In cyber security, governance is the set of processes, policies and structures designed to align IT security with organisational objectives, in order to protect systems and data while ensuring regulatory compliance.
Key concepts:
- Governance framework: The overall structure that defines roles, responsibilities and decision-making processes for cyber security, including who owns risk decisions and who is accountable for them.
- Security policy: The set of rules and procedures governing the use of information systems and the behaviour expected of users.
- Risk management: The process of identifying, assessing and treating threats to, and vulnerabilities in, information systems, so that security effort is prioritised by impact and likelihood rather than applied uniformly.
- Compliance: Adherence to the information security laws, regulations and standards that apply to the organisation.
- Awareness: Training users in good security practice to reduce the risks associated with the human factor.
Main frameworks and standards commonly used for cybersecurity governance
- ISO/IEC 27001: The international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining and continuously improving an ISMS, and is the one standard in this list against which an organisation can be formally certified.
- NIST Cybersecurity Framework (CSF): Developed in the United States by NIST. It was originally written for operators of critical infrastructure, but its scope now explicitly covers organisations of any sector and size, and it is widely adopted worldwide.
- COBIT (Control Objectives for Information and Related Technologies): A framework for the governance and management of enterprise IT, developed by ISACA.
- CIS Controls: A prioritised set of security controls (18 in version 8; earlier versions listed 20) designed to defend against the most common cyber attacks.
- PCI DSS (Payment Card Industry Data Security Standard): The data security standard that applies to any organisation that stores, processes or transmits payment card data.
- SOC 2 (Service Organization Control 2): An AICPA audit framework for service providers, assessing controls against the Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy.
- GDPR (General Data Protection Regulation; RGPD in French): A regulation rather than a standard, but one with a significant impact on cyber security governance for any organisation that processes the personal data of people in the European Union.
Main certifications for cybersecurity governance
- CISM (Certified Information Security Manager): Professional certification for information security managers, issued by ISACA.
- CISSP (Certified Information Systems Security Professional): A widely recognised certification for cybersecurity professionals, issued by (ISC)².