Principles of Generally Accepted Information Security Principles (GAISP)
GAISP is based on a solid consensus-building process that is central to the success of this approach. Principles at all levels are developed by information security practitioners who fully understand the underlying issues of the documented practices and their application in the real world. These principles are then reviewed and vetted by skilled information security experts and authorities, who ensure that each principle is:
• Accurate, complete, and consistent
• Compliant with its stated objective
• Technically reasonable
• Well-presented, grammatically and editorially correct
• Conformant with applicable standards and guidelines
The principles are:
1. Computer security supports the mission of the organization
2. Computer security is an integral element of sound management
3. Computer security should be cost-effective
4. Systems owners have security responsibilities outside their own organization
5. Computer security responsibilities and accountability should be made explicit
6. Computer security requires a comprehensive and integrated approach
7. Computer security should be periodically reassessed
8. Computer security is constrained by societal factors