ISO/IEC 27014:2013 — Information technology — Security techniques — Governance of information security
ISO/IEC JTC1/SC 27, in collaboration with the ITU Telecommunication Standardization Sector (ITU-T), has developed a standard specifically aimed at helping organizations govern their information security arrangements.
Scope and purpose
The standard provides “guidance on concepts and principles for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security related activities within the organisation” and (as with other ISO27k standards) is “applicable to all types and sizes of organisations”.
Proper governance of information security ensures alignment of information security with business strategies and objectives, value delivery and accountability. It supports the achievement of visibility, agility, efficiency, effectiveness and compliance.
Structure and content
After the usual preamble, scope, references and definitions, the guts of this admirably succinct standard consist of just two main clauses (“Concepts” and “Principles and processes”) plus two appendices.
The standard specifies six high-level “action-oriented” information security governance principles (such as “Establish organisation-wide information security”, “Adopt a risk-based approach” and four more, each one explained in a couple of paragraphs) plus five governance processes used by the governing body:
- Communicate; and
In order to encourage more transparency, management might wish to confirm the overall status of information security in the organization to customers and stakeholders through management statements or assertions. Two appendices present example or template statements, a formalized high-level version and another with slightly more meat on the bones. The first is similar to the accounting or auditing attestations typically included in annual reports for legal/regulatory compliance purposes: the actual statement is rather bland but the idea is that making senior management formally endorse the content forces them to pay more attention to the true intent - in other words, there’s more to it than you might presume from the literal wording of the statement itself.
Status of the standard
The standard was published in 2013, dual-numbered as both ISO/IEC 27014 and ITU-T recommendation X.1054 with identical text.
A project to revise the standard is in progress. Initial comments indicate only minor adjustments might be required, perhaps more explanation for senior managers unfamiliar with information security concepts. Some wording changes may be needed to align with ISO directives but an additional complication is that, as currently worded, the standard is aimed at commercial companies, rather than ‘organizations’ in the more generic sense used in other ISO27k standards. The revised standard may also clarify information security governance where the ISMS covers only part of the entire organization, such as a business unit, site or department.
SC 27 discussed the application of principles from ISO 38500 (“Corporate governance of IT”) to information security, and considered the relationship between information security governance and other governance and management disciplines. ISO/IEC 27014 refers to governance for information security as an integral part of the organization’s corporate governance with strong links to IT governance, but is arguably a bit vague on the details.
Referring separately to the ‘governing body’ and ‘executive management’ is an interesting wrinkle. The definition of ‘governing body’ obliquely notes that both are parts of ‘top management’ which ISO/IEC 27000 defines as “the person or group of people who directs and controls an organization at the highest level”. In essence, the standard hints that senior management has distinct or separable governance (as in direction-setting and monitoring) and management (as in hands-on organizational management) roles.
The summary points out that the standard “provides the mandate essential for driving information security initiatives throughout the organisation.” At present, this is typically achieved in part by senior management mandating an overarching organization-wide information security policy that is supported and amplified by lower level security policies, standards, procedures, guidelines and other security awareness materials. The standard does not go into depth on other related aspects such as the information security, risk and compliance management structures, reporting lines, divisions of responsibility, delegated authorities and so forth.
As an information security professional with a keen interest in security awareness, I am gratified to note that, in order to “establish a positive information security culture, the governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.” ‘A coherent direction’ indeed. Nice idea. I approve.