ISO 27001 and New York State Department of Financial Services (NYDFS) Cybersecurity Requirements

What are the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements?

The New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (Cybersecurity Requirements, the Regulation, NYDFS Cybersecurity Regulation) came into effect on March 1, 2017, with mandatory certification reporting commencing on February 15, 2018.

The Regulation requires all New York financial institutions to implement cybersecurity programs as protection from data breaches.

On December 12, 2017, Governor Andrew M. Cuomo instructed the New York Department of State to hold consumer credit reporting agencies accountable to the public through the issue of new regulations. Consumer credit reporting agencies must report to the Department of State’s Division of Consumer Protection and respond within ten days to the agency’s requests, on an emergency (such as a data breach) basis, on behalf of consumers.

The new protections demonstrate how New York State is tightening its cybersecurity regulations to protect consumer data.

---

What is ISO 27001?

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) formed a committee of leading experts to document the requirements for an effective ISMS. This document is known as ISO/IEC 27001:2013 or, more commonly, ISO 27001.

ISO 27001 provides a holistic approach to creating an ISMS that encompasses people, processes, and technology. An ISMS is based on regular risk assessments to ensure that threats are identified and treated in an appropriate manner, in line with the organization’s risk appetite.

---

Why ISO 27001?

ISO 27001’s controls cover all sections of the NYDFS Cybersecurity Requirements, and provide additional security measures to strengthen your ISMS while supporting business objectives. Importantly, ISO 27001 requires extensive documentation, which will help your organization achieve certification through the auditing process.

There are a number of supporting documents that provide additional implementation guidance. A particularly useful document is ISO 27002, which provides detailed guidelines for the 114 information security controls identified in Annex A of ISO 27001.

---

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

  Download your copy of ISO 27001:2022 here

  Download your copy of ISO 27002:2022 here

Achieve certification to ISO 27001

ISO 27001 certification demonstrates to your customers and stakeholders that you take cybersecurity seriously. With the increasing frequency of cyber attacks on the financial services industry, brandishing internationally accepted certification demonstrates the effectiveness of your cybersecurity, giving you a competitive advantage.

Citibank, IBM, Microsoft, and the Federal Reserve Bank of New York are just a few of the leading organizations that have implemented ISO 27001, demonstrating their dedication to cybersecurity and protecting customer data.

Find out more about ISO 27001 certification >>