Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

ISO 27014 et 38500

5,762 views

Published on

ISO 27014 et 38500

Published in: Technology
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

ISO 27014 et 38500

  1. 1. ISO/IEC 27014:2013 & 38500:2008 Governance of Information Technology vs. Governance of Information Security Hugh H. Penri-Williams CFE CIA CCSA CRMA PIIA CISA CISM CGEIT CRISC ITIL-F C31000 ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
  2. 2. Disclaimer! Unless indicated otherwise the opinions and views expressed in this presentation are those of the author alone and do not reflect the official policy or position of ISO, AFAI, ISACA, ITGI, The IIA, IFACI, Alcatel-Lucent, ACFE, S.W.I.F.T. or any other organization. Reminder for documents bought from ISO, e.g.: Licensed to GLANIAD 1865/HUGH PENRI-WILLIAMS Single user licence only, copying and networking prohibited ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 2
  3. 3. Who or What does ISO* represent? The International Organization for Standardization consists of the national standards institutes of 164 countries (e.g. AFNOR FR, ANSI / NIST US, BSI GB, DIN DE) with a Central Secretariat in Geneva CH for coordination. ISACA/ITGI has Category A (originally C in 2008) Liaison status within the ISO/IEC Joint Technical Committee 1 Information technology: ü SubCommittee7 Develops guidance for Software & Systems Engineering ü SC27 Develops guidance for IT Security Techniques, including the 27000 family / series of Security Standards ü SC40 Develops guidance for IT Service Management & IT Governance ISACA members who are ISO Subject Matter Experts are invited to volunteer to participate on future review teams for ISO exposure drafts. *Greek for ‘equal’, NOT an acronym! IEC = International Electrotechnical Committee also liaisons with other standards bodies like ITU = International Telecommunication Union ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 3
  4. 4. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 4 ISO/IEC JTC 1/SC 27 Working Groups WG1 Information security management systems* ü 27000**, 27001, 27002, 27005, etc. WG2 Cryptography and security mechanisms ü 10116, 18033, 29192, etc. WG3 Security evaluation, testing and specification ü 15048, 15446, 18045, 29147, etc. WG4 Security controls and services* ü 27033, 27035, 27036, 27040, 27050, etc. WG5 Identity management and privacy technologies ü 24745, 24760, 29100**, 29190, etc. *ISACA Liaison Representatives participate **available FREE of charge on ISO website
  5. 5. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 5 The ISO Process Cycle Ø Study Period Ø New Work Item Proposal Ø Working Drafts (1st, 2nd,…) Ø Committee Drafts (1st, 2nd,…) Ø Final Committee Draft Ø Draft International Standard Ø Final Draft International Standard Ø Publication! Subsequently, revisions are foreseen every 5 years (most recently it took 8 years for 27001 & 27002!) Another route results in publication of a Technical Report (TR nnnnn)
  6. 6. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 6 ISO/IEC 27014 Development 1/2 Study Period agreed Kyoto JP April 2008, ‘Call for contributions’ issued July 2008 (particularly involved early on were Japan & Korea – who then became co-editors, CA, ZA, BE, SE & Liaisons: Information Security Forum & ISACA) Results presented in Limassol CY Oct. 2008 (situation was touch & go, ISACA persuaded WG1 Convenor to call informal meeting on future of ISG) NWIP voting results February 2009 32 with 5 Questions of which Q2 “Do you support as a NWI” received 28 YES & 4 Abstentions Then 3 WDs (during meetings in Beijing CN May & Redmond US Nov. 2009, Melaka* MY Apr. & Berlin DE Oct. 2010) before voting on 1st CD Feb. 2011: Approval 14 plus with comments 5 = 19, Disapproval 4, Abstention 13! The whole project could have nearly failed again at this stage, just like in Cyprus! DIS improvements made in Singapore Apr., finalised in Nairobi KE Oct. 2011 *seriously impacted by absence of European delegations due to Icelandic volcano – used Skype!
  7. 7. ISO/IEC 27014 Development 2/2 November 2011 DIS voting result *P-Members voting: 24 in favour out of 27 = 89 % (requirement >= 66.66%) {AU, UK, US} Member bodies voting: 3 negative votes out of 35 = 9 % (requirement <= 25%) FDIS improvements made in Stockholm SE May & in Rome IT Oct. 2012 November 2012 FDIS voting result P-Members voting: 19 in favour out of 20 = 95 % (requirement >= 66.66%) {US} Member bodies voting: 1 negative vote out of 32 = 3 % (requirement <= 25%) Finally published May 2013 = 5 year effort for 11 pages! *Participating i.e. voting vs. Observing members ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 7
  8. 8. CG Defined (source OECD) u involves a set of relationships between an organization’s management, its board, its shareholders and other stakeholders u also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 8
  9. 9. Many other definitions exist but with certain common elements, describing governance as the policies, processes and structures used by an organisation: v To direct and control its activities v To achieve its objectives v To protect the interests of its stakeholders v Consistent with appropriate ethical standards ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 9 Governance
  10. 10. The Responsibilities of the Board The board should fulfil certain key functions, including: 1. Reviewing and guiding corporate strategy, annual budgets and business plans; setting performance objectives; monitoring corporate performance; and overseeing major capital expenditures, acquisitions and divestitures. 2. Monitoring the effectiveness of the company’s governance and risk management practices and making changes as needed 3. Selecting, compensating, monitoring and, when necessary, replacing key executives and overseeing succession planning. 4. Aligning key executive and board remuneration with the longer term interests of the company and its shareholders. 5. Ensuring the integrity of the organisation’s accounting and financial reporting systems; 6. Ensuring a formal and transparent board nomination and election ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams process. 10
  11. 11. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 11
  12. 12. Governance does not exist as a set of distinct and separate processes and structures. Rather, there are relationships among governance, risk management, and internal controls: § Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management). § Effective governance relies on internal controls and communication to the board on the effectiveness of those controls. § Control and risk also are related, as control is defined as “any action taken by management, the board and other parties to manage risk and increase the likelihood that established goals will be achieved.” ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 12 Internal Governance Elements
  13. 13. Internal Governance Elements ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 13 Stakeholders
  14. 14. IT Governance Definition ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 14 IT Governance is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives. IT governance is the responsibility of the board of directors and executive management. by the IT Governance Institute® “Technology is a tool to accomplish business, not an end in itself”
  15. 15. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 15 COBIT: Governance of Enterprise IT
  16. 16. ISACA Contribution to Study Period ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 16
  17. 17. Ideas that were floated 2/2 ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 17
  18. 18. Conclusion: ISG must differentiate itself from ITG because of Risks from Non-IT factors ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 18
  19. 19. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 19
  20. 20. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 20
  21. 21. Why were they created? ISO 38500 1.3 Objectives The purpose of this standard is to promote effective, efficient, and acceptable use of IT in all organizations by: • assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization’s corporate governance of IT; • informing and guiding directors in governing the use of IT in their organization; and • providing a basis for objective evaluation of the corporate governance of IT. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 21
  22. 22. Why were they created? ISO 27014 4.1 General Governance of information security needs to align objectives and strategies for information security with business objectives and strategies, and requires compliance with legislation, regulations and contracts. It should be assessed, analysed and implemented through a risk management approach, supported by an internal control system. The governing body is ultimately accountable for an organisation’s decisions and the performance of the organisation. In respect to information security, the key focus of the governing body is to ensure that the organisation’s approach to information security is efficient, effective, acceptable and in line with business objectives and strategies giving due regard to stakeholder expectations. Various stakeholders can have different values and needs. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 22
  23. 23. What do they have in common? ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 23
  24. 24. ISO 38500 ISO 27014 ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 24
  25. 25. What distinguishes them from each other? 38500 fast tracked from AS8015; 27014 completely new! Only one mention in 38500 of ‘security’, namely as a bullet under 1.4.2 in respect of breaches: security standards! 38500 only refers to ISO Guide 73:2002 because revised Guide & ISO 31000 only published in 2009! 27014 refers to new Guide 73 & ISO 31000 plus 27005 and ITGI’s Security Governance Framework, and, of course to 38500 itself! 27014 gives examples in Annex of IS summary & detailed status reports; 38500 has none. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 25
  26. 26. What distinguishes them from each other? ISO 38500 Principles* 1: Responsibility 2: Strategy 3: Acquisition 4: Performance 5: Conformance 6: Human Behaviour ISO 27014 5.2 Principles** 1 Establish organisation-wide information security 2 Adopt a risk-based approach 3 Set the direction of investment decisions 4 Ensure conformance with internal and external requirements 5 Foster a security-positive environment 6 Review performance in relation to business outcomes * Mere headings vs. ** action-oriented statements! ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 26
  27. 27. Resources (1/3) GTAG-­‐15 Informa/on Security Governance § What is Informa/on Security Governance? § Why Should the CAE Be Concerned About Informa/on Security Governance? § The Internal Audit Ac/vity’s Role in Informa/on Security Governance § The Internal Audit Ac/vity’s Responsibili/es Related to Informa/on Security Governance § Audi/ng Informa/on Security Governance ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 27
  28. 28. Resources (2/3) GTAG-­‐17 Audi/ng IT Governance Some of the key areas of IT governance internal auditors should address are: § Chief IT Officer (e.g. Chief Informa/on Officer; Chief Technology Officer; Chief Informa/on Security Officer) related roles and responsibili/es. § Accountability and decision-­‐making. § IT performance monitoring and repor/ng metrics, including financial management of IT opera/ons and projects. § CxO4 level of understanding of how IT supports and enables the achievement of the organiza/on’s strategy and objec/ves. § Alignment between IT and the organiza/on. § IT governance risks and controls. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 28
  29. 29. Information technology is the Elephant in the Room – especially the boardroom. Organizations depend on it for routine operations and future performance, and IT problems can have serious consequences. Yet many organizations lack effective oversight of IT, and are at risk of surprises. This book aims to help build shared understanding that leads to a well-integrated system for governance of IT from the boardroom to the coalface, framed around the guidance in ISO/IEC 38500. Resources (3/3) ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 29 by Mark Toomey also author of The Infonomics Letter (free)
  30. 30. ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 30 A nnex I Bibliography FR Cadre de référence international des pratiques professionnelles de l’audit interne [CRIPP] / IIA, IFACI trad. – 2013 IT Gouvernance / F. Georgel – 2009 La Gouvernance des Systèmes d’Information / Audit & Contrôle internes IFACI N°206 - sept. 2011 Prise de position IFA/IFACI sur le rôle de l’audit interne dans le gouvernement d’entreprise. – IFA ; IFACI – 2009

×