Information security is a critical concern for businesses as they attempt to adapt to rapid advancements in attack methods and techniques and subsequent changes in regulatory requirements. Failure of an organisation’s information security measures may have several negative consequences for the organisation and its stakeholders, including the loss of trust.
To stay relevant and compete in today’s business world, every enterprise should have an information security governance programme (ISGP) in place. Thankfully, there is an opportunity to improve information security governance and overall risk management in the business environment by aligning it with compliance requirements such as ISO 27001 and the offshoot ISO 27014 standard.
What is ISO/IEC 27014 Standard?
ISO/IEC 27014 is a standard in the ISO/IEC 27000 series.
This standard is “designed to aid organisations in effectively managing their information security strategies.” It offers “directions on the principles and concepts for information security governance, from which organisations can evaluate, direct, monitor, communicate and assure information security-related practices in the organisation.”
The eleven-page standard summarises information security governance and includes a structure of six principles and five processes. It views information security governance as interacting with information technology governance, both of which are components of the wider framework of organisational governance. In December 2020, the second edition, ISO/IEC 27014:2020, was released, succeeding the 2013 first edition.
What is Information Security Governance?
- Information security governance is the lifecycle of policies, controls and procedures to ensure information security for an organisation.
- Information security governance brings an integrated approach to overall information security.
- It guarantees that the organisation’s information security approach is consistent with the organisation’s overall goals. This enables the governing body to make decisions on the organisation’s strategic goals by presenting information about potential threats to information security.
- Implementing an effective information security governance program will help reduce risk, instil trust into all activities and eliminate inappropriate actions.
What is a Governing Body?
A governing body is a collective of individuals who have the authority and responsibility to formulate policies and lead an organisation’s general trajectory. The collective body is responsible for decision-making and implementation on behalf of its staff, stakeholders, and the organisation.
The governing body’s primary function is to safeguard the organisation’s privileges and interests, as well as those of anyone who works within the organisation’s framework. This body accomplishes this by ensuring that the organisation operates efficiently and is capable of achieving the aims and priorities it has committed to. Additionally, the governing body is accountable for the organisation’s finances, personnel, and assets. One major role of the governing body in any organisation is to make decisions that will encourage the security of information within the organisation.
Implementation of the governance processes for information security (ISO/IEC 27014)
Information security governance processes have been developed to help organisations monitor and manage their information security efforts. They do not exist in a vacuum, though: they need to be integrated into the overall business management processes if they are going to be effective (and this is true for many related security activities, such as risk management). According to ISO/IEC 27014:2020, the governing body and top management are responsible for the execution of four governance processes.
Evaluation is the first of these processes. During evaluation, the current state of a process or component within an organisation is scrutinised to determine what is working and what is not with that particular process or component.
Direction is the second process. It includes planning, establishing and reviewing policies, standards and procedures, and evaluating whether personnel comply with the limits that have been set.
Monitoring is the third process. It consists of management activities that ensure the availability, integrity, authentication and confidentiality of systems and networks, and that check that employees are using those systems and networks in a way that follows security policies.
Communication is the fourth process, and it is key to information security governance. You are entrusted with keeping your company and its various assets secure, but that cannot be an isolated effort: the governing body, top management and stakeholders must exchange information about security status, risks and decisions.
We needed ISO 27001 to win new corporate clients and we needed it quickly. As a small business with limited resources, we were looking for a one-stop solution to radically speed up our implementation. ISMS.online has done exactly that.
What are the objectives of Information Security Governance?
Information security governance should ensure that information security measures are robust and integrated. The standard establishes six high-level “action-oriented” principles for information security governance, which are the following:
Establish organisation-wide information security
Concerns over information security, or cybersecurity, reach every part of the organisation’s structure and functions. At all levels of management, information security should be combined with information technology (IT) and other functions. Top management should ensure that information security meets the company’s general strategic interests and should create accountability and responsibility across the organisation.
Make decisions using a risk-based approach
Security governance, including resource distribution and budgeting, should be guided by the organisation’s risk appetite, which in turn should be informed by a risk-based approach that takes into account loss of competitive advantage, regulatory and liability concerns, operational delays, reputational damage and financial loss.
Set the direction of investment decisions
Ensure that information security risks are properly analysed before embarking on new operations, such as investments, acquisitions, mergers, the introduction of new technologies, outsourcing agreements, and contracts with external suppliers. Additionally, incorporate information security into internal agency processes, such as project management, procurement, financial management, legal and regulatory compliance, and organisational risk management. Top management should develop an information security approach that is aligned with the organisation’s goals, meaning that agency and organisational information security needs are consistent.
Ensure conformance with internal and external requirements
External requirements include applicable laws and regulations, certification standards and contractual obligations. Internal requirements are derived from the organisation’s overall aims and priorities. Independent security assessments are the generally accepted method for establishing and tracking conformance, so top management should commission independent security audits to confirm that information security practices satisfy both internal and external requirements.
Foster a security-positive culture
There should be coordination and alignment among the different stakeholders in the ISMS. To achieve a coherent course for information security, top management must encourage and facilitate the collaboration of the tasks and activities of everyone affected by the ISMS. Additionally, proof of security instruction, preparation, and awareness programmes should be provided. Information security responsibilities should be incorporated into the positions of personnel and other stakeholders, and all should embrace their responsibilities to contribute to the effectiveness of the ISMS.
Ensure the security performance meets current and future requirements of the entity
Security success is measured not only in terms of efficacy and reliability but also in terms of its effect on overall company goals and objectives. Top management in charge of governance should include periodic reviews of a performance measurement scheme for tracking, auditing and improvement, so that information security translates into optimal business performance.
Scope and Purpose of ISO 27014 Standard
The ISO 27014 document provides guidelines on information security governance principles, objectives, and procedures that organisations should use to evaluate, direct, monitor, and communicate information security-related processes within the organisation.
As with the other ISO27k standards, it is “suitable for all types and sizes of organisations,” whether the ISMS covers the whole organisation or only a subset of it, or where a single ISMS extends across several companies (such as within a corporate group).
Proper information security governance ensures that information security is consistent with, and supportive of, the company goals set out in its strategies and policies.
ISO 27014 places considerable emphasis on the governance components of ISO/IEC 27001 and establishes governance objectives within this framework. It covers the incorporation of information security governance activities with other governance functions and goals. ISO 27014 further specifies the requirements and expectations of the governing body from an ISO27k ISMS.
Who Should Implement ISO 27014?
ISO/IEC 27014:2020 is targeted at the following audiences:
- The governing body and top management of an organisation.
- Those accountable for evaluating, directing, and tracking an ISO/IEC 27001-compliant information security management system (ISMS).
- Those accountable for information security management that occurs beyond the reach of an ISO/IEC 27001-based information security management system (ISMS), but inside the context of governance.
This document is applicable to all types and sizes of organisations.
How ISMS.online Can Make Implementing ISO 27014 Easy
Our cloud-based platform allows you to access all your ISMS resources in one place. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27014 implementation so that you can demonstrate your dedication to information security governance best practices. Call ISMS.online on +44 (0)1273 041140 to find out more about how we can help you get certified to ISO 27001.