
ISO IEC 27014:2013.pdf free

ISO/IEC 27014:2013 – Information technology – Security techniques – Governance of information security
Governance of information security should ensure that information security activities are comprehensive and integrated. Information security should be handled at an organisational level, with decision-making taking into account business, information security, and all other relevant aspects. Activities concerning physical and logical security should be closely coordinated.
To establish organisation-wide security, responsibility and accountability for information security should be established across the full span of an organisation's activities. This regularly extends beyond the generally perceived "borders" of the organisation, e.g. where information is stored or transferred by external parties.
Governance of information security should be based on risk-based decisions. Determining how much security is acceptable should be based upon the risk appetite of an organisation, including loss of competitive advantage, compliance and liability risks, operational disruptions, reputational harm, and financial loss.
The information risk management approach adopted should be appropriate to the organisation and consistent and integrated with the organisation's overall risk management approach. Acceptable levels of information security should be defined based upon the risk appetite of an organisation, including the loss of competitive advantage, compliance and liability risks, operational disruptions, reputational harm, and financial losses. Appropriate resources to implement information risk management should be allocated by the governing body.
Governance of information security should establish an information security investment strategy based on the business outcomes achieved, resulting in harmonisation between business and information security requirements, both in the short and the long term, thereby meeting the current and evolving needs of stakeholders.
To optimise information security investments to support organisational objectives, the governing body should ensure that information security is integrated with existing organisational processes for capital and operational expenditure, for legal and regulatory compliance, and for risk reporting.
Governance of information security should ensure that information security policies and practices conform to relevant mandatory legislation and regulations, as well as committed business or contractual requirements and other external or internal requirements.
To address conformance and compliance issues, the governing body should obtain assurance that information security activities are satisfactorily meeting internal and external requirements by commissioning independent security audits.