ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Governance of information security

Similar documents
ISO/IEC INTERNATIONAL STANDARD. Information technology Cloud computing Overview and vocabulary

Sýnishorn ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

ISO/IEC INTERNATIONAL STANDARD. Information technology Cloud computing Reference architecture

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Overview and vocabulary

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

ISO/IEC TR TECHNICAL REPORT. Information technology Telecommunications and information exchange between systems Managed P2P: Framework

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Lightweight cryptography Part 2: Block ciphers

ISO/IEC INTERNATIONAL STANDARD. Systems and software engineering Measurement process. Ingénierie des systèmes et du logiciel Processus de mesure

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management system implementation guidance

ISO/IEC Information technology Security techniques Network security. Part 5:

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security incident management

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

This document is a preview generated by EVS

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Information technology Dynamic adaptive streaming over HTTP (DASH) Part 2: Conformance and reference software

ISO/IEC INTERNATIONAL STANDARD. Information technology Icon symbols and functions for controlling multimedia software applications

ISO/IEC 1001 INTERNATIONAL STANDARD. Information technology File structure and labelling of magnetic tapes for information interchange

ISO/IEC INTERNATIONAL STANDARD. Information technology EAN/UCC Application Identifiers and Fact Data Identifiers and Maintenance

ISO/IEC INTERNATIONAL STANDARD. Information technology MPEG extensible middleware (MXM) Part 3: MXM reference software

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Abstract Syntax Notation One (ASN.1): Parameterization of ASN.

Information technology Guidelines for the application of ISO 9001:2008 to IT service management and its integration with ISO/IEC :2011

ISO/IEC INTERNATIONAL STANDARD. Information technology Learning, education, and training Content packaging Part 2: XML binding

ISO/IEC INTERNATIONAL STANDARD. Information technology Multimedia Middleware Part 6: Fault management

ISO/IEC INTERNATIONAL STANDARD. Information technology Guideline for the evaluation and selection of CASE tools

ISO/IEC INTERNATIONAL STANDARD. Information technology Keyboard layouts for text and office systems Part 2: Alphanumeric section

ISO/IEC First edition Reference number ISO/IEC 20005:2013(E) ISO/IEC 2013

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Hash-functions Part 2: Hash-functions using an n-bit block cipher

INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques IT network security Part 2: Network security architecture

ISO/IEC TR TECHNICAL REPORT. Information technology Database languages SQL Technical Reports Part 1: XQuery Regular Expression Support in SQL

GUIDE 63. Guide to the development and inclusion of safety aspects in International Standards for medical devices

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Multimedia service platform technologies Part 2: MPEG extensible middleware (MXM) API

ISO/IEC INTERNATIONAL STANDARD. Information technology Abstract Syntax Notation One (ASN.1): Information object specification

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Key management Part 4: Mechanisms based on weak secrets

ISO/IEC TR TECHNICAL REPORT

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC Systems and software engineering Systems and software Quality Requirements and Evaluation (SQuaRE) Planning and management

ISO INTERNATIONAL STANDARD. Information and documentation International standard name identifier (ISNI)

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology JPEG 2000 image coding system Part 14: XML representation and reference

ISO/IEC INTERNATIONAL STANDARD. Information technology Vocabulary Part 37: Biometrics

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Modes of operation for an n-bit block cipher

ISO/IEC INTERNATIONAL STANDARD. Information technology ASN.1 encoding rules: Specification of Octet Encoding Rules (OER)

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Entity authentication assurance framework

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Mobile item identification and management Mobile AIDC application programming interface

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

ISO/IEC Information technology Icon symbols and functions for controlling multimedia software applications

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Colour test pages for measurement of office equipment consumable yield

ISO/IEC INTERNATIONAL STANDARD. Information technology Open distributed processing Reference model: Foundations

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Encryption algorithms Part 4: Stream ciphers

ISO/IEC INTERNATIONAL STANDARD. Information technology Automatic identification and data capture techniques Bar code master test specifications

ISO/IEC TR TECHNICAL REPORT

ISO INTERNATIONAL STANDARD. Glass in building Silvered, flat-glass mirror. Verre dans la construction Miroir argenté en verre plat

ISO/IEC TR TECHNICAL REPORT. Systems and software engineering Life cycle management Part 1: Guide for life cycle management

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Biometric data interchange formats Part 9: Vascular image data

ISO/IEC INTERNATIONAL STANDARD

ISO INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Multimedia service platform technologies Part 5: Service aggregation

This document is a preview generated by EVS

INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Software engineering Software measurement process. Ingénierie du logiciel Méthode de mesure des logiciels

ISO/IEC Information technology Sensor networks: Sensor Network Reference Architecture (SNRA) Part 2: Vocabulary and terminology

ISO/IEC INTERNATIONAL STANDARD

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Conformity assessment Supplier's declaration of conformity Part 1: General requirements

ISO/IEC INTERNATIONAL STANDARD. Information technology Multimedia service platform technologies Part 3: Conformance and reference software

Transcription:

INTERNATIONAL STANDARD ISO/IEC 27014 First edition 2013-05-15 Information technology Security techniques Governance of information security Technologies de l'information Techniques de sécurité Gouvernance de la sécurité de l'information Reference number ISO/IEC 27014:2013(E) ISO/IEC 2013

COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reserved

CONTENTS Page Summary... iv Foreword... v 1 Scope... 1 2 Normative references... 1 3 Definitions... 1 4 Concepts... 2 4.1 General... 2 4.2 Objectives... 2 4.3 Desired Outcomes... 2 4.4 Relationship... 2 5 Principles and processes... 3 5.1 Overview... 3 5.2 Principles... 3 5.3 Processes... 5 5.3.1 Overview... 5 5.3.2 Evaluate... 5 5.3.3 Direct... 6 5.3.4 Monitor... 6 5.3.5 Communicate... 6 5.3.6 Assure... 7 Annex A (informative) An example of information security status... 8 Annex B (informative) An example of detailed information security status... 9 Bibliography... 11 ISO/IEC 2013 All rights reserved iii

INTERNATIONAL STANDARD <ISO/IEC 27014> ITU-T RECOMMENDATION <X.1054> Summary Information technology Security techniques Governance of information security This Recommendation International Standard provides guidance on the governance of information security. Information security has become a key issue for organisations. Not only are there increasing regulatory requirements but also the failure of an organisation s information security measures can have a direct impact on an organisation s reputation. Therefore, the governing body, as part of its governance responsibilities, is increasingly required to oversee information security to ensure the objectives of the organisation are achieved. In addition, governance of information security provides a powerful link between an organisation s governing body, executive management and those responsible for implementing and operating an information security management system. It provides the mandate essential for driving information security initiatives throughout the organisation. Furthermore, an effective governance of information security ensures that the governing body receives relevant reporting - framed in a business context - about information security-related activities. This enables pertinent and timely decisions about information security issues in support of the strategic objectives of the organisation. iv ISO/IEC 2013 All rights reserved

Foreword The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a world-wide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. ISO (the International Organisation for Standardization) and IEC (the International Electro technical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organisations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.1054. ISO/IEC 2013 All rights reserved v

COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reserved

CONTENTS Page Summary... iv Foreword... v 1 Scope... 1 2 Normative references... 1 3 Definitions... 1 4 Concepts... 2 4.1 General... 2 4.2 Objectives... 2 4.3 Desired Outcomes... 2 4.4 Relationship... 2 5 Principles and processes... 3 5.1 Overview... 3 5.2 Principles... 3 5.3 Processes... 5 5.3.1 Overview... 5 5.3.2 Evaluate... 5 5.3.3 Direct... 6 5.3.4 Monitor... 6 5.3.5 Communicate... 6 5.3.6 Assure... 7 Annex A (informative) An example of information security status... 8 Annex B (informative) An example of detailed information security status... 9 Bibliography... 11 ISO/IEC 2013 All rights reserved iii

INTERNATIONAL STANDARD <ISO/IEC 27014> ITU-T RECOMMENDATION <X.1054> Summary Information technology Security techniques Governance of information security This Recommendation International Standard provides guidance on the governance of information security. Information security has become a key issue for organisations. Not only are there increasing regulatory requirements but also the failure of an organisation s information security measures can have a direct impact on an organisation s reputation. Therefore, the governing body, as part of its governance responsibilities, is increasingly required to oversee information security to ensure the objectives of the organisation are achieved. In addition, governance of information security provides a powerful link between an organisation s governing body, executive management and those responsible for implementing and operating an information security management system. It provides the mandate essential for driving information security initiatives throughout the organisation. Furthermore, an effective governance of information security ensures that the governing body receives relevant reporting - framed in a business context - about information security-related activities. This enables pertinent and timely decisions about information security issues in support of the strategic objectives of the organisation. iv ISO/IEC 2013 All rights reserved

Foreword The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a world-wide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. ISO (the International Organisation for Standardization) and IEC (the International Electro technical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organisations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.1054. ISO/IEC 2013 All rights reserved v

COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reserved

CONTENTS Page Summary... iv Foreword... v 1 Scope... 1 2 Normative references... 1 3 Definitions... 1 4 Concepts... 2 4.1 General... 2 4.2 Objectives... 2 4.3 Desired Outcomes... 2 4.4 Relationship... 2 5 Principles and processes... 3 5.1 Overview... 3 5.2 Principles... 3 5.3 Processes... 5 5.3.1 Overview... 5 5.3.2 Evaluate... 5 5.3.3 Direct... 6 5.3.4 Monitor... 6 5.3.5 Communicate... 6 5.3.6 Assure... 7 Annex A (informative) An example of information security status... 8 Annex B (informative) An example of detailed information security status... 9 Bibliography... 11 ISO/IEC 2013 All rights reserved iii

INTERNATIONAL STANDARD <ISO/IEC 27014> ITU-T RECOMMENDATION <X.1054> Summary Information technology Security techniques Governance of information security This Recommendation International Standard provides guidance on the governance of information security. Information security has become a key issue for organisations. Not only are there increasing regulatory requirements but also the failure of an organisation s information security measures can have a direct impact on an organisation s reputation. Therefore, the governing body, as part of its governance responsibilities, is increasingly required to oversee information security to ensure the objectives of the organisation are achieved. In addition, governance of information security provides a powerful link between an organisation s governing body, executive management and those responsible for implementing and operating an information security management system. It provides the mandate essential for driving information security initiatives throughout the organisation. Furthermore, an effective governance of information security ensures that the governing body receives relevant reporting - framed in a business context - about information security-related activities. This enables pertinent and timely decisions about information security issues in support of the strategic objectives of the organisation. iv ISO/IEC 2013 All rights reserved

Foreword The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a world-wide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. ISO (the International Organisation for Standardization) and IEC (the International Electro technical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organisations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.1054. ISO/IEC 2013 All rights reserved v

COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reserved

CONTENTS Page Summary... iv Foreword... v 1 Scope... 1 2 Normative references... 1 3 Definitions... 1 4 Concepts... 2 4.1 General... 2 4.2 Objectives... 2 4.3 Desired Outcomes... 2 4.4 Relationship... 2 5 Principles and processes... 3 5.1 Overview... 3 5.2 Principles... 3 5.3 Processes... 5 5.3.1 Overview... 5 5.3.2 Evaluate... 5 5.3.3 Direct... 6 5.3.4 Monitor... 6 5.3.5 Communicate... 6 5.3.6 Assure... 7 Annex A (informative) An example of information security status... 8 Annex B (informative) An example of detailed information security status... 9 Bibliography... 11 ISO/IEC 2013 All rights reserved iii

INTERNATIONAL STANDARD <ISO/IEC 27014> ITU-T RECOMMENDATION <X.1054> Summary Information technology Security techniques Governance of information security This Recommendation International Standard provides guidance on the governance of information security. Information security has become a key issue for organisations. Not only are there increasing regulatory requirements but also the failure of an organisation s information security measures can have a direct impact on an organisation s reputation. Therefore, the governing body, as part of its governance responsibilities, is increasingly required to oversee information security to ensure the objectives of the organisation are achieved. In addition, governance of information security provides a powerful link between an organisation s governing body, executive management and those responsible for implementing and operating an information security management system. It provides the mandate essential for driving information security initiatives throughout the organisation. Furthermore, an effective governance of information security ensures that the governing body receives relevant reporting - framed in a business context - about information security-related activities. This enables pertinent and timely decisions about information security issues in support of the strategic objectives of the organisation. iv ISO/IEC 2013 All rights reserved

Foreword The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating, and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a world-wide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups that, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology that fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. ISO (the International Organisation for Standardization) and IEC (the International Electro technical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organisations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27014 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.1054. ISO/IEC 2013 All rights reserved v

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback