A governance framework for cyber security
IEC 2022-08-25

According to a joint study from Stanford University and the security firm Tessian, 85 per cent of data breaches are caused by human error. That is why an effective cyber security strategy must address not only processes and technology but also people.

Ensuring that security practices and procedures are properly maintained relies on an efficient governance model, such as the one outlined in ISO/IEC 27014. This standard defines cyber security governance as the "system by which an organization's information security systems are directed and controlled".

It is the job of all managers in an organization to implement the relevant policies and principles in their departments. Unfortunately, senior executives in some organizations continue to believe that cyber security is a problem for the IT department.

An organization's CEO plays an important role in defining the values of an organization. He or she has the power and influence to make cyber security an important part of the organizational culture.

Lack of awareness about risk issues is a sign of a weak cyber security culture. It can be easily remedied with training and capacity building activities, which should start at the new employee induction stage.

ISO/IEC 27014 recommends training and awareness programs to establish a positive information security culture. The standard recommends roles and responsibilities for executive management and boards of directors in all types and sizes of organizations.

The objectives of the standard are to "align security program and business objectives and strategies, deliver value to stakeholders and the board, and ensure information risks are adequately managed".

The standard defines six overarching governance principles, which are defined as "accepted rules for governance action or conduct that act as a guide for the implementation of governance":

  1. establish organization-wide information security
  2. adopt a risk-based approach
  3. set the direction of investment decisions
  4. ensure conformance with internal and external requirements
  5. foster a security-positive environment
  6. review performance in relation to business outcomes

It also defines five governance processes, which are "a series of tasks enabling the governance of information security and their interrelationships": evaluate, direct, monitor, communicate and assure. Together, these principles and processes form the governance of information security.

IEC develops cyber security standards and conformity assessment for both information technology (IT) and operational technology (OT). These include two of the world's best-known cyber security standards: IEC 62443 for cyber-physical systems and ISO/IEC 27001 for IT systems.

IEC 62443 also calls for regular training for all employees to minimize the risks caused by human error.

Conformity assessment provides further security by ensuring that the standards are implemented correctly: IECEE certification for IEC 62443 and IECQ for ISO/IEC 27001.

(Source: IEC)