Previous papers mostly dealt with specific views of information security management (either technical, organizational for instance). Recently, major progress has been achieved in the development of a business driven approach with BORIS (Business Oriented management of Information Security) and a process-oriented approach called ORBIT (Operational Risks in Business and IT). An integrated framework is being described in this paper that bases on the beneficial and complementary merge of both approaches. It supports management of an enterprise’s information security functions with a strong economic focus whereby it specifically links business and information security objectives. The methodology to be presented has proven to be reliable, user friendly, consistent and precise under real conditions over several years in enterprises with world wide presence.