Establish and maintain an information security management system (ISMS). Establish and maintain an ISMS that provides a standard approach to security management for information throughout the organisation.
  2. Define and manage an information security risk treatment plan. Maintain an information security plan that describes how information security risks are managed and aligned with the organisational strategy and enterprise architecture.
  3. Monitor and review the ISMS. Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyse data about the ISMS, and improve its effectiveness.

For more information please contact Morland-Austin at