Www Iso27001security Com-HTML-27014 HTML


ITU-T Recommendation X.1054 & ISO/IEC 27014:2013 Information technology — Security techniques — Governance of information security

ISO/IEC JTC1/SC27, in collaboration with the ITU Telecommunication Standardization Sector (ITU-T), has developed a standard specifically aimed at helping organizations govern their information security arrangements.

Overview and scope

The standard provides “guidance on concepts and principles for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security related activities within the organisation” and is “applicable to all types and sizes of organisations”. Proper governance of information security ensures alignment of information security with business strategies and objectives, value delivery and accountability. It supports the achievement of visibility, agility, efficiency, effectiveness and compliance.

Structure

After the usual preamble, scope, essential (“normative”) references and definitions, the guts of this admirably succinct standard consist of just two main clauses (“Concepts” and “Principles and processes”) plus two appendices. The standard specifies six high-level “action-oriented” information security governance principles (such as “Establish organisation-wide information security”, “Adopt a risk-based approach” and four more, each one explained by a couple of paragraphs) plus five governance processes (“evaluate”, “direct”, “monitor”, “communicate” and “assure”) used by the governing body.

In order to encourage more transparency, management might wish to confirm the overall status of information security in the organization to customers and stakeholders through management statements or assertions. Two appendices present example or template statements, a formalized high-level version and another with slightly more meat on the bones. The first is similar to the accounting or auditing attestations typically included in annual reports for legal/regulatory compliance purposes: the actual statement is rather bland but the idea is that making senior management formally endorse the content forces them to pay more attention to the true intent - in other words, there’s more to it than you might presume from the literal wording of the statement itself.

Personal notes

SC27 discussed the application of principles from ISO 38500 (“Corporate governance of IT”) to information security, and considered the relationship between information security governance and other governance and management disciplines. ISO/IEC 27014 refers to governance for information security as an integral part of the organization’s corporate governance with strong links to IT governance, but is arguably a bit vague on the details.

Referring separately to ‘the governing body’ and ‘executive management’ is an interesting wrinkle. The definition of ‘governing body’ obliquely notes that both are parts of ‘top management’ although that term is not actually defined. In essence, the standard hints that senior management has distinct governance (as in direction-setting and monitoring) and management (as in hands-on organizational management) roles.

The summary points out that the standard “provides the mandate essential for driving information security initiatives throughout the organisation.” At present, this is typically achieved in part by senior management mandating an overarching organization-wide information security policy that is supported and amplified by lower level security policies, standards, procedures, guidelines and other security awareness materials. The standard does not go into depth on other related aspects (such as the information security, risk and compliance management structures, reporting lines, divisions of responsibility, delegated authorities and so forth).

As an information security professional with a keen interest in security awareness, I am gratified to note that, in order to “establish a positive information security culture, the governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.”

Status

PDFmyURL.com