Security standards body ISACA has developed a new business model for information security.
The free model can be used in enterprises of all sizes and with any other information security framework already in place. It is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems, said ISACA.
It covers traditional information security, privacy, risk, physical security and compliance.
"Information security managers spend too much of their time reacting and applying short-term, technology-focused fixes to rapidly changing threats and regulatory and technological environments," said Jo Stewart-Rattray, chair of ISACA's security management committee.
"These solutions are deficient because many security weaknesses result from poor governance, a dysfunctional culture or untrained staff - all aspects that ISACA's new business model addresses."
Kent Anderson, a member of ISACA's security management committee, said, "This is ISACA's first step in transforming the theoretical model into a practical tool that can be used by information security practitioners to unify security initiatives with the business mission.
"The ISACA model is valuable guidance because it takes a strong business-oriented approach, focusing on people and processes rather than on technology."
The guide is available as a free download.