An algorithm to determine the maturity improvement plan for information system risk management. Application on a case study

Abstract

A sound and relevant Risk Management process is a key issue in the effective governance of Information Systems. Several paradigms have therefore been devised to help achieve this goal. Among these paradigms, maturity models are quite popular. The main aim of a maturity model is to help users improve the capability of their activities. However, one of the major challenges encountered when using these models is the definition of the improvement plan after the evaluation. This challenge is all the greater and more costly for an activity whose elements or phases are strongly interdependent, such as IS risk management. In this article, we propose an algorithm called "Path Prerequisites" to help users define a graduated improvement plan, easily and efficiently, from a given maturity level to a target one, while handling the dependency constraints among criteria. The algorithm is based on an acyclic graph representation of the control objectives and the dependencies among them, and it corresponds to a guided (backwards) traversal of the graph. We assess the algorithm by applying it to a case study.

Amraoui, S., Elmaallam, M., & Bensaid, H. (2019). An algorithm to determine the maturity improvement plan for information system risk management. Application on a case study. Journal of Computer Science, 15(8), 1050–1064. https://doi.org/10.3844/jcssp.2019.1050.1064
