BS ISO/IEC 27014:2013 Information technology - Security techniques - Governance of information security (PDF; Chinese title: Information technology - Security techniques - Information security management)

Uploaded by: lawfemale396 | Document ID: 396679 | Uploaded: 2018-10-18 | Format: PDF | Pages: 22 | Size: 1,022 KB
Resource description

BSI Standards Publication (raising standards worldwide)
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

BS ISO/IEC 27014:2013
Information technology - Security techniques - Governance of information security

BRITISH STANDARD
National foreword

This British Standard is the UK implementation of ISO/IEC 27014:2013. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013. Published by BSI Standards Limited 2013
ISBN 978 0 580 69147 8
ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 May 2013.

Amendments issued since publication: Date / Text affected

Reference number ISO/IEC 27014:2013(E)
© ISO/IEC 2013

INTERNATIONAL STANDARD ISO/IEC 27014
First edition 2013-05-15
Information technology - Security techniques - Governance of information security
(French title: Technologies de l'information - Techniques de sécurité - Gouvernance de la sécurité de l'information)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

CONTENTS (Page)
Summary iv
Foreword v
1 Scope 1
2 Normative references 1
3 Definitions 1
4 Concepts 2
4.1 General 2
4.2 Objectives 2
4.3 Desired Outcomes 2
4.4 Relationship 2
5 Principles and processes 3
5.1 Overview 3
5.2 Principles 3
5.3 Processes 5
5.3.1 Overview 5
5.3.2 Evaluate 5
5.3.3 Direct 6
5.3.4 Monitor 6
5.3.5 Communicate 6
5.3.6 Assure 7
Annex A (informative) An example of information security status 8
Annex B (informative) An example of detailed information security status 9
Bibliography 11

INTERNATIONAL STANDARD / ITU-T RECOMMENDATION
Information technology - Security techniques - Governance of information security

Summary

This Recommendation | International Standard provides guidance on the governance of information security. Information security has become a key issue for organisations. Not only are there increasing regulatory requirements but also the failure of an organisation's information security measures can have a direct impact on an organisation's reputation. Therefore, the governing body, as part of its governance responsibilities, is increasingly required to oversee information security to ensure the objectives of the organisation are achieved.

In addition, governance of information security provides a powerful link between an organisation's governing body, executive management and those responsible for implementing and operating an information security management system. It provides the mandate essential for driving information security initiatives throughout the organisation.

Furthermore, an effective governance of information security ensures that the governing body receives relevant reporting - framed in a business context - about information security-related activities. This enables pertinent and timely decisions about information security issues in support of the strategic objectives of the organisation.

Foreword

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a world-wide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology that fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. ISO (the International Organisation for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organisations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.1054.

ISO/IEC FDIS 27014:2013(E) / ITU-T Rec. X.1054 (09/2012)

1 Scope

This Recommendation | International Standard provides guidance on concepts and principles for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security related activities within the organisation.

This International Standard is applicable to all types and sizes of organisations.

2 Normative references

The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.

- ISO/IEC 27000:2009, Information technology - Security techniques - Information security management systems - Overview and vocabulary

3 Definitions

For the purposes of this Recommendation | International Standard, the terms and definitions in ISO/IEC 27000:2009 and the following definitions apply:

3.1 executive management
person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organisation.
NOTE 1 Executive management form part of top management: For clarity of roles, this standard distinguishes between two groups within top management: the governing body and executive management.
NOTE 2 Executive management can include Chief Executive Officers (CEOs), Heads of Government Organizations, Chief Financial Officers (CFOs), Chief Operating Officers (COOs), Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and like roles.

3.2 governing body
person or group of people who are accountable for the performance and conformance of the organisation
NOTE Governing body forms part of top management: For clarity of roles, this standard distinguishes between two groups within top management: the governing body and executive management.

3.3 governance of information security
system by which an organisation's information security activities are directed and controlled

3.4 stakeholder
any person or organisation that can affect, be affected by, or perceive themselves to be affected by an activity of the organisation.
NOTE A decision maker can be a stakeholder.

4 Concepts

4.1 General

Governance of information security needs to align objectives and strategies for information security with business objectives and strategies, and requires compliance with legislation, regulations and contracts. It should be assessed, analysed and implemented through a risk management approach, supported by an internal control system.

The governing body is ultimately accountable for an organisation's decisions and the performance of the organisation. In respect to information security, the key focus of the governing body is to ensure that the organisation's approach to information security is efficient, effective, acceptable and in line with business objectives and strategies, giving due regard to stakeholder expectations. Various stakeholders can have different values and needs.

4.2 Objectives

The objectives of governance of information security are to:
- align the information security objectives and strategy with business objectives and strategy (strategic alignment)
- deliver value to the governing body and to stakeholders (value delivery)
- ensure that information risk is being adequately addressed (accountability)

4.3 Desired Outcomes

The desired outcomes from effectively implementing governance of information security include:
- governing body visibility on the information security status
- an agile approach to decision-making about information risks
- efficient and effective investments on information security
- compliance with external requirements (legal, regulatory or contractual)

4.4 Relationship

There are several other areas of governance models within an organisation, such as governance of information technology, and organisational governance. Every governance model is an integral component of the governance of an organisation, which emphasizes the importance of alignment with business objectives. It is usually beneficial for the governing body to develop a holistic and integrated view of its governance model, of which governance of information security should be a part. The scopes of governance models sometimes overlap. For example, the relationship between governance of information security and governance of information technology is illustrated in Figure 1.

[Figure 1 - Relationship between governance of information security and governance of information technology]

Whereas the overarching scope of governance of information technology aims at resources required to acquire, process, store and disseminate information, the scope of governance of information security covers confidentiality, integrity and availability of information. Both governance schemes need to be handled by the following governance processes: EDM (Evaluate, Direct, Monitor). However, the governance of information security requires the additional internal process "communicate". The tasks required of the governing body to establish governance of information security are described in Clause 5. Governance tasks are also related to management requirements specified in ISO/IEC 27001 as well as to other standards of the ISMS family, as referenced in the Bibliography.

5 Principles and processes

5.1 Overview

This clause describes the principles and processes that, together, form the governance of information security. Governance principles of information security are accepted rules for governance action or conduct that act as a guide for the implementation of governance. A governance process for information security describes a series of tasks enabling the governance of information security and their interrelationships. It also shows a relationship between governance and the management of information security. These two components are explained in the following subclauses.

5.2 Principles

Meeting the needs of stakeholders and delivering value to each of them is integral to the success of information security in the long term. To achieve the governance objective of aligning information security closely with the goals of the business and to deliver value to stakeholders, this sub-clause sets out six action-oriented principles. The principles provide a good foundation for the implementation of governance processes for information security. The statement of each principle refers to what should happen, but does not prescribe how, when or by whom the principles would be implemented, because these aspects are dependent on the nature of the organisation implementing the principles. The governing body should require that these principles be applied and appoint someone with responsibility, accountability, and authority to implement them.

Principle 1: Establish organisation-wide information security

Governance of information security should ensure that information security activities are comprehensive and integrated. Information security should be handled at an organisational level with decision-making taking into account business, information security, and all other relevant aspects. Activities concerning physical and logical security should be closely coordinated. To establish organisation-wide security, responsibility and accountability for information security should be established across the full span of an organisation's activities. This regularly extends beyond the generally perceived borders of the organisation, e.g. with information being stored or transferred by external parties.

Principle 2: A
