ISO IEC 27014-2020 (2022) PDF

St ISO IEC 27014-2020 (2022)

Name in English:
St ISO IEC 27014-2020 (2022)

Name in Russian (translated):
St ISO IEC 27014-2020 (2022)

Description in English:

Original standard ISO IEC 27014-2020 (2022) in PDF, full version. Additional info and a preview are available on request.

Description in Russian (translated):
Original standard ISO IEC 27014-2020 (2022) in PDF, full version. Additional info and a preview are available on request.
Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25973

Price:
€25

Full title and description

ISO/IEC 27014:2020 — Information security, cybersecurity and privacy protection — Governance of information security. This international standard provides guidance on concepts, objectives and processes for governing information security across an organization, enabling governing bodies and top management to evaluate, direct, monitor and communicate information-security-related activities.

Abstract

ISO/IEC 27014:2020 offers practical guidance for governing bodies, senior leadership and those responsible for oversight of information security (including oversight of ISMS implementations based on ISO/IEC 27001). It describes governance objectives, roles and responsibilities, governance processes (direction, evaluation, monitoring and communication), and the relationship between governance and management of information security. The document is applicable to organizations of all types and sizes and complements other ISO/IEC information security standards.

General information

  • Status: Published / Current.
  • Publication date: 15 December 2020.
  • Publisher: Joint ISO/IEC standard produced under ISO/IEC JTC 1/SC 27 (published by ISO and IEC).
  • ICS / categories: 35.030 (IT security / information security); (national adoptions may include additional ICS codes such as management systems categories).
  • Edition / version: Edition 2 (2020).
  • Number of pages: 15 (official ISO/IEC publication length; page counts can vary by national adoption/publication).

Scope

This standard provides guidance on the governance of information security across an entity. It focuses on the roles and responsibilities of the governing body and top management, the objectives of governance, and the processes needed to direct, evaluate, monitor and communicate information-security matters. It addresses governance both where an ISMS based on ISO/IEC 27001 exists and where information security is managed outside the scope of an ISMS, and is intended to be applicable to all types and sizes of organizations.

Key topics and requirements

  • Governance objectives for information security (direction, risk-based decision-making, conformance, culture, performance assurance).
  • Roles and responsibilities of the governing body, top management and management regarding information security.
  • Processes for evaluation, direction, monitoring and communication of information-security matters.
  • Integration and alignment between governance and management activities, including interaction with an ISMS (ISO/IEC 27001).
  • Guidance on reporting, assurance and oversight mechanisms to demonstrate that information-security objectives support organizational objectives.
  • Consideration of context, interested parties, legal and regulatory obligations, and risk-based approaches to decision-making.
  • Annex material illustrating types of ISMS relationships and governance scenarios.

Typical use and users

Intended users include governing bodies, boards of directors, C-suite executives (CEO, CIO, CISO), senior management, information security governance committees, internal and external auditors, compliance and risk teams, and consultants advising on governance and oversight. The standard is used to establish or improve governance arrangements for information security, to frame board-level reporting, and to align security governance with enterprise governance and regulatory requirements.

Related standards

Directly related ISO/IEC standards include ISO/IEC 27001 (requirements for an ISMS), ISO/IEC 27002 (security controls guidance), ISO/IEC 27005 (information security risk management), and the earlier ISO/IEC 27014:2013 (superseded). Other governance and IT management standards commonly referenced alongside 27014 include ISO/IEC 38500 (IT governance) and relevant sector or national governance guidance.

Keywords

information security governance, governance of information security, ISMS oversight, top management, board reporting, risk-based governance, accountability, assurance, ISO/IEC 27014, cybersecurity governance

FAQ

Q: What is this standard?

A: ISO/IEC 27014:2020 is an international guidance standard that defines concepts, objectives and governance processes for information security so governing bodies and senior management can provide direction and oversight.

Q: What does it cover?

A: It covers governance objectives, required oversight activities (evaluate, direct, monitor, communicate), roles and responsibilities, alignment with ISMS activities, assurance and reporting practices, and considerations for legal, regulatory and stakeholder requirements.

Q: Who typically uses it?

A: Boards, senior executives, CISOs, governance committees, auditors, and consultants use it to design, assess or improve information security governance arrangements and board-level reporting structures.

Q: Is it current or superseded?

A: ISO/IEC 27014:2020 is the current edition published in December 2020 and it replaces the earlier 2013 edition (ISO/IEC 27014:2013). National adoptions or translations may carry different publication dates or page counts.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family of information security standards and complements ISO/IEC 27001 (ISMS requirements), ISO/IEC 27002 (controls guidance) and other related documents in that family.

Q: What are the key keywords?

A: Governance, information security, ISMS oversight, board, top management, accountability, risk-based decisions, assurance, reporting.