ISO/IEC 27014:2020
Information security, cybersecurity and privacy protection — Governance of information security
This document provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization. The intended audience for this document is: — governing body and top management; — those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; — those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance. This document is applicable to all types and sizes of organizations. All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001. This document focuses on the three types of ISMS organizations given in Annex B. However, this document can also be used by other types of organizations.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27014
Second edition
2020-12
Corrected version
2022-04
Information security, cybersecurity
and privacy protection — Governance
of information security
Sécurité de l'information, cybersécurité et protection de la vie
privée — Gouvernance de la sécurité de l'information
Reference number
ISO/IEC 27014:2020(E)
© ISO/IEC 2020
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed
for the different types of document should be noted (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs)
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details
of any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent
declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by ITU-T as ITU-T X.1054 (04/2021) and drafted in accordance with its
editorial rules, in collaboration with Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 27014:2013), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the document has been aligned with ISO/IEC 27001:2013;
— the requirements in ISO/IEC 27001 which are governance activities have been explained;
— the objectives and processes of information security governance have been described.
This corrected version of ISO/IEC 27014:2020 incorporates the following corrections:
— the document has been editorially revised in accordance with the rules for presentation of ITU-T | ISO/IEC
common text.
Any feedback or questions on this document should be directed to the user's national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
INTERNATIONAL STANDARD ISO/IEC 27014
RECOMMENDATION ITU-T X.1054
Information security, cybersecurity and privacy
protection – Governance of information security
Summary
Recommendation ITU-T X.1054 | International Standard ISO/IEC 27014 provides guidance on the governance of
information security.
Information security is a key issue for organizations, amplified by rapid advances in attack methodologies and
technologies, and corresponding increased regulatory pressures.
The failure of an organization's information security controls can have many adverse impacts on an organization and its
interested parties including but not limited to the undermining of trust.
Governance of information security is the use of resources to ensure effective implementation of information security, and
provides assurance that:
• directives concerning information security will be followed; and
• the governing body will receive reliable and relevant reporting about information security related activities.
This assists the governing body to make decisions concerning the strategic objectives for the organization by providing
information about information security that may affect these objectives. It also ensures that information security strategy
aligns with the overall objectives of the entity.
Managers and others working in organizations need to understand:
• the governance requirements that affect their work; and
• how to meet governance requirements that require them to take action.
History
Edition   Recommendation   Approval     Study Group   Unique ID*
1.0       ITU-T X.1054     2012-09-07   17            11.1002/1000/11594
2.0       ITU-T X.1054     2021-04-30   17            11.1002/1000/14248
Keywords
Information security, information security governance, information security management, ISMS.
* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web
browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.
FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications, information and communication technologies (ICTs). The ITU Telecommunication
Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,
operating and tariff questions and issuing Recommendations on them with a view to standardizing
telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes
the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are
prepared on a collaborative basis with ISO and IEC.
NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a
telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain
mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the
Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other
obligatory language such as "must" and the negative equivalents are used to express requirements. The use of
such words does not suggest that compliance with the Recommendation is required of any party.
INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve
the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or
applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of
the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property,
protected by patents/software copyrights, which may be required to implement this Recommendation.
However, implementers are cautioned that this may not represent the latest information and are therefore
strongly urged to consult the appropriate ITU-T databases available via the ITU-T website at
http://www.itu.int/ITU-T/ipr/.
© ITU 2022
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior
written permission of ITU.
CONTENTS
                                                                          Page
1   Scope ........................................................................ 1
2   Normative references ......................................................... 1
3   Definitions .................................................................. 1
4   Abbreviations ................................................................ 2
5   Use and structure of this Recommendation | International Standard ........... 2
6   Governance and management standards .......................................... 2
    6.1  Overview ................................................................ 2
    6.2  Governance activities within the scope of an ISMS ....................... 2
    6.3  Other related standards ................................................. 3
    6.4  Thread of governance within the organization ............................ 3
7   Entity governance and information security governance ........................ 4
    7.1  Overview ................................................................ 4
    7.2  Objectives .............................................................. 4
    7.3  Processes ............................................................... 5
8   The governing body's requirements on the ISMS ................................ 7
    8.1  Organization and ISMS ................................................... 7
    8.2  Scenarios (see Annex B) ................................................. 8
Annex A – Governance relationship ............................................... 10
Annex B – Types of ISMS organization ............................................ 11
Annex C – Examples of communication ............................................. 12
Bibliography .................................................................... 13
Introduction
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T
is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view
to standardizing telecommunications on a world-wide basis. The World Telecommunication Standardization Assembly
(WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce
Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in
WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards
are prepared on a collaborative basis with ISO and IEC.
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form
the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the
development of Recommendation | International Standards through technical committees established by the respective
organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of
mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work. In the field of Information security, cybersecurity and privacy protection, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
This Recommendation | International Standard has been drafted in accordance with the rules given in the ISO/IEC
Directives, Part 2.
The main task of the joint technical committee is to prepare this Recommendation | International Standard. Draft
Recommendation | International Standards adopted by the joint technical committee are circulated to national bodies for
voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this Recommendation | International Standard may be
the subject of patent rights. ITU, ISO or IEC shall not be held responsible for identifying any or all such patent rights.
Rec. ITU-T X.1054 | ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with
ITU-T SG17.
INTERNATIONAL STANDARD
ITU-T RECOMMENDATION
Information Security, Cybersecurity and Privacy
Protection – Governance of Information Security
1 Scope
This Recommendation | International Standard provides guidance on concepts, objectives and processes for the governance
of information security, by which organizations can evaluate, direct, monitor and communicate the information security-
related processes within the organization.
The intended audience for this document is:
• governing body and top management;
• those who are responsible for evaluating, directing and monitoring an information security management
system (ISMS) based on ISO/IEC 27001;
• those responsible for information security management that takes place outside the scope of an ISMS
based on ISO/IEC 27001, but within the scope of governance.
This Recommendation | International Standard is applicable to all types and sizes of organizations.
All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001.
This Recommendation | International Standard focuses on the three types of ISMS organizations given in Annex B.
However, it can also be used by other types of organizations.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition
of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid
International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid
ITU-T Recommendations.
– ISO/IEC 27000:in force, Information technology – Security techniques – Information security management
systems – Overview and vocabulary.
– ISO/IEC 27001:in force, Information technology – Security techniques – Information security management
systems – Requirements.
3 Definitions
For the purposes of this Recommendation | International Standard, the terms and definitions given in ISO/IEC 27000, and
the following apply.
ISO, IEC and ITU maintain terminology databases for use in standardization at the following addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
• ITU Terms and Definitions: available at http://www.itu.int/go/terminology-database
3.1 entity: Organization (3.2) and other bodies or parties.
NOTE – An entity can be a group of companies, or a single company, or a not-for-profit company, or other. The entity has
governance authority over the organization. The entity can be identical to the organization, for example in smaller companies.
3.2 organization: That part of an entity (3.1) which runs and manages an ISMS.
3.3 governing body: Person or group of people who are accountable for the performance and conformance of the
entity.
NOTE – SOURCE: ISO/IEC 27000:2018, 3.24, modified – "organization" has been replaced by "entity".
3.4 top management: Person or group of people who directs and controls an organization (3.2) at the highest level.
NOTE 1 – Source ISO/IEC 9001.
NOTE 2 – Top management has the power to delegate authority and provide resources within the organization.
NOTE 3 – If the scope of the management system covers only part of an entity, then top management refers to those who direct
and control that part of the entity. In this situation, top management are accountable to the governing body of the entity.
NOTE 4 – Depending on the size and resources of the organization, top management can be the same as the governing body.
NOTE 5 – Top management reports to the governing body. [SOURCE: ISO/IEC 27000:2018, 3.75].
NOTE 6 – ISO/IEC 37001 also provides definitions for governing body and top management.
4 Abbreviations
For the purposes of this Recommendation | International Standard, the following abbreviations apply:
ISMS Information Security Management System
IT Information Technology
5 Use and structure of this Recommendation | International Standard
This Recommendation | International Standard describes how information security governance operates within an ISMS
based upon ISO/IEC 27001, and how these activities can relate to other governance activities which operate outside the
scope of an ISMS. It outlines four main processes of "evaluate", "direct", "monitor" and "communicate" in which an
ISMS can be structured inside an organization, and suggests approaches for integrating information security governance
into organizational governance activities in each of these processes. Finally, Annex A describes the relationships between
organizational governance, governance of information technology and governance of information security.
The ISMS covers the whole of the organization, by definition (see ISO/IEC 27000). It can cover the whole of the entity,
or part of the entity. This is illustrated in Figure B.1.
6 Governance and management standards
6.1 Overview
Governance of information security is the means by which an organization's governing body provides overall direction
and control of activities that affect the security of an organization's information. This direction and control focuses on
circumstances where inadequate information security can adversely affect the organization's ability to achieve its overall
objectives. It is common for a governing body to realise its governance objectives by:
• providing direction by setting strategies and policies;
• monitoring the performance of the organization; and
• evaluating proposals and plans developed by managers.
Management of information security is associated with ensuring the achievement of the objectives of the organization
described within the strategies and policies established by the governing body. This can include interacting with the
governing body by:
• providing proposals and plans for consideration by the governing body; and
• providing information to the governing body concerning the performance of the organization.
Effective governance of information security requires both members of the governing body and managers to fulfil their
respective roles in a consistent way.
6.2 Governance activities within the scope of an ISMS
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an
information security management system within the context of an organization. It also includes requirements for the
assessment and treatment of information security risks tailored to the needs of the organization.
ISO/IEC 27001 does not use the term "governance" but specifies a number of requirements which are governance
activities. The following list provides examples of these activities. References to the organization and top management
are, as previously noted, associated with the scope of an ISMS based on ISO/IEC 27001.
• ISO/IEC 27001:2013, 4.1 requires the organization to identify what it is aiming to achieve – its information
security goals and objectives. These should be related to, and support, the overall goals and objectives of
the entity. This relates to governance objectives 1, 3 and 4 stated in 7.2 of this Recommendation |
International Standard.
• ISO/IEC 27001:2013, 4.2 requires the organization to identify the interested parties that are relevant to its
ISMS, and the requirements of those interested parties relevant to information security. This relates to
governance objective 4 stated in 7.2 of this Recommendation | International Standard.
• ISO/IEC 27001:2013, 4.3 requires the organization to define the boundaries and applicability of the ISMS
to establish its scope by considering the external issues and internal issues, the requirements, and interfaces
and dependencies. It is also specified that the organization shall build the requirements and expectations
of interested parties into its information security management system, as well as external and internal issues
(such as laws, regulations and contracts). This relates to governance objective 1 stated in 7.2 of this
Recommendation | International Standard.
• ISO/IEC 27001:2013, 5 specifies that the organization shall set policy, objectives, and integrate
information security into its processes (which can be considered to include governance processes). It
requires the organization to make suitable resources available and communicate the importance of
information security management. Most importantly, it also states that the organization shall direct and
support persons to contribute to the effectiveness of the ISMS, and that other relevant management roles
shall be supported in their areas of responsibility. ISO/IEC 27001:2013, 5 contains instructions for setting
policy, and assigning roles for information security management and reporting. This relates to governance
objectives 1 and 3 stated in 7.2 of this Recommendation | International Standard.
• ISO/IEC 27001:2013, 6 considers the design of a risk management approach for the organization,
specifying that the organization shall identify risks and opportunities to be addressed to ensure that its
ISMS is effective. It introduces the concept of risk owners, and puts their responsibilities into the context of
the organization's activities to manage risk and approve risk treatment activities. It also requires the
organization to establish information security objectives. This relates to governance objective 2 stated in
7.2 of this Recommendation | International Standard.
• ISO/IEC 27001:2013, 7 specifies that persons shall be competent in carrying out their information security
obligations, and provides a requirement for organizational communications. This relates to governance
objective 5 stated in 7.2 of this Recommendation | International Standard.
• ISO/IEC 27001:2013, 8 specifies the responsibility of the organization to plan, implement and control its
ISMS, including outsourced arrangements. This relates to governance objectives 4 and 6 stated in 7.2 of
this Recommendation | International Standard.
• ISO/IEC 27001:2013, 9 requires monitoring and reporting of all relevant aspects of the ISMS, internal
audits, and top management and governing body review and decisions on the operational effectiveness of
the ISMS, including any changes required. This relates to governance objective 6 stated in 7.2 of this
Recommendation | International Standard.
• ISO/IEC 27001:2013, 10 specifies the identification and treatment of non-conformities, the requirement
for identification of opportunities for continual improvement, and acting on those opportunities. This
relates to governance objective 4 stated in 7.2 of this Recommendation | International Standard.
6.3 Other related standards
ISO/IEC 38500 provides guiding principles for members of governing bodies of organizations on the effective, efficient,
and acceptable use of information technology within their organizations. It also provides guidance to those advising,
informing, or assisting governing bodies in governance of IT.
6.4 Thread of governance within the organization
These threads are in exact correspondence to the organizational governance processes described in 7. The last two items
in the list are equivalents of their governance aspects in the context of information security:
• the alignment of the information security objectives with the business objectives;
• the management of information security risk in accordance with those information security objectives;
• the avoidance of conflicts of interest in the management of information security;
• preventing the organization's information technology from being used to harm other organizations.
7 Entity governance and information security governance
7.1 Overview
There are many areas of governance within an entity, including information security, information technology, health and
safety, quality and finance. Each governance area is a component of the overall governance objectives of an entity, and
thus should be aligned with the discipline of the entity. The scopes of governance models sometimes overlap. Clauses 7.2
and 7.3 describe objectives and processes involved in information security governance, which can apply to any area being
governed.
An ISMS focuses on management of risks relating to information. It does not directly address subjects such as
profitability, acquisition, use and realization of assets, or the efficiency of other processes, although it should support any
organizational objectives on these subjects.
7.2 Objectives
7.2.1 Objective 1: Establish integrated comprehensive entity-wide information security
Governance of information security should ensure that information security objectives are comprehensive and integrated.
Information security should be handled at an entity level, with decision making taking into account entity priorities.
Activities concerning physical and logical security should be closely coordinated. This does not, however, require a single
set of security measures, or a single information security management system (ISMS) across the entity.
To ensure entity-wide information security, responsibility and accountability for information security should be
established across the full span of an entity's activities. This can extend beyond the generally perceived "borders" of an
entity e.g., to include information being stored or transferred by external parties.
7.2.2 Objective 2: Make decisions using a risk-based approach
Governance of information security should be b
...
Contents                                                                       Page
Foreword ........................................................................ iv
Introduction ..................................................................... v
1   Scope ........................................................................ 1
2   Normative references ......................................................... 1
3   Terms and definitions ........................................................ 1
4   Abbreviated terms ............................................................ 2
5   Use and structure of this document ........................................... 2
6   Governance and management standards .......................................... 2
    6.1  Overview ................................................................ 2
    6.2  Governance activities within the scope of an ISMS ....................... 3
    6.3  Other related standards ................................................. 4
    6.4  Thread of governance within the organization ............................ 4
7   Entity governance and information security governance ........................ 4
    7.1  Overview ................................................................ 4
    7.2  Objectives .............................................................. 5
         7.2.1  Objective 1: Establish integrated comprehensive entity-wide information security ... 5
         7.2.2  Objective 2: Make decisions using a risk-based approach ......... 5
         7.2.3  Objective 3: Set the direction of acquisition ................... 5
         7.2.4  Objective 4: Ensure conformance with internal and external requirements ... 5
         7.2.5  Objective 5: Foster a security-positive culture ................. 6
         7.2.6  Objective 6: Ensure the security performance meets current and future requirements of the entity ... 6
    7.3  Processes ............................................................... 6
         7.3.1  General .......................................................... 6
         7.3.2  Evaluate ......................................................... 7
         7.3.3  Direct ........................................................... 8
         7.3.4  Monitor .......................................................... 8
         7.3.5  Communicate ...................................................... 9
8   The governing body's requirements on the ISMS ................................ 9
    8.1  Organization and ISMS ................................................... 9
    8.2  Scenarios (see Annex B) ................................................ 10
Annex A (informative) Governance relationship ................................... 12
Annex B (informative) Types of ISMS organization ................................ 13
Annex C (informative) Examples of communication ................................. 15
Bibliography .................................................................... 16
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with ITU-T.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
This second edition cancels and replaces the first edition (ISO/IEC 27014:2013), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the document has been aligned with ISO/IEC 27001:2013;
— the requirements in ISO/IEC 27001 which are governance activities have been explained;
— the objectives and processes of information security governance have been described.
Introduction
Information security is a key issue for organizations, amplified by rapid advances in attack
methodologies and technologies, and corresponding increased regulatory pressures.
The failure of an organization’s information security controls can have many adverse impacts on an
organization and its interested parties including, but not limited to, the undermining of trust.
Governance of information security is the use of resources to ensure effective implementation of
information security, and provides assurance that:
— directives concerning information security will be followed; and
— the governing body will receive reliable and relevant reporting about information security–related
activities.
This assists the governing body to make decisions concerning the strategic objectives for the
organization by providing information about information security that can affect these objectives. It
also ensures that information security strategy aligns with the overall objectives of the entity.
Managers and others working in organizations need to understand:
— the governance requirements that affect their work; and
— how to meet governance requirements that require them to take action.
Information security, cybersecurity and privacy
protection — Governance of information security
1 Scope
This document provides guidance on concepts, objectives and processes for the governance of
information security, by which organizations can evaluate, direct, monitor and communicate the
information security-related processes within the organization.
The intended audience for this document is:
— governing body and top management;
— those who are responsible for evaluating, directing and monitoring an information security
management system (ISMS) based on ISO/IEC 27001;
— those responsible for information security management that takes place outside the scope of an
ISMS based on ISO/IEC 27001, but within the scope of governance.
This document is applicable to all types and sizes of organizations.
All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001.
This document focuses on the three types of ISMS organizations given in Annex B. However, this
document can also be used by other types of organizations.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
entity
organization and other bodies or parties
Note 1 to entry: An entity can be a group of companies, a single company, a not-for-profit company, or other.
The entity has governance authority over the organization. The entity can be identical to the organization, for
example in smaller companies.
3.2
organization
part of an entity (3.1) which runs and manages an ISMS
3.3
governing body
person or group of people who are accountable for the performance and conformance of the entity
[SOURCE: ISO/IEC 27000:2018, 3.24, modified — “organization” has been replaced by “entity”]
3.4
top management
person or group of people who directs and controls an organization at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system covers only part of an entity, then top management refers
to those who direct and control that part of the entity. In this situation, top management are accountable to the
governing body of the entity.
Note 3 to entry: Depending on the size and resources of the organization, top management can be the same as the
governing body.
Note 4 to entry: Top management reports to the governing body.
Note 5 to entry: ISO/IEC 37001 also provides definitions for governing body and top management.
[SOURCE: ISO/IEC 27000:2018, 3.75, modified — In Note 2 to entry, the second sentence has been added
and "organization" has been changed to "entity". Note 3 to entry has been replaced. Notes 4 and 5 to
entry have been added.]
4 Abbreviated terms
ISMS information security management system
IT information technology
5 Use and structure of this document
This document describes how information security governance operates within an ISMS based on
ISO/IEC 27001, and how these activities can relate to other governance activities which operate
outside the scope of an ISMS. It outlines four main processes of “evaluate”, “direct”, “monitor” and
“communicate” in which an ISMS can be structured inside an organization, and suggests approaches for
integrating information security governance into organizational governance activities in each of these
processes. Finally, Annex A describes the relationships between organizational governance, governance
of information technology and governance of information security.
The ISMS covers the whole of the organization, by definition (see ISO/IEC 27000). It can cover the whole
entity or part of it. This is illustrated in Figure B.1.
6 Governance and management standards
6.1 Overview
Governance of information security is the means by which an organization’s governing body provides
overall direction and control of activities that affect the security of an organization’s information. This
direction and control focuses on circumstances where inadequate information security can adversely
affect the organization’s ability to achieve its overall objectives. It is common for a governing body to
realise its governance objectives by:
— providing direction by setting strategies and policies;
— monitoring the performance of the organization; and
— evaluating proposals and plans developed by managers.
Management of information security is associated with ensuring the achievement of the objectives of
the organization described within the strategies and policies established by the governing body. This
can include interacting with the governing body by:
— providing proposals and plans for consideration by the governing body; and
— providing information to the governing body concerning the performance of the organization.
Effective governance of information security requires both members of the governing body and
managers to fulfil their respective roles in a consistent way.
6.2 Governance activities within the scope of an ISMS
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of an organization. It also
includes requirements for the assessment and treatment of information security risks tailored to the
needs of the organization.
ISO/IEC 27001 does not use the term “governance” but specifies a number of requirements which
are governance activities. The following list provides examples of these activities. References to the
organization and top management are, as previously noted, associated with the scope of an ISMS based
on ISO/IEC 27001.
— ISO/IEC 27001:2013, 4.1, requires the organization to identify what it is aiming to achieve – its
information security goals and objectives. These should be related to, and support, the overall goals
and objectives of the entity. This relates to governance objectives 1, 3 and 4 stated in 7.2.
— ISO/IEC 27001:2013, 4.2, requires the organization to identify the interested parties that are relevant
to its ISMS, and the requirements of those interested parties relevant to information security. This
relates to governance objective 4 stated in 7.2.
— ISO/IEC 27001:2013, 4.3, requires the organization to define the boundaries and applicability
of the ISMS to establish its scope by considering the external issues and internal issues, the
requirements, and interfaces and dependencies. It is also specified that "the organization shall build
the requirements and expectations of interested parties into its information security management
system, as well as external and internal issues (such as laws, regulations and contracts)". This
relates to governance objective 1 stated in 7.2.
— ISO/IEC 27001:2013, Clause 5, specifies that "the organization shall set policy, objectives and integrate
information security into its processes (which can be considered to include governance processes)".
It requires the organization to make suitable resources available and communicate the importance
of information security management. Most importantly, it also states that "the organization shall
direct and support persons to contribute to the effectiveness of the ISMS, and that other relevant
management roles shall be supported in their areas of responsibility". ISO/IEC 27001:2013, Clause 5,
contains instructions for setting policy, and assigning roles for information security management
and reporting. This relates to governance objectives 1 and 3 stated in 7.2.
— ISO/IEC 27001:2013, Clause 6, considers the design of a risk management approach for the
organization, specifying that "the organization shall identify risks and opportunities to be
addressed to ensure that its ISMS is effective". It introduces the concept of risk owners, and puts
their responsibilities into the context of the organization’s activities to manage risk and approve risk
treatment activities. It also requires the organization to establish information security objectives.
This relates to governance objective 2 stated in 7.2.
— ISO/IEC 27001:2013, Clause 7, specifies that "persons shall be competent in carrying out their
information security obligations". It also provides a requirement for organizational communications.
This relates to governance objective 5 stated in 7.2.
— ISO/IEC 27001:2013, Clause 8, requires the organization to plan, implement and control its ISMS,
including outsourced arrangements. This relates to governance objectives 4 and 6 stated in 7.2.
— ISO/IEC 27001:2013, Clause 9, requires monitoring and reporting of all relevant aspects of the ISMS,
internal audits, and top management and governing body review and decisions on the operational
effectiveness of the ISMS, including any changes required. This relates to governance objective 6
stated in 7.2.
— ISO/IEC 27001:2013, Clause 10, specifies the identification and treatment of non-conformities, the
requirement for identification of opportunities for continual improvement and acting on those
opportunities. This relates to governance objective 4 stated in 7.2.
6.3 Other related standards
ISO/IEC 38500 provides guiding principles for members of governing bodies of organizations on the
effective, efficient and acceptable use of information technology within their organizations. It also
provides guidance to those advising, informing or assisting governing bodies in governance of IT.
6.4 Thread of governance within the organization
The following threads correspond exactly to the organizational governance processes described in
Clause 7. The last two items in the list are the information security equivalents of the corresponding
organizational governance aspects:
— the alignment of the information security objectives with the business objectives;
— the management of information security risk in accordance with those information security
objectives;
— the avoidance of conflicts of interest in the management of information security;
— preventing the organization’s information technology from being used to harm other organizations.
7 Entity governance and information security governance
7.1 Overview
There are many areas of governance within an entity, including information security, information
technology, health and safety, quality and finance. Each governance area is a component of the overall
governance objectives of an entity, and thus should be aligned with the discipline of the entity. The
scopes of governance models sometimes overlap. 7.2 and 7.3 describe objectives and processes involved
in information security governance, which can apply to any area being governed.
An ISMS focuses on management of risks relating to information. It does not directly address subjects
such as profitability, acquisition, use and realization of assets, or the efficiency of other processes,
although it should support any organizational objectives on these subjects.
7.2 Objectives
7.2.1 Objective 1: Establish integrated comprehensive entity-wide information security
Governance of information security should ensure that information security objectives are
comprehensive and integrated. Information security should be handled at an entity level, with decision
making taking into account entity priorities. Activities concerning physical and logical security should
be closely coordinated. This does not, however, require a single set of security measures or a single
information security management system (ISMS) across the entity.
To ensure entity-wide information security, responsibility and accountability for information security
should be established across the full span of an entity’s activities. This can extend beyond the generally
perceived “borders” of an entity, e.g. to include information being stored or transferred by external
parties.
7.2.2 Objective 2: Make decisions using a risk-based approach
Governance of information security should be based on compliance obligations and also on entity-
specific risk-based decisions. Determining how much security is acceptable should be based on the risk
appetite of an entity, including loss of competitive advantage, compliance and liability risks, operational
disruptions, reputational harm, and financial loss.
Information security risk management should be consistent across the entity and include considerations
of the adverse financial, operational and reputational impacts of breaches and non-compliance.
Furthermore, information security risk management should be integrated with the entity’s overall risk
management approach so it is not done in isolation and does not cause confusion, for example, mapping
to the entity methodology or capturing strategic information risks into the entity’s risk register.
Appropriate resources to implement information risk management should be allocated as a part of the
security governance process.
7.2.3 Objective 3: Set the direction of acquisition
The impact of information security risk should be adequately assessed when undertaking new
activities, including, but not limited to, any investment, purchases, merger, adoption of new technology,
outsourcing arrangements and contract with external suppliers.
To optimize information security acquisition to support entity objectives, the governing body should
ensure that information security is integrated with existing entity processes, including project
management, procurement, financial expenditure, legal and regulatory compliance, and strategic risk
management.
The top management for each ISMS should establish an information security strategy based on
organizational objectives, ensuring harmonization between entity requirements and organizational
information security requirements, thereby meeting the current and evolving needs of interested
parties.
7.2.4 Objective 4: Ensure conformance with internal and external requirements
Governance of information security should ensure that information security policies and practices
conform to requirements of interested parties. These can include legislation and regulations, as well as
contractual requirements and internal commitments.
To address conformance and compliance issues, top management can obtain assurance that information
security activities are satisfactorily meeting internal and external requirements by commissioning
independent security audits.
7.2.5 Objective 5: Foster a security-positive culture
Governance of information security should be built on entity culture, including the evolving needs
of all the interested parties, since human behaviour is one of the fundamental elements to support
the appropriate level of information security. If not adequately coordinated, the objectives, roles,
responsibilities and resources can conflict with each other, resulting in the failure to meet any
objectives. Therefore, harmonization and concerted orientation between the various interested parties
is very important.
To establish a positive information security culture, top management should require, promote and
support coordination of interested party activities to achieve a coherent direction for information
security. This supports the delivery of security education, training and awareness programs.
Information security responsibilities should be integrated into the roles of staff and other parties, and
they should support the success of each ISMS by taking on these responsibilities.
7.2.6 Objective 6: Ensure the security performance meets current and future requirements of
the entity
Governance of information security should ensure that the approach taken to protect information
is fit for purpose in supporting the entity, providing agreed levels of information security. Security
performance should be monitored and maintained at levels required to meet current and future
requirements.
To review performance of information security from a governance perspective, the governing body
should evaluate the performance of information security in relation to its entity-level impact, not just
the effectiveness and efficiency of security controls.
Within each ISMS, top management should be required to implement a performance measurement
program to monitor, audit and identify opportunities for improvement. The governing body should link
information security performance to the performance of the organization, and of the entity.
7.3 Processes
7.3.1 General
The governing body withi
...
FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
27014
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection — Governance
Voting begins on:
202009-02 of information security
Voting terminates on:
20201028
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO
ISO/IEC FDIS 27014:2020(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN
DARDS TO WHICH REFERENCE MAY BE MADE IN
©
NATIONAL REGULATIONS. ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC FDIS 27014:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC FDIS 27014:2020(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Use and structure of this document . 2
6 Governance and management standards . 2
6.1 Overview . 2
6.2 Governance activities within the scope of an ISMS . 3
6.3 Other related standards . 4
6.4 Thread of governance within the organization. 4
7 Entity governance and information security governance . 4
7.1 Overview . 4
7.2 Objectives. 5
7.2.1 Objective 1: Establish integrated comprehensive entity-wide information
security . 5
7.2.2 Objective 2: Make decisions using a riskbased approach . 5
7.2.3 Objective 3: Set the direction of acquisition . 5
7.2.4 Objective 4: Ensure conformance with internal and external requirements . 5
7.2.5 Objective 5: Foster a security-positive culture . 6
7.2.6 Objective 6: Ensure the security performance meets current and future
requirements of the entity . 6
7.3 Processes . 6
7.3.1 General. 6
7.3.2 Evaluate . 7
7.3.3 Direct . 8
7.3.4 Monitor . . 8
7.3.5 Communicate . 9
8 The governing body’s requirements on the ISMS . 9
8.1 Organization and ISMS . 9
8.2 Scenarios (see Annex B).10
Annex A (informative) Governance relationship .12
Annex B (informative) Types of ISMS organization .13
Annex C (informative) Examples of communication .15
Bibliography .16
© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC FDIS 27014:2020(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and nongovernmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with ITUT.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
This second edition cancels and replaces the first edition (ISO/IEC 27014:2013), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the document has been aligned with ISO/IEC 27001:2013;
— the requirements in ISO/IEC 27001 which are governance activities have been explained;
— the objectives and processes of information security governance have been described.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC FDIS 27014:2020(E)
Introduction
Information security is a key issue for organizations, amplified by rapid advances in attack
methodologies and technologies, and corresponding increased regulatory pressures.
The failure of an organization’s information security controls can have many adverse impacts on an
organization and its interested parties including, but not limited to, the undermining of trust.
Governance of information security is the use of resources to ensure effective implementation of
information security, and provides assurance that:
— directives concerning information security will be followed; and
— the governing body will receive reliable and relevant reporting about information security–related
activities.
This assists the governing body to make decisions concerning the strategic objectives for the
organization by providing information about information security that can affect these objectives. It
also ensures that information security strategy aligns with the overall objectives of the entity.
Managers and others working in organizations need to understand:
— the governance requirements that affect their work; and
— how to meet governance requirements that require them to take action.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27014:2020(E)
Information security, cybersecurity and privacy
protection — Governance of information security
1 Scope
This document provides guidance on concepts, objectives and processes for the governance of
information security, by which organizations can evaluate, direct, monitor and communicate the
information security-related processes within the organization.
The intended audience for this document is:
— governing body and top management;
— those who are responsible for evaluating, directing and monitoring an information security
management system (ISMS) based on ISO/IEC 27001;
— those responsible for information security management that takes place outside the scope of an
ISMS based on ISO/IEC 27001, but within the scope of governance.
This document is applicable to all types and sizes of organizations.
All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001.
This document focuses on the three types of ISMS organizations given in Annex B. However, this
document can also be used by other types of organizations.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
entity
organization and other bodies or parties
Note 1 to entry: An entity can be a group of companies, or a single company, or a non for profit company, or other.
The entity has governance authority over the organization. The entity can be identical to the organization, for
example in smaller companies.
© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC FDIS 27014:2020(E)
3.2
organization
part of an entity (3.1) which runs and manages an ISMS
3.3
governing body
person or group of people who are accountable for the performance and conformance of the entity
[SOURCE: ISO/IEC 27000:2018, 3.24, modified — “organization” has been replaced by “entity”]
3.4
top management
person or group of people who directs and controls an organization at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system covers only part of an organization, then top management
refers to those who direct and control that part of the organization. In this situation, top management are
accountable to the governing body of the entity.
Note 3 to entry: Depending on the size and resources of the organization, top management can be the same as the
governing body.
Note 4 to entry: Top management reports to the governing body.
Note 5 to entry: ISO/IEC 37001 also provides definitions for governing body and top management.
[SOURCE: ISO/IEC 27000:2018, 3.75, modified — In Note 2 to entry, the second sentence has been added.
Note 3 to entry has been replaced. Notes 4 and 5 to entry have been added.]
4 Abbreviated terms
EDM evaluate, direct, monitor
ISMS information security management system
IT information technology
5 Use and structure of this document
This document describes how information security governance operates within an ISMS based on
ISO/IEC 27001, and how these activities can relate to other governance activities which operate
outside the scope of an ISMS. It outlines four main processes of “evaluate”, “direct”, “monitor” and
“communicate” in which an ISMS can be structured inside an organization, and suggests approaches for
integrating information security governance into organizational governance activities in each of these
processes. Finally, Annex A describes the relationships between organizational governance, governance
of information technology and governance of information security.
The ISMS covers the whole of the organization, by definition (see ISO/IEC 27000). It can cover the whole
entity or part of it. This is illustrated in Figure B.1.
6 Governance and management standards
6.1 Overview
Governance of information security is the means by which an organization’s governing body provides
overall direction and control of activities that affect the security of an organization’s information. This
direction and control focuses on circumstances where inadequate information security can adversely
affect the organization’s ability to achieve its overall objectives. It is common for a governing body to
realise its governance objectives by:
— providing direction by setting strategies and policies;
— monitoring the performance of the organization; and
— evaluating proposals and plans developed by managers.
Management of information security is associated with ensuring the achievement of the objectives of
the organization described within the strategies and policies established by the governing body. This
can include interacting with the governing body by:
— providing proposals and plans for consideration by the governing body; and
— providing information to the governing body concerning the performance of the organization.
Effective governance of information security requires both members of the governing body and
managers to fulfil their respective roles in a consistent way.
6.2 Governance activities within the scope of an ISMS
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of an organization. It also
includes requirements for the assessment and treatment of information security risks tailored to the
needs of the organization.
ISO/IEC 27001 does not use the term “governance” but specifies a number of requirements which
are governance activities. The following list provides examples of these activities. References to the
organization and top management are, as previously noted, associated with the scope of an ISMS based
on ISO/IEC 27001.
— ISO/IEC 27001:2013, 4.1, requires the organization to identify what it is aiming to achieve – its
information security goals and objectives. These should be related to, and support, the overall goals
and objectives of the entity. This relates to governance objectives 1, 3 and 4 stated in 7.2.
— ISO/IEC 27001:2013, 4.2, requires the organization to identify the interested parties that are relevant
to its ISMS, and the requirements of those interested parties relevant to information security. This
relates to governance objective 4 stated in 7.2.
— ISO/IEC 27001:2013, 4.3, requires the organization to define the boundaries and applicability
of the ISMS to establish its scope by considering the external issues and internal issues, the
requirements, and interfaces and dependencies. It is also specified that "the organization shall build
the requirements and expectations of interested parties into its information security management
system, as well as external and internal issues (such as laws, regulations and contracts)". This
relates to governance objective 1 stated in 7.2.
— ISO/IEC 27001:2013, Clause 5, specifies that "the organization shall set policy, objectives and integrate
information security into its processes (which can be considered to include governance processes)".
It requires the organization to make suitable resources available and communicate the importance
of information security management. Most importantly, it also states that "the organization shall
direct and support persons to contribute to the effectiveness of the ISMS, and that other relevant
management roles shall be supported in their areas of responsibility". ISO/IEC 27001:2013, Clause 5,
contains instructions for setting policy, and assigning roles for information security management
and reporting. This relates to governance objectives 1 and 3 stated in 7.2.
— ISO/IEC 27001:2013, Clause 6, considers the design of a risk management approach for the
organization, specifying that "the organization shall identify risks and opportunities to be
addressed to ensure that its ISMS is effective". It introduces the concept of risk owners, and puts
their responsibilities into the context of the organization’s activities to manage risk and approve risk
treatment activities. It also requires the organization to establish information security objectives.
This relates to governance objective 2 stated in 7.2.
— ISO/IEC 27001:2013, Clause 7, specifies that "persons shall be competent in carrying out their
information security obligations". It also provides a requirement for organizational communications.
This relates to governance objective 5 stated in 7.2.
— ISO/IEC 27001:2013, Clause 8, requires the organization to plan, implement and control its ISMS,
including outsourced arrangements. This relates to governance objectives 4 and 6 stated in 7.2.
— ISO/IEC 27001:2013, Clause 9, requires monitoring and reporting of all relevant aspects of the ISMS,
internal audits, and top management and governing body review and decisions on the operational
effectiveness of the ISMS, including any changes required. This relates to governance objective 6
stated in 7.2.
— ISO/IEC 27001:2013, Clause 10, specifies the identification and treatment of non-conformities, the
requirement for identification of opportunities for continual improvement and acting on those
opportunities. This relates to governance objective 4 stated in 7.2.
6.3 Other related standards
ISO/IEC 38500 provides guiding principles for members of governing bodies of organizations on the
effective, efficient and acceptable use of information technology within their organizations. It also
provides guidance to those advising, informing or assisting governing bodies in governance of IT.
6.4 Thread of governance within the organization
These threads are in exact correspondence to the organizational governance processes described in
Clause 7. The last two items in the list are equivalents of their governance aspects in the context of
information security:
— the alignment of the information security objectives with the business objectives;
— the management of information security risk in accordance with those information security
objectives;
— the avoidance of conflicts of interest in the management of information security;
— preventing the organization’s information technology from being used to harm other organizations.
7 Entity governance and information security governance
7.1 Overview
There are many areas of governance within an entity, including information security, information
technology, health and safety, quality and finance. Each governance area is a component of the overall
governance objectives of an entity, and thus should be aligned with the discipline of the entity. The
scopes of governance models sometimes overlap. 7.2 and 7.3 describe objectives and processes involved
in information security governance, which can apply to any area being governed.
An ISMS focuses on management of risks relating to information. It does not directly address subjects
such as profitability, acquisition, use and realization of assets, or the efficiency of other processes,
although it should support any organizational objectives on these subjects.
7.2 Objectives
7.2.1 Objective 1: Establish integrated comprehensive entity-wide information security
Governance of information security should ensure that information security objectives are
comprehensive and integrated. Information security should be handled at an entity level, with decision
making taking into account entity priorities. Activities concerning physical and logical security should
be closely coordinated. This does not, however, require a single set of security measures or a single
information security management system (ISMS) across the entity.
To ensure entity-wide information security, responsibility and accountability for information security
should be established across the full span of an entity’s activities. This can extend beyond the generally
perceived “borders” of an entity, e.g. to include information being stored or transferred by external
parties.
7.2.2 Objective 2: Make decisions using a risk-based approach
Governance of information security should be based on compliance obligations and also on entity-
specific risk-based decisions. Determining how much security is acceptable should be based on the risk
appetite of an entity, including loss of competitive advantage, compliance and liability risks, operational
disruptions, reputational harm, and financial loss.
Information security risk management should be consistent across the entity and include considerations
of the adverse financial, operational and reputational impacts of breaches and non-compliance.
Furthermore, information security risk management should be integrated with the entity’s overall risk
management approach so it is not done in isolation and does not cause confusion, for example, mapping
to the entity methodology or capturing strategic information risks into the entity’s risk register.
Appropriate resources to implement information risk management should be allocated as a part of the
security governance process.
7.2.3 Objective 3: Set the direction of acquisition
The impact of information security risk should be adequately assessed when undertaking new
activities, including, but not limited to, any investment, purchases, merger, adoption of new technology,
outsourcing arrangements and contract with external suppliers.
To optimize information security acquisition to support entity objectives, the governing body should
ensure that information security is integrated with existing entity processes, including project
management, procurement, financial expenditure, legal and regulatory compliance, and strategic risk
management.
The top management for each ISMS should establish an information security strategy based on
organizational objectives, ensuring harmonization between entity requirements and organizational
information security requirements, thereby meeting the current and evolving needs of interested
parties.
7.2.4 Objective 4: Ensure conformance with internal and external requirements
Governance of information security should ensure that information security policies and practices
conform to requirements of interested parties. These can include legislation and regulations, as well as
contractual requirements and internal commitments.
To address conformance and compliance issues, top management can obtain assurance that information
security activities are satisfactorily meeting internal and external requirements by commissioning
independent security audits.
7.2.5 Objective 5: Foster a security-positive culture
Governance of information security should be built on entity culture, including the evolving needs
of all the interested parties, since human behaviour is one of the fundamental elements to support
the appropriate level of information security. If not adequately coordinated, the objectives, roles,
responsibilities and resources can conflict with each other, resulting in the failure to meet any
objectives. Therefore, harmonization and concerted orientation between the various interested parties
is very important.
To establish a positive information security culture, top management should require, promote and
support coordination of interested party activities to achieve a coherent direction for information
security. This supports the delivery of security education, training and awareness programs.
Information security responsibilities should be integrated into the roles of staff and other parties, and
they should support the success of each ISMS by taking on these responsibilities.
7.2.6 Objective 6: Ensure the security performance meets current and future requirements of
the entity
Governance of information security should ensure that the approach taken to protect information
is fit for purpose in supporting the entity, providing agreed levels of information security. Security
performance should be monitored and maintained at levels required to meet current and future
requirements.
To review performance of information security from a governance perspective, the
...