ISO/IEC 27014 Information technology — Security techniques — Governance of information security (DRAFT)
ISO/IEC JTC1/SC27 is developing a governance standard aimed at helping organizations govern information security, specifically.
The standard will hopefully cover aspects such as:
- The organization’s business strategies, policies and objectives [in relation to information security, risks and controls];
- Compliance with applicable governance regulations, laws, contractual and other legal obligations to third parties, and vice versa [in respect of information security obligations], including the associated assurance activities such as certification audits, internal audits, management reviews etc. on the ISMS;
- Risk management - specifically management of information security risks;
- Distinguishing management controls - specifically the ISMS being a management system managing a coherent framework/suite of information security controls - from governance;
- The relationship between governance of information security [information security governance], IT [IT governance], possibly information [information governance], and the entire corporation [corporate governance];
- Both accountability and responsibility for information security, including issues arising from the nominal ‘ownership’ of information assets by specific individuals or functions within many organizations.
The 2nd CD specifies six high level principles guiding the overall design and operation of an ISMS (“1) Establish organization-wide security. 2) Adopt a risk-based approach ...”) plus four processes (“evaluate”, “direct”, “monitor” and “communicate”) for the governing body to use.
SC27 has discussed the application of principles from ISO 38500 to information security, and considered the relationship between information security governance and other governance and management disciplines. The draft standard refers to governance for information security being a part of the organization’s corporate governance, but is arguably a bit vague on the details.
In order to encourage more transparency, it is proposed that management might wish to confirm the overall status of information security in the organization to customers and stakeholders through management statements or assertions. Appendices to the 2nd CD presented two examples - one a formalized high-level version and another with slightly more meat on the bones. The first one in particular is similar to the accounting or auditing attestations typically included in annual reports for legal/regulatory compliance purposes: the statement itself is rather bland and unhelpful, but making senior management formally endorse the content hopefully forces them to pay more attention to its true intent.
Scope of the standard
The scope covers “guidance on principles and processes for the governance of information security, by which organizations can evaluate, direct and monitor the management of information security.”
Latest available status info
Governance and management concepts have been disentangled but differences remain in the way the draft standard uses governance compared to other governance standards.
Publication of the standard is possible towards the end of 2012.