ISO/IEC 27014:2020 — Information security, cybersecurity and privacy protection — Governance of information security
ISO/IEC JTC1/SC 27, in collaboration with the ITU Telecommunication Standardization Sector (ITU-T), published a standard/recommendation specifically aimed at helping organizations govern their information security arrangements.
Scope and purpose
The standard “provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization.”
As with other ISO27k standards, it is “applicable to all types and sizes of organisations”, particularly those where the ISMS encompasses either the entirety or certain parts of the organization, or where a single ISMS applies across several businesses (e.g. within a group structure).
Proper governance of information security ensures its alignment with, and support for, business objectives defined in strategies and policies.
Structure and content
After the usual preamble, scope, references and definitions, the main clauses are:
- 7. Governance and management standards - emphasises the governance aspects of ISO/IEC 27001 and lays out governance objectives in this context;
- 8. Entity governance and information security governance - concerns the integration of information security governance activities with other governance activities and objectives;
- 9. The governing body’s requirements on [of] the ISMS - what the governing body should expect/demand of an ISO27k ISMS;
... plus two simple descriptive appendices.
The standard describes:
- information security governance objectives (such as “Establish integrated comprehensive entity-wide information security”, “Make decisions using a risk-based approach” and four more, each one explained in a couple of paragraphs); and
- governance processes used by the governing body: evaluate, direct, monitor, and communicate. [The first edition’s ‘assurance’ process disappears from the second edition: assurance is no less important, but arguably it’s not part of governance, although monitoring and evaluating information remains.]
Status of the standard
The standard was first published in 2013, dual-numbered as both ISO/IEC 27014 and ITU-T recommendation X.1054 with identical text.
The second edition was published at the end of 2020 by both ISO/IEC and ITU. Main changes:
- Aligned with ISO/IEC 27001:2013.
- Governance-related activities required by ISO/IEC 27001 explained.
- Objectives and processes of information security governance described.
Although it also mentions ‘information security risk’ seven times, I am relieved pleased thrilled ecstatic to note that the new second edition explicitly uses the more succinct and apt term ‘information risk’ five times, e.g. “An ISMS focuses upon management of risks relating to information” (8.1) and “Appropriate resources to implement information risk management should be allocated as a part of the security governance process” (8.2.2). It’s not just information security that deserves to be properly governed. Way to go, SC 27! I hope this subtle but potentially important change of emphasis spreads to the other ISO27k standards in due course.
SC 27 discussed the application of principles from ISO 38500 (“Corporate governance of IT”) to information security, and considered the relationship between information security governance and other governance and management disciplines. ISO/IEC 27014 refers to governance for information security as an integral part of the organization’s corporate governance with strong links to IT governance, but is arguably a bit vague on the details.
The definition of ‘governing body’ obliquely notes that, along with ‘executive management’, both are parts of ‘top management’ which ISO/IEC 27000 defines as “the person or group of people who directs and controls an organization at the highest level”. In essence, the standard hints that senior management has distinct or separable governance (as in direction-setting and monitoring) and management (as in hands-on organizational and personnel management) roles.
The summary points out that the standard “provides the mandate essential for driving information security initiatives throughout the organisation.” At present, this is typically achieved in part by senior management mandating an overarching organization-wide information security policy that is supported and amplified by lower level security policies, standards, procedures, guidelines and other security awareness materials. The standard does not go into depth on other related aspects such as the information security, risk and compliance management structures, reporting lines, divisions of responsibility, delegated authorities and so forth, largely I guess because of the differences between organisations.
As an information security professional with a keen interest in security awareness, I am gratified to note that, in order to “establish a positive information security culture, the governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.” ‘A coherent direction’ indeed. Nice idea. I approve.
When published, ISO 37000 “Guidance for the governance of organizations” may prompt another update of ’27014 to utilise common concepts and terms. Maybe.
PS: If you are interested in this topic, ISACA’s Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd Edition) is highly recommended. It was published way back in 2006, showing remarkable foresight.