There are many data security standards other than ISO 27001

Frequently, cyber security standards other than ISO 27001, and the 47+ subsidiary standards of the ISO 27000 series, are incorporated into Information Security Management Systems (ISMSs).  Auditors of ISMS, and those negotiating with customers on information security issues, need knowledge of, and the use/application of, these standards. While our ISO 27001 training courses don't cover these standards, we discuss here some of the most common standards that you will encounter.

Table of Contents

1. PCI-DSS or the Payment Card Industry Data Security Standard
2. COBIT
3. Other Information Security Standards
   • SOC - System and Organization Controls
   • SOX – The Sarbanes–Oxley Act of 2002
   • HIPAA - The US Health Insurance Portability and Accountability Act
   • COSO - The Committee of Sponsoring Organizations of the Treadway Commission
   • FISMA – The Federal Information Security Management Act of 2002
   • FIPS – Federal Information Processing Standards

PCI-DSS or the Payment Card Industry Data Security Standard

PCI-DSS basically addresses payment account data security. If the industry your company belongs to does not receive, process and transmit payments online, you do not need to have this standard in your organization.

COBIT

COBIT, or Control Objectives for Information and Related Technology, is not a standard as such, but is a framework that links IT initiatives to business requirements, organizes all IT activities into an accepted business practice model, identifies information resources to be utilized and leveraged, and defines the management control objectives.

While COBIT may contain ISO and PCI-DSS standards, COBIT is more concerned with the compliance aspect of doing things to ensure that all activities, acquisitions and management activities fall within the accepted norms of doing things. 

It is accepted globally as a guidance tool for the good governance of the business for IT and related technologies.

Other Information Security Standards

In addition, there are a number of regulatory requirements/standards that may apply depending on where products and services are being delivered.  These include:

• SOC - System and Organization Controls, defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services.

The reports focus on controls grouped into five categories called Trust Service Principles. Additional AICPA guidance materials specify three types of reporting.  The 5 Trust Service Principles are ...

• • Privacy,
  • Security,
  • Availability,
  • Processing Integrity and
  • Confidentiality.  

And the three types of SOC reports are SOC 1 (Internal Control over Financial Reporting - ICFR), SOC 2 (Trust Services Criteria) and SOC 3 (Trust Services Criteria for General Use Report). These Reports continue to be very popular and are frequently asked for by prospective customers.

• SOX – The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

There are also a number of provisions of the Act that also apply to privately held companies, for example, the willful destruction of evidence to impede a Federal investigation.

The Act, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom.

It sets out the responsibilities of a public corporation’s board of directors, adds criminal penalties for certain misconduct, and requires the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.

• HIPAA - The US Health Insurance Portability and Accountability Act of 1996 maintains health insurance coverage for workers and their families when they change or lose their jobs.
  Title II of HIPAA, the Administrative Simplification (AS) provisions, set out policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information.

• COSO -  The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

In 2013, COSO updated the document ‘Internal Control-Integrated Framework’. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control.

• FISMA – The Federal Information Security Management Act of 2002 is a US federal law that recognises the importance of information security to the economic and national security interests of the United States.
  FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security."

• FIPS – Federal Information Processing Standards are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.

They establish requirements for various purposes, such as ensuring computer security and interoperability and are intended for cases in which suitable industry standards do not already exist.

Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).

Familiarizing Yourself with Other Information Security Standards

Whether you are part of a Certification Body Audit Team or a member of an internal Audit Team, you will need, as part of the document review in preparation for the audit, to familiarize yourself with the other security data standards to which the organization subscribes.  

Such standards where they apply (by choice or by contractual obligation)  must be incorporated into the ISMS and included in the Audit Scope.  And this in addition to any applicable ISO standards from the ISO 27000 series other than ISO 27001 and ISO 27002, which automatically apply.

Yes, you can expect to spend considerable time reading yourself into an ISO 27001 audit. Or prepare yourself for negotiations with a security-conscious customer or prospect (or you might choose to use the services of an expert).

Related Articles

• ISO 27001:2022 - facts about the new version
• ISO 27001 Implementation in 31 Steps
• Free ISO 27001 Implementation Handbook (100+ pages)

deGRANDSON Global is an ISO Certified Educational Organization

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.