< Previous standard ^ Up a level ^ Next standard >
ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security (second edition)
“This document provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation. The intended audience for this document is: governing body and top management; those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance. This document is applicable to all types and sizes of organisations. All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001. This document focuses on the three types of ISMS organisations given in Annex B. However, this document can also be used by other types of organisations.”
[Source: ISO/IEC 27014:2020/ITU-T X.1054]
This standard, produced by ISO/IEC JTC 1/SC 27 in collaboration with the International Telecommunications Union’s Telecommunication Standardization Sector (ITU-T), is specifically aimed at helping organisations govern their information security arrangements.
Scope and purpose
The standard “provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation.”
In a nutshell, through sound governance arrangements, information security management achieves business objectives - a very important and powerful concept.
As with other ISO27k standards, it is “applicable to all types and sizes of organisations”, particularly those with one or more ISO 27001-style ISMSs encompassing either the entirety or certain parts of the organisation, or where a single ISMS applies across several businesses or business units (e.g. within a group structure).
Structure and content
After the conventional introductory sections, the three main clauses are:
6. Governance and management standards;
7. Entity governance and information security governance;
8. The governing body’s requirements on the ISMS;
... followed by three informative annexes:
A. Governance relationship;
B. Types of ISMS organization;
C. Examples of communication.
The standard explains four “processes” (key aspects of governance):
- Evaluation: senior management considers proposals and plans for information security management (e.g. "We intend to implement an ISO27001 ISMS");
- Direction: preparing strategies, policies and objectives for information security that align with and support the achievement of the organisation’s business objectives;
- Monitoring the performance of information security through management information flows and internal reporting arrangements such as security metrics;
- Communication: ensures that all those within the organisation who are actively involved in directing, overseeing, driving, guiding and monitoring information security are 'singing from the same hymn sheet', while external stakeholders (such as owners and regulators such as the US government’s Securities and Exchange Commission) are assured that information risk is being competently managed.
It also lays out six information security objectives that the governance and management arrangements should satisfy:
- Establish integrated comprehensive entity-wide information security since the information at risk is found and used (legitimately exploited), and hence deserves protection, throughout the organisation;
- Make decisions using a risk-based approach - fundamental to all the ISO27k standards and at all levels of the ISMS from governance and strategy through management to routine operations (e.g. risk-assessing identified incidents to determine the priority and nature of the responses required);
- Set the direction of acquisition - as in corporate mergers and acquisitions, as opposed to procuring goods and services;
- Ensure conformance with internal and external requirements through assurance such as auditing of information security activities;
- Foster a security-positive culture - an excellent suggestion, albeit easier said than done;
- Ensure the security performance meets current and future requirements of the entity - there is a need for suitable management oversight, monitoring and measurement (metrics) in relation to current requirements, of course, but what about the future? Food for thought here.
Status of the standard
The standard was first published in 2013, dual-numbered as ISO/IEC 27014 and ITU-T recommendation X.1054 with identical text.
The second edition was published by ISO/IEC in 2020 and then released by ITU-T as a free PDF download in 2021.
ISO/IEC 27014 refers to ‘information risk management’ - a minor but important distinction from the usual terms ‘information security risk’ and ‘information security management’. Security (as in controls to reduce/mitigate risk) is not the only way to treat risks to information: they can also be avoided, shared and accepted. Personally, I would prefer the remaining ISO27k standards to adopt ‘information risk’ (defined along the lines of “risk pertaining to information”) in place of ‘information security risk’ (a term that is not actually defined as such) but, so far, SC 27 has blocked the move and we have not had the opportunity to debate it. I am merely a kayaker nudging a supertanker.
In the course of drafting the second edition, SC 27 discussed the application of principles from ISO 38500 (“Corporate governance of IT”) to information security, and considered the relationship between information security governance and other governance and management disciplines. ISO/IEC 27014 refers to governance for information security as an integral part of the organisation’s corporate governance with strong links to IT governance, but is arguably a bit vague on the details.
The definition of ‘governing body’ obliquely notes that, along with ‘executive management’, both are parts of ‘top management’ which ISO/IEC 27000 defines as “the person or group of people who directs and controls an organisation at the highest level”. In essence, the standard hints that senior management has distinct or separable governance (as in direction-setting and monitoring) and management (as in hands-on organisational and personnel management) roles.
The summary points out that the standard “provides the mandate essential for driving information security initiatives throughout the organisation.” At present, this is typically achieved in part by senior management mandating an overarching organisation-wide information security policy that is supported and amplified by lower level security policies, standards, procedures, guidelines and other security awareness materials. The standard does not go into depth on other related aspects such as the information security, risk and compliance management structures, reporting lines, divisions of responsibility, delegated authorities and so forth, largely I guess because of the differences between organisations.
As an information security professional with a keen interest in security awareness, I am gratified to note that, in order to “establish a positive information security culture, the governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.” ‘A coherent direction’ indeed. Nice idea. I approve.
ISO 37000:2021 “Guidance for the governance of organisations” could be the basis for updating ’27014 to utilise common concepts and terms. Maybe.
< Previous standard ^ Up a level ^ Next standard >