Musing on ISO/IEC 27014 and infosec governance

























This morning I've been studying the final draft of the forthcoming second edition of ISO/IEC 27014 "Governance of information security", partly to update ISO27001security.com but mostly out of my fascination with the topic.

Section 8.2.5 of the standard specifies the governance objective to "Foster a security-positive culture":
"Governance of information security should be built upon entity culture, including the evolving needs of all the interested parties, since human behaviour is one of the fundamental elements to support the appropriate level of information security. If not adequately coordinated, the objectives, roles, responsibilities and resources can conflict with each other, resulting in the failure to meet any objectives. Therefore, harmonisation and concerted orientation between the various interested parties is very important. 
To establish a positive information security culture, top management should require, promote and support coordination of interested party activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs. Information security responsibilities should be integrated into the roles of staff and other parties, and they should support the success of each ISMS by taking on these responsibilities."
Not bad that although, personally, I would have mentioned senior management setting 'the tone at the top', in other words influencing the entire corporate culture through their leadership, decisions, direction and control, particularly in the way they behave.

For example, even though management may formally insist upon ethical behaviour as a policy matter, if managers in fact act unethically, push the boundaries of ethicality through their decisions and priorities, or simply tolerate (turn a blind eye to, fail to address) unethical/dubious activities, that can severely erode if not destroy the value of the policy. Workers observant enough to spot the disconnect between theory and practice are, in effect, enabled or even encouraged to decide for themselves whether to comply with the policy. 

In a disciplinary situation, management's failure to enforce compliance with any policy (by themselves or others) might be a viable defence for a worker accused of policy noncompliance. Aside from those that are literally unworkable and unenforceable, an unenforced policy can be a liability, a risk at least.

One way to address this issue is to separate out and bolster the compliance, oversight and assurance activities. It is perfectly reasonable to expect and require managers to comply fully with the organisation's policies and directives, otherwise why would they mandate them? Therefore, there should be suitable processes in place to identify and deal with noncompliance by anyone, not least management. Putting such arrangements in place is a governance activity. 

Another complementary approach is for management to avoid formalising policies that they don't truly support. If they aren't willing to 'walk the talk', it is unreasonable for them to insist that workers comply. Being role models is an important part of leadership and governance.

A third technique is for management to think-through the compliance, and assurance aspects when formulating policies, documenting them either within the policies themselves or in separate policies on accountability, compliance, monitoring and assurance - which is the approach we've taken with our policy templates and accompanying security awareness materials

And so our cunning plan falls into place. Policies are merely Lego bricks in a bigger governance structure - a strangely cuboid knobbly one.

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

Two dozen information risks that ISO forgot

Image
Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in) Inept and inaccurate identification, analysis and quantification of risk, including reliance on p oor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan
Read more

ISMS internal audit priorities

Image
A thread on the ISO27k Forum sparked my imagination over coffee this morning. Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan.  Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements. ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the stan
Read more