In smaller organisations, the accurate setup of direction and control of information security is relatively simple, especially when the scope of ISMS covers the entire organisation. For larger, geographically dispersed or more complex organisations, the situation is more complicated. In these cases, it is common that the ISMS covers only a part of the entity (organisation or group of organisations), or there are more than one ISMS within a single entity, or one ISMS covers more than one entity. There is a fundamental need for the correct setting of responsibilities for the governance and management of information security.
Information security
Information security governance is the means by which an entity’s governing body performs the general direction and control of activities that affect information security. The governing body implements its governance objectives by evaluating requirements (external requirements and those of its own management), directing the entity and monitoring its activities.
Information security management seeks to achieve the entity’s objectives, which result from the requirements expressed in the strategies and policies of the governing body. Cooperation between the governing body and management is, therefore, necessary for proper functioning.
ISO/IEC 27001 specifies requirements for establishing, implementing, maintaining and continually improving an information security management system in the context of an organisation. Although ISO/IEC 27001 does not use the term governance, it specifies a number of requirements that are in fact governance activities. For example:
- Article 4 requires the organisation to identify relevant stakeholders and define the boundaries and scope of the ISMS;
- Article 5 specifies that senior management must set information security policies and objectives, integrate security into the organisation’s processes, provide sufficient resources, direct and support persons to contribute to the effectiveness of the ISMS, etc.;
- Article 6 requires the organisation to identify risks and opportunities related to the context and objectives of the organisation, to assess and treat information security risks and to set information security objectives relevant to individual functions and levels of management;
- Article 7 obliges the organisation to identify and secure the necessary resources, to ensure that the competencies of persons are appropriate and that information security communications are suitable;
- Article 8 imposes the need to plan, implement and manage the processes and measures needed to meet information security requirements, including outsourced activities;
- Article 9 focuses on evaluating the performance of the ISMS through monitoring and measurement, internal audit and regular review of the ISMS;
- Article 10 then addresses the obligation to identify non-conformities and ensure their treatment, as well as the need to identify and realise opportunities for the continual improvement of the ISMS.
Objectives of entity governance and information security governance
ISO/IEC 27014 defines the objectives of entity governance and information security governance. These objectives include:
- establishing integrated and comprehensive information security throughout the entity;
- compliance and decision-making based on specific risks;
- consideration of information security requirements in acquisition activities;
- ensuring compliance with the requirements of internal and external stakeholders;
- promoting a positive information security culture;
- ensuring that information security performance meets current and future entity requirements.
Requirements of the governance body on the ISMS
Given the business and information security objectives of the entity, the governing body should require the implementation of one or more ISMSs. The objectives of individual ISMSs can be the same as the goals of the parent entity or different. It depends on the size, complexity or geographical structure of the whole entity. If the goals are different, they should not be contradictory.
The governing body should require that each ISMS be consistent with the entity’s strategies, policies and processes. It is also usually appropriate to apply a consistent approach to information security risk management throughout the entity.
The governing body should:
- approve the creation of each ISMS;
- define the scope for each ISMS;
- guide each ISMS, including setting objectives, requirements, determining roles, and providing resources;
- decide on acceptable levels of residual risk or risk treatment;
- support the communication of relevant information to stakeholders and to all persons within the scope of the management system.
Scenarios
ISO/IEC 27014 describes in detail three possible scenarios for establishing an ISMS within an entity or entities:
- the ISMS organisation is an entire entity;
- the ISMS organisation is part of a larger entity;
- the ISMS organisation includes parts of several entities.
Type A: The ISMS covers the entire entity
This is the simplest case, in which aligning the organisation’s information security objectives with the entity’s overall objectives is easy. The reason is that one body is responsible for both sets of objectives, i.e. the governing body of the entity is also the top management of the ISMS organisation.
However, where a single role is responsible for both the governance and the management of information security, it must be ensured that the responsibility for setting policy and the responsibility for implementing it are adequately separated from each other. This can be more difficult for very small organisations.
Type B: The ISMS is part of a larger entity
In some cases, one or more ISMSs are part of a larger entity. The governance activities apply to the whole entity and the governing body thus manages more than one ISMS. The information security objectives of individual ISMSs may be consistent with the business objectives of the ISMS organisation or the business objectives of the parent entity, depending on the relationship between the ISMSs and the parent entity.
The relationship and staffing of the governing body and the senior management of each ISMS organisation can vary – they can be the same people, have only some people in common, or have no people in common.
Type C: The ISMS includes parts of several entities
There may be cases where the ISMS organisation is managed and controlled by a single senior management, but the ISMS covers more than one entity. This occurs when a larger entity manages a group of entities, or when one ISMS is shared by multiple governing bodies. In both cases, the ISMS information security objectives must be aligned with the business objectives that the entities have in common.