Increasing information security losses, coupled with more closely regulated security risk disclosure, are raising the importance of information security standards for identifying control gaps and for implementing appropriate and effective information security controls. Despite the growing importance and variety of information security standards, and the large amount of resources involved in their adoption, there remains a lack of theoretical development in this area. The objective of this paper is to develop a better understanding of information security controls defined in standards, by analyzing and comparing their control sets. Our analysis of control sets in two prominent information security standards led to the discovery of a new class of controls - generative controls – which was not previously recognized in the information security literature, and also to the proposition of a new classification scheme with simple metrics for analyzing control sets in standards. This discovery serves as a building block for the proposition of a new theory called ‘generative control theory’ (GCT) for information security. This theory, together with its underlying concepts, explain how the presence of generative controls defined in standards allows them to be applicable to a large number of widely differing organizations, and thereby assures the implementation of appropriate and effective information security controls in those organizations. It also explains the implications of the presence of generative controls in standards for practitioners, researchers and compliance auditors. For example, generative controls present a higher risk of creative compliance. Finally, this study provides recommendations regarding the design, implementation and audit of controls as defined in standards. 

AICPA. (2010), Summary of the Provisions of the Sarbanes-Oxley Act of 2002, American Institute of Certified Public Accountants, New York.

Backhouse, J., Hsu C.W., and Silva L. (2006), “Circuits of Power in Creating De Jure Standards: Shaping an International Information Systems Security Standard,” MIS Quarterly, 30 (SI): 413-438.

Baskerville, R. (1988), Designing Information Systems Security, J. Wiley, Chichester.

Baskerville, R. (2005), “Best Practices in IT Risk Management: Buying Safeguards, Designing Security Architecture, or Managing Information Risk?” Cutter Benchmark Review, 5 (12): 5-12.

Braganza, A. and Hackney, R. (2008), “Diffusing Management Information for Legal Compliance: The Role of the Is Organization within the Sarbanes-Oxley Act,” Journal of Organizational and End User Computing, 20 (2): 1-24.

Braiotta, L. (2005), “An Overview of the EU 8th Directive: The European Union Prepares to Issue Its Response to Corporate Malfeasance,” Internal Auditor (April).

Business Rules Group (2001), ‘Defining Business Rules: What Are They Really?’,www.businessrulesgroup.org/first_paper/br01c0.htm, 29 April 2013.

Business Rules Group (2003), ‘Business Rules Manifesto’, www.businessrulesgroup.org/brmanifesto.htm, 29 April 2013.

Chiasson, M.W. and Green, L.W. (2007), “Questioning the IT Artefact: User Practices That Can, Could, and Cannot Be Supported in Packaged-Software Designs,” European Journal of Information Systems, 16 (5): 542-554.

CSA/ACVM. (2008), Notice of National Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings, Canadian Securities Administrators / Autorités canadiennes en valeurs mobilières, Ontario.

Goldstein, M. (1978), How We Know: An Exploration of the Scientific Process, Plenum, New York.

Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Sohail, T. (2006), “The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities,” Journal of Accounting and Public Policy, 25 (5): 503-530.

Grey, K. and Dale, L. (2005), “Australian Companies and Sarbanes-Oxley: Governance Regulation in a Parallel Universe,” Keeping Good Companies, (June).

Haworth, D.A. and Pietron, L.R. (2006), “Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799,” Information Systems Management, 23 (1): 73-87.

IT Governance Institute. (2006), COBIT Mapping: Mapping of ISO/IEC 17799-2005 with COBIT 4.0., Rolling Meadows, Il.

Liebesman, S. (2007), “ASQ Team Says QMS and EMS Standards Support SOX,” Quality Progress, 40 (10): 34-39.

Mckelvey, B. (1982), Organizational Systematics: Taxonomy, Evolution, Classification, University of California Press, Berkeley, California.

Morgan, T. (2002), Business Rules and Information Systems: Aligning It with Business Goals, Addison-Wesley, Boston, MA.

Neil, B. (2005), “Global Debate over Controls,” The Internal Auditor, 62 (3): 50-54.

Nes, S. and Moen, A. (2010), “Constructing standards: a study of nurses negotiating with multiple modes of knowledge,” Journal of Workplace Learning, 22 (6): 376-393.

Peters, S. (2009), CSI Computer Crime and Security Survey Executive Summary, Computer Security Institute, New York, New York.

Ray, D., Gulla, U., Dash, S. S., and Gupta, M.P. (2011), “A critical survey of selected government interoperability frameworks,” Transforming Government: People, Process and Policy, 5 (2): 114-142.

Richardson, R. (2010), 2010/2011CSI Computer Crime and Security Survey, Computer Security Institute, San Francisco, California.

Robins, F. (2006), “Corporate Governance after Sarbanes-Oxley: An Australian Perspective,” Corporate Governance, 6 (1): 34.

Sandman, P., Klompus, C., and Yarrison, B. (1985), Scientific and Technical Writing, Holt, Rhinehart and Winston, Ft. Worth, Texas.

Shah, A.K. (1996), “Creative Compliance in Financial Reporting,” Accounting, Organizations and Society, 21 (1): 23-39.

Sim, J. and Wright C.C. (2005), “The Kappa Statistic in Reliability Studies: Use, Interpretation, and Sample Size Requirements,” Physical Therapy, 85 (3): 257-268.

Star, S. L. (2010), “This is Not a Boundary Object: Reflections on the Origin of a Concept,” Science, Technology, & Human Values, 35 (5): 601-617.

Tiemann, M. (2006), “An objective definition of open standards,” Computer Standards & Interfaces, 28: 495-507.

Timmermans, S. and Berg, M. (1997), “Standardization in Action: Achieving Local Universality through Medical Protocols,” Social Studies of Science, 27 (2): 273-305.

Truex, D. and Baskerville, R. (1998), “Deep Structure or Emergence Theory: Contrasting Theoretical Foundations for Information Systems Development,” Information Systems Journal, 8 (2): 99-118.

Von Halle, B. (2002), Business Rules Applied: Building Better Systems Using the Business Rules Approach, John Wiley & Sons Inc., New York.

Walker, A.J. (1998), “Improving the Quality of ISO 9001 Audits in the Field of Software,” Information and Software Technology, 40: 865-869.