Many data security standards other than ISO 27001 remain in common use
Frequently, data security standards other than ISO 27001, and the 47+ subsidiary standards of the ISO 27000 series, are incorporated into Information Security Management Systems (ISMSs). ISMS auditors, and those negotiating with customers on information security issues, need knowledge of these standards and of their use and application. The most commonly encountered standards are:
PCI-DSS addresses payment account data security. If the industry your company belongs to does not receive, process and transmit payments online, you do not need to have this standard in your organization.
COBIT, or Control Objectives for Information and Related Technology, is not a clear standard per se, but a framework that links IT initiatives to business requirements, organizes all IT activities into an accepted business practice model, identifies information resources to be utilized and leveraged, and defines the management control objectives.
While COBIT may contain ISO and PCI-DSS standards, COBIT is more concerned with the compliance aspect: ensuring that all activities, acquisitions and management activities fall within accepted norms.
It is accepted globally as a guidance tool for good governance of the business for IT and related technologies.
Other Information Security Standards
In addition, there are a number of regulatory requirements/standards that may depend on where products and services are being delivered. These include:
- SOX – The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.
A number of provisions of the Act also apply to privately held companies, for example, the willful destruction of evidence to impede a Federal investigation.
The Act, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom.
It sets out the responsibilities of a public corporation’s board of directors, adds criminal penalties for certain misconduct, and requires the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.
- HIPAA – The US Health Insurance Portability and Accountability Act of 1996 protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II of HIPAA, the Administrative Simplification (AS) provisions, sets out policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information.
- COSO – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
- FISMA – The Federal Information Security Management Act of 2002 is a US federal law that recognises the importance of information security to the economic and national security interests of the United States.
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security."
- FIPS – Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.
They establish requirements for various purposes such as ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist.
Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
- SOC – System and Organization Controls, defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over their information systems to the users of those services.
The reports focus on controls grouped into five categories called Trust Service Principles. Additional AICPA guidance materials specify three types of reporting. The five Trust Service Principles are Privacy, Security, Availability, Processing Integrity and Confidentiality. The three types of SOC reports are SOC 1 (Internal Control over Financial Reporting - ICFR), SOC 2 (Trust Services Criteria) and SOC 3 (Trust Services Criteria for General Use Report).
Familiarizing Yourself with Other Information Security Standards
Whether you are part of a Certification Body Audit Team or a member of an internal Audit Team, you will need, as part of document review in preparation for the audit, to familiarize yourself with the other data security standards to which the organization subscribes.
Such standards, where they apply (by choice or by contractual obligation), must be incorporated into the ISMS and included in the Audit Scope. This is in addition to any applicable ISO standards from the ISO 27000 series other than ISO 27001 and ISO 27002, which automatically apply.
Yes, you can expect to spend considerable time reading yourself into an ISO 27001 audit, or preparing yourself for negotiations with a security-conscious customer or prospect (or you might choose to use the services of an expert).
Note: First published Nov 16; revised Oct 20.