Providing good governance for information security | CQI | IRCA

Providing good governance for information security

Published: 8 Feb 2021

How businesses can improve and strengthen their information security, cybersecurity and privacy protection through the latest update to ISO/IEC 27014.

Good governance has always been at the heart of successful organisations. It is suggested that the term ‘governance’ derives from the ancient Greek word ‘kubernáo’ meaning ‘to steer’. This would seem appropriate as the primary responsibility of governing bodies is to navigate their organisations through the issues, risks, challenges and opportunities that the external world and their own operations present to them, in their journey to achieve their defined objectives.

Good governance is not only expected at the most senior levels of the organisation; it should also be reflected in everything that the organisation does. ISO/IEC 27014 (Information security, cybersecurity and privacy protection — Governance of information security) establishes links between good governance and effective information security management, as defined by the requirements of ISO/IEC 27001:2013. It provides guidance on concepts, objectives and processes for the governance of information security, which organisations can use to evaluate, direct, monitor and communicate the information security-related processes they operate.

Information security is a key issue for organisations, as they seek to respond to rapid advances in attack methodologies and technologies and to corresponding increases in regulatory pressure. The failure of an organisation’s information security controls can have many adverse impacts on the organisation and its interested parties, including the undermining of trust.

Governance of information security seeks to preserve trust by directing resources to ensure effective implementation of the information security management system. It provides assurance that directives concerning information security will be followed and that the governing body is receiving reliable and relevant reporting about information security-related activities. This assists the governing body in making decisions concerning the strategic objectives of the organisation, by providing information about information security matters that may affect those objectives. It also ensures that the organisation’s information security strategy aligns with the overall objectives of the organisation.

A brief background

The ISO/IEC 27014:2020 guidance document was published in December last year, replacing the 2013 first edition.

The intended audience for ISO/IEC 27014:2020 remains the same:

  • an organisation’s governing body and its top management
  • those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001
  • those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance.

The second edition has, however, been aligned with the latest version of ISO/IEC 27001 (2013), and the requirements in ISO/IEC 27001 which relate to governance activities have been explained. Moreover, the objectives and processes of information security governance are described in clauses 7.2 and 7.3.

ISO/IEC 27014 introduces two definitions: ‘entity’, which may equate to the organisation, part of the organisation or a number of organisations, and ‘governing body’, which may equate to top management or may direct top management, depending on the structure of the business.

Information security governance objectives

Six information security governance objectives are identified within ISO/IEC 27014:2020. Four information security governance processes are then applied to these objectives to ensure the objectives are realised.

Objective 1: Establish integrated, comprehensive, entity-wide information security. Indicators of success – Information security objectives are comprehensive and integrated into the business. Information security is handled at an entity level, with decision-making taking into account entity priorities. Activities concerning physical and logical security are closely coordinated. Responsibility and accountability for information security are established across the full span of an entity’s activities.

Objective 2: Make decisions using a risk-based approach. Indicators of success – Compliance obligations are met. Decisions taken are risk-based and entity-specific. Information security risk management is integrated with the entity’s strategic risk management, with a consistent approach to risk management across the entity. Sufficient resources are made available to effectively manage information risk.

Objective 3: Set the direction of acquisition. Indicators of success – Information security risk is adequately assessed when undertaking new activities, including, but not limited to, any investment, purchase, merger, adoption of new technology, outsourcing arrangement or contract with an external supplier.

Information security is integrated with existing entity processes, including project management, procurement, financial expenditure, legal and regulatory compliance, and strategic risk management. Top management have established an information security strategy based on organisational objectives, ensuring entity requirements and organisational information security requirements are compatible.

Objective 4: Ensure conformance with internal and external requirements. Indicators of success – The entity’s information security policies and practices conform to the requirements of interested parties, including legislation, regulations, contractual requirements and internal commitments. Top management obtain assurance that information security activities are satisfactorily meeting internal and external requirements (e.g. by commissioning independent security audits).

Objective 5: Foster a security-positive culture. Indicators of success – There is harmonisation and concerted orientation between the various ISMS interested parties. Top management require, promote and support coordination of interested party activities to achieve a coherent direction for information security. There is evidence of security education, training and awareness programmes. Information security responsibilities are integrated into the roles of staff and other parties, and everyone contributes to the success of the ISMS by embracing their responsibilities.

Objective 6: Ensure that security performance meets the current and future requirements of the entity. Indicators of success – The approach the entity has taken to protect information provides the agreed level of information security. Security performance is monitored and maintained to meet the entity’s current and future information security requirements. Top management have implemented performance measures to monitor, audit and identify opportunities for improvement. Information security performance is linked to the overall performance of the entity.

Information security governance processes

ISO/IEC 27014:2020 sets out the responsibilities for the governing body and top management in respect of the operation of four governance processes.

Process 1: “Evaluate” is the governance process that considers the current and forecast achievement of objectives based on current processes and planned changes, and determines where any adjustments are required to realise the future achievement of strategic objectives.

Process 2: “Direct” is the governance process by which the governing body provides direction about the entity’s objectives and strategy. Direction can include changes in resourcing levels, allocation of resources, prioritisation of activities, and approvals of policies, material risk acceptance and risk management plans.

Process 3: “Monitor” is the governance process that enables the governing body to assess the achievement of its strategic objectives.

Process 4: “Communicate” is the two-way governance process by which the governing body and interested parties exchange information appropriate to their specific needs.

Evaluate, direct and monitor form a cycle similar to Plan, Do, Check, Act (PDCA), linking the governing body to top management, while communication is undertaken as and when necessary to keep interested parties advised of the entity’s ongoing information security status.

ISO/IEC 27014 concludes by reiterating that governing bodies should require the design of the entity’s ISMS to be such that it supports the achievement of the entity’s objectives.

The entity’s objectives may be identical to the ISMS objectives, but they do not have to be, as long as the two sets of objectives are consistent and not in conflict with each other.

Also, governing bodies should require the design of the ISMS to be consistent with the entity’s general policies and processes, including risk management.