Cyber security standards other than ISO 27001 and the 47+ subsidiary standards of the ISO 27000 series are frequently incorporated into Information Security Management Systems (ISMSs). ISMS auditors, and those negotiating with customers on information security issues, need to know these standards and how they are used and applied. While our ISO 27001 training courses don't cover these standards, we discuss here some of the most common ones that you will encounter.
PCI-DSS addresses payment account data security. If the industry your company belongs to does not receive, process and transmit payments online, your organization does not need this standard.
COBIT, or Control Objectives for Information and Related Technology, is not a standard as such, but is a framework that links IT initiatives to business requirements, organizes all IT activities into an accepted business practice model, identifies information resources to be utilized and leveraged, and defines the management control objectives.
While COBIT may contain ISO and PCI-DSS standards, it is more concerned with compliance: ensuring that all activities, acquisitions and management activities fall within accepted norms.
It is accepted globally as a guidance tool for the good governance of the business for IT and related technologies.
In addition, there are a number of regulatory requirements/standards that may apply depending on where products and services are being delivered. These include:
SOC - System and Organization Controls, defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services.
The reports focus on controls grouped into five categories called Trust Service Principles. Additional AICPA guidance materials specify three types of reporting. The 5 Trust Service Principles are ...
And the three types of SOC reports are SOC 1 (Internal Control over Financial Reporting - ICFR), SOC 2 (Trust Services Criteria) and SOC 3 (Trust Services Criteria for General Use Report). These Reports continue to be very popular and are frequently asked for by prospective customers.
There are also a number of provisions of the Act that apply to privately held companies, for example, those on the willful destruction of evidence to impede a Federal investigation.
The Act, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom.
It sets out the responsibilities of a public corporation’s board of directors, adds criminal penalties for certain misconduct, and requires the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.
In 2013, COSO updated the document ‘Internal Control-Integrated Framework’. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control.
They establish requirements for various purposes, such as ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist.
Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
Whether you are part of a Certification Body Audit Team or a member of an internal Audit Team, you will need, as part of the document review in preparation for the audit, to familiarize yourself with the other security data standards to which the organization subscribes.
Such standards, where they apply (by choice or by contractual obligation), must be incorporated into the ISMS and included in the Audit Scope. This is in addition to any applicable ISO standards from the ISO 27000 series other than ISO 27001 and ISO 27002, which automatically apply.
Yes, you can expect to spend considerable time reading yourself into an ISO 27001 audit, or preparing yourself for negotiations with a security-conscious customer or prospect (or you might choose to use the services of an expert).
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.