Many data security standards other than ISO 27001 remain in common use
Frequently, data security standards other than ISO 27001, and the 47+ subsidiary standards of the ISO 27000 series, are incorporated into Information Security Management Systems (ISMSs). Auditors on ISMS, and those negotiating with customers on information security issues, need knowledge of, and the use/application of these standards. The most commonly encountered standards are:
PCI-DSS basically addresses payment account data security. If the industry your company belongs to does not receive process and transmit payments online, you do not need to have this standard in your organization.
COBIT or Control Objectives for Information and Related Technology, is not a clear standard per se, but is a framework that links IT initiatives to business requirement s, organizes all IT activities into an accepted business practice model, identifies information resources to be utilized and leveraged, and defines that management control objectives.
While COBIT may contain ISO and PCI-DSS standards, COBIT is more into the compliance aspect of doing things, to ensure that all activities, acquisitions and management activities fall within the accepted norms of doing things.
It is accepted globally as a guidance tool for good governance of the business for IT and related technologies.
In addition, there are a number of regulatory requirements/standards that may depending on where products and services are being delivered. These include:
- SOX – The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms.
There are also a number of provisions of the Act that also apply to privately held companies, for example, the willful destruction of evidence to impede a Federal investigation.
The Act, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom.
It sets out the responsibilities of a public corporation’s board of directors, adds criminal penalties for certain misconduct, and requires the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.
- HIPAA - The US Health Insurance Portability and Accountability Act of 1996 protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II of HIPAA, the Administrative Simplification (AS) provisions, set out policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information.
- COSO - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
In 2013, COSO updated the document ‘Internal Control - Integrated Framework’. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control.
- FISMA – The Federal Information Security Management Act of 2002 is a US federal law that recognises the importance of information security to the economic and national security interests of the United States.
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." It requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB).
- FIPS – Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.
They establish requirements for various purposes such as ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist.
Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
SOC - System and Organization Controls, defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles. Additional AICPA guidance materials specify three types of reporting. The 5 Trust Service Principles are Privacy, Security, Availability, Processing Integrity and Confidentiality. And the three types of SOC reports are SOC 1 (Internal Control over Financial Reporting - ICFR), SOC 2 (Trust Services Criteria) and SOC 3 (Trust Services Criteria for General Use Report).
WHAT TO DO
Whether you are part of a Certification Body Audit Team or a member of an internal Audit Team, you will need, as part of document review in preparation for the audit, to familiarize yourself with the other security data standards to which the organization subscribes.
Such standards where they apply (by choice or by contractual obligation) must be incorporated into the ISMS and included in the Audit Scope. And this in addition to any applicable ISO standards from the ISO 27000 series other than ISO 27001 and ISO 27002, which automatically apply.
Yes, you can expect to spend considerable time reading yourself into an ISO 27001 audit. Or preparing yourself for negotiations with asecurity-concious customer or prospect (or you might choose to use the services of an expert).
Note: First published Nov 16; revised Oct 20.