iso27diy-corp/Corpus/Standards/ISO27x/Governance model for Policies and Controls.md


Governance model for the ISMS, its Policies and Controls

Based on ISO 27001 and ISO 27002, a governance model for your ISMS should be structured around Top Management's accountability while delegating the tactical execution to specific information security roles.

See Basic ISMS governance model for a condensed version.

Here is a suggested governance model mapping the lifecycle of security policies (commissioning, drafting, approving, etc.) to the specific roles mandated by the standards.

1. Top Management

Primary Mandate: Commissioning, Approving, and Signing Off.

In the ISO 27001 framework, Top Management holds the ultimate accountability. They do not necessarily write the policies, but they must authorize them to ensure they align with business strategy.

  • Commissioning: Top management must ensure the information security policy is established and compatible with the strategic direction of the organization.
  • Signing Off / Approving: They must formally approve the information security policy. Any changes to the high-level policy must also be approved by them.
  • Resourcing: They are responsible for ensuring the resources needed for the ISMS are available.

 see C.5.1, A.5.1

2. Information Security Manager / Competent Personnel

Primary Mandate: Drafting, Advising, and Reviewing.

This role (often assigned to a CISO, Security Manager, or a specialized committee) functions as the architect of the system.

  • Drafting: The development of policies should be allocated to personnel with the appropriate technical competency. They draft the "Information Security Policy" (high-level) and "Topic-Specific Policies" (e.g., Access Control, Backup).
  • Advising / Consulting: This role provides subject matter expertise. They may seek advice from external subject matter experts or special interest groups to ensure policies match best practices and current threats.
  • Reviewing: They must review policies at planned intervals or when significant changes occur (e.g., new technologies, new risks) to ensure continued suitability.

3. Line Management / Function Owners

Primary Mandate: Consulting and Enforcing.

Managers throughout the organization (HR, IT, Operations) act as the bridge between the policy and the employees.

  • Consulting: While the security team drafts policies, line managers should be consulted to ensure the policies are practical and do not conflict with operational efficiency.
  • Enforcing: Management requires all personnel to apply information security in accordance with the established policies. They are responsible for ensuring their teams are properly briefed on these roles. see A.5.4

4. All Personnel and Interested Parties

Primary Mandate: Acknowledging and Adhering.

  • Acknowledging: Once a policy is published and communicated, recipients (employees and relevant external parties) should be required to acknowledge they understand and agree to comply.
  • Adhering: Personnel must apply the policies in their daily work. see A.5.4

Governance Workflow: The Policy Lifecycle

To operationalize this model, you can organize your governance activities into the following lifecycle stages, as supported by ISO 27002:

| Governance Activity | Responsible Role |
| --- | --- |
| 1. Commissioning | Top Management directs that a policy be created to address business needs, risks, or regulations. |
| 2. Drafting | Security Manager/Specialist writes the content. This includes creating Topic-Specific Policies (e.g., Access Control, Clear Desk). |
| 3. Consulting | Subject Matter Experts (Legal, HR, IT) review the draft to ensure technical feasibility and legal compliance. |
| 4. Approving | Top Management formally signs off. For lower-level Topic-Specific Policies, approval may be delegated to an appropriate level of management (e.g., IT Director approving the Backup Policy). |
| 5. Communicating | Security Manager/HR publishes the policy in a format accessible to all employees and relevant external parties. |
| 6. Acknowledging | All Personnel sign or digitally acknowledge that they have read and understood the policy. |
| 7. Reviewing | Security Manager re-evaluates the policy at planned intervals or after significant changes (e.g., a security incident). |

These can be deduced from C.5.1, A.5.1, C.0.1, and C.0.2

Analogy: The Legislative Process

To visualize this governance model, consider the passing of a Law (Policy) in a city:

  • Top Management is the City Council/Mayor: They commission the law ("We need a law to stop speeding") and give the final signature to make it valid (Approving). They don't usually write the legal text themselves.
  • The Security Manager is the Drafting Committee/Legal Counsel: They research traffic data, write the specific legal text, and ensure it doesn't contradict existing laws (Drafting/Advising).
  • Line Managers are the District Captains: They make sure their specific precincts know about the new law and enforce it (Enforcing).
  • Employees are the Citizens: They must read the notification of the new law and drive within the speed limit (Acknowledging/Adhering).

Roles and Responsibilities mentioned in ISO 27001

Based on ISO 27001 and the supporting guidance in ISO 27002 and ISO 27000, the standards identify several distinct ownership and management roles necessary for the effective governance of information security.

These roles are categorized into high-level governance, specific ownership accountabilities, and operational responsibilities.

1. Top Management

Top management is defined as the person or group of people who directs and controls the organization at the highest level. They hold the ultimate accountability for the ISMS.

  • Responsibilities: They are responsible for establishing the information security policy, ensuring it is compatible with the strategic direction of the organization, and ensuring necessary resources are available.
  • Delegation: Top management must ensure that responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.
  • Review: They must review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.

(More on Leadership Responsibilities here).

2. Ownership Roles

The standards distinguish between general management and "ownership," which implies specific accountability for risks and assets.

A. Risk Owners

  • Definition: A risk owner is a person or entity with the accountability and authority to manage a specific risk.
  • Key Mandate: ISO 27001 explicitly requires the organization to identify risk owners during the risk assessment process.
  • Authority: Risk owners are responsible for approving the information security risk treatment plan and accepting any residual information security risks.

B. Asset Owners

  • Definition: While not strictly defined in the vocabulary standard (ISO 27000), ISO 27002 requires that an inventory of assets be maintained and that "ownership" of these assets be assigned to an individual or group.
  • Responsibilities: The asset owner is responsible for the proper management of an asset over its entire lifecycle. Specific duties include:
    • Ensuring assets are inventoried and classified.
    • Establishing requirements for acceptable use.
    • Reviewing access restrictions and classifications periodically.
    • Authorizing proper disposal or deletion of data.
  • Delegation: Asset owners may delegate daily tasks (e.g., to a custodian looking after the asset), but the owner remains accountable for the asset's protection.

3. Operational and Specific Security Roles

While ISO 27001 allows organizations to define roles based on their needs, the standards specifically reference or imply the following functional roles:

  • Information Security Management Function: ISO 27001 requires the assignment of responsibility for ensuring the ISMS conforms to requirements and for reporting on its performance to top management. In practice, this is often the Information Security Manager or CISO.
  • Privacy Officer: ISO 27002 suggests that compliance with privacy regulations is often best achieved by appointing a responsible person, such as a privacy officer, to provide guidance to personnel.
  • Project Management / Steering Committee: ISO 27002 advises that information security should be integrated into project management, with follow-ups performed by governance bodies such as a project steering committee.
  • Auditors: ISO 27001 mandates internal audits, requiring the selection of auditors who can ensure objectivity and the impartiality of the audit process.
  • System Administrators / Privileged Users: ISO 27002 highlights the need to identify and manage users with "privileged access rights" (e.g., system administrators) who can override system or application controls.

Summary of Accountability vs. Responsibility

To apply this to your governance model:

  • Top Management provides the mandate and resources.
  • Risk Owners provide the authorization for how risks are handled.
  • Asset Owners define the protection requirements for the data they own.
  • Security Roles/Personnel execute the controls and day-to-day operations.

Roles and Responsibilities regarding Controls

Based on ISO 27001 and ISO 27002, the roles and responsibilities regarding the lifecycle of controls (implementing, monitoring, establishing effectiveness, and evaluating) are distributed across several levels of the organization.

The standards define these responsibilities as follows:

1. Top Management

Top management holds the ultimate accountability for the system's success but delegates specific tasks.

  • Implementing: They must ensure that the resources needed for the ISMS (and by extension, the controls) are available and that ISMS requirements are integrated into the organization's processes. see C.5.1
  • Monitoring & Effectiveness: They must assign responsibilities for reporting on the performance of the ISMS. see C.5.3
  • Evaluating: They are required to review the ISMS at planned intervals (Management Review) to ensure its continuing suitability, adequacy, and effectiveness. see C.9.2.2, C.9.3.1

2. Risk Owners

Risk owners are central to the decision-making process regarding which controls are applied.

  • Implementing: They are responsible for approving the information security risk treatment plan. This effectively means they authorize the implementation of the controls selected to modify risks.
  • Establishing Effectiveness: They must accept any residual information security risks that remain after controls have been implemented.

see C.6.1.3 and Note 2 to 3.62 (risk acceptance).

3. Asset Owners

ISO 27002 places significant operational responsibility on the owners of assets.

  • Implementing: They are responsible for the proper management of an asset over its entire life cycle. This includes ensuring assets are properly classified and protected.
  • Monitoring: They must review access restrictions and classifications periodically to ensure they remain effective.

see A.5.9

4. Managers (Line Management)

Managers play a critical role in enforcing controls within their specific areas of operation.

  • Implementing: Management should require all personnel to apply information security in accordance with established policies and procedures. They are responsible for ensuring personnel are properly briefed on their roles prior to being granted access to information.
  • Monitoring & Effectiveness: Managers should regularly identify and review whether information security requirements are being met within their area of responsibility. If non-compliance is found, managers must identify causes, evaluate the need for corrective action, and implement it.

see A.5.4, A.5.5, A.5.6, A.5.36

5. Information Security Management Function

While individual managers implement controls, a specific security function (often an Information Security Manager) provides oversight and specialized support.

  • Implementing: This role often takes overall responsibility for the development and implementation of information security, supporting the identification of risks and mitigating controls.
  • Monitoring: They may assist in monitoring activities, such as reviewing logs or managing vulnerability processes.

see A.5.2, A.8.8

6. Internal Auditors and Independent Reviewers

These roles are strictly focused on evaluation and verification.

  • Evaluating: The organization must conduct internal audits to provide information on whether the ISMS conforms to requirements and is effectively implemented and maintained.
  • Effectiveness: An independent review (by internal audit or an external party) assesses the organization's approach to managing information security and its implementation to ensure continuing suitability and effectiveness.

see C.9.2.1, C.9.2.2, A.5.35

7. All Personnel

  • Implementing: All employees are required to apply information security in accordance with established policies and procedures.
  • Monitoring: They contribute to monitoring by reporting observed or suspected information security events (e.g., ineffective controls, human errors, or non-compliance) through established channels.

see A.5.4, A.5.5, A.5.6, A.6.8


Summary Table of Responsibilities

| Role | Implementation | Monitoring & Effectiveness | Evaluation |
| --- | --- | --- | --- |
| Top Management | Provides resources and mandate. | Reviews performance reports. | Conducts Management Review. |
| Risk Owner | Approves the risk treatment plan. | Accepts residual risk. | Reviews risk status. |
| Asset Owner | Ensures proper protection of assets. | Periodically reviews access and classification. | Verifies asset inventory accuracy. |
| Line Manager | Enforces policies with staff. | Regularly reviews compliance; initiates corrective action. | Reports review results to independent reviewers. |
| Internal Auditor | N/A (must remain independent). | N/A | Tests conformity and effectiveness. |

Analogy: The City Infrastructure

To visualize these roles regarding controls (e.g., traffic lights and speed bumps):

  • Top Management (City Council): Allocates the budget for road safety and reviews annual safety reports to see if the city is safer (Evaluation).
  • Risk Owner (City Planner): Decides that a specific intersection is dangerous and authorizes the installation of traffic lights (Implementing/Approving Treatment).
  • Asset Owner (Road Maintenance Chief): Ensures the traffic lights are actually installed, cataloged, and working correctly on a daily basis (Implementing/Monitoring).
  • Line Manager (Precinct Captain): Ensures their officers are enforcing traffic laws and that the officers themselves obey speed limits (Monitoring Compliance).
  • Internal Auditor (Inspector General): Independently checks if the traffic lights meet legal codes and if the police are actually issuing tickets as reported, without fixing the lights themselves (Evaluating).