According to the associations, the emerging role of information security as integral to improved corporate governance, regulatory compliance and risk assessment has prompted the need for clear guidelines that are relevant to the business landscape.
Manuel Aceves, a member of ISACA's professional standards committee, says that because IT security has become such an important business function, it is important for security professionals to develop sound business skills, as well as the necessary technical skills and knowledge.
The 12 information security principles, he explained, are a good complement to ISACA's business model for information security (BMIS), which seeks to provide a common language for IT security and business management professionals to improve information protection.
Over at (ISC)², John Colley, the association's managing director of EMEA, said that the security profession has to break away from its roots as an IT-focused discipline.
"While many organisations like our own have a code of ethics or guiding values for their membership, this set of principles offers professionals practical guidance on how to support business objectives", he said.
"Our research confirms that the success of security within an enterprise is highly dependent upon how closely aligned it is with the business", he added.
Colley went on to say that the principles are accessible to everyone working in IT security, whatever their qualification or affiliation.
As a result, he says that security professionals and their stakeholders now have a common framework for truly risk-based security management that all will be able to identify with.
Jason Creasey, global alliances leader with the ISF, meanwhile, said that there are other standards and frameworks around like SOGP, COBIT and ISO27002, which are all aimed at organisations, but the principles are unique, practical and effectively a code of conduct for individuals to adopt.
"The business environment is changing, and we need to be much more risk-focused when it comes to rapidly evolving threats", he said, adding that IT security, which for many years was not a priority, has now been elevated up the corporate agenda and is the responsibility of the entire business.