
ISO/IEC 27014:2020—Governance Of Information Security

Information technology security concept showcasing strong security controls to protect data that adheres to IT requirements in ISO/IEC 27014:2020.


The average cost of a data breach was $4.45 million in 2023, the highest average on record. The average time to identify a breach is 207 days. Information security is a key issue for organizations, and it has been amplified by rapid advances in attack methodologies and technologies. Luckily, ISO/IEC 27014:2020—Information Security, Cybersecurity And Privacy Protection – Governance Of Information Security provides guidance on the governance of information security.

What Is Governance of Information Security?

There are many areas of governance within an entity, including information security, information technology, health and safety, quality, and finance. Governance in information security describes the way a company manages its information security needs. Ideally, it protects the integrity, confidentiality, and availability of information. IT managers begin by identifying all possible risks and establishing an information security management system (ISMS). They then design proactive policies, frameworks, and strategies to tackle these issues at the source.

What Is ISO/IEC 27014?

ISO/IEC 27014:2020 provides guidance on concepts, objectives, and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization. The intended audience for this document is:

  1. Governing body and top management
  2. Those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001
  3. Those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance

Our past post ISO/IEC 27001:2022—Information Security Systems explains ISO/IEC 27001 more in depth.

Why Are Security Controls Important?

Business is becoming more digital by the day, driven by advances in everything from cloud computing and artificial intelligence (AI) to blockchain and the Internet of Things (IoT). With increasing volumes of sensitive data and systems now in the digital space, protecting them from cybercriminals is a growing priority, particularly as these criminals are becoming increasingly sophisticated and tenacious. Security control failures can have many adverse impacts on an organization including unauthorized access and/or use of corporate systems, denial of service attacks, the transmission of malicious code such as ransomware, and data exfiltration.

Implementing strong security controls (i.e., any type of safeguard or countermeasure used to avoid, detect, counteract or minimize security risks to physical property, information, computer systems or other assets) is critical to protecting various forms of data and infrastructure important to an organization.

Types of Security Controls

There are several types of security controls that can protect hardware, software, networks, and data from actions and events that could cause loss or damage. They are categorized as physical, administrative, and technical controls.

  1. Physical security controls: set of security controls implemented physically to prevent unauthorized access to the data and security risks (e.g., data center perimeter fencing, alarm systems, locks, guards, access control cards, biometric access control systems, surveillance cameras and intrusion detection sensors)
  2. Administrative security controls: set of security rules, policies, procedures, or guidelines specified by the management to control access and usage of confidential information (e.g., employee training and awareness)
  3. Technical security controls: set of hardware and software controls that protect a system against cyberattacks (e.g., access controls, firewalls, encryption, intrusion detection systems, and network authentication)

Types of Technical Security Controls

What Are the Main Objectives of Information Security Governance?

An organization’s governing body provides overall direction and control of activities that affect the security of an organization’s information. ISO/IEC 27014:2020 details that this direction and control focus on circumstances where inadequate information security can adversely affect the organization’s ability to achieve its overall objectives. The standard sets out six governance objectives:

  1. Objective 1: Establish integrated comprehensive entity-wide information security
  2. Objective 2: Make decisions using a risk-based approach
  3. Objective 3: Set the direction of acquisition
  4. Objective 4: Ensure conformance with internal and external requirements
  5. Objective 5: Foster a security-positive culture
  6. Objective 6: Ensure the security performance meets current and future requirements of the entity

ISO/IEC 27014:2020—Information Security, Cybersecurity And Privacy Protection – Governance Of Information Security is available on the ANSI Webstore and in the Standards Packages: ISO/IEC 27007 / ISO/IEC 27009 / ISO/IEC 27014 / ISO/IEC 27001 – Cybersecurity And Privacy Protection Package and ISO/IEC 27018 / ISO/IEC 27014 / ISO/IEC TR 27015 – Cloud Security for Finance Package.
