Information Security Model Canvas (ISMC)

The Information Security Model Canvas is a visual model for considering an information security program. It organizes the elements that shape how security is planned, operated, and improved.

A program-level reference architecture for information security.

The Information Security Model Canvas serves as a program-level reference architecture to guide the design, implementation, operation, and improvement of information security programs. It provides structure, awareness, and a foundation for collaboration and informed decision-making across the program lifecycle.

Within the TrustHarbor approach, the ISMC is one of several models used to make different aspects of a program visible. It focuses on program structure. Other TrustHarbor models address assessment and how the program operates.

What the ISMC shows

The ISMC presents the elements that make up a complete information security program and how they relate to one another. It is not tied to any specific technology, vendor, or compliance framework. This allows it to remain useful as systems, threats, and requirements change.

A detailed layer shows the program elements in each group.

By presenting the program as a system, the model helps those who use it make better-informed decisions about it.

How the ISMC is used

In practice, the ISMC is used to support:

  • Awareness: a shared view of the entire program
  • Orientation: showing where specific questions or activities belong within the program
  • Examination: identifying missing elements or overlaps
  • Collaboration: supporting clearer conversation between stakeholders
  • Improvement: showing how changes in one area may affect others

It provides a common frame of reference for understanding and adapting an information security program.

What the ISMC is not

The ISMC is not:

  • A checklist or audit form
  • A compliance or certification standard
  • A maturity model
  • A replacement for technical or operational controls

It is a way to see and reason about the structure of a program so that decisions about security can be made with better context.