This article provides an overview and summary of the COBIT 5 process Manage Security Services, which is part of the Management – Run (Deliver, Service, Support) domain.

The purpose of this COBIT 5 process is to protect the organisation's information and to keep the level of information security risk within what the security policy deems acceptable. This includes establishing information security roles and access privileges and carrying out ongoing security monitoring. The goal is to minimise the impact on the organisation of operational information security vulnerabilities and incidents.

Each of the following sub-governance processes is further supported by a list of control activities:

  1. Protect against malware. Implement preventive, detective and corrective measures – especially up-to-date security patches and virus controls to protect information systems and technology from malware (viruses, worms, spyware, spam).
  2. Manage network and connectivity security. Use security measures and procedures to protect information over all forms of connectivity.
  3. Manage endpoint security. Ensure that endpoints (laptop, desktop, server, and other mobile and network devices or software) are secured at all levels.
  4. Manage user identity and logical access. Ensure that all users have information access rights in accordance with their roles and responsibilities.
  5. Manage physical access to IT assets. Implement procedures to grant, limit and revoke access to premises, buildings and areas.
  6. Manage sensitive documents and output devices. Implement appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets.
  7. Monitor the infrastructure for security-related events. Use intrusion detection tools to monitor the infrastructure for unauthorised access.

For more information please contact Morland-Austin at