Abstract
The relevance of this research is determined by the increasing role of information as a strategic resource and a tool of geopolitical confrontation, which requires the development of scientifically based approaches to the formation and implementation of an information security strategy. The aim of the article is to develop a sketch of a systems approach to defining an information security strategy as a model of management actions aimed at achieving the goals of ensuring security in the information sphere. In this paper, strategy is considered as a complex system that includes subsystems of information security policies, internal standards and regulations. A classification of strategies by management level (global, portfolio and functional) and by the object of security (conceptual, systemic and object strategies) is proposed. The behavioral essence of strategy as a model of an organization's activity, implemented through a set of management decisions, is revealed. The feasibility of applying a risk-oriented approach and an information security risk management cycle, including situational analysis, decision-making, planning, implementation of measures and performance evaluation, is substantiated. In addition, a model for assessing the maturity of information security management processes based on a tiered approach is proposed. Prospects for further research are related to the in-depth development of a methodology for the formation of information security strategies, the development of tools for assessing their effectiveness, and the study of the relationship between strategy, public policy and economic factors in the context of the development of the information society.