Achieving Information Security Governance through ISMS Implementation
Prof. Edward Humphreys (Hagenberg University of Applied Sciences, Austria & Beijing Institute of Technology)

Transcript of the slides:

Page 1: Achieving Information Security Governance through ISMS Implementation. Prof. Edward Humphreys (Hagenberg University of Applied Sciences, Austria & Beijing Institute of Technology)

Page 2:

Governance is the activity of governing. It consists of management and leadership processes and relates to

• consistent management,
• cohesive policies and processes,
• well-informed decision making, and
• appropriate allocation of decision-rights.

For example, managing at a corporate level involves evolving policies on security of assets, risk management, internal controls, management reviews, the use of information …

Page 3:

Actors:
• Executives, CEO, Directors
• Business Unit Heads
• Senior Managers
• CIO/CISO
• Project Managers
• Employees

Actions:
• What am I required to do?
• What are my roles and responsibilities?
• How do I accomplish my objectives?
• How effectively do I achieve my objectives?
• What adjustments do I need to make to improve?

Page 4: (diagram)

Management levels: Executive management; Senior and middle management; Lower management
Instruments: Directives; Policies & standards; Procedures
Flows: direction; execution; control

Page 5: (diagram) Information security gap: between what is needed and what is provided.

Factors:
• widespread use and diversity of technology
• systems interconnectivity
• distance and time no longer constraints
• unevenness of technological changes
• delegation of management and control
• unconventional electronic attacks against organizations
• external factors such as legal, regulatory and contractual requirements

Page 6: (diagram) Corporate governance; Information security governance; IT governance

Effective information security requires the active engagement of executive management defining specific tasks that employees at all levels of an organization can discharge.

Page 7: (diagram) PDCA cycle applied to risk

PLAN: risk assessment; risk management decision making
DO: implement system of risk controls
CHECK: ISMS measurements; risk review; risk re-assessment
ACT: implement improvements of risk controls

Page 8:

Plan, Do, Check, Act (PDCA) decision making model

Page 9:

Page 10: (diagram)

Levels:
• strategic (annual reviews, establishing policies, organisational objectives)
• tactical (review/follow-up)
• operational (daily)

Dimensions: people (who), process (how), technology (what)

Assets, risks and controls at each level: Operations; Tactical; Strategic

Page 11: (diagram: Strategy, Tactical and Operational levels, each with Risk, System of controls, Metrics and Audits, within the PLAN, DO, CHECK, ACT cycle)

Strategic alignment
• ISMS is driven by enterprise requirements
• Security solutions that are ‘fit for purpose’ for enterprise processes
• Investment in information security aligned with enterprise strategy and agreed upon the organisation’s risk profile

Page 12: (same diagram as Page 11: Strategy, Tactical and Operational levels, each with Risk, System of controls, Metrics and Audits, within the PLAN, DO, CHECK, ACT cycle)

Value delivery
• A standard set of security practices (following ISO/IEC 27002)
• Properly prioritized and distributed effort to areas with greatest impact and business benefit
• Complete and customised solutions covering organization, process as well as technology
• A continuous improvement culture

Page 13: (same diagram as Page 11: Strategy, Tactical and Operational levels, each with Risk, System of controls, Metrics and Audits, within the PLAN, DO, CHECK, ACT cycle)

Risk Management (ISO/IEC 27005)
• Identified risks and agreed upon risk profiles
• Understanding the impact of risk exposures
• User awareness of risk
• Risk management plan and priorities for taking action
• Risks and information security measurements (ISO/IEC 27004)
• Regular risk reviews

Page 14: (same diagram as Page 11: Strategy, Tactical and Operational levels, each with Risk, System of controls, Metrics and Audits, within the PLAN, DO, CHECK, ACT cycle)

Measuring Performance (ISO/IEC 27004)
• Defined set of metrics
• Measurement process with feedback on progress made
• Reviews and audits (ISO/IEC 27007 + 27008)
• Independent assurance

Page 15: (diagram: security capability plotted against ISMS evolution)

Stages:
• Establish ISMS security programme
• Strategy, policy and standards
• Implement ISMS organisational security and technical controls
• Monitor, review and measure ISMS performance
• Certification and assurance

Page 16:

Governance is as good as the organisation’s
• risk management
• effectiveness of its system of controls
• review and audit of its information security

• Governance of e-city is about risk, control, audit, information security and system, process and network resilience, and people safety and security

Page 17: (excerpt from an external guide)

"Many organizations do not approach security by deploying sound, commonly accepted practices; rather, they fix problems as they occur and try to keep up with the security risks that accompany change and growth. As a result, establishing an ESP can be an especially daunting task.

Fortunately, there are several widely accepted security best practices and standards. The International Organization for Standardization (ISO) leads the way with ISO 17799 and ISO 27001."

1.3.9 Inconsistent Deployment of Best Practices and Measures

"This guide is designed to help business leaders implement an effective program to govern information technology (IT) and information security."

Page 18:

Implementing Information Security Governance based on ISO/IEC 27001

Page 19:

Prof. Edward Humphreys (Hagenberg University of Applied Sciences, Austria & Beijing Institute of Technology)