ISO/IEC 27014:2013
(Main)Information technology — Security techniques — Governance of information security
Information technology — Security techniques — Governance of information security
ISO/IEC 27014:2013 provides guidance on concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security related activities within the organization. ISO/IEC 27014:2013 is applicable to all types and sizes of organizations
Technologies de l'information — Techniques de sécurité — Gouvernance de la sécurité de l'information
General Information
Relations
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 27014
First edition
2013-05-15
Information technology — Security
techniques — Governance of information
security
Technologies de l'information — Techniques de sécurité —
Gouvernance de la sécurité de l'information
Reference number
ISO/IEC 27014:2013(E)
©
ISO/IEC 2013
---------------------- Page: 1 ----------------------
ISO/IEC 27014:2013(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 27014:2013(E)
CONTENTS
Page
Summary . iv
Foreword . v
1 Scope . 1
2 Normative references . 1
3 Definitions . 1
4 Concepts . 2
4.1 General . 2
4.2 Objectives . 2
4.3 Desired Outcomes . 2
4.4 Relationship . 2
5 Principles and processes. 3
5.1 Overview . 3
5.2 Principles . 3
5.3 Processes . 5
5.3.1 Overview . 5
5.3.2 Evaluate . 5
5.3.3 Direct . 6
5.3.4 Monitor . 6
5.3.5 Communicate . 6
5.3.6 Assure . 7
Annex A (informative) An example of information security status . 8
Annex B (informative) An example of detailed information security status . 9
Bibliography . 11
© ISO/IEC 2013 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 27014:2013(E)
INTERNATIONAL STANDARD
ITU-T RECOMMENDATION
Information technology — Security techniques —
Governance of information security
Summary
This Recommendation | International Standard provides guidance on the governance of information security.
Information security has become a key issue for organisations. Not only are there increasing regulatory requirements
but also the failure of an organisation’s information security measures can have a direct impact on an organisation’s
reputation.
Therefore, the governing body, as part of its governance responsibilities, is increasingly required to oversee information
security to ensure the objectives of the organisation are achieved.
In addition, governance of information security provides a powerful link between an organisation’s governing body,
executive management and those responsible for implementing and operating an information security management
system.
It provides the mandate essential for driving information security initiatives throughout the organisation.
Furthermore, an effective governance of information security ensures that the governing body receives relevant
reporting - framed in a business context - about information security-related activities. This enables pertinent and timely
decisions about information security issues in support of the strategic objectives of the organisation.
iv © ISO/IEC 2013 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 27014:2013(E)
Foreword
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T
is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view
to standardizing telecommunications on a world-wide basis. The World Telecommunication Standardization Assembly
(WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce
Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in
WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards
are prepared on a collaborative basis with ISO and IEC.
ISO (the International Organisation for Standardization) and IEC (the International Electro technical Commission) form
the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the
development of International Standards through technical committees established by the respective organisation to deal
with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest.
Other international organisations, governmental and non-governmental, in liaison with ISO and IEC, also take part in
the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC
JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards
adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO
and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation
X.1054.
© ISO/IEC 2013 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 27014:2013(E)
1 Scope
This Recommendation | International Standard provides guidance on concepts and principles for the governance of
information security, by which organisations can evaluate, direct, monitor and communicate the information security
related activities within the organisation.
This International Standard is applicable to all types and sizes of organisations.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent
edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently
valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently
valid ITU-T Recommendations.
ISO/IEC 27000:2009, Information Technology – Security techniques – Information security management systems –
Overview and vocabulary
3 Definitions
For the purposes of this Recommendation | International Standard, the terms and definitions in ISO/IEC 27000:2009
and the following definitions apply:
3.1
executive management
person or group of people who have delegated responsibility from the governing body for implementation of strategies
and policies to accomplish the purpose of the organisation.
NOTE 1 Executive management form part of top management: For clarity of roles, this standard distinguishes between
two groups within top management: the governing body and executive management.
NOTE 2 Executive management can include Chief Executive Officers (CEOs), Heads of Government Organizations,
Chief Financial Officers (CFOs), Chief Operating Officers (COOs), Chief Information Officers (CIOs), Chief
Information Security Officers (CISOs), and like roles.
3.2
governing body
person or group of people who are accountable for the performance and conformance of the organisation
NOTE Governing body forms part of top management: For clarity of roles, this standard distinguishes between two
groups within top management: the governing body and executive management.
3.3
governance of information security
system by which an organisation's information security activities are directed and controlled
3.4
stakeholder
any person or organisation that can affect, be affected by, or perceive themselves to be affected by an activity of the
organisation.
NOTE A decision maker can be a stakeholder.
ITU-T Rec. X.1054 (09/2012)
1
---------------------- Page: 6 ----------------------
ISO/IEC 27014:2013(E)
4 Concepts
4.1 General
Governance of information security needs to align objectives and strategies for information security with business
objectives and strategies, and requires compliance with legislation, regulations and contracts. It should be assessed,
analysed and implemented through a risk management approach, supported by an internal control system.
The governing body is ultimately accountable for an organisation’s decisions and the performance of the organisation.
In respect to information security, the key focus of the governing body is to ensure that the organisation’s approach to
information security is efficient, effective, acceptable and in line with business objectives and strategies giving due
regard to stakeholder expectations. Various stakeholders can have different values and needs.
4.2 Objectives
The objectives of governance of information security are to:
align the information security objectives and strategy with business objectives and strategy (strategic
alignment)
deliver value to the governing body and to stakeholders (value delivery)
ensure that information risk is being adequately addressed (accountability)
4.3 Desired Outcomes
The desired outcomes from effectively implementing governance of information security include:
governing body visibility on the information security status
an agile approach to decision-making about information risks
efficient and effective investments on information security
compliance with external requirements (legal, regulatory or contractual)
4.4 Relationship
There are several other areas of governance models within an organisation, such as governance of information
technology, and organisational governance. Every governance model is an integral component of the governance of an
organisation, which emphasizes the importance of alignment with business objectives. It is usually beneficial for the
governing body to develop a holistic and integrated view of its governance model, of which governance of information
security should be a part. The scopes of governance models sometimes overlap. For example, the relationship between
governance of information security and governance of information technology is illustrated in Figure 1.
ITU-T Rec. X.1054 (09/2012)
2
---------------------- Page: 7 ----------------------
ISO/IEC 27014:2013(E)
Figure 1 ― Relationship between governance of information security and
governance of information technology
Whereas the overarching scope of governance of information technology aims at resources required to acquire, process,
store and disseminate information, the scope of governance of information security covers confidentiality, integrity and
availability of information. Both governance schemes need to be handled by the following governance processes: EDM
(Evaluate, Direct, Monitor). However the governance of information security requires the additional internal process
"communicate".
The tasks required of the governing body to establish governance of information security are described in Clause 5.
Governance tasks are also related to management requirements specified in ISO/IEC 27001 as well as to other standards
of the ISMS family, as referenced in the Bibliography.
5 Principles and processes
5.1 Overview
This clause describes the principles and processes that, together, form the governance of information security.
Governance principles of information security are accepted rules for governance action or conduct that act as a guide
for the implementation of governance. A governance process for information security describes a series of tasks
enabling the governance of information security and their interrelationships. It also shows a relationship between
governance and the management of information security. These two components are explained in the following
subclauses.
5.2 Principles
Meeting the needs of stakeholders and delivering value to each of them is integral to the success of information security
in the long term. To
...
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27014
ISO/IEC JTC 1 Secretariat: ANSI
Voting begins on Voting terminates on
2011-11-11 2012-04-11
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОММИСИЯ COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE
Information technology — Security techniques — Governance
of information security
Technologies de l'information — Techniques de sécurité — Gouvernance de la sécurité de l'information
ICS 35.040
In accordance with the provisions of Council Resolution 21/1986 this DIS is circulated in the
English language only.
Conformément aux dispositions de la Résolution du Conseil 21/1986, ce DIS est distribué en
version anglaise seulement.
To expedite distribution, this document is circulated as received from the committee
secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at
publication stage.
Pour accélérer la distribution, le présent document est distribué tel qu'il est parvenu du
secrétariat du comité. Le travail de rédaction et de composition de texte sera effectué au
Secrétariat central de l'ISO au stade de publication.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE
REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME
STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
International Organization for Standardization, 2011
©
International Electrotechnical Commission, 2011
---------------------- Page: 1 ----------------------
ISO/IEC DIS 27014
Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted
under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,
photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
ii © ISO/IEC 2011 — All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 27014
CONTENTS
Page
Summary . iv
Foreword . v
1 Scope. 1
2 Normative references . 1
3 Definitions . 1
4 Concepts . 1
4.1 General . 1
4.2 Objectives. 2
4.3 Desired Outcomes. 2
4.4 Relationship . 2
5 Principles and processes. 3
5.1 Overview . 3
5.2 Principles. 3
5.3 Processes. 4
5.3.1 Overview .4
5.3.2 Evaluate .5
5.3.3 Direct .5
5.3.4 Monitor.6
5.3.5 Communicate.6
5.3.6 Assure.7
Annex A (informative) An example of Information Security Status . 8
Annex B (informative) An example of Detailed Information Security Status . 9
Bibliography. 10
ITU-T Rec. X.1054 (11/2011) iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 27014
INTERNATIONAL STANDARD <27014>
ITU-T RECOMMENDATION
Information technology — Security techniques —
Governance of information security
Summary
This Recommendation | International Standard provides guidance on the governance of information security.
Information security has become a key issue for organisations. Not only are there increasing regulatory requirements
but also the failure of an organisation’s information security measures can have a direct impact on an organisation’s
reputation.
Therefore, the governing body, as part of its governance responsibilities, is increasingly required to oversee information
security to ensure the objectives of the organisation are achieved.
In addition, governance of information security provides a powerful link between an organisation’s governing body,
executive management and those responsible for implementing and operating an information security management
system.
It provides the mandate essential for driving information security initiatives throughout the organisation.
Furthermore, an effective governance of information security ensures that the governing body receives relevant
reporting - framed in a business context - about information security-related activities. This enables pertinent and timely
decisions about information security issues in support of the strategic objectives of the organisation.
.
iv ITU-T Rec. X.1054 (11/2011)
---------------------- Page: 4 ----------------------
ISO/IEC DIS 27014
Foreword
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications. The ITU Telecommunication Standardisation Sector (ITU-T) is a permanent organ of ITU. ITU-T
is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view
to standardising telecommunications on a world-wide basis. The World Telecommunication Standardisation Assembly
(WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce
Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in
WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards
are prepared on a collaborative basis with ISO and IEC.
ISO (the International Organisation for Standardization) and IEC (the International Electro technical Commission) form
the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the
development of International Standards through technical committees established by the respective organisation to deal
with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest.
Other international organisations, governmental and non-governmental, in liaison with ISO and IEC, also take part in
the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC
JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards
adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO
and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Security techniques in collaboration with ITU-T. The identical text is published as ITU-T Recommendation
X.1054.
ITU-T Rec. X.1054 (11/2011) v
---------------------- Page: 5 ----------------------
ISO/IEC DIS 27014
1 Scope
This Recommendation | International Standard provides concepts and guidance on principles and processes for the
governance of information security, by which organisations can evaluate, direct and monitor the management of
information security.
This International Standard is applicable to all types and sizes of organisations.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent
edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently
valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently
valid ITU-T Recommendations.
ISO/IEC 27000:2009, Information Technology - Security techniques – Information security management systems –
Overview and vocabulary
3 Definitions
For the purposes of this Recommendation | International Standard, the terms and definitions in ISO/IEC 27000 and the
following definitions apply:
3.1 Executive management: person or group of people who have delegated responsibility from the governing
body for implementation of strategies and policies to accomplish the purpose of the organisation.
NOTE - Executive management is sometimes called top management and can include Chief Executive
Officers, Chief Financial Officers, Chief Information Officers, and similar roles
3.2 governing body: person or group of people who are ultimately accountable for the performance of the
organisation
NOTE - Governing body can in some jurisdictions be a board of directors.
3.3 governance of information security: set of principles and processes by which an organisation provides
direction and oversight of information security-related activities.
3.4 stakeholder: any person or organisation that can affect, be affected by, or perceive themselves to be affected
by an activity of the organisation.
NOTE - A decision maker can be a stakeholder.
4 Concepts
4.1 General
Governance of information security needs to align objectives and strategies for information security with business
objectives and strategies, and requires compliance with legislation, regulations and contracts. It should be assessed,
analysed and implemented through a risk management approach, supported by an internal control system.
The governing body is ultimately accountable for an organisation’s decisions and the performance of the organisation.
In respect to Information security, the key focus of the governing body is to ensure that the organisation’s approach to
information security is efficient, effective and acceptable, giving due regard to stakeholder expectations. Various
stakeholders can have different values and needs.
ITU-T Rec. X.1054 (11/2011) 1
---------------------- Page: 6 ----------------------
ISO/IEC DIS 27014
4.2 Objectives
The objectives of governance of information security are to:
• align the information security strategy with business strategy /objectives (strategic alignment)
• deliver value to the governing body and to stakeholders (value delivery)
• ensure that information risk is being adequately addressed (accountability).
4.3 Desired Outcomes
The desired outcomes from effectively implementing governance of information security include:
• governing body visibility on the information security status
• an agile approach to decision-making about information risks
• efficient and effective investments on information security
• compliance with external requirements (legal and regulatory)
4.4 Relationship
There are several other governance models within an organisation, such as governance of information technology, and
organisational governance. Every governance model is an integral component of the governance of an organisation,
which emphasizes the importance of alignment with business objectives. It is usually beneficial for the governing body
to develop a holistic and integrated view of its governance model, of which governance of information security should
be a part. The scopes of governance models sometimes overlap. For example, the relationship between governance of
information security and governance of information technology is illustrated in Figure 1.
Figure 1 ― Relationship between governance of information security and
governance of information technology
Whereas the overarching scope of IT governance is aiming at resources required to acquire, process, store and
disseminate information. However, the scope of information security governance is aiming at confidentiality, integrity
2 ITU-T Rec. X.1054 (11/2011)
---------------------- Page: 7 ----------------------
ISO/IEC DIS 27014
and availability of information. Both governance schemes need to be handled by the following governance processes:
EDM (Evaluate, Direct, Monitor).
The tasks required of the governing body to establish governance of information security are described in Clause 5.
Governance
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.