Over the past ten years, we have seen a clear increase in maturity levels regarding understanding of the importance of actively working with information security. Previously, the work was mainly driven by legal aspects. Today, companies and organizations see it's own value in addressing these issues in terms of increased internal control and reduced risk.