The safety and defence of the United Kingdom (UK) and its citizens depend on the efficient delivery of a number of national essential services, among them information and communication systems, energy, banking, finance, transport and vital human services such as the provision of food and water. These national essential services, comprising both Public organizations and Private sector companies, are collectively known as the UK Critical National Infrastructure (UKCNI). Protecting the UKCNI and ensuring the continuation of political, social and economic activity is vital to the UK. As a modern 'just-in-time' information-based society it is becoming increasingly dependent on goods and services distributed through critical information infrastructures; the potential consequences of disruption to those infrastructures are becoming more serious. However, the increasing importance of well-protected, resilient infrastructure is threatened by the growing complexities and interdependencies of the UKCNI, which is spread across public and private sectors. Public sector organisations and private sector companies are all key partners in ensuring the secure functioning of the UKCNI. The problem is that they are independent government or commercial organizations, each having their own identity, objectives, culture and information security management processes. This Thesis seeks to answer the fundamental question: how can information security management processes in the UKCNI be better designed, developed and implemented? To do this, the Thesis must range across a number of different organisations drawn from the public and private sectors, and even within these within disparate organisational and cultural norms. The purpose of this work is to develop a process model to aid the development of Processes that may be utilised by information security managers in any of the UKCNI sectors. The model is called PROMISE - Process Modelling for Information Security Engineering.