This post explains the concept of information security compliance and related topics.
Compliance is one of the three sub-areas covered in the Information Security area of GRC (Governance, Risk and Compliance).
Sources of IT Security Compliance
Compliance comes from the following sources:
- Regulations
- Standards
- Contracts
- Internal policies
You can find a list of general IT security compliance regulations and standards in this post.
IT Security Compliance Regulations and Standards
There are many regulations and standards that may apply to our organization.
You can read more about IT security regulations in this post.
IT Security Compliance Standards
You can read about IT security standards for organizations in this post.
International IT Security Compliance Standards:
- Card Payment
  - Payment Card Industry Data Security Standard (PCI DSS)
  - PA-DSS
  - PCI PIN
  - Point-to-Point Encryption (P2PE)
  - 3-D Secure (3DS)
- Finance
  - Service Organization Control (SOC)
  - SWIFT Assessment
- IT Systems Management
  - ISO/IEC 27001: Information Security Management
  - ISO/IEC 27032: Guideline for Cybersecurity
  - ISO 22301: Business Continuity
  - OWASP SAMM (Software Assurance Maturity Model)
- International Trade Management
  - Authorised Economic Operator (AEO) for Customs
How to manage Compliance within an Organization
The first step is to identify all the compliance obligations that apply to our organization, taking into account the four possible sources already mentioned.
A compliance observatory is a service that provides information about current and upcoming compliance sources. The organization can either develop its own processes to monitor sources of compliance (official publications, professional organizations, specialized media, etc.) or hire this service.
There are compliance management standards and guidelines as seen in the next section.
Compliance Management Standards and Guidelines
Compliance management standards and guidelines:
- ISO 37301
- Unified Compliance Framework (UCF)
ISO 37301
ISO 37301 “Compliance management systems — Requirements with guidance for use” is a standard issued by the International Standards Organization (ISO). It focuses on building a compliance management system (CMS).
Unified Compliance Framework (UCF)
Unified Compliance Framework (UCF) is a private framework.
Unified Compliance Framework Official website
Tools to manage Information Security Compliance
You can find a list of tools to manage IT security compliance in this post.