General Information

Status: Published
Current Stage: 4020 - DIS ballot initiated: 5 months
Start Date: 10-Jan-2020
Completion Date: 10-Jan-2020

Standard: ISO/IEC DIS 27014 - Information security, cybersecurity and privacy protection -- Governance of information security (English language, 15 pages)

Standards Content (sample)

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27014
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2020-01-10
Voting terminates on: 2020-04-03
Information security, cybersecurity and privacy protection — Governance of information security
ICS: 35.030
Reference number: ISO/IEC DIS 27014:2020(E)

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

This document is circulated as received from the committee secretariat.

© ISO/IEC 2020
ISO/IEC DIS 27014:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword .... iv
Summary .... v
1 Scope .... 1
2 Normative references .... 1
3 Definitions .... 1
4 Abbreviations .... 2
5 Conventions .... 2
6 Use and structure of this Recommendation | International Standard .... 2
7 Governance and management standards .... 3
7.1 Overview .... 3
7.2 Governance activities within the scope of an ISMS .... 3
7.3 The role of ISO/IEC 27001 .... 4
7.4 Other related standards .... 4
7.5 Thread of governance within the organization .... 4
8 Organizational governance and information security governance .... 5
8.1 Overview .... 5
8.2 Objectives .... 5
8.2.1 Objective 1: Establish integrated comprehensive organization-wide information security .... 5
8.2.2 Objective 2: Make decisions using a risk-based approach .... 5
8.2.3 Objective 3: Set the direction of acquisition .... 5
8.2.4 Objective 4: Ensure conformance with internal and external requirements .... 6
8.2.5 Objective 5: Foster a security-positive culture .... 6
8.2.6 Objective 6: Ensure the security performance meets current and future requirements of the organization .... 6
8.3 Processes .... 6
8.3.1 General .... 6
8.3.2 Evaluate .... 7
8.3.3 Direct .... 8
8.3.4 Monitor .... 8
8.3.5 Communicate .... 9
9 The governing body’s requirements on the ISMS .... 9
9.1 Organization and ISMS .... 9
9.2 Scenarios .... 10
9.2.1 Type A: The ISMS organization is the whole entity .... 10
9.2.2 Type B: The ISMS organization forms a part of a larger entity .... 10
9.2.3 Type C: The ISMS organization includes parts of several entities .... 11
Annex A (informative) Governance relationship .... 12
Annex B (informative) Types of ISMS organization .... 13
Annex C (informative) Examples of Communication .... 14
Bibliography .... 15
Foreword

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a world-wide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of Recommendations | International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information security, cybersecurity and privacy protection, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This Recommendation | International Standard is drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare Recommendations | International Standards. Draft Recommendations | International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.1054.
Summary

Information security is a key issue for organizations, amplified by rapid advances in attack methodologies and technologies, and corresponding increased regulatory pressures.

The failure of an organization’s information security controls can have many adverse impacts on an organization and its interested parties, including but not limited to the undermining of trust.

Governance of information security is the use of resources to ensure effective implementation of information security, and provides assurance that:

• directives concerning information security will be followed; and
• the governing body will receive reliable and relevant reporting about information security related activities.

This assists the governing body to make decisions concerning the strategic objectives for the organization by providing information about information security that may affect these objectives. It also ensures that information security strategy aligns with the overall objectives of the entity.

Managers and others working in organizations need to understand:

• the governance requirements that affect their work; and
• how to meet governance requirements that require them to take action.

Keywords

Information Security, Information Security Management, ISMS, Information Security Governance, EDM-model
Information security, cybersecurity and privacy protection — Governance of information security

1 Scope

This Recommendation | International Standard provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization.

The intended audience for this document is:

• Governing body and top management
• Those who are responsible for evaluating, directing and monitoring an ISMS (Information Security Management System) based upon ISO/IEC 27001
• Those responsible for information security management that takes place outside the scope of an ISMS based upon ISO/IEC 27001, but within the scope of governance.

This Recommendation | International Standard is applicable to all types and sizes of organizations.

All references to an ISMS in this document apply to an ISMS based upon ISO/IEC 27001.

This document focuses on the three types of ISMS organizations given in Annex B. However, this document can also be used by other types of organizations.

2 Normative references

The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements

3 Definitions

For the purposes of this Recommendation | International Standard, the terms and definitions given in ISO/IEC 27000, ISO 19011, and the following apply.

ISO, IEC and ITU-T maintain terminological databases for use in standardization at the following addresses:

• ITU-T Terms and Definitions: available at http://www.itu.int/go/terminology-database
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp

Specific definitions of relevance to this document:
3.1 entity
Noun: a thing with distinct or independent existence.
[Oxford English Dictionary]

Note 1 to entry: In the context of this standard, the entity encompasses both the organization and other bodies or parties. An entity may be a group of companies, or a single company, or a not-for-profit company, or other. The entity has governance authority over the organization. The entity may be identical to the organization, for example in smaller companies.

3.2 organization
Noun: an organized group of people with a particular purpose, such as a business or government department.
[Oxford English Dictionary]

Note 1 to entry: In the context of this standard, an organization is that which implements the ISMS.

3.3 governing body
Person or group of people who are accountable for the performance and conformance of the entity
[ISO/IEC 27000:2018, 3.24, modified — “organization” has been replaced by “entity”]

3.4 top management
Person or group of people who directs and controls an organization at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system covers only part of an entity, then top management refers to those who direct and control that part of the entity. In this situation, top management are accountable to the governing body of the entity.

Note 3 to entry: Depending on the size and resources of the organization, top management may be the same as the governing body.

Note 4 to entry: Top management reports to the governing body. [ISO/IEC 27000:2018, 3.75]

Note 5 to entry: ISO/IEC 37001 also provides definitions for governing body and top management.

4 Abbreviations

EDM Evaluate, Direct, Monitor
ISMS Information Security Management System
IT Information Technology

5 Conventions

No conventions.
6 Use and structure of this Recommendation | International Standard

This Recommendation | International Standard describes how information security governance operates within an ISMS based upon ISO/IEC 27001, and how these activities can relate to other governance activities which operate outside the scope of an ISMS. It outlines four main processes of “evaluate”, “direct”, “monitor” and “communicate” in which an ISMS can be structured inside an organization, and suggests approaches for integrating information security governance into organizational governance activities in each of these processes. Finally, Annex A describes the relationships between organizational governance, governance of information technology and governance of information security.

An organization is the part of an entity which runs and manages an ISMS. The ISMS covers the whole of the organization, by definition (see ISO/IEC 27000); it may not cover the whole of the entity. This is illustrated in Figure B.1.
7 Governance and management standards

7.1 Overview

Governance of information security is the means by which an organization’s governing body provides overall direction and control of activities that affect the security of an organization’s information. This direction and control focuses on circumstances where inadequate information security can adversely affect the organization’s ability to achieve its overall objectives. It is common for a governing body to realise its governance objectives by:

• providing direction by setting strategies and policies;
• monitoring the performance of the organization; and
• evaluating proposals and plans developed by managers.

Management of information security is associated with ensuring the achievement of the objectives of the organization described within the strategies and policies established by the governing body. This can include interacting with the governing body by:

• providing proposals and plans for consideration by the governing body; and
• providing information to the governing body concerning the performance of the organization.

Effective governance of information security requires both members of the governing body and managers to fulfil their respective roles in a consistent way.
7.2 Governance activities within the scope of an ISMS

ISO/IEC 27001 does not use the term “governance” but specifies a number of requirements which are governance activities. The following list provides examples of these activities. In the subclauses, references to the organization and top management are, as previously noted, associated with the scope of an ISMS based on ISO/IEC 27001.

• Subclause 4.1, Understanding the organization and its context, requires the organization to identify what it is aiming to achieve – its information security goals and objectives. These should be related to, and support, the overall goals and objectives of the entity. This relates to governance objectives 1, 3 and 4 stated in 8.2 of this document.

• Subclause 4.2, Understanding the needs and expectations of interested parties, requires the organization to identify the interested parties that are relevant to its ISMS, and the requirements of those interested parties relevant to information security. This relates to governance objective 4 stated in 8.2 of this document.

• Subclause 4.3, Determining the scope of the ISMS, requires the organization to define the boundaries and applicability of the ISMS to establish its scope by considering the external issues and internal issues, the requirements, and interfaces and dependencies. It is also specified that the organization shall build the requirements and expectations of interested parties into its information security management system, as well as external and internal issues (such as laws, regulations and contracts). This relates to governance objective 1 stated in 8.2 of this document.

• Clause 5, Leadership, specifies that the organization shall set policy, objectives, and integrate information security into its processes (which may be considered to include governance processes). It requires the organization to make suitable resources available and communicate the importance of information security management. Most importantly, it also states that the organization shall direct and support persons to contribute to the effectiveness of the ISMS, and that other relevant management roles shall be supported in their areas of responsibility. The clause contains instructions for setting policy, and assigning roles for information security management and reporting. This relates to governance objectives 1 and 3 stated in 8.2 of this document.

• Clause 6, Planning, considers the design of a risk management approach for the organization, specifying that the organization shall identify risks and opportunities to be addressed to ensure that its ISMS will be effective. It introduces the concept of risk owners, and puts their responsibilities into the context of the organization’s activities to manage risk and approve risk treatment activities. It also requires the organization to establish information security objectives. This relates to governance objective 2 stated in 8.2 of this document.

• Clause 7, Support, specifies that persons shall be competent in carrying out their information security obligations, and provides a requirement for organizational communications. This relates to governance objective 5 stated in 8.2 of this document.

• Clause 8, Operation, specifies the responsibility of the organization to plan, implement and control its ISMS, including outsourced arrangements.

• Clause 9, Performance evaluation, requires monitoring and reporting of all relevant aspects of the ISMS, internal audits, and top management and governing body review and decisions on the operational effectiveness of the ISMS, including any changes required. This relates to governance objective 6 stated in 8.2 of this document.

• Clause 10, Improvement, specifies the identification and treatment of non-conformities, the requirement for identification of opportunities for continual improvement, and acting on those opportunities. This relates to governance objective 4 stated in 8.2 of this document.
7.3 The role of ISO/IEC 27001

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

7.4 Other related standards

ISO/IEC 38500 provides guiding principles for members of governing bodies of organizations on the effective, efficient, and acceptable use of information technology within their organizations. It also provides guidance to those advising, informing, or assisting governing bodies in governance of IT.

7.5 Thread of governance within the organization

These threads are in exact correspondence to the organizational governance processes described in Clause 8. The last two items in the list are equivalents of their governance aspects in the context of information security:

• the alignment of the information security objectives with the business objectives;
• the management of information security risk in accordance with those information security objectives;
• the avoidance of conflicts of interest in the management of information security;
• preventing the organization’s information technology from being used to harm other organizations.
8 Organizational governance and information security governance

8.1 Overview

An ISMS focuses upon management of risks relating to information. It does not directly address subjects such as profitability, acquisition, use and realisation of assets, or the efficiency of other processes, although it should support any organizational objectives on these subjects.

There are many areas of governance within an organization, including information security, information technology, health and safety, quality, and finance. Each governance area is a component of the overall governance objectives of an organization, and thus should be aligned with organizational discipline. The scopes of governance models sometimes overlap. Subclauses 8.2 and 8.3 describe objectives and processes involved in governance, which can apply to any area being governed. Types of organization are discussed in Clause 9 and in Annex B.

8.2 Objectives

8.2.1 Objective 1: Establish integrated comprehensive organization-wide information security

Governance of information security should ensure that information security objectives are comprehensive and integrated. Information security should be handled at an organizational level, with decision-making taking into account entity priorities. Activities concerning physical and logical security should be closely coordinated. This does not, however, require a single set of security measures, or a single information security management system (ISMS) across the entity.

To ensure organization-wide information security, responsibility and accountability for information security should be established across the full span of an organization’s activities. This may extend beyond the generally perceived ‘borders’ of an entity, e.g. to include information being stored or transferred by external parties.

8.2.2 Objective 2: Make decisions using a risk-based approach

Governance of information security should be based on compliance obligations, and also upon organization-specific risk-based decisions. In addition to satisfying relevant regulatory requirements, determining how much security is acceptable should be based upon the risk appetite of an organization, including loss of competitive advantage, compliance and liability risks, operational disruptions, reputational harm, and financial loss.

Information security risk management should be consistent across the organization and include considerations of the adverse financial, operational, and reputational impacts of breaches and non-compliance. Furthermore, information security risk management should be integrated with the entity’s overall risk management approach so it isn’t done in isolation and doesn’t cause confusion, for example, mapping to the entity methodology or capturing strategic information risks into the entity’s risk register.

Appropriate resources to implement information risk management should be allocated as a part of the security governance process.

8.2.3 Objective 3: Set the direction of acquisition

The impact of information security risk should be adequately assessed when undertaking new activities, including but not limited to any investment, purchases, merger, adoption of new technology, outsourcing arrangements and contract with external suppliers. The top management for the ISMS should establish an information security strategy based on entity objectives, ensuring harmonisation between entity requirements and organizational information security requirements, thereby meeting the current and evolving needs of interested parties.

To optimise information security acquisition to support entity objectives, the governing body should ensure that information security is integrated with existing entity processes, including project management, procurement, financial expendi
...
