This document discusses two ISO standards: ISO/IEC 27014:2013, which provides guidance on governance of information security, and ISO/IEC 38500:2008, which provides guidance on governance of information technology. It notes some key differences between the two standards, such as ISO 27014 focusing specifically on information security while ISO 38500 focuses more broadly on IT governance. It also discusses the development process for ISO 27014 and some of the challenges faced in creating the standard over five years of work.
1. ISO/IEC 27014:2013 & 38500:2008
Governance of Information
Technology
vs.
Governance of Information Security
Hugh H. Penri-Williams
CFE CIA CCSA CRMA PIIA CISA CISM CGEIT CRISC ITIL-F C31000
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
2. Disclaimer!
Unless indicated otherwise the opinions and
views expressed in this presentation are
those of the author alone and do not reflect
the official policy or position of ISO, AFAI,
ISACA, ITGI, The IIA, IFACI, Alcatel-Lucent,
ACFE, S.W.I.F.T. or any other organization.
Reminder for documents bought from ISO, e.g.:
Licensed to GLANIAD 1865/HUGH PENRI-WILLIAMS
Single user licence only, copying and networking prohibited
3. Who or What does ISO* represent?
The International Organization for Standardization consists of the national
standards institutes of 164 countries (e.g. AFNOR FR, ANSI / NIST US, BSI
GB, DIN DE) with a Central Secretariat in Geneva CH for coordination.
ISACA/ITGI has Category A (originally C in 2008) Liaison status within the
ISO/IEC Joint Technical Committee 1 Information technology:
• SC7 Develops guidance for Software & Systems Engineering
• SC27 Develops guidance for IT Security Techniques, including the 27000 family / series of Security Standards
• SC40 Develops guidance for IT Service Management & IT Governance
ISACA members who are ISO Subject Matter Experts are invited to
volunteer to participate on future review teams for ISO exposure drafts.
*Greek for ‘equal’, NOT an acronym! IEC = International Electrotechnical Commission
ISO also liaises with other standards bodies such as the ITU = International Telecommunication Union
4. ISO/IEC JTC 1/SC 27 Working Groups
WG1 Information security management systems*
• 27000**, 27001, 27002, 27005, etc.
WG2 Cryptography and security mechanisms
• 10116, 18033, 29192, etc.
WG3 Security evaluation, testing and specification
• 15408, 15446, 18045, 29147, etc.
WG4 Security controls and services*
• 27033, 27035, 27036, 27040, 27050, etc.
WG5 Identity management and privacy technologies
• 24745, 24760, 29100**, 29190, etc.
*ISACA Liaison Representatives participate **available FREE of charge on the ISO website
5. The ISO Process Cycle
• Study Period
• New Work Item Proposal
• Working Drafts (1st, 2nd, …)
• Committee Drafts (1st, 2nd, …)
• Final Committee Draft
• Draft International Standard
• Final Draft International Standard
• Publication!
Subsequently, revisions are foreseen every 5 years (most recently it took 8 years for 27001 & 27002!)
Another route results in publication of a Technical Report (TR nnnnn)
6. ISO/IEC 27014 Development 1/2
Study Period agreed in Kyoto JP April 2008; ‘Call for contributions’ issued July 2008 (particularly involved early on were Japan & Korea, who then became co-editors, plus CA, ZA, BE, SE & Liaisons: Information Security Forum & ISACA)
Results presented in Limassol CY Oct. 2008 (the situation was touch & go; ISACA persuaded the WG1 Convenor to call an informal meeting on the future of ISG)
NWIP voting results February 2009: 32 votes on 5 Questions, of which Q2 “Do you support as a NWI?” received 28 YES & 4 Abstentions
Then 3 WDs (during meetings in Beijing CN May & Redmond US Nov. 2009, Melaka* MY Apr. & Berlin DE Oct. 2010) before voting on the 1st CD Feb. 2011: Approval 14 plus 5 with comments = 19, Disapproval 4, Abstention 13! The whole project could nearly have failed again at this stage, just like in Cyprus!
DIS improvements made in Singapore Apr., finalised in Nairobi KE Oct. 2011
*seriously impacted by the absence of European delegations due to the Icelandic volcano – used Skype!
7. ISO/IEC 27014 Development 2/2
November 2011 DIS voting result
P-Members* voting: 24 in favour out of 27 = 89 % (requirement >= 66.66 %) {negative votes: AU, UK, US}
Member bodies voting: 3 negative votes out of 35 = 9 % (requirement <= 25 %)
FDIS improvements made in Stockholm SE May & in Rome IT Oct. 2012
November 2012 FDIS voting result
P-Members voting: 19 in favour out of 20 = 95 % (requirement >= 66.66 %) {negative vote: US}
Member bodies voting: 1 negative vote out of 32 = 3 % (requirement <= 25 %)
Finally published May 2013 = a 5 year effort for 11 pages!
*Participating, i.e. voting, vs. Observing members
8. Corporate Governance (CG) Defined (source OECD)
• involves a set of relationships between an organization’s management, its board, its shareholders and other stakeholders
• also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined
9. Governance
Many other definitions exist but with certain common elements, describing governance as the policies, processes and structures used by an organisation:
• To direct and control its activities
• To achieve its objectives
• To protect the interests of its stakeholders
• Consistent with appropriate ethical standards
10. The Responsibilities of the Board
The board should fulfil certain key functions, including:
1. Reviewing and guiding corporate strategy, annual budgets and business plans; setting performance objectives; monitoring corporate performance; and overseeing major capital expenditures, acquisitions and divestitures.
2. Monitoring the effectiveness of the company’s governance and risk management practices and making changes as needed.
3. Selecting, compensating, monitoring and, when necessary, replacing key executives and overseeing succession planning.
4. Aligning key executive and board remuneration with the longer term interests of the company and its shareholders.
5. Ensuring the integrity of the organisation’s accounting and financial reporting systems.
6. Ensuring a formal and transparent board nomination and election process.
12. Governance does not exist as a set of distinct and separate processes and structures. Rather, there are relationships among governance, risk management, and internal controls:
• Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).
• Effective governance relies on internal controls and communication to the board on the effectiveness of those controls.
• Control and risk also are related, as control is defined as “any action taken by management, the board and other parties to manage risk and increase the likelihood that established goals will be achieved.”
13. Internal Governance Elements
Stakeholders
14. IT Governance Definition
IT Governance is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
IT governance is the responsibility of the board of directors and executive management.
(definition by the IT Governance Institute®)
“Technology is a tool to accomplish business, not an end in itself”
15. COBIT: Governance of Enterprise IT
16. ISACA Contribution to Study Period
17. Ideas that were floated 2/2
18. Conclusion: ISG must differentiate itself from ITG because of Risks from Non-IT factors
21. Why were they created?
ISO 38500 1.3 Objectives
The purpose of this standard is to promote effective, efficient, and acceptable use of IT in all organizations by:
• assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization’s corporate governance of IT;
• informing and guiding directors in governing the use of IT in their organization; and
• providing a basis for objective evaluation of the corporate governance of IT.
22. Why were they created?
ISO 27014 4.1 General
Governance of information security needs to align objectives and strategies for information security with business objectives and strategies, and requires compliance with legislation, regulations and contracts. It should be assessed, analysed and implemented through a risk management approach, supported by an internal control system.
The governing body is ultimately accountable for an organisation’s decisions and the performance of the organisation. In respect to information security, the key focus of the governing body is to ensure that the organisation’s approach to information security is efficient, effective, acceptable and in line with business objectives and strategies, giving due regard to stakeholder expectations. Various stakeholders can have different values and needs.
23. What do they have in common?
24. ISO 38500 vs. ISO 27014
25. What distinguishes them from each other?
38500 fast tracked from AS8015; 27014 completely new!
Only one mention in 38500 of ‘security’, namely as a bullet under 1.4.2 in respect of breaches: security standards!
38500 only refers to ISO Guide 73:2002 because the revised Guide & ISO 31000 were only published in 2009!
27014 refers to the new Guide 73 & ISO 31000 plus 27005 and ITGI’s Security Governance Framework, and, of course, to 38500 itself!
27014 gives examples in an Annex of IS summary & detailed status reports; 38500 has none.
26. What distinguishes them from each other?
ISO 38500 Principles*
1: Responsibility
2: Strategy
3: Acquisition
4: Performance
5: Conformance
6: Human Behaviour
ISO 27014 5.2 Principles**
1 Establish organisation-wide information security
2 Adopt a risk-based approach
3 Set the direction of investment decisions
4 Ensure conformance with internal and external requirements
5 Foster a security-positive environment
6 Review performance in relation to business outcomes
* Mere headings vs. ** action-oriented statements!
27. Resources (1/3)
GTAG-15 Information Security Governance
• What is Information Security Governance?
• Why Should the CAE Be Concerned About Information Security Governance?
• The Internal Audit Activity’s Role in Information Security Governance
• The Internal Audit Activity’s Responsibilities Related to Information Security Governance
• Auditing Information Security Governance
28. Resources (2/3)
GTAG-17 Auditing IT Governance
Some of the key areas of IT governance internal auditors should address are:
• Chief IT Officer (e.g. Chief Information Officer; Chief Technology Officer; Chief Information Security Officer) related roles and responsibilities.
• Accountability and decision-making.
• IT performance monitoring and reporting metrics, including financial management of IT operations and projects.
• CxO level of understanding of how IT supports and enables the achievement of the organization’s strategy and objectives.
• Alignment between IT and the organization.
• IT governance risks and controls.
29. Resources (3/3)
Information technology is the Elephant in the Room – especially the boardroom. Organizations depend on it for routine operations and future performance, and IT problems can have serious consequences. Yet many organizations lack effective oversight of IT, and are at risk of surprises. This book aims to help build shared understanding that leads to a well-integrated system for governance of IT from the boardroom to the coalface, framed around the guidance in ISO/IEC 38500.
by Mark Toomey, also author of The Infonomics Letter (free)
30. Annex I: Bibliography FR
Cadre de référence international des pratiques professionnelles de l’audit interne [CRIPP] (the IIA International Professional Practices Framework) / IIA, IFACI translation – 2013
IT Gouvernance / F. Georgel – 2009
La Gouvernance des Systèmes d’Information (Information Systems Governance) / Audit & Contrôle internes, IFACI N°206 – Sept. 2011
Prise de position IFA/IFACI sur le rôle de l’audit interne dans le gouvernement d’entreprise (IFA/IFACI position paper on the role of internal audit in corporate governance) / IFA; IFACI – 2009