Information Security Compliance

This post explains the concept of information security compliance and related topics.

Compliance is one of the three sub-areas covered in Information Security area of GRC (Governance, Risk and Compliance).

Sources of IT Security Compliance

Compliance comes from the following sources.

Compliance sources:

  1. Regulations
  2. Standards
  3. Contracts
  4. Internal policies

You can find a list of general IT security compliance regulations and Standards on this post.

IT Security Compliance Regulations and Standards

There are many regulations and standards that may apply to our organization.

You can read more about IT security regulations on this post.

IT Security Compliance Standards

You can read about IT security standards for organizations on this post.

International IT Security Compliance Standards:

  • Card Payment
    • Payment Card Industry Data Security Standard (PCI DSS)
    • PA-DSS
    • PCI PIN
    • Point-to-Point Encryption (P2PE)
    • 3-D Secure (3DS)
  • Finance
    • Service Organization Control (SOC)
    • SWIFT Assessment
  • IT Systems Management
    • ISO/IEC 27001: Information Security Management
    • ISO/IEC 27032: Guideline for Cybersecurity
    • ISO 22301: Business Continuity
    • OWASP SAMM (Software Assurance Maturity Model)
  • International Trade Management
    • Authorised Economic Operator (AEO) for Customs

How to manage Compliance within an Organization

The first step would be to identify all the compliance obligations we have in our organization, taking into account the four possible sources we already commented.

An observatory on compliance is a service that provides information about and incoming new compliance sources. The organization can develop processes to check sources of compliance (from official publications, professional organizations, specialized media, etc.) or hire this service.

There are compliance management standards and guidelines as seen in the next section.

Compliance Management Standards and Guidelines

ISO 37301

ISO 37301 “Compliance management systems — Requirements with guidance for use” is a standard issued by the International Standards Organization (ISO). It focuses on building a Compliance management system (CMS).

Unified Compliance Framework (UCF)

Unified Compliance Framework (UCF) is a private framework.

Unified Compliance Framework Official website

Tools to manage Information Security Compliance

You can find a list of tools to manage IT security compliance on this post.

You might also be interested in…

Leave a Reply

Your email address will not be published. Required fields are marked *