The internationally agreed standard for information security (IS) governance has just been updated. Safeguarding a company’s information against data breaches and hacking is an increasingly complex affair, often involving many systems, tools and people to get it right. However, all the best efforts in the world can lead to failure if the whole system is not effectively governed to ensure visibility over what works and what doesn’t, and over how it all fits within organisational structures and strategies.
The updated standard ISO/IEC 27014, Information security, cyber security and privacy protection – Governance of information security, provides guidance on the concepts, objectives and processes for the governance of information security, by which organisations can evaluate, direct, monitor and communicate an information security management system (ISMS) based on ISO/IEC 27001.
Dr Edward Humphreys, Convenor of the joint ISO and IEC working group of experts that developed the standard, said: “This new edition of ISO/IEC 27014 is a key companion to ISO/IEC 27001 as it is fundamental to the information security governance activities embedded in the scope of an ISMS, and in the context of the overall organisational governance.”
The standard has recently been updated to improve clarity and structure and features new information. It has been aligned with ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, while also remaining relevant to the broader scope of governance requirements of an organisation.
According to ISO, ISO/IEC 27014 will be joined by several other information security standards currently being developed by the same expert committee. These are:
• ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security controls
• ISO/IEC TS 27110, Information technology, cyber security and privacy protection – Cybersecurity framework development guidelines
• ISO/IEC TS 27100, Information technology – Cyber security – Overview and concepts
• ISO/IEC 27005, Information technology – Security techniques – Information security risk management
ISO/IEC 27014 and all the standards listed above are the work of the joint ISO and IEC (International Electrotechnical Commission) technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, Information security, cyber security and privacy protection, whose secretariat is held by DIN, ISO’s member for Germany.