Information security has moved a long way from the early days when physical security, together with a set of backups, formed the backbone of a company's security controls. Today,information security is all about policies, standards, awareness programs, security strategies, etc. The aim of information security management efforts is to enhance confidence in the effectiveness of the information services within an organization. Unfortunately, this confidence is restricted to the organization itselfand can only, with great effort, be passed on to external parties.
Today, business partners need to link their computer systems for business reasons, but first want to receive some sort of proof that the other partner has got an adequate level of information security in place. A security evaluation and certification scheme that can instill confidence and assurance, regarding information security status, to external business parties will solve a lot of problems for the commercial world. This approach to Information Security Management, to proof adequate information security to external parties, is termed in this paper as; The Second Generation of Information Security Management.