ISO 27014 et 38500


Page 1: ISO 27014 et 38500

ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams

Hugh H. Penri-Williams CFE CIA CCSA CRMA PIIA CISA CISM CGEIT CRISC ITIL-F C31000

ISO/IEC 27014:2013 & 38500:2008: Governance of Information Technology vs. Governance of Information Security

Page 2: ISO 27014 et 38500


Disclaimer!

Reminder for documents bought from ISO, e.g. the licence notice: “Licensed to GLANIAD 1865/HUGH PENRI-WILLIAMS. Single user licence only, copying and networking prohibited.”

Unless indicated otherwise the opinions and views expressed in this presentation are those of the author alone and do not reflect the official policy or position of ISO, AFAI, ISACA, ITGI, The IIA, IFACI, Alcatel-Lucent, ACFE, S.W.I.F.T. or any other organization.

Page 3: ISO 27014 et 38500


Who or What does ISO* represent?

The International Organization for Standardization consists of the national standards institutes of 164 countries (e.g. AFNOR FR, ANSI / NIST US, BSI GB, DIN DE) with a Central Secretariat in Geneva CH for coordination.

ISACA/ITGI has Category A (originally C in 2008) Liaison status within ISO/IEC Joint Technical Committee 1 (JTC 1, Information technology):

• SC7 develops guidance for Software & Systems Engineering
• SC27 develops guidance for IT Security Techniques, including the 27000 family / series of Security Standards
• SC40 develops guidance for IT Service Management & IT Governance

ISACA members who are ISO Subject Matter Experts are invited to volunteer to participate on future review teams for ISO exposure drafts.

*Greek for ‘equal’, NOT an acronym! IEC = International Electrotechnical Commission; it also liaises with other standards bodies such as the ITU = International Telecommunication Union.

Page 4: ISO 27014 et 38500


ISO/IEC JTC 1/SC 27 Working Groups

WG1 Information security management systems*
• 27000**, 27001, 27002, 27005, etc.

WG2 Cryptography and security mechanisms
• 10116, 18033, 29192, etc.

WG3 Security evaluation, testing and specification
• 15048, 15446, 18045, 29147, etc.

WG4 Security controls and services*
• 27033, 27035, 27036, 27040, 27050, etc.

WG5 Identity management and privacy technologies
• 24745, 24760, 29100**, 29190, etc.

*ISACA Liaison Representatives participate
**available FREE of charge on ISO website

Page 5: ISO 27014 et 38500


The ISO Process Cycle

• Study Period
• New Work Item Proposal (NWIP)
• Working Drafts (WD: 1st, 2nd, …)
• Committee Drafts (CD: 1st, 2nd, …)
• Final Committee Draft (FCD)
• Draft International Standard (DIS)
• Final Draft International Standard (FDIS)
• Publication!

Subsequently, revisions are foreseen every 5 years (most recently it took 8 years for 27001 & 27002!)

Another route results in publication of a Technical Report (TR nnnnn)

Page 6: ISO 27014 et 38500


ISO/IEC 27014 Development 1/2

Study Period agreed Kyoto JP April 2008, ‘Call for contributions’ issued July 2008 (particularly involved early on were Japan & Korea – who then became co-editors, CA, ZA, BE, SE & Liaisons: Information Security Forum & ISACA)

Results presented in Limassol CY Oct. 2008 (situation was touch & go, ISACA persuaded WG1 Convenor to call informal meeting on future of ISG)

NWIP voting results February 2009 32 with 5 Questions of which Q2 “Do you support as a NWI” received 28 YES & 4 Abstentions

Then 3 WDs (during meetings in Beijing CN May & Redmond US Nov. 2009, Melaka* MY Apr. & Berlin DE Oct. 2010) before voting on 1st CD Feb. 2011: Approval 14 plus with comments 5 = 19, Disapproval 4, Abstention 13! The whole project could have nearly failed again at this stage, just like in Cyprus!

DIS improvements made in Singapore Apr., finalised in Nairobi KE Oct. 2011

*Melaka meeting seriously impacted by the absence of European delegations due to the Icelandic volcano; Skype was used instead!

Page 7: ISO 27014 et 38500


ISO/IEC 27014 Development 2/2

November 2011 DIS voting result

P-Members* voting: 24 in favour out of 27 = 89 % (requirement >= 66.66 %)

Member bodies voting: 3 negative votes {AU, UK, US} out of 35 = 9 % (requirement <= 25 %)

FDIS improvements made in Stockholm SE May & in Rome IT Oct. 2012

November 2012 FDIS voting result

P-Members voting: 19 in favour out of 20 = 95 % (requirement >= 66.66 %)

Member bodies voting: 1 negative vote {US} out of 32 = 3 % (requirement <= 25 %)

Finally published May 2013 = 5 year effort for 11 pages!

*Participating, i.e. voting, vs. Observing members

Page 8: ISO 27014 et 38500


Corporate Governance (CG) Defined (source: OECD)

• involves a set of relationships between an organization’s management, its board, its shareholders and other stakeholders

• also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined

Page 9: ISO 27014 et 38500


Governance

Many other definitions exist but with certain common elements, describing governance as the policies, processes and structures used by an organisation:

• To direct and control its activities
• To achieve its objectives
• To protect the interests of its stakeholders
• Consistent with appropriate ethical standards

Page 10: ISO 27014 et 38500


The Responsibilities of the Board

The board should fulfil certain key functions, including:

1. Reviewing and guiding corporate strategy, annual budgets and business plans; setting performance objectives; monitoring corporate performance; and overseeing major capital expenditures, acquisitions and divestitures.

2. Monitoring the effectiveness of the company’s governance and risk management practices and making changes as needed.

3. Selecting, compensating, monitoring and, when necessary, replacing key executives and overseeing succession planning.

4. Aligning key executive and board remuneration with the longer term interests of the company and its shareholders.

5. Ensuring the integrity of the organisation’s accounting and financial reporting systems.

6. Ensuring a formal and transparent board nomination and election process.

Page 11: ISO 27014 et 38500


Page 12: ISO 27014 et 38500


Internal Governance Elements

Governance does not exist as a set of distinct and separate processes and structures. Rather, there are relationships among governance, risk management, and internal controls:

• Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).

• Effective governance relies on internal controls and communication to the board on the effectiveness of those controls.

• Control and risk also are related, as control is defined as “any action taken by management, the board and other parties to manage risk and increase the likelihood that established goals will be achieved.”

Page 13: ISO 27014 et 38500


Internal Governance Elements


Stakeholders

Page 14: ISO 27014 et 38500


IT Governance Definition


IT Governance is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

IT governance is the responsibility of the board of directors and executive management.

(by the IT Governance Institute®)

“Technology is a tool to accomplish business, not an end in itself”

Page 15: ISO 27014 et 38500


COBIT: Governance of Enterprise IT

Page 16: ISO 27014 et 38500


ISACA Contribution to Study Period


Page 17: ISO 27014 et 38500


Ideas that were floated 2/2


Page 18: ISO 27014 et 38500


Conclusion: ISG must differentiate itself from ITG because of Risks from Non-IT factors


Page 19: ISO 27014 et 38500


Page 20: ISO 27014 et 38500


Page 21: ISO 27014 et 38500


Why were they created?

ISO 38500 1.3 Objectives

The purpose of this standard is to promote effective, efficient, and acceptable use of IT in all organizations by:

• assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization’s corporate governance of IT;
• informing and guiding directors in governing the use of IT in their organization; and
• providing a basis for objective evaluation of the corporate governance of IT.

Page 22: ISO 27014 et 38500


Why were they created?

ISO 27014 4.1 General

Governance of information security needs to align objectives and strategies for information security with business objectives and strategies, and requires compliance with legislation, regulations and contracts. It should be assessed, analysed and implemented through a risk management approach, supported by an internal control system.

The governing body is ultimately accountable for an organisation’s decisions and the performance of the organisation. In respect to information security, the key focus of the governing body is to ensure that the organisation’s approach to information security is efficient, effective, acceptable and in line with business objectives and strategies giving due regard to stakeholder expectations. Various stakeholders can have different values and needs.

Page 23: ISO 27014 et 38500


What do they have in common?

Page 24: ISO 27014 et 38500


ISO 27014 | ISO 38500

Page 25: ISO 27014 et 38500


What distinguishes them from each other?

38500 fast tracked from AS8015; 27014 completely new!

Only one mention in 38500 of ‘security’, namely as a bullet under 1.4.2 in respect of breaches: security standards!

38500 only refers to ISO Guide 73:2002 because revised Guide & ISO 31000 only published in 2009!

27014 refers to new Guide 73 & ISO 31000 plus 27005 and ITGI’s Security Governance Framework, and, of course to 38500 itself!

27014 gives examples in Annex of IS summary & detailed status reports; 38500 has none.

Page 26: ISO 27014 et 38500


What distinguishes them from each other?

ISO 38500 Principles*

1: Responsibility
2: Strategy
3: Acquisition
4: Performance
5: Conformance
6: Human Behaviour

ISO 27014 5.2 Principles**

1: Establish organisation-wide information security
2: Adopt a risk-based approach
3: Set the direction of investment decisions
4: Ensure conformance with internal and external requirements
5: Foster a security-positive environment
6: Review performance in relation to business outcomes

* Mere headings vs. ** action-oriented statements!

Page 27: ISO 27014 et 38500


Resources (1/3)

GTAG-15 Information Security Governance

• What is Information Security Governance?
• Why Should the CAE Be Concerned About Information Security Governance?
• The Internal Audit Activity’s Role in Information Security Governance
• The Internal Audit Activity’s Responsibilities Related to Information Security Governance
• Auditing Information Security Governance

Page 28: ISO 27014 et 38500


Resources (2/3)

GTAG-17 Auditing IT Governance

Some of the key areas of IT governance internal auditors should address are:

• Chief IT Officer (e.g. Chief Information Officer; Chief Technology Officer; Chief Information Security Officer) related roles and responsibilities.
• Accountability and decision-making.
• IT performance monitoring and reporting metrics, including financial management of IT operations and projects.
• CxO level of understanding of how IT supports and enables the achievement of the organization’s strategy and objectives.
• Alignment between IT and the organization.
• IT governance risks and controls.

Page 29: ISO 27014 et 38500


Resources (3/3)

Information technology is the Elephant in the Room – especially the boardroom. Organizations depend on it for routine operations and future performance, and IT problems can have serious consequences. Yet many organizations lack effective oversight of IT, and are at risk of surprises. This book aims to help build shared understanding that leads to a well-integrated system for governance of IT from the boardroom to the coalface, framed around the guidance in ISO/IEC 38500.

by Mark Toomey, also author of The Infonomics Letter (free)

Page 30: ISO 27014 et 38500


Annex I: Bibliography (FR)

Cadre de référence international des pratiques professionnelles de l’audit interne [CRIPP] / IIA, IFACI trad. – 2013

IT Gouvernance / F. Georgel – 2009

La Gouvernance des Systèmes d’Information / Audit & Contrôle internes, IFACI N°206 – sept. 2011

Prise de position IFA/IFACI sur le rôle de l’audit interne dans le gouvernement d’entreprise / IFA, IFACI – 2009