iso 27014 et 38500
DESCRIPTION
ISO 27014 et 38500TRANSCRIPT
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
Hugh H. Penri-Williams CFE CIA CCSA CRMA PIIA CISA CISM CGEIT CRISC ITIL-F C31000
ISO/IEC 27014:2013 & 38500:2008 Governance of Information
Technology vs.
Governance of Information Security
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 2
Disclaimer!
Reminder for documents bought from ISO, e.g.: Licensed to GLANIAD 1865/HUGH PENRI-WILLIAMS Single user licence only, copying and networking prohibited
Unless indicated otherwise the opinions and views expressed in this presentation are those of the author alone and do not reflect the official policy or position of ISO, AFAI, ISACA, ITGI, The IIA, IFACI, Alcatel-Lucent, ACFE, S.W.I.F.T. or any other organization.
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 3
Who or What does ISO* represent? The International Organization for Standardization consists of the national standards institutes of 164 countries (e.g. AFNOR FR, ANSI / NIST US, BSI GB, DIN DE) with a Central Secretariat in Geneva CH for coordination.
ISACA/ITGI has Category A (originally C in 2008) Liaison status within the ISO/IEC Joint Technical Committee 1 Information technology:
ü SubCommittee7 Develops guidance for Software & Systems Engineering
ü SC27 Develops guidance for IT Security Techniques, including the 27000 family / series of Security Standards
ü SC40 Develops guidance for IT Service Management & IT Governance
ISACA members who are ISO Subject Matter Experts are invited to volunteer to participate on future review teams for ISO exposure drafts.
*Greek for ‘equal’, NOT an acronym! IEC = International Electrotechnical Committee also liaisons with other standards bodies like ITU = International Telecommunication Union
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
4
ISO/IEC JTC 1/SC 27 Working Groups WG1 Information security management systems* ü 27000**, 27001, 27002, 27005, etc. WG2 Cryptography and security mechanisms ü 10116, 18033, 29192, etc. WG3 Security evaluation, testing and specification ü 15048, 15446, 18045, 29147, etc. WG4 Security controls and services* ü 27033, 27035, 27036, 27040, 27050, etc. WG5 Identity management and privacy technologies ü 24745, 24760, 29100**, 29190, etc.
*ISACA Liaison Representatives participate **available FREE of charge on ISO website
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
5
The ISO Process Cycle
Ø Study Period Ø New Work Item Proposal Ø Working Drafts (1st, 2nd,…) Ø Committee Drafts (1st, 2nd,…) Ø Final Committee Draft Ø Draft International Standard Ø Final Draft International Standard Ø Publication!
Subsequently, revisions are foreseen every 5 years (most recently it took 8 years for 27001 & 27002!)
Another route results in publication of a Technical Report (TR nnnnn)
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
6
ISO/IEC 27014 Development 1/2
Study Period agreed Kyoto JP April 2008, ‘Call for contributions’ issued July 2008 (particularly involved early on were Japan & Korea – who then became co-editors, CA, ZA, BE, SE & Liaisons: Information Security Forum & ISACA)
Results presented in Limassol CY Oct. 2008 (situation was touch & go, ISACA persuaded WG1 Convenor to call informal meeting on future of ISG)
NWIP voting results February 2009 32 with 5 Questions of which Q2 “Do you support as a NWI” received 28 YES & 4 Abstentions
Then 3 WDs (during meetings in Beijing CN May & Redmond US Nov. 2009, Melaka* MY Apr. & Berlin DE Oct. 2010) before voting on 1st CD Feb. 2011: Approval 14 plus with comments 5 = 19, Disapproval 4, Abstention 13! The whole project could have nearly failed again at this stage, just like in Cyprus!
DIS improvements made in Singapore Apr., finalised in Nairobi KE Oct. 2011 *seriously impacted by absence of European delegations due to Icelandic volcano – used Skype!
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
7
ISO/IEC 27014 Development 2/2
November 2011 DIS voting result
*P-Members voting: 24 in favour out of 27 = 89 % (requirement >= 66.66%) {AU, UK, US} Member bodies voting: 3 negative votes out of 35 = 9 % (requirement <= 25%)
FDIS improvements made in Stockholm SE May & in Rome IT Oct. 2012
November 2012 FDIS voting result
P-Members voting: 19 in favour out of 20 = 95 % (requirement >= 66.66%) {US} Member bodies voting: 1 negative vote out of 32 = 3 % (requirement <= 25%)
Finally published May 2013 = 5 year effort for 11 pages! *Participating i.e. voting vs. Observing members
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
CG Defined (source OECD)
u involves a set of relationships between an organization’s management, its board, its shareholders and other stakeholders
u also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined
8
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
Many other definitions exist but with certain common elements, describing governance as the policies, processes and structures used by an organisation:
v To direct and control its activities v To achieve its objectives v To protect the interests of its stakeholders v Consistent with appropriate ethical standards
9
Governance
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
The board should fulfil certain key functions, including:
1. Reviewing and guiding corporate strategy, annual budgets and business plans; setting performance objectives; monitoring corporate performance; and overseeing major capital expenditures, acquisitions and divestitures.
2. Monitoring the effectiveness of the company’s governance and risk management practices and making changes as needed
3. Selecting, compensating, monitoring and, when necessary, replacing key executives and overseeing succession planning.
4. Aligning key executive and board remuneration with the longer term interests of the company and its shareholders.
5. Ensuring the integrity of the organisation’s accounting and financial reporting systems;
6. Ensuring a formal and transparent board nomination and election process.
The Responsibilities of the Board
10
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 11
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
Governance does not exist as a set of distinct and separate processes and structures. Rather, there are relationships among governance, risk management, and internal controls: § Effective governance activities consider risk when setting
strategy. Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).
§ Effective governance relies on internal controls and communication to the board on the effectiveness of those controls.
§ Control and risk also are related, as control is defined as “any action taken by management, the board and other parties to manage risk and increase the likelihood that established goals will be achieved.”
12
Internal Governance Elements
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
Internal Governance Elements
13
Stakeholders
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
IT Governance Definition
14
IT Governance is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
IT governance is the responsibility of the board of directors and executive management.
by the IT Governance Institute®
“Technology is a tool to accomplish
business, not an end in itself”
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
15
COBIT: Governance of Enterprise IT
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
ISACA Contribution to Study Period
16
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
Ideas that were floated 2/2
17
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
Conclusion: ISG must differentiate itself from ITG because of Risks from Non-IT factors
18
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 19
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 20
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
21
Why were they created?
ISO 38500 1.3 Objectives
The purpose of this standard is to promote effective, efficient, and acceptable use of IT in all organizations by: • assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization’s corporate governance of IT; • informing and guiding directors in governing the use of IT in their organization; and • providing a basis for objective evaluation of the corporate governance of IT.
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
22
Why were they created? ISO 27014 4.1 General
Governance of information security needs to align objectives and strategies for information security with business objectives and strategies, and requires compliance with legislation, regulations and contracts. It should be assessed, analysed and implemented through a risk management approach, supported by an internal control system.
The governing body is ultimately accountable for an organisation’s decisions and the performance of the organisation. In respect to information security, the key focus of the governing body is to ensure that the organisation’s approach to information security is efficient, effective, acceptable and in line with business objectives and strategies giving due regard to stakeholder expectations. Various stakeholders can have different values and needs.
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 23
What do they have in common?
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
ISO 27014 ISO 38500
24
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 25
What distinguishes them from each other?
38500 fast tracked from AS8015; 27014 completely new!
Only one mention in 38500 of ‘security’, namely as a bullet under 1.4.2 in respect of breaches: security standards!
38500 only refers to ISO Guide 73:2002 because revised Guide & ISO 31000 only published in 2009!
27014 refers to new Guide 73 & ISO 31000 plus 27005 and ITGI’s Security Governance Framework, and, of course to 38500 itself!
27014 gives examples in Annex of IS summary & detailed status reports; 38500 has none.
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 26
What distinguishes them from each other?
ISO 38500 Principles*
1: Responsibility
2: Strategy
3: Acquisition
4: Performance
5: Conformance
6: Human Behaviour
ISO 27014 5.2 Principles**
1 Establish organisation-wide information security
2 Adopt a risk-based approach 3 Set the direction of
investment decisions 4 Ensure conformance with
internal and external requirements
5 Foster a security-positive environment
6 Review performance in relation to business outcomes
* Mere headings vs. ** action-oriented
statements!
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
GTAG-‐15 Informa/on Security Governance
§ What is Informa/on Security Governance?
§ Why Should the CAE Be Concerned About Informa/on Security Governance?
§ The Internal Audit Ac/vity’s Role in Informa/on Security Governance
§ The Internal Audit Ac/vity’s Responsibili/es Related to Informa/on Security Governance
§ Audi/ng Informa/on Security Governance
Resources (1/3)
27
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
GTAG-‐17 Audi/ng IT Governance Some of the key areas of IT governance internal auditors should address are: § Chief IT Officer (e.g. Chief Informa/on Officer;
Chief Technology Officer; Chief Informa/on Security Officer) related roles and responsibili/es.
§ Accountability and decision-‐making. § IT performance monitoring and repor/ng
metrics, including financial management of IT opera/ons and projects.
§ CxO4 level of understanding of how IT supports and enables the achievement of the organiza/on’s strategy and objec/ves.
§ Alignment between IT and the organiza/on. § IT governance risks and controls.
Resources (2/3)
28
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams
Information technology is the Elephant in the Room – especially the boardroom. Organizations depend on it for routine operations and future performance, and IT problems can have serious consequences. Yet many organizations lack effective oversight of IT, and are at risk of surprises. This book aims to help build shared understanding that leads to a well-integrated system for governance of IT from the boardroom to the coalface, framed around the guidance in ISO/IEC 38500.
Resources (3/3)
29
by Mark Toomey also author of The Infonomics Letter (free)
ISO/IEC 27014:2013 & 38500:2009 – AFAI Délégation Sud-Est 13/11/14 - Hugh H. Penri-Williams 30
Annex I
Bibliography FR Cadre de référence international des pratiques professionnelles de l’audit interne [CRIPP] / IIA, IFACI trad. – 2013
IT Gouvernance / F. Georgel – 2009
La Gouvernance des Systèmes d’Information / Audit & Contrôle internes IFACI N°206 - sept. 2011
Prise de position IFA/IFACI sur le rôle de l’audit interne dans le gouvernement d’entreprise. – IFA ; IFACI – 2009