The ISO 27001 standard requires organizations to assess the risks to their information assets and select appropriate security controls to mitigate those risks. The standard also provides a list of security controls for organizations to use. ISO 27002 provides guidelines on how to implement the security controls listed in ISO 27001:2013. ISO 27001:2013 allows organizations to integrate requirements from multiple regulations (e.g. SOX, HIPAA) into a single Information Security Management System (ISMS) and manage it as one system, as opposed to managing multiple systems in isolation.
ISO 27001:2013 is applicable to all types of businesses regardless of size, complexity and geographic location. This is especially important for businesses dealing with confidential information, including banking and financial firms, healthcare organizations and IT services companies.
Why ISO/IEC 27001?
- Assures compliance with a range of regulatory requirements such as HIPAA, FISMA, GLBA, etc.
- Establishes the general controls required for SOX and SSAE 16-type audits
- Globally recognized as a standard for ISMS
- Applicable to all organizations regardless of size, type or nature
- Continual assessment helps to keep security controls effective
- Increased customer confidence
- Ability to quickly detect and isolate any security breach
General Data Protection Regulation (GDPR)
The GDPR requires safeguards and measures for protecting personal data, ensuring safe data processing, and managing notifications of potential breaches.
It applies to organizations collecting, processing, or storing the personal data of EU or EEA citizens. This regulation also applies to:
- Organizations with a physical presence in at least one member state of the European Union.
- Organizations located outside the EU that offer services to, monitor, or process the data of data subjects in the European Union.
There is a considerable amount of overlap between the controls provided in GDPR and the controls provided in Annex A of ISO 27001. Additional controls from GDPR can be added to the Statement of Applicability (SOA) during the ISO 27001 registration audit. The registration scope statement will then state that the SOA includes controls from GDPR.
Want to learn more about GDPR? Take a look at our March 2018 recorded webinar.
NIST 800 Series
The National Institute of Standards and Technology (NIST) has published a series of special publications on information security standards for federal government sectors.
The most commonly referenced publications are:
- NIST SP 800-53: Recommended Security Controls for Federal Information Systems
- NIST SP 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations
NIST standards are developed for government organizations to secure their information systems. There is no certification scheme available based on the NIST standards. Contractors are now required to comply with NIST SP 800-171 within set target deadlines. Very often the government also requires contractors to comply with NIST SP 800-53.
If an organization does not wish to pursue ISO 27001 registration, DQS can conduct an independent conformity assessment against the NIST standard. After a successful assessment, DQS will issue a “Letter of Conformance (LOC)” and a detailed assessment report as evidence of conformance to the applicable NIST standard. The assessment report and LOC are valid for one year. Reassessment is required for continuous evidence of conformance.