Modeling, on the other hand, has a proven track record in
certain fields of information security, such as secure software
development, but has found only limited application to the
management aspects of information security. These two
approaches, standards and modeling, have been combined by
metamodeling [14] the ISO 27001 information security
standard [10]. To determine the practical application of such a
metamodel, we pick a generic process model for the phases of
information security management. This will serve as a
framework against which the applicability of the metamodel
can be checked.