Chapter 9. Principle 1: Strategy Orchestration

PRINCIPLES OVERVIEW: CONCEPT AND APPROACH

Operating a business in a consistent fashion that is mindful of the threats surrounding it daily around the globe is a challenge that entrepreneurs and managers have dealt with for centuries. While the sophistication and the media in which these threats present themselves have changed, the impacts to the business remain. One primary objective of business is to manage risk to a point that ensures the business is able to serve its customers the next day. It is impossible to avoid all risks. If this were medieval times, raising the drawbridge would have the same impact as locking the office doors and unplugging the enterprise from the Internet. The common folk and the village would surely starve, and the business would go bankrupt.

A general theme is common throughout the world's recommended and mandated controls. The consistency of intent and the commonality of control implementations introduce an opportunity for organizations to view their information technology (IT) assets as business assets that contribute to the business processes that directly impact profit and loss.

The principles that follow represent the culmination of analysis by leaders in controls testing and certification that spanned the globe's regulations, best practices, and general frameworks and dozens of corporate attestation reports. The data have been updated over the years and are supported by fieldwork involving organizations ...
