PCI DSS. SOC 1 and 2. COBIT® 5. NIST CSF. NIST SP 800-53. NY SHIELD. NYDFS. ISO 27001. What are they and what do they have in common? Why should you care? How do you choose between them?
They are an incomplete list of information/cybersecurity frameworks and standards, which represent attempts by various organizations to help companies protect the data they collect, store, and process. And the main reason you should care is that they’ll help you keep your organization in business, and your job.
In law and economics, the probability of a crime being committed depends on the probability of getting caught, the potential rewards, and the severity of the punishment. For criminal hackers, the probability of getting caught is slight and the rewards can be enormous. One type of ransomware alone, Ryuk, is estimated to have earned its users $3 billion. The question isn’t if you will get hacked, but when.
But what can you do about it? Organizations often mistakenly believe that the only solution is to use technology, and that the best protection is to buy the latest equipment. However, most hacks involve the most vulnerable part of the organization: your staff.
Security is also about knowledge. Technology can be great if it is properly configured and maintained, but often it isn’t – with disastrous consequences.
Which security framework is the most useful?
So which framework or standard is the best? The problem with most of them is that they were not designed for your business. The PCI DSS (Payment Card Industry Data Security Standard), as the name implies, was created for the benefit of the payment card industry, not your organization. SOC, popular in the U.S., was designed to benefit the people who created it: accountants. COBIT is a framework created by ISACA® for IT governance. NIST was created by the U.S. government. Only ISO 27001 was created by global industry to suit global needs.
ISO 27001 stands out because it is not a stand-alone system. It is part of a system made up of more than 21,580 standards, with members in 162 countries and 788 technical bodies for standard development. Whatever your organization does and wherever it does business, there is an ISO standard to help you.
The most important part of the ISO infrastructure is the certification process. Customers don’t know how well you make a product or how strong your cybersecurity infrastructure is unless it is certified. Certification is a demanding process executed by internationally accredited independent bodies. It requires constant maintenance, audits, and recertification, so that your customers or regulators anywhere in the world are assured of the most robust protections for data.
Why ISO 27001?
The most important thing to remember about any ISO system is that unlike other standards, it is an information security management system. It is not a checklist like the PCI DSS or SOC. It requires the organization to manage its system and constantly improve it. Indeed, Clause 9 requires three things: the organization that implements the standard to measure and monitor the system (9.1), the organization to audit the system (9.2), and the organization’s management to review the audits and take appropriate action (9.3). Institutionalizing these three actions mandates that the system is constantly reviewed. Issues should not be forgotten or ignored. If the organization is to maintain its certification, it must act.
Of course, all the other clauses are important too, but what ISO offers ensures that the system that is created is created for your organization. Not for your credit card provider. Not for your accountants. Clause 6.1.2 requires that the organization determines its risks and opportunities, and then chooses the controls it needs (Clause 6.1.3). Many organizations believe that the controls listed in ISO 27001 Annex A are exclusive and mandatory. Nothing could be further from the truth. The Standard requires that the organization select controls appropriate for its regulatory environment, business requirements, and risks.
ISO 27001 is great for cybersecurity, but that isn’t why organizations choose it. They implement it for one reason: It is even better for their customers and partners, resulting in the organization getting more business.
So really there is only one choice. For any organization anywhere that wants to protect its information and grow its business, ISO 27001 ensures that it implements, and keeps, the standard best suited to it.