Information Security: Using COBIT 5 for Information Security 

Please first review the Academic Guidelines for using this material:


Student Book

  • Chapter 1. The Purpose of This Document is to provide high-quality educational material that can be integrated into courses on information systems, management control or assurance services. It provides an overview of COBIT 5 for Information Security principles and can be used effectively by students with little or no business experience.
  • Chapter 2. Information Security Defined provides a definition and overview of both the concept of information and techniques used to protect information. Concepts for chapter 2 were assembled from COBIT 5 for Information Security.
  • Chapter 3. Information Security Management presents major components of a comprehensive information security management program compiled from COBIT 5 for Information Security.
  • Chapter 4. Implementing Information Security Initiatives explains the attributes from COBIT 5 for Information Security that must be considered when implementing an information security management program.
  • Appendix. COBIT 5 for Information Security Monitor, Evaluate and Assess (MEA)


Code Galore Caselet

Company profile, problems, and background information included. Students take on the role of a new CSO at a financially weak business function automation software company. The CSO is asked to do a new risk analysis using COBIT 5, identifying new risks and mitigation efforts resulting from the acquisition of a new software company with potentially crippling security risks.

  Download Caselet (Academic Advocates only; 39-slide PPT file)

  Download Caselet in Portuguese (Academic Advocates only; 39-slide PPT file)

  Download Caselet Answers/Solutions (Academic Advocates only; Teaching Notes, 12-slide PPT file)


McClintock Manufacturing Caselet

Company profile, background information and problems included. Students are assigned the role of a successful manufacturing company’s CISO, who needs to re-engage senior management in addressing emerging security concerns. The CISO will need to develop tactical and strategic IS security metrics with relevance to business activity and organizational goals.

  Download Caselets  (Academic Advocates only; 37-slide PPT file)

  Download Caselets Answers/Solutions (Academic Advocates only; Teaching Notes, 20-slide PPT file)


More4Less Foods Caselet

Company profile, background information, a very hectic ‘day in the life’ scenario, and sample Information Security Programme included. Students get an opportunity to experience a very hectic day in the life of a CISO, and respond by writing a letter to the More4Less Foods executive committee thoroughly answering the issues concerning possible deficiencies in their information security programme.

  Download Caselets  (Academic Advocates only; 42-slide PPT file)

  Download Caselets Answers/Solutions (Academic Advocates only; Teaching Notes, 14-slide PPT file)


PharmUniverse Caselet

Company profile, background information and problems included. Students are assigned the role of the new CISM-certified CISO of PharmUniverse, a growing international pharmaceutical company that has become vulnerable to security risks, including possible industrial espionage. The CISO must develop a ‘desired state’ of IS security practices by prioritizing a set of 10 attributes with pros and cons, based on COBIT 5, ISO/IEC and/or NIST standards.

  Download Caselets  (Academic Advocates only; 32-slide PPT file)

  Download Caselets Answers/Solutions (Academic Advocates only; Teaching Notes, 14-slide PPT file)


TravelFar Hotels Caselet

Company profile, background information and problems included. Students take on the role of an IS security manager reporting to the CISO of an expanding hotel chain that has insufficient security for its three web servers within its corporate network. The IS security manager will develop a containment plan, addressing external threats as well as possible inside tampering by competitive regional managers, as part of a larger incident response plan.

  Download Caselets  (Academic Advocates only; 35-slide PPT file)

  Download Caselets Answers/Solutions (Academic Advocates only; Teaching Notes, 11-slide PPT file)


UpwardBound Airlines Caselet

Company profile, background information and problems included. Students are assigned the role of an experienced CISO, with an MBA and CISM, who is challenged to modify the company’s security architecture. In an effort to fund a new fleet of airplanes, the company is planning to move its IT operations to cloud-based applications, and new cloud-based controls will be needed to replace former controls.

  Download Caselets  (Academic Advocates only; 36-slide PPT file)

  Download Caselets Answers/Solutions (Academic Advocates only; Teaching Notes, 15-slide PPT file)