Security is not merely an IT or technical challenge. Ultimately, it is a business issue that must be properly addressed, managed, and controlled. Effective security depends on the coordinated interaction of people, processes, and technology, including Free and Open Source Software (FOSS) tools where appropriate.
A Security Management System typically defines and governs the following key areas:
Security policy
Organisation of information security
Asset management
Human resource security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance
Business continuity management
Compliance with legal and regulatory requirements
