Is ISO 27014 the new graal of information security governance ?!

The needs for more governance

Cyber attacks are unfortunately growing in terms of frequency, business impacts and visibility. When reading the headlines, citizens, end consumers and senior executives are more and more aware of severe data breaches. For example, the very recent Dropbox data breach left 6.9 million accounts possibly compromised…

No organization can avoid being influenced by the tsunami of innovative technology such as the Social Mobile Analytics and Cloud (SMAC) services. Technology makes business efficient, however information security is often simply ignored.

As a result, this growing complexity and speed of business, IT and threats landscape requires both more flexibility and a stronger governance.

Let’s define Governance !

In the IT world there is a great confusion in understanding the meaning of the words “governance”, “organization” and “management”.

Go back to the basics! Corporate governance broadly refers to the mechanisms, processes and relations by which corporations are controlled and directed. Governance structures identify the distribution of rights and responsibilities among different participants in the corporation (such as the board of directors, managers, shareholders, creditors, auditors, regulators, and other stakeholders) and includes the rules and procedures for making decisions in corporate affairs. Corporate governance includes the processes through which corporations’ objectives are set and pursued in the context of the social, regulatory and market environment. Governance mechanisms include monitoring the actions, policies and decisions of corporations and their agents. Corporate governance practices are affected by attempts to align the interests of stakeholders.

The concept of information security governance should be inseparable from the concepts Corporate Governance and IT Governance.

From information security governance frameworks … to ISO/IEC 27014

The IT Governance Institute (ITGI) and ISACA were among the first to issue guidelines for the governance of information security, and their various publications have been complemented by other governance frameworks. Other frameworks have been proposed by industry advisory services such as Gartner Group or Deloitte for examples.

This collection of different frameworks emphasizes the need to standardize and professionalize information security governance. As a result, ISO/IEC 27014 was published in 2013 and provides guidance on concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security related activities within the organization.

A bunch of benefits

Using ISO 27014 will allow you to 1/Better align information security with the strategy and goals of the organisation (strategic alignment) 2/ Deliver business value to stakeholders, including the board (value delivery) 3/Ensure effective management of risk (accountability)

The benefits of employing ISO 27014 will be 0/ Raise awareness at the board level 1/ Board oversight of information security matters 2/A flexible approach to risk decision making 3/ Efficient and effective investments on information security 4/Compliance with regulations, standards and agreements.

Remember it was once upon a time, in 2000, the ISO 27002 standard adoption … It was massively used by the industry, consulting firms and end users. At the very moment, most of large firms have being designed and/or implemented the controls. ISO 27014 is surely not a new buzz or standard. It shows the growing interest of shaping information security governance in a professional way. It is not an end in itself but a strong pre requisite to better manage risks.

Let’s try NOW the five tenets of the ISO 27014 standard !

• Principle 1 – Establish organisation-wide information security
• Principle 2 – Adopt a risk-based approach
• Principle 3 – Set the direction of investment decisions
• Principle 4 – Ensure conformance with internal and external requirements
• Principle 5 – Foster a security-positive environment
• Principle 6 – Review performance in relation to business outcomes