Cyber security programs, visualized

The high-level view of the program element groups of an information security program.
Each element in the detailed model below represents a key part of the program.
The model structures these elements to facilitate a program-wide focus on what to protect, how to respond and recover, and how to prioritize sustaining and improving the program. The details follow below.

The program elements of the Information Security Model Canvas, the architecture of an information security program.
The program element groups and their descriptions follow.
Continuous Awareness
How understanding of risk and responsibility is kept present in daily work.
This reflects the ongoing ways people stay oriented to the security of the business, its systems, its information, and its operation. It may include training, reminders, guidance, visual cues, and role-based expectations that keep risk and recovery part of everyday decision making.
When cyber security awareness is treated as continuous, the program does not rely on memory or annual events. People remain better positioned to recognize issues, follow controls, and respond when something goes wrong, which supports the stability and resilience of the program and the business over time.
The Business Context
This program element group brings together the information that defines how the business operates and what it depends on. It covers how work is structured, what the organization is trying to achieve, and how information security fits into that picture through objectives and strategy.

The purpose is not documentation for its own sake. It provides a shared reference point for making decisions about risk, priorities, and investment in the security program. Without this grounding, security efforts tend to drift away from business reality.
These elements are also helpful for effective, holistic consideration of change to the business, the program, or the threat landscape.
The level of detail and formality is set by the business. Some organizations capture this in a single, concise document. Others choose to separate architecture, objectives, and strategy into distinct records. What matters is that the information exists in a form that supports clear thinking and ongoing program improvement.
Business Architecture
How the business is structured and how work gets done.
This describes how the organization operates day to day. It may include the main services or products, how work flows through the business, who is responsible for what, and how systems and partners fit into that picture.
When this is clear, security planning has something concrete to align to. Protection, recovery, and investment decisions can be made in relation to how the business functions, rather than in isolation from it. This supports a program that stays relevant as the business changes.
Security Architecture
How protection and resilience are arranged across systems and services.
This describes how safeguards, technologies, and operational practices are positioned to protect the business. It may include how identity, data protection, monitoring, backup, and external services fit together, and how responsibilities are divided between internal teams and providers.
When this is understood, security can be considered as a coherent system rather than a collection of tools. Gaps, overlaps, and dependencies become visible, which supports more deliberate choices about where to invest, what to change, and how to support recovery.
Business Objectives
What the business is trying to achieve, which informs how to protect it.
This reflects the outcomes the organization cares about, such as growth, reliability, regulatory standing, customer trust, or operational continuity. It may include near term priorities as well as longer term direction.
When these objectives are visible, security planning has a reference point for trade-offs and priorities. Effort and investment can be weighed against what the business is trying to accomplish, which supports a program that protects what matters most rather than treating all risks as equal.
Security Strategy
How the business intends to manage information security over time.
This describes the overall approach to risk, protection, and recovery in light of the business’s objectives and operating reality. It may include how much risk the business is prepared to accept, where it chooses to invest, and how it balances prevention, detection, and recovery.
When this is clear, individual initiatives and controls can be evaluated against a common direction. This supports a program that evolves deliberately rather than reacting to events, vendor pressure, or isolated concerns.
Security Program Objectives
What the security program is intended to deliver.
This describes the specific outcomes the program is expected to support, such as reducing certain types of risk, improving recovery readiness, or meeting regulatory or contractual expectations. It may include near term targets as well as ongoing responsibilities.
When these objectives are visible, day-to-day security work has a clear purpose. Activities and controls can be aligned to defined outcomes, which supports a program that remains focused and measurable.
Program Management
How security work is organized, coordinated, and kept on track.
This covers how initiatives are planned, assigned, tracked, and reviewed over time. It may include how responsibilities are set, how progress is measured, and how changes or issues are handled.
When this is in place, security work can be carried out in a controlled and repeatable way. Priorities remain visible, commitments are managed, and the program can adapt as conditions, stakeholder input, and requirements change.
Program Description
This program element group brings together the information that describes how the security program is instantiated for a specific business. It covers the assets, risks, controls, services, and dependencies that define how information security is expressed in practice.

These elements are typically maintained through registers and inventories that reflect the organization’s systems, data, people, and partners. Together, they form the working description of the program that supports day-to-day operation, oversight, and improvement.
The content and structure of these elements are shaped by the business. Some organizations maintain a small number of consolidated records. Others keep more detailed or separate registers. What matters is that the program can be understood, operated, and reviewed in a way that fits the business’s scale, complexity, evidence requirements, and risk profile.
Information Assets
What information and information systems the business depends on.
This covers the data, applications, and supporting systems that enable the business to operate. It may include customer information, financial records, operational data, and the platforms that store or process them.
These are recorded in an information asset register. When this inventory is maintained, risk, protection, and recovery planning can reference it, which supports clearer prioritization and more grounded security decisions.
Information Risks
Where exposure to loss or disruption is recognized and described.
This covers situations that could affect the confidentiality, integrity, or availability of information and systems. It may include technical, operational, regulatory, and third-party sources of exposure.
These should be captured in a risk register. When risks are visible and described in relation to assets and business objectives, priorities and trade-offs can be fully considered, which supports more deliberate decisions about protection and recovery.
Operations
How information security is carried out in daily work.
This covers the routines, procedures, and responsibilities that keep security functioning over time. It may include how access is granted, how changes are handled, how issues are reported, and how routine checks are performed.
These activities are reflected in operational records and procedures. When they are understood and maintained, the security program is able to function in a predictable way, which supports reliability and continuity as the business and its systems evolve.
Identity Security
How people and systems are recognized and granted access.
This covers how users, devices, and services are identified and how their access to information and systems is managed. It may include accounts, roles, authentication methods, and how access is granted, changed, or removed.
Controls
How risks are addressed in practical ways.
This covers the safeguards and practices used to reduce, detect, or respond to risk. It may include technical measures, procedures, and human activities that support protection and recovery.
These are recorded in a control register. When controls are visible and related to risks and assets, their purpose and coverage can be understood, which supports more informed decisions about what to maintain, improve, or change over time.
Communications
How business communications are protected.
This covers the systems and practices used to exchange information, such as email, messaging platforms, supply chain communications, and other communication channels. It may include how these services are configured, who uses them, and how sensitive information is handled.
These are reflected in service inventories and usage records. When communication channels are understood and managed, risks such as data leakage, fraud, and misuse can be considered in context, which supports more informed choices about protection and oversight.
Data Management
How information is stored, handled, and retained.
This covers how data is created, classified, shared, backed up, and disposed of over time. It may include how long information is kept, where it is stored, and how it is protected.
These practices are reflected in data inventories and handling rules. When they are understood and maintained, information can be managed in a way that supports business needs while reducing exposure from loss, misuse, or unnecessary retention.
Supply Chain
How external parties support the business and affect its risk.
This covers vendors, service providers, and partners that have access to the business’s systems, data, or operations. It may include software providers, hosting services, payment processors, and other third parties.
These relationships are reflected in supplier and dependency registers. When they are visible, the business can consider how external dependencies influence risk, continuity, and accountability, which supports more deliberate oversight and planning.
Physical Security
How physical access to systems and information is considered.
This covers how offices, devices, and other physical assets are protected. It may include building access, equipment storage, and environmental safeguards.
These are reflected in facility and asset records. When physical protections are understood and maintained, risks to systems and information from theft, damage, or unauthorized access can be considered alongside digital controls, supporting a more complete view of protection and recovery.
Recovery and Response
This group brings together the ways the business handles disruption and returns to operation. It covers both the immediate handling of incidents and the steps taken to restore services and information afterward.

The level of detail and formality varies by organization. Some businesses rely on a small number of documented procedures, while others maintain more detailed playbooks and records. What matters is that the business has a defined way to respond to events and recover in a manner that fits its risk exposure and operating needs.
Response
How the business reacts when something goes wrong.
This covers planning for how incidents are detected, assessed, and handled as they occur. It may include how issues are reported, who is involved, and how actions are coordinated to contain or limit impact.
These activities are reflected in incident records and response procedures. When response is understood and practiced, the business is better positioned to deal with events in an organized way rather than through improvised reactions.
Recovery
How the business restores normal operation after an incident.
This covers how systems, data, and services are brought back into use following disruption. It may include backups, system restoration, communication with stakeholders, and return to normal processes.
These activities are reflected in recovery plans and restoration records. When recovery is planned and maintained, the business has a clearer path back to stability, which supports continuity and confidence after an incident.
Exposures
This group brings together the factors that shape how risk arises for the business. It covers both the sources of potential harm and the conditions that allow that harm to occur.

The level of detail varies by organization. Some businesses rely on high level awareness, while others maintain more structured tracking. What matters is that threats and vulnerabilities are considered alongside assets, controls, and recovery so that the program can remain grounded in the business’s real exposure.
Threats
Sources of potential harm to the business and its information.
This covers actors, events, or conditions that could lead to loss, disruption, or misuse of systems and data. It may include criminal activity, accidents, system failures, or external events.
When threats are considered in relation to assets and operations, the business can better understand where exposure comes from and how it may change over time.
Vulnerabilities
Conditions that could allow a threat to cause harm.
This covers weaknesses in systems, processes, or practices that may be exploited or lead to failure. It may include technical gaps, procedural issues, or reliance on single points of failure.
These are reflected in vulnerability findings and assessments. When vulnerabilities are known and tracked, they provide practical insight into where the program is most exposed and where attention may be warranted.
Governance
This group brings together the structures that guide, oversee, and adjust the security program. It covers how expectations are set, how risks are managed, how changes are controlled, and how performance is observed.

The level of formality varies by organization. Some businesses rely on lightweight records and periodic review. Others use more structured governance. What matters is that the program has a way to remain directed, accountable, and responsive as the business and its risks change.
Policies
How expectations and rules are set.
This covers the statements that describe what is required, permitted, or expected in relation to information security. It may include formal policies, standards, and guidelines.
These are reflected in policy records. When expectations are documented and visible, people and partners have a clearer basis for how systems and information should be handled.
Risk Management
How exposure is evaluated and prioritized.
This covers how risks are identified, assessed, and compared in relation to the business. It may include qualitative or quantitative methods and periodic reassessment.
These are reflected in risk assessment records and the risk register. When risk management is maintained, decisions about protection, acceptance, or mitigation can be made with greater consistency.
Governance and Control
How the program is directed and kept within bounds.
This covers how authority, accountability, and oversight are exercised across the security program. It may include how decisions are made, how exceptions are handled, and how controls are approved or reviewed.
These practices are reflected in governance records and control oversight. When this is present, the program has a way to remain coherent as it grows and changes.
Change Management
How changes to systems and controls are handled.
This covers how updates, improvements, and modifications are planned and introduced. It may include how risks of change are considered and how changes are communicated.
These activities are reflected in change records. When change is managed, the program can evolve without creating unnecessary disruption or new exposure.
Metrics, Monitoring, and Review
How performance and condition are observed.
This covers how the state of the program and its controls is tracked over time. It may include metrics, logs, reports, and periodic reviews.
These are reflected in monitoring and review records. When these are maintained, the business has a clearer view of how the program is functioning and where attention may be needed.