The COBIT 5 process APO13 requires that an Information Security Management System be developed and implemented to coordinate and manage effectively and efficiently the resources and processes used, and the controls required to ensure ongoing confidentiality, integrity and availability of information and information systems in line with predefined operational and strategic objectives.

The process APO13 (Information security management) addresses a broad range of issues and assets that support business operations. There is hardly an IT activity that is not linked to information security. In COBIT 5 every process has an aspect that impacts information security or is impacted by information security.

Because the need is ubiquitous, information security is best managed with a single, holistic management system. This is similar to ISO 27001 which also requires a set of interrelated or interacting elements that organisations use to direct and control how security policies are implemented and security objectives are achieved. As with the COBIT 5 APO13 management system for information security, the purpose of the ISO 27001 management system is to orchestrate and co-ordinate the various actions required to design, implement, execute and sustain the desired level of information security across the organisation.