The New York Department of Financial Services’ (NYDFS) Cybersecurity Requirements began its 180-day transition period on March 1, and financial institutions across the state are making sure they have the measures in place to comply with the Regulation.
Adopting ISO 27001 is one way to achieve compliance. It is the international standard that describes best practice for an information security management system (ISMS), and can be used as a framework to help meet the Cybersecurity Requirements.
How ISO 27001 can help
Clauses 4.2 and 4.3 of ISO 27001 essentially require the ISMS to meet all legal, regulatory, and contractual requirements, which naturally includes the NYDFS Cybersecurity Requirements. As such, compliance with ISO 27001 should streamline NYDFS compliance because it’s already understood, has plenty of resources, and provides a structure for NYDFS compliance.
In our free green paper, NYDFS Cybersecurity Requirements – Part 2: Mapped Alignment with ISO 27001, we break down the Regulation and how ISO 27001 can be used to meet its various requirements.
For instance, the green paper explains how Section 500.02 of the Regulation (Cybersecurity Program) aligns with ISO 27001 – in particular clauses 4 to 6. Likewise, it details how two clauses of ISO 27001 – 5.3 (Organizational roles, responsibilities and authorities) and 9.2 (Internal audit) – are reflected in the Regulation’s requirement to appoint a chief information security officer.
Benefits of ISO 27001
In addition to addressing the Cybersecurity Requirements, an ISO 27001-compliant ISMS can provide further benefits. It will:
- Identify, monitor, and maintain the optimum mix of controls for the changing environment in which you operate.
- Safeguard the integrity of publicly available information as well as the appropriate protection of nonpublic information.
- Adopt whichever control set(s) you deem appropriate – NIST, COBIT®, etc.
- Identify, manage, and reduce the threats that your information faces.
- Improve company culture, help employees to understand risks, and put in place security controls as part of their everyday working practices.
- Improve your security strategy, making your business more productive by setting out information risk responsibilities clearly.
If you are looking to demonstrate your compliance with ISO 27001 and the Cybersecurity Requirements, you can take advantage of a number of IT Governance resources.