Safeguarding a company’s information against data breaches and hacking is an increasingly complex affair, often involving many systems, tools, and people to get it right. However, all the best efforts in the world can lead to failure if the whole system is not effectively governed to ensure visibility over what works and doesn’t, and how it all fits within organizational structures and strategies.
The International Organization for Standardization (ISO) has recently updated the internationally agreed standard for IS governance.
ISO/IEC 27014, Information security, cybersecurity and privacy protection – Governance of information security, provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate an information security management system (ISMS) based on ISO/IEC 27001.
Dr. Edward Humphreys, convener of the joint ISO and IEC working group of experts that developed the standard , said: “This new edition of ISO/IEC 27014 is a key companion to ISO/IEC 27001 as it is fundamental to the information security governance activities embedded in the scope of an ISMS, and in the context of the overall organizational governance.”
The standard has recently been updated to improve clarity and structure and features new information. It has been aligned with ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, while also remaining relevant to the broader scope of governance requirements of an organization.
ISO/IEC 27014 will be joined by several other standards for information security currently being developed by the same expert committee. These are:
- ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security controls
- ISO/IEC TS 27110, Information technology, cybersecurity and privacy protection – Cybersecurity framework development guidelines
- ISO/IEC TS 27100, Information technology – Cybersecurity – Overview and concepts
- ISO/IEC 27005, Information technology – Security techniques – Information security risk management