ISO/IEC 27014:2020 / ITU-T X.1054 — Information security, cybersecurity and privacy protection — Governance of information security
“This document provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation. The intended audience for this document is: governing body and top management; those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance. This document is applicable to all types and sizes of organisations. All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001. This document focuses on the three types of ISMS organisations given in Annex B. However, this document can also be used by other types of organisations.”
[Source: ISO/IEC 27014:2020/ITU-T X.1054]
This standard, produced by ISO/IEC JTC 1/SC 27 in collaboration with the International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T), is specifically aimed at helping organisations govern their information security arrangements.
Scope and purpose
The standard “provides guidance on concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security-related processes within the organisation.”
As with other ISO27k standards, it is “applicable to all types and sizes of organisations”, particularly those where the ISMS encompasses either the entirety or certain parts of the organisation, or where a single ISMS applies across several businesses (e.g. within a group structure).
Proper governance of information security ensures its alignment with, and support for, business objectives defined in strategies and policies.
Structure and content
After the usual preamble, scope, references and definitions, the main clauses are:
- 7. Governance and management standards - emphasises the governance aspects of ISO/IEC 27001 and lays out governance objectives in this context;
- 8. Entity governance and information security governance - concerns the integration of information security governance activities with other governance activities and objectives;
- 9. The governing body’s requirements on [of] the ISMS - what the governing body should expect/demand of an ISO27k ISMS;
... plus two simple descriptive appendices.
The standard describes:
- information security governance objectives (such as “Establish integrated comprehensive entity-wide information security”, “Make decisions using a risk-based approach” and four more, each one explained in a couple of paragraphs); and
- governance processes used by the governing body: evaluate, direct, monitor, and communicate.
Status of the standard
The standard was first published in 2013, dual-numbered as both ISO/IEC 27014 and ITU-T recommendation X.1054 with identical text.
The second edition was published in 2020. Main changes:
- Aligned with ISO/IEC 27001:2013.
- Governance-related activities required by ISO/IEC 27001 explained.
- Objectives and processes of information security governance described.
Although it also mentions ‘information security risk’ seven times, I am relieved, pleased, thrilled, ecstatic even, to note that the second edition explicitly uses the more succinct and apt term ‘information risk’ five times e.g. “An ISMS focuses upon management of risks relating to information” (8.1) and “Appropriate resources to implement information risk management should be allocated as a part of the security governance process” (8.2.2). It’s not just information security that deserves to be properly governed. Way to go, SC 27! I hope this subtle but potentially important change of emphasis spreads to the other ISO27k standards in due course.
SC 27 discussed the application of principles from ISO/IEC 38500 (“Corporate governance of IT”) to information security, and considered the relationship between information security governance and other governance and management disciplines. ISO/IEC 27014 refers to governance for information security as an integral part of the organisation’s corporate governance with strong links to IT governance, but is arguably a bit vague on the details.
The definition of ‘governing body’ obliquely notes that, along with ‘executive management’, both are parts of ‘top management’ which ISO/IEC 27000 defines as “the person or group of people who directs and controls an organisation at the highest level”. In essence, the standard hints that senior management has distinct or separable governance (as in direction-setting and monitoring) and management (as in hands-on organisational and personnel management) roles.
The summary points out that the standard “provides the mandate essential for driving information security initiatives throughout the organisation.” At present, this is typically achieved in part by senior management mandating an overarching organisation-wide information security policy that is supported and amplified by lower level security policies, standards, procedures, guidelines and other security awareness materials. The standard does not go into depth on other related aspects such as the information security, risk and compliance management structures, reporting lines, divisions of responsibility, delegated authorities and so forth, largely I guess because of the differences between organisations.
As an information security professional with a keen interest in security awareness, I am gratified to note that, in order to “establish a positive information security culture, the governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.” ‘A coherent direction’ indeed. Nice idea. I approve.
When published, ISO 37000 “Guidance for the governance of organisations” may prompt another update of ’27014 to utilise common concepts and terms. Maybe.