Which ISO standards are used in data governance?

Krupesh Desai
Data View House
9 min read · Oct 18, 2023

In the Data View House series of simplifying the language of data, I covered why data is perceived as an asset in my last post. However, the meaning of managing data as an asset with data governance varies from organisation to organisation, depending on the data literacy of the senior leadership team and the organisational culture.

The end goal of a data governance program is to comply with regulations while confidently leveraging business data for critical business decisions, such as improving operational efficiency or better understanding customers and markets. Regulatory-driven data governance initiatives seek proven standards for implementing policies and procedures that ensure business data is managed professionally and in compliance with the law. For example, adopting the ISO 27001 standard for information security establishes auditable adherence to the data security obligations the GDPR places on a data controller (the party that collects data).

Note that national authorities can also publish country-specific amendments of ISO standards, as well as independent standards, such as BS 10012:2017+A1:2018 (which supersedes BS 10012:2017), a British standard that specifies a Personal Information Management System (PIMS) for complying with the data protection requirements of the EU's GDPR. Only ISO standards are in the scope of this writing.

“Standard” as a word can be a noun or an adjective with multiple meanings. Of its various dictionary meanings, the most suitable for a data governance standard is “something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality”. The International Standard Organisation (ISO) is the authority that publishes standards with specifications (requirements and controls) for organisations seeking to implement robust data governance practices.

There is an abundance of standards for almost everything if you choose to search the ISO standard library. However, two widely discussed and adopted ISO standards for data governance are ISO 27001 and ISO 8000. IT system engineers and security consultants widely recognise ISO 27001, the standard for information security management systems (ISMS). ISO 8000, by comparison, focuses on data quality management. Along with these two common ISO standards related to data governance, in this blog I have compiled a list of all the ISO standards that I have come across so far in my research.

ISO 8000

ISO 8000 aims to ensure that data used in various contexts (such as business processes, analytics, and decision-making) meets defined quality criteria. It covers the key elements of data quality (syntax, provenance, completion, accuracy and certification), providing a standard against which data quality can be measured as well as certified. An organisation can rely on these specifications to assess its data quality conformance to ISO 8000. The ISO 8000 standard comprises several parts, such as 110, 115 and 120. For example, ISO 8000-115:2018 can guide the formation of identifiers for managing master data, such as a product catalogue.

The ISO 8000 standards, with their comprehensive coverage in parts 100 (introduction), 120 (provenance), 130 (accuracy) and 140 (completeness), are a reliable guide for master data and are used in conjunction with ISO 22745. Parts 1 through 99 address other data quality areas, including governance. For example, ISO 8000-61:2016 specifies the processes required for data quality management. These processes serve as a trusted reference for enhancing data quality and assessing process capability or organisational maturity in data quality management. The ISO 8000 standards are comprehensive and updated regularly. The best place to start an ISO 8000 journey is:

ISO/IEC 38505-1:2017 — A Data Governance Standard

ISO/IEC 38505-1:2017, last reviewed in 2022 and still current (to be replaced by ISO/IEC AWI 38505-1 in future), is a standard specifically for data governance: it provides a set of guidelines for governing data within an organisation. The standard treats data governance as a subset of IT governance, which in turn is a subset of organisational governance, and defines clear responsibilities for the governing body along with oversight mechanisms. At its core, it provides a model for evaluating, directing and monitoring the handling and use of data in an organisation. The standard aims to guide members of the governing body on the effective, efficient and acceptable use of data, with emphasis on the need for accountability at all stages of data handling.

In an IT-led data governance initiative focused primarily on meeting regulatory compliance, this standard can assure stakeholders that, if its principles are followed, they can have confidence in the organisation's data governance. It provides a structured framework for conducting a gap analysis between existing data handling policies and procedures and those defined by the standard. The outcome of this gap analysis should be a comprehensive project plan for implementation based on ISO/IEC TS 38501:2015 (Information technology — Governance of IT — Implementation guide).

ISO 22745

ISO 22745 is a standard for master data based on the NATO Codification System (NCS). It is designed for industry and incorporates a modern data architecture. The focus of ISO 22745 is on defining the requirements for master data that is exchanged between organizations. It specifies data requirements for messages containing master data, including syntax, semantic encoding, and portability. Essentially, ISO 22745 ensures that master data (such as product information, specifications, and identifiers) is accurately represented and shared across different systems and organizations.

ISO 22745 and ISO 8000 are both managed by ISO Technical Committee 184/Subcommittee 4 (Industrial Data). While ISO 22745 focuses on master data exchange, ISO 8000 complements it by providing a framework for assessing and improving data quality. In other words, ISO 22745 provides a means to realize the benefits of ISO 8000 by specifying data requirements for master data exchange.

ISO 3166

ISO standards can also be utilised for consistent external reference data in multiple business applications to reduce the time and effort required for data integration and analytical tasks. A straightforward example could be the ISO 3166 standard, which defines codes for country names. Therefore, implementing available international and national extensions and industry-specific ISO standards for reference data (code-set or lookup values) can be part of the deliverables of the data governance program.
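The reference-data point above is easiest to see in code. The following is an added example, not code from the original post: it validates a `country` attribute arriving from several source systems against an ISO 3166-1 code set and rewrites it to the alpha-2 form. The code table is a constructed subset of ISO 3166-1 (a real deployment would load the full, versioned code set from the organisation's reference-data store), and the alias table, record layout and function names are assumptions. It goes slightly beyond the paragraph by also accepting alpha-3 codes and short names, which is the usual integration problem.

```python
"""Validate and normalise a country attribute against an ISO 3166-1 code set.

Added example, not code from the original post. The code table is a
constructed subset of ISO 3166-1; a real deployment would load the full,
versioned code set from the organisation's reference-data store.
"""
from dataclasses import dataclass, field

# Constructed subset of ISO 3166-1: alpha-2 code -> (alpha-3 code, short name).
ISO_3166_1 = {
    "AU": ("AUS", "Australia"),
    "DE": ("DEU", "Germany"),
    "GB": ("GBR", "United Kingdom"),
    "IN": ("IND", "India"),
    "NZ": ("NZL", "New Zealand"),
    "US": ("USA", "United States"),
}
ALPHA3_TO_ALPHA2 = {a3: a2 for a2, (a3, _) in ISO_3166_1.items()}
NAME_TO_ALPHA2 = {name.lower(): a2 for a2, (_, name) in ISO_3166_1.items()}

# Aliases that source systems commonly emit but that are NOT assigned ISO 3166-1
# alpha-2 codes ("UK" is reserved, not assigned). Keeping this list explicit and
# governed is the point: every accepted spelling is traceable to a decision.
ALIASES = {"uk": "GB"}


@dataclass
class ValidationResult:
    normalised: list = field(default_factory=list)  # records rewritten to alpha-2
    rejected: list = field(default_factory=list)    # (index, raw value) for quarantine


def normalise_country(value):
    """Return the ISO 3166-1 alpha-2 code for a raw value, or None if unknown.

    Accepts alpha-2, alpha-3, the short name, or a governed alias; anything
    else is rejected rather than guessed.
    """
    if value is None:
        return None
    raw = value.strip()
    upper, lower = raw.upper(), raw.lower()
    if upper in ISO_3166_1:
        return upper
    if upper in ALPHA3_TO_ALPHA2:
        return ALPHA3_TO_ALPHA2[upper]
    return NAME_TO_ALPHA2.get(lower) or ALIASES.get(lower)


def validate_records(records, key="country"):
    """Split records into normalised ones and ones to quarantine for data stewards."""
    result = ValidationResult()
    for idx, rec in enumerate(records):
        code = normalise_country(rec.get(key))
        if code is None:
            result.rejected.append((idx, rec.get(key)))
        else:
            result.normalised.append({**rec, key: code})
    return result


# Constructed sample input mimicking two source systems with different conventions.
SAMPLE_RECORDS = [
    {"id": 1, "country": "au"},
    {"id": 2, "country": "GBR"},
    {"id": 3, "country": "United States"},
    {"id": 4, "country": " UK "},
    {"id": 5, "country": "Neverland"},
    {"id": 6, "country": None},
]

if __name__ == "__main__":
    res = validate_records(SAMPLE_RECORDS)
    for rec in res.normalised:
        print("ok        ", rec)
    for idx, raw in res.rejected:
        print("quarantine", idx, repr(raw))
```

Rejected values are quarantined rather than defaulted, so a steward sees every spelling the code set does not cover and decides whether it becomes a governed alias or a data-quality defect in the source.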

ISO/IEC 11179

One more ISO standard worth listing here is the ISO/IEC 11179 metadata registry (MDR) standard, which is widely adopted in the public sector and gradually being adopted by commercial industry. It provides a framework, in seven parts, for representing an organisation's metadata in a metadata registry so that data is understandable and shareable. The Australian Institute of Health and Welfare's Metadata Online Registry (METeOR) is an excellent example of a metadata registry that follows ISO/IEC 11179 guidelines. However, a third-party compliance assessment for metadata registries has yet to be developed. After some initial analysis, you will realise that ISO/IEC 11179 provides guidance to the software developers building the metadata repository. Therefore, if you are implementing a commercial product for metadata management, you can expect the selected product to meet the standard.

ISO 27001:2022

ISO 27001:2022 (previously ISO 27001:2013) is the internationally recognised best practice framework for an Information Security Management System (ISMS). Implementing ISO 27001 is usually a deliverable of information security management under the IT governance program, not solely a data governance deliverable. However, data governance maturity is crucial for complying with ISO 27001 and for ensuring data security, confidentiality and integrity in information management practices. Below is a high-level summary of the critical crossover areas where data governance deliverables meet the requirements and controls recommended in ISO 27001:2022.

1. Data Classification

Data governance often involves classifying data based on sensitivity and importance. This classification is crucial for implementing security measures in line with ISO 27001 requirements, where different levels of protection might be necessary for various categories of data. According to ISO 27001:2022 Annex A Control 5.12, organizations must classify information based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. This classification should align with the organization’s unique business activity without causing unnecessary complexity.

2. Access Control

Data governance defines who has access to data, what they can do with it, and under what circumstances. ISO 27001:2022 Annex A Control 5.15 is a preventive control that recommends that organisations implement secure data access to ensure that only authorised individuals can access and modify data.
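Items 1 and 2 describe one mechanism from two sides: the classification label assigned to data decides the protection it gets, and access control enforces that decision per user and operation. The block below is an added example, not code from the original post, showing a deny-by-default access check driven by the classification label, with every decision written to an audit record. ISO 27001:2022 Annex A Controls 5.12 and 5.15 require classification and access control but do not prescribe the labels, roles, operations or the need-to-know rule used here; all of those are assumptions for illustration.

```python
"""Classification-driven, deny-by-default access check.

Added example, not code from the original post. ISO 27001:2022 Annex A
Controls 5.12 and 5.15 require classification and access control but do not
prescribe the labels, roles or operations used here; all of those are
assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Assumed scheme, ordered so that '>=' reads as 'at least as sensitive as'."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: Classification


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: Classification
    roles: frozenset
    entitlements: frozenset = frozenset()  # RESTRICTED assets this user has a need-to-know for


# Assumed role model: the operations each role may perform.
ROLE_OPERATIONS = {
    "analyst": frozenset({"read"}),
    "steward": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete"}),
}

AUDIT_LOG = []  # every decision, allowed or denied, is recorded for later audit


def is_allowed(principal, asset, operation):
    """Permit only when role, clearance and (for RESTRICTED data) need-to-know all agree."""
    permitted = frozenset().union(*(ROLE_OPERATIONS.get(r, frozenset()) for r in principal.roles))
    reason = None
    if operation not in permitted:
        reason = "role does not grant operation"
    elif principal.clearance < asset.classification:
        reason = "clearance below classification"
    elif asset.classification == Classification.RESTRICTED and asset.name not in principal.entitlements:
        reason = "no need-to-know entitlement"
    AUDIT_LOG.append({"user": principal.user, "asset": asset.name, "operation": operation,
                      "allowed": reason is None, "reason": reason})
    return reason is None


# Constructed assets and principals.
PRICE_LIST = DataAsset("price_list", Classification.PUBLIC)
CUSTOMER_PII = DataAsset("customer_pii", Classification.CONFIDENTIAL)
PAYROLL = DataAsset("payroll", Classification.RESTRICTED)

ALICE = Principal("alice", Classification.INTERNAL, frozenset({"analyst"}))
BOB = Principal("bob", Classification.CONFIDENTIAL, frozenset({"steward"}))
CAROL = Principal("carol", Classification.RESTRICTED, frozenset({"admin"}), frozenset({"payroll"}))
DAVE = Principal("dave", Classification.RESTRICTED, frozenset({"admin"}))

if __name__ == "__main__":
    for who, what, op in [(ALICE, PRICE_LIST, "read"), (ALICE, CUSTOMER_PII, "read"),
                          (BOB, CUSTOMER_PII, "write"), (BOB, CUSTOMER_PII, "delete"),
                          (DAVE, PAYROLL, "read"), (CAROL, PAYROLL, "delete")]:
        is_allowed(who, what, op)
    for entry in AUDIT_LOG:
        print(entry)
```

The three checks are deliberately independent: a broad role does not override a low clearance, and the highest clearance still does not reach RESTRICTED data without a named entitlement. The denial reason recorded in the audit log is what makes the later audit (item 5) and incident investigation (item 6) tractable.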

3. Risk Management

ISO 27001 requires organisations to identify and assess security risks to business data and information in clauses 6.1, 6.2, 7.5 and 8.3. Data governance helps in understanding the value and sensitivity of data, which is essential for risk assessment and for determining the appropriate security measures.

4. Data Protection

To meet ISO 27001, organisations must establish a framework for protecting their information assets, including data, as required by Controls 5.33 and 5.34.

ISO 27001:2022 Annex A Control 5.33 — Protection of Records requires records to be safeguarded from loss, damage or destruction. Organisations are expected to proactively implement measures that prevent these risks and ensure the integrity and availability of their records.

ISO 27001:2022 Annex A Control 5.34 — Privacy and Protection of PII focuses on the privacy and protection of Personally Identifiable Information (PII). It sets out preventive measures, guidelines and procedures for complying with the legal, statutory, regulatory and contractual obligations that apply to the storage, privacy and protection of PII in all its forms.

It is worth noting the ISO/IEC 27701:2019 standard here, which serves as a data privacy extension to ISO 27001. It provides a framework for organisations to establish systems that facilitate compliance with the GDPR and other data privacy regulations. Also known as a Privacy Information Management System (PIMS), it outlines guidelines for managing PII by both PII controllers and PII processors.

5. Audits and Compliance

ISO 27001 includes provisions for regular internal and external audits. Embedded data governance with ongoing business processes and activities can ensure that data-related policies and procedures align with ISO 27001 requirements, making audits efficient and effective.

6. Incident Response

The presence of formal data governance in an organisation plays a vital role in identifying and mitigating data-related incidents. ISO 27001:2022 Annex A Controls 5.24 to 5.30 (listed below) provide a broader framework for managing information security incidents, events and weaknesses.

  • 5.24 Information Security Incident Management Planning and Preparation
  • 5.26 Response to Information Security Incidents
  • 5.27 Learning from Information Security Incidents
  • 5.28 Collection of Evidence
  • 5.29 Information Security During Disruption
  • 5.30 ICT Readiness for Business Continuity

7. Data Retention

Publishing and enforcing policies and procedures for data retention and archival are critical deliverables of data governance, and they are shaped by business needs and regulatory obligations. ISO 27001:2022 Annex A Technology Control 8.10 — Information Deletion addresses data erasure and destruction within organisations. It emphasises removing data stored on internal servers, hard drives, arrays and USB drives once it is no longer necessary. This obligation extends to data related to employees, users, customers and the organisation itself. Key aspects covered by Control 8.10 include:

  • Maintenance activities: organisations should actively manage the deletion and destruction of data and IT assets.
  • Specialised software: use of specialised software for secure data erasure.
  • Vendor liaison: collaboration with vendors specialising in data and device deletion.
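A retention policy only becomes a Control 8.10 deliverable once something evaluates it on a schedule and produces a worklist plus evidence of what was erased. The block below is an added example, not code from the original post: it evaluates a small, constructed retention schedule against sample records, separates what is due for deletion from what must be held or escalated, and builds the audit entry that proves a deletion happened. The categories, retention periods, `purpose_ended` field and `legal_hold` flag are assumptions; real periods come from the organisation's retention schedule and legal obligations.

```python
"""Retention-policy evaluation producing a deletion worklist and erasure evidence.

Added example, not code from the original post. The categories, retention
periods and record layout are assumptions for illustration; real periods come
from the organisation's retention schedule and legal obligations.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule: days to keep a record after its business purpose ends.
RETENTION_DAYS = {
    "customer_pii": 730,    # 2 years
    "transaction": 2555,    # 7 years
    "marketing_lead": 180,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_ended: date        # date the business need for the record ended
    legal_hold: bool = False   # an active hold always blocks deletion


def retention_status(rec, today):
    """Classify a record as 'retain', 'delete', 'hold' or 'unclassified'.

    A record with no policy is never deleted silently; it is escalated to a
    data steward instead, because an unknown category is a governance gap.
    """
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        return "unclassified"
    if rec.legal_hold:
        return "hold"
    expiry = rec.purpose_ended + timedelta(days=days)
    return "delete" if today >= expiry else "retain"


def deletion_worklist(records, today):
    """Return (ids due for deletion, ids needing steward review) as of a given date."""
    due, review = [], []
    for rec in records:
        status = retention_status(rec, today)
        if status == "delete":
            due.append(rec.record_id)
        elif status == "unclassified":
            review.append(rec.record_id)
    return due, review


def erasure_evidence(record_id, method, today):
    """Build the audit entry that records how and when a deletion was carried out."""
    return {"record_id": record_id, "method": method, "deleted_on": today.isoformat()}


# Constructed sample records and evaluation date.
SAMPLE_RECORDS = [
    Record("r1", "customer_pii", date(2022, 1, 15)),
    Record("r2", "transaction", date(2020, 3, 1)),
    Record("r3", "marketing_lead", date(2024, 2, 1)),
    Record("r4", "customer_pii", date(2021, 6, 1), legal_hold=True),
    Record("r5", "sensor_log", date(2019, 1, 1)),   # no policy defined -> escalate
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    due, review = deletion_worklist(SAMPLE_RECORDS, AS_OF)
    print("due for deletion:", due)
    print("needs steward review:", review)
    for rid in due:
        print(erasure_evidence(rid, "crypto-shred", AS_OF))
```

Two choices matter for auditability: a legal hold wins over an expired retention period, and a record whose category has no policy is escalated rather than either kept forever or deleted by default. The evidence entry is what an auditor asks for when checking that the deletion policy is actually executed.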

8. Employee Training

ISO 27001:2022 Annex A People Control 6.3 — Information Security Awareness, Education and Training emphasises the importance of information security awareness, education and training for staff. It highlights the need for suitable instruction, including regular policy refreshers tailored to staff members' specific roles. Organisations can enhance their overall security posture by ensuring that employees are well informed about security practices. Data governance policies can encompass these training elements, ensuring that employees understand their responsibilities regarding data security.

9. Continual Improvement

ISO 27001:2022 Requirements Clause 10.2 emphasises the need for a culture of continuous improvement in information security. An effective data governance program assists an organisation in evolving data management practices to meet changing security needs and industry best practices.

Conclusion

Implementation of ISO standards is the gateway to auditable adherence to regulatory obligations, while also enriching trust and confidence in business data for analytical and diagnostic use cases. Therefore, when initiating a data governance program, one should assess the desirability, viability and feasibility of leveraging ISO standards. Please also note that ISO certification is possible only for standards with listed requirements (e.g. ISO 27001), not for standards that provide only best practices or guidelines (e.g. ISO 38505).

From the Data View House perspective, I see application of ISO standards across the “Datum to Intelligence” journey in four phases, i.e. Origin -> Storage -> Process -> Access, and will continue my research to scope out the applicable ISO standards across these four phases in my Data View House framework for data management.

Krupesh Desai, Data View House: Certified Data Management Professional. Solving data-intensive problems and creating value. Sharing the Data View House™ school of thought.