Information Security Governance Papers

Paper Title: ISO/IEC 27014 Information technology -- Security techniques -- Information security governance framework
Abstract: A new project within ISO/IEC JTC1/SC27 is developing a global governance standard aimed at helping organizations govern information security.
Information security governance seems likely to take into account:
The organization’s business strategies, policies and objectives;
Compliance with applicable governance regulations and laws;
Compliance of the organization with its contractual and other legal obligations to third parties, and vice versa;
Audit and perhaps certification requirements to provide assurance to third parties.

The standard will hopefully cover the following aspects of governance:
Risk management - specifically management of information security risks;
Management controls - specifically the ISMS being a coherent framework of information security controls;
Compliance and assurance activities - specifically certification audits, internal audits, management reviews etc. on the ISMS;
The relationship between governance of information security [information security governance], IT [IT governance], possibly information [information governance], and the entire corporation [corporate governance];
Both accountability and responsibility for information security, including issues arising from the nominal ‘ownership’ of information assets by specific individuals or functions within many organizations.

Note: a Special Working Group within ISO/IEC JTC1 is considering how best to cover governance standards. The work on this standard by SC27 will complement governance work being undertaken elsewhere in JTC 1 including SC7.

The New Work Item proposal listed the following areas of scope:
Define information security governance [ISG]
Clarify ISG’s relationship with corporate and IT governance
Produce rationale for developing an ISG framework
Identify focus areas of an ISG framework
Show how an ISG framework can be used to evaluate, direct, and monitor an information security management system
Establish objectives, principles, and processes for an ISG framework
The “justification” section of the NWI proposal stated that the project aims to take account of the needs of stakeholders such as shareholders, regulators, auditors and management.
The SC27 meeting in November 2009 discussed the application of principles from ISO 38500 to information security, and considered the relationship between information security governance and other governance and management disciplines.
Web Link: http://www.iso27001security.com/html/27014.html
