Many data security standards that pre-date ISO 27001 remain in common use
Frequently, data security standards other that ISO 27001 are incorporated into ISMSs (Information Security Management Systems) and auditors on ISMS need knowledge of, and the application of these standards. The most commonly encountered standards are...
PCI-DSS basically addresses payment account data security. If the industry your company belongs to does not receive process and transmit payments online, you do not need to have this standard in your organization.
COBIT or Control Objectives for Information and Related Technology, is not a clear standard per se, but is a framework that links IT initiatives to business requirement s, organizes all IT activities into an accepted business practice model, identifies information resources to be utilized and leveraged, and defines that management control objectives. While COBIT may contain ISO and PCI-DSS standards, COBIT is more into the compliance aspect of doing things, to ensure that all activities, acquisitions and management activities fall within the accepted norms of doing things. It is accepted globally as a guidance tool for good governance of the business for IT and related technologies.
In addition, there are a number of regulatory requirements/standards that may deepending on where products and services are being delivered. These include…
- SOX – The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. There are also a number of provisions of the Act that also apply to privately held companies, for example, the willful destruction of evidence to impede a Federal investigation. The Act, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom. It sets out the responsibilities of a public corporation’s board of directors, adds criminal penalties for certain misconduct, and requires the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.
- HIPAA - The US Health Insurance Portability and Accountability Act of 1996 protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, the Administrative Simplification (AS) provisions, set out policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information.
- COSO - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. In 2013 COSO updated the document ‘Internal Control - Integrated Framework’. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control.
- FISMA – The Federal Information Security Management Act of 2002 is a US federal law that recognises the importance of information security to the economic and national security interests of the United States. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." It requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB).
- FIPS – Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. They establish requirements for various purposes such as ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist. Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
Whether you are part of a Certification Body Audit Team or a member of an internal Audit Team, you will need, as part of Document Review in preparation for the audit, to familiarize yourself with the other security data standards to which the organization subscribes. Such standards must be incorporated into the ISMS and included in the Audit Scope. And this in addition to any applicable ISO standards from the ISO 27000 series other than ISO 27001 and ISO 27002, which automatically apply.
Yes, you can expect to spend considerable time reading yourself into an ISO 27001 audit.