ISO/IEC 27014:2020 – Cybersecurity, information security, and privacy protection – Information security governance
In collaboration with the ITU Telecommunication Standardization Sector (ITU-T), ISO/IEC JTC1/SC 27 has developed and issued a standard/recommendation specifically designed to help companies manage their information security arrangements.
Scope and objectives
“The standard consolidates information security governance concepts, objectives, and processes and supports providers of information security services with the evaluation, direction, monitoring, and communication of information security-related processes in their environment.”
Like other ISO27k standards, it applies to all types and sizes of organizations, especially those where the ISMS covers the entire organization or a part of it, or where one ISMS applies to several organizations (such as in a group structure).
Information security should be appropriately governed so that it aligns with and supports business objectives.
The structure and content
There’s a preamble, a scope, references, and definitions, and then the main clauses:
1. Governance and management guidelines – describes the governance aspect of ISO/IEC 27001 and the objectives of governance within the context of that standard;
2. Information security governance and entity governance – refers to integrating information security governance functions with other governance functions;
3. The governing body’s requirements on [of] the ISMS – the governing body’s expectations of and requirements for ISO27k ISMS;
… are accompanied by two simple appendices.
Specifically, the standard states:
– The goals of information security governance (i.e. “Ensure a comprehensive approach to information security throughout the enterprise”, “Adopt a risk-based approach to making decisions”, plus four others, each explained briefly); and
– The governing body uses governance processes such as evaluating, directing, monitoring, and communicating. [The assurance process from the first edition does not appear in the second edition: assurance is equally important, although it may not belong within governance, whereas monitoring and evaluating do remain.]
The standard’s status
2013 marked the first publication of this standard, which is both ISO/IEC 27014 and ITU-T recommendation X.1054 with identical content.
ISO/IEC and ITU released the second edition of the standard at the end of 2020. The main changes are:
– Alignment with ISO/IEC 27001:2013.
– A description of the governance-related activities required by ISO/IEC 27001.
– An outline of information security governance goals and processes.
Although the updated second edition still refers to the term ‘information security risk’ seven times, it is reassuring that it also uses the shorter and more accurate term ‘information risk’ five times, for instance, “An ISMS focuses upon the management of risks relating to information” (8.1) and “Appropriate resources to implement information risk management should be allocated as a part of the security governance process” (8.2.2). Information security isn’t the only field that needs to be governed well. You did a great job, SC 27! In due course, I hope this change of emphasis will extend to other ISO27k standards as well.
As part of SC 27, participants considered the application of ISO 38500 (“corporate governance of information technology”) to information security and the interconnection between information security governance and other forms of governance. Despite its strong links with IT governance, ISO/IEC 27014 refers to information security governance as an integral part of corporate governance, but it seems a bit vague on the details.
As defined in ISO/IEC 27000, the ‘governing body’ was associated with executive management, which was defined as “the group or individual in charge of managing an organization at its highest level”. Senior management is implied to have distinct or separable governance (as in establishing strategy and monitoring) and management (as in directing the organization, determining employee performance, and so on).
As stated in the summary, the standard is “essential to driving information security initiatives in the organization.” In most organizations, this is achieved in part through the establishment of an overarching information security policy, supported by a set of lower-level policies, standards, procedures, guidelines, etc. The standard does not include any detail on other related aspects, including management structures for IT security, risk, and compliance, reporting lines, responsibilities, the delegation of authority, and so on, largely, I suppose, because of differences in organizational structures.
As an information security professional with a keen interest in security awareness, I note that “the governing body should require, promote, and support coordination of stakeholder activities to achieve a coherent direction for information security. This will ensure that security education, awareness programs, and training are provided.” That is a cohesive approach indeed. A good idea.
If ISO 37000 “Guidance for the governance of organizations” is published, ‘27014 could be updated to incorporate common concepts and terms. Could be.
I highly recommend ISACA’s Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd Edition) for anyone interested in this topic. Considering it was published back in 2006, it shows remarkable foresight.