Information security management

The protection of information assets underpins the commercial viability and profitability of all enterprises and the effectiveness of public sector organisations. It should not be left to chance. If you work in an organisation concerned (directly or indirectly) with valuable information assets, this practical module will enable you to understand and manage strategic and operational aspects of information security, including IT governance and risk analysis and management. It will also provide the knowledge and skills needed to plan the implementation of an information security management system that provides efficient, effective safeguards and responds to your organisation’s needs.

What you will study

‘In today’s high technology environment, organisations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their systems of internal control’ (Nigel Turnbull, from the preface of the book IT Governance: A Manager’s Guide to Data Security & BS 7799/ISO 17799).

Taking a practice-based approach based upon an organisation you are familiar with, M886 provides the foundational knowledge, understanding, analysis and synthesis that you need to develop a practical information security management system, to the standard set by ISO/IEC 27001:2005 and BS ISO/IEC 17799:2005. You also acquire the personal development skills you need to keep abreast of important developments in a rapidly developing field.

The module is structured as three independent units written to support and extend the set book:

An introduction to information security – In this unit you will first learn about the current requirements on, and incentives for, organisations to implement information security. You then study the foundations of the subject, learning to identify and value information as an organisational asset. The protection of information assets is the subject of the British standards, around which the module is based. This unit outlines the processes that must be gone through to satisfy the requirements of the standards.

Information security risk assessment – This unit places in context the issues involved in information security risk assessment, as required by the standard. You will examine the risks that may arise in all relevant aspects of an organisation's operations, including human factors, e-commerce, web-services, and systems development. You will learn how to conduct a systematic risk assessment that leads to a prioritised list of information security risks for an organisation, and the requirements for their treatment. The unit concludes with an assignment in which you will carry out a risk assessment for your chosen organisation, based on the information contained in the British standards and the set book.

Information security risk management – In this unit you will complete your study of the development of a fit-for-purpose information security management system through the management of information security risks. You will learn how to be systematic in the choice of controls that treat specific risks, and how the documentation required by the British standards applicable to the module can be produced. There is a full discussion of the technologies that underpin the standard's controls, and the unit finishes by considering the topic of planning for when things do go wrong.

At the end of the module you will be required to carry out some independent research into an issue in information security management, analysing and evaluating the results of your research for presentation in the examination.

The module has been updated from 2008 so that it is based on the current version of the Information Security standard against which an Information Security Management System would be assessed.

You will learn

After studying this module you will be able to:

  • understand contemporary issues in information security management
  • analyse and prioritise information security risks
  • identify countermeasures and review techniques appropriate to the management of information security risks
  • understand the policy and technology trade-offs involved in developing information security systems of adequate quality
  • locate, read, comprehend and evaluate developments in the field as they appear in contemporary professional and research publications.

It is important to realise that information security management is a ‘big picture’ subject concerned with getting the balance of technology, physical and social factors correct. As such, there is no special emphasis on any one factor; this is not a module specifically about security technology and you will not, for instance, learn how to configure a firewall as part of the core teaching of M886.


You can take this as a stand-alone module and it requires no formal qualifications for entry. However, it is a postgraduate level module, and you will be expected to have appropriate skills at this level, which might be developed from previous study (to HNC/HND level or above) or professional or commercial experience. In particular, you will need report-writing skills, since the work you are expected to submit in your assignments and examination will consist mainly of reports.

M886’s assessment involves a significant amount of practical work, including the building of an Information Security Management System for a part of an organisation with which you are familiar. To successfully complete your studies of M886 you will therefore need access to information about your chosen organisation. This often entails obtaining the permission, and possibly the active support, of the manager of that area and we recommend that you make any necessary arrangements before the start of the module. If you require any further information please contact the Postgraduate Technology Centre Adviser by email

If you would like more information about the Postgraduate Computing programme as a whole, you can visit the programme website. This site includes additional information about the programme, details of new modules and qualifications that are being planned, some samples of study materials, FAQs and links to descriptions of current modules and related qualifications.

You do need to have a reasonable standard of spoken and written English to study successfully with us. Poor language skills will make study more difficult, and it will take longer. The normal requirements for English language skills are explained on our website.

If you have any doubts about whether your level of English is good enough for you to study this module you may find it helpful to look at our Skills for OU Study site.

Discount for Open University Graduates

If you are a graduate of The Open University (holding either an undergraduate or master's degree), you are eligible for a discount of £100 towards the cost of this module. You can claim this discount when you register; please contact our Student Registration & Enquiry Service.


As a student of The Open University, you should be aware of the content of the Module Regulations and the Student Regulations which are available on our Essential documents website.

If you have a disability

You will need to spend considerable amounts of time using a personal computer and the internet.

Study materials

What's included

Module text, set book (A. Calder and S. Watkins (2006) International IT Governance: An Executive Guide to ISO 17799/ ISO 27001, Kogan Page), online access to copies of the standards ISO/IEC 27001:2005 and BS ISO/IEC 17799:2005, other printed and online materials, website, optional online forums.

You will need

Access to the internet is essential for this module, since some study materials are available only on the M886 website. You also need to use the internet to submit your assignments to your tutor.

Teaching and assessment

Support from your tutor

You will have a tutor who will be responsible for monitoring your progress on the module, marking and commenting on your written work and whom you can contact for advice and guidance. There is usually a lively student online forum. Contact our Student Registration & Enquiry Service if you want to know more about study with The Open University before you register.


The assessment details can be found in the facts box above.

You will be expected to submit your tutor-marked assignments (TMAs) online through the eTMA system unless there are some difficulties which prevent you from doing so. In these circumstances, you must negotiate with your tutor to get their agreement to submit your assignment on paper.

You will take your examination in one of the University’s examination centres.

Future availability

The details given here are for the final module start in November 2013. 

Distance learning

The Open University is the world's leading provider of flexible, high quality distance learning. Unlike other universities we are not campus based. You will study in a flexible way that works for you whether you're at home, at work or on the move. As an OU student you'll be supported throughout your studies - your tutor or study adviser will guide and advise you, offer detailed feedback on your assignments, and help with any study issues. Tuition might be in face-to-face groups, via online tutorials, or by phone.

For more information about distance learning at the OU read Study explained.
