ISO/IEC 27014 Information Security Governance

Book a demo

office,colleagues,having,casual,discussion,during,meeting,in,conference,room.

Information security is a critical concern for businesses as they attempt to adapt to rapid advancements in attack methods and techniques and subsequent changes in regulatory requirements. Failure of an organisation’s information security measures may have several negative consequences for the organisation and its stakeholders, including the loss of trust.

To stay relevant and compete in today’s business world, every enterprise should have an information security governance programme (ISGP) in place. Thankfully, there is an opportunity to improve information security governance and overall risk management in the business environment by aligning it with compliance requirements such as ISO 27001 and the offshoot ISO 27014 standard.

What is ISO/IEC 27014 Standard?

ISO/IEC 27014 is a standard in the ISO/IEC 27000 series.

This standard is “designed to aid organisations in effectively managing their information security strategies.” The standard offers “directions on the principles and concepts for information security governance, from which organisations can evaluate, direct, monitor, communicate and assure information security-related practices in the organisation.

The eleven-page standard summarises information technology governance standards and includes a structure of six principles and five processes. The standard views IT governance as interacting with information technology governance, all of which are components of the wider framework of organisational governance. In December 2020, another ISO/IEC 27014:2020 guidance document was released, succeeding the 2013 first edition.

We’re so pleased we found this solution, it made everything fit together more easily.
Emmie Cooney
Operations Manager Amigo
100% of our users pass certification first time
Book your demo

What is Information Security Governance?

  • Information security governance is the lifecycle of policies, controls and procedures to ensure information security for an organisation.
  • Information security governance brings an integrated approach to overall information security.
  • It guarantees that the organisation’s information security approach is consistent with the organisation’s overall goals. This enables the governing body to make decisions on the organisation’s strategic goals by presenting information about potential threats to information security.
  • Implementing an effective information security governance program will help reduce risk, instil trust into all activities and eliminate inappropriate actions.

What is a Governing Body?

A governing body is a collective of individuals who have the authority and responsibility to formulate policies and lead an organisation’s general trajectory. The collective body is responsible for decision-making and implementation on behalf of its staff, stakeholders, and the organisation.

The governing body’s primary function is to safeguard the organisation’s privileges and interests, as well as those of anyone who works within the organisation’s framework. This body accomplishes this by ensuring that the organisation operates efficiently and is capable of achieving the aims and priorities it has committed to. Additionally, the governing body is accountable for the organisation’s finances, personnel, and assets. One major role of the governing body in any organisation is to make decisions that will encourage the security of information within the organisation.

ISMS.online makes setting up and managing your ISMS as easy as it can get.

Peter Risdon
CISO, Viital

Book your demo

See who we’ve already helped

Implementation of the governance processes for information security (ISO/IEC 27014)

Information security governance processes have been developed to help organisations monitor and manage their information security efforts. They don’t exist in a vacuum, though — they need to be integrated into the overall business management processes if they are going to be effective (and this is true for many related security activities, such as risk management). The governing body and top management are responsible for the execution of four governance systems, according to ISO/IEC 27014:2020.

Evaluate

One of the Information security governance processes is evaluation. Evaluation is an important process in which the current state of a process or component within an organisation is scrutinised. This helps determine what is both right and wrong with that particular process or component.

Direct

Direction is one of the information security governance processes. It includes planning, establishing and reviewing policy standards and procedures, and evaluating compliance by personnel with established limitations.

Monitor

Monitoring is one of the information security processes. It is management activities that ensure the availability, integrity, authentication and confidentiality of the systems and networks as well as check to see that employees are properly using those systems and networks in a way that follows security policies.

Communicate

Communication is the key when it comes to Information Security Governance processes. You are entrusted with keeping your company and its various assets secure, but it cannot be an isolated process.

It helps drive our behaviour in a positive way that works for us
& our culture.

Emmie Cooney
Operations Manager, Amigo

Book your demo

See how our simple, powerful platform works

What are the objectives of Information Security Governance?

Information security governance should ensure that information security measures are robust and integrated. The standard establishes six high-level “action-oriented” principles for information security governance. This includes the following:

Establish organisation-wide information security

Concerns over information technology, or cybersecurity, can penetrate the framework and functions of the organisation. In all levels of management, information security should be combined with information technology (IT) and other functions. Top management should ensure that information security meets the company’s general strategic interests and should create accountability and responsibility across the organisation.

Make decisions using a risk-based approach

Security governance, including resource distribution and budgeting, should be guided by an organisation’s risk appetite, which in turn should be influenced by a risk-based approach that takes into account: competitive advantage loss, regulatory and liability concerns, operational delays, reputational damage, and financial loss.

Set the direction of investment decisions

Ensure that information security risks are properly analysed before embarking on new operations, such as investments, acquisitions, mergers, the introduction of new technologies, outsourcing agreements, and contracts with external suppliers. Additionally, incorporate information security into internal agency processes, such as project management, procurement, financial management, legal and regulatory compliance, and organisational risk management. Top management should develop an information security approach that is aligned with the organisation’s goals, meaning that agency and organisational information security needs are consistent.

Ensure conformance with internal and external requirements

External requirements include required laws and regulations, certification standards, and contractual obligations. Internal criteria are subsets of a larger organisation’s overall aims and priorities. Independent security assessments are the generally agreed method for establishing and tracking conformance. Top management must ensure that information security practices are meeting internal and external standards satisfactorily by looking into independent security audits.

Foster a security-positive culture

There should be coordination and alignment among the different stakeholders in the ISMS. To achieve a coherent course for information security, top management must encourage and facilitate the collaboration of the tasks and activities of everyone affected by the ISMS. Additionally, proof of security instruction, preparation, and awareness programmes should be provided. Information security responsibilities should be incorporated into the positions of personnel and other stakeholders, and all should embrace their responsibilities to contribute to the effectiveness of the ISMS.

Ensure the security performance meets current and future requirements of the entity

Security success is measured not only in terms of efficacy and reliability but also in terms of its effects on overall company goals and objectives. Top management in charge of governance should include periodic reviews of a performance measurement scheme for tracking, auditing, and improvement that translates information security into optimal business performance.

See our platform features in action

A tailored hands-on session based on your needs and goals

Book your demo

Don’t see what you’re looking for?
We can build it easily.

Scope and Purpose of ISO 27014 Standard

The ISO 27014 document provides guidelines on information security governance principles, objectives, and procedures that organisations should use to evaluate, direct, monitor, and communicate information security-related processes within the organisation.

As with the other ISO27k standards, it is “suitable for all type and sizes of organisations,” especially those where the ISMS covers the whole organisation or just a subset of it, or where a single ISMS extends to several companies (such as within a corporate structure).

Proper information security governance guarantees that it is consistent with and supportive of company goals identified in strategies and policies.

ISO 27014 places considerable emphasis on the governance components of ISO/IEC 27001 and establishes governance objectives within this framework. It covers the incorporation of information security governance activities with other governance functions and goals. ISO 27014 further specifies the requirements and expectations of the governing body from an ISO27k ISMS.

Who Should Implement ISO 27014?

ISO/IEC 27014:2020 is targeted for the following audiences:

  • The governing body and top management of an organisation.
  • Those accountable for evaluating, directing, and tracking an ISO/IEC 27001-compliant information security management system (ISMS).
  • Those accountable for information security management that occurs beyond the reach of an ISO/IEC 27001-based information security management system (ISMS), but inside the context of governance.

This document is applicable to all types and sizes of organisations.

How ISMS.online Can Make Implementing ISO 27014 Easy

At ISMS.online, we make it easy for you to document your Information Security Governance so that it is in line with the ISO 27014 standard. We provide you with a logical, usable, cloud-based information management interface that will help your organisation check its infosec governance processes and progress against the ISO 27014 standard.

Our cloud-based platform allows you to access all your ISMS resources in one place. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27014 implementation so that you can demonstrate your dedication to information security governance best practices. Call ISMS.online on +44 (0)1273 041140 to find out more about how we can help you get certified to ISO 27001.

Book your demo

See how simple
it is with
ISMS.online

Book a tailored hands-on session based on your needs and goals.

Book your demo

Since migrating we’ve been able to reduce the time spent on administration.
Jodie Korber
Managing Director Lanrex
100% of our users pass certification first time
Book your demo

The proven path to ISO 27001 success

Built with everything you need to succeed with ease, and ready to use straight out of the box – no training required!
Policies

Perfect Policies & Controls

Easily collaborate, create and show you are on top of your documentation at all times

Find out more
Risk-Management

Simple Risk Management

Effortlessly address threats & opportunities and dynamically report on performance

Find out more
Reporting

Measurement & Automated Reporting

Make better decisions and show you are in control with dashboards, KPIs and related reporting

Find out more
Audits

Audits, Actions & Reviews

Make light work of corrective actions, improvements, audits and management reviews

Find out more
Linking

Mapping & Linking Work

Shine a light on critical relationships and elegantly link areas such as assets, risks, controls and suppliers

Find out more
Assets

Easy Asset Management

Select assets from the Asset Bank and create your Asset Inventory with ease

Find out more
Seamless-Integration

Fast, Seamless Integration

Out of the box integrations with your other key business systems to simplify your compliance

Find out more
Standards-Regulations

Other Standards & Regulations

Neatly add in other areas of compliance affecting your organisation to achieve even more

Find out more
Compliance

Staff Compliance Assurance

Engage staff, suppliers and others with dynamic end-to-end compliance at all times

Find out more
Supply-Chain

Supply Chain Management

Manage due diligence, contracts, contacts and relationships over their lifecycle

Find out more
Interested-Parties

Interested Party Management

Visually map and manage interested parties to ensure their needs are clearly addressed

Find out more
Privacy

Strong Privacy & Security

Strong privacy by design and security controls to match your needs & expectations

Find out more
 

What kind of help do you need from us?

New to information security?

We have everything you need to design, build and implement your first ISMS.

Find out more

Ready to transform your ISMS?

We’ll help you get more out of the infosec work you’ve already done.

Find out more

Want to unleash your infosec expertise?

With our platform you can build the ISMS your organisation really needs.

Find out more

Explore other standards within the ISO 27k family

  • 1The ISO 27000 family
  • 2ISO 27002
  • 3ISO 27003
  • 4ISO 27004
  • 5ISO 27005
  • 6ISO 27008
  • 7ISO 27009
  • 8ISO 27010
  • 9ISO 27014
  • 11ISO 27013
  • 12ISO 27016
  • 13ISO 27017
  • 14ISO 27018
  • 15ISO 27019
  • 16ISO 27038
  • 17ISO 27039
  • 18ISO 27040
  • 19ISO 27050
  • 20ISO 27102

100% of our users achieve ISO 27001 certification first time

Start your journey today
See how we can help you

Streamline your workflow with our new Jira integration! Learn more here.