The standard for IS governance just updated.


Safeguarding a company’s information against data breaches and hacking is an increasingly complex affair, often involving many systems, tools and people to get it right. However, all the best efforts in the world can lead to failure if the whole system is not effectively governed to ensure visibility over what works and doesn’t, and how it all fits within organizational structures and strategies. The internationally agreed standard for IS governance has just been updated.

ISO/IEC 27014, Information security, cybersecurity and privacy protection – Governance of information security, provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate an information security management system (ISMS) based on ISO/IEC 27001.

Dr Edward Humphreys, Convenor of the joint ISO and IEC working group of experts that developed the standard [1], said:

"This new edition of ISO/IEC 27014 is a key companion to ISO/IEC 27001 as it is fundamental to the information security governance activities embedded in the scope of an ISMS, and in the context of the overall organizational governance."


The standard has recently been updated to improve clarity and structure and features new information. It has been aligned with ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, while also remaining relevant to the broader scope of governance requirements of an organization.

ISO/IEC 27014 will be joined by several other standards for information security currently being developed by the same expert committee. These are:

ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security controls

ISO/IEC TS 27110, Information technology, cybersecurity and privacy protection – Cybersecurity framework development guidelines

ISO/IEC TS 27100, Information technology – Cybersecurity – Overview and concepts

ISO/IEC 27005, Information technology – Security techniques – Information security risk management