This website uses cookies. View our cookie policy
Close
USA
Select regional store:
Please enter more than 3 characters
Save 15% on ISO 27001 products and services by taking our 3 minute survey. T&Cs apply. Start the survey >>
Compliance

Governance and Regulatory Compliance

Organizations face an ever increasing list of statutory, regulatory, contractual and legal compliance obligations.

Compliance issues should concern the board, not just the IT department, and include issues of Data Governance, the Data Protection Act, Operational Risk, Information Security, Best Practice and Basel II/III.

Learn more about regulatory compliance and which affect your organization.

Common Compliance Requirements

In today's complex regulatory environment, organizations must:

  • Grapple with the complexities, costs and overlaps of governance requirements (Combined Code, Turnbull, Sarbanes Oxley, Basel II, etc.);
  • Comply with a wide range of information-related regulation, from the EU GDPR to GLBA, HIPAA, PIPEDA and the Computer Misuse Act; and
  • Deal with an increasing exposure to rapidly mutating, sophisticated threats to their information and information assets, which exploit a diversity of technical vulnerabilities in IT systems as well as loopholes in procedures and the behavioural characteristics of employees.

The table below lists the most common compliance regulations that organisations have to comply with, what security areas they cover and the compliance requirements:

Regulations Who Needs to Comply Security Areas Covered Compliance Requirements

HIPAA

US healthcare organizations and partners

Creating, storing and transmitting electronic protected health information

All major "Best Practice Security" areas

Sarbanes Oxley (SOX) & Acctg Standards COSO, COBIT®, SAS

US public companies

Defined to secure the public against corporate fraud and misrepresentation

All major "Best Practice Security" areas

PCI DSS
(Also Covered by Breach Laws)

Merchants who take credit cards

Privacy of Customer Financial Data

Varies by size of merchant, requires Best Practices plus 3rd Party Quality Risk Assessments

GLBA - Federal Law 106 - 102 FDIC/FFIEC Guidelines FACT U.S. Patriot Act (2001)

US financial institutions

Financial Services Act - Privacy of Personal Info. Safety of Internet based Products & Services Fair and Accurate Credit Transactions Anti – Terrorism

"Best Practices", Security Two-Factor Authentication, ensure Accuracy & Safety Identity Verification

Breach Laws in 31 US States Including California SB 1386

Any company storing, or accessing private consumer data

Consumer Privacy - Security Breach Acts

All major "Best Practices Security" areas

EU Data Protection Act and Privacy Regulations

Any EU organisation holding personal data

Personal data

All major best practice areas

Federal Information Security Management Act of 2002 (FISMA)

US Federal agencies

Information and IT systems

NIST has developed its six-step Risk Management Framework (RMF) to enable agencies to achieve compliance

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) has been devised to increase security around card transactions. Acknowledged the world over, compliance to the PCI Standard is mandatory for card-accepting organizations. The standard requires merchants to demonstrate a secure IT network that protects card holder data, maintain a vulnerability management programme, implement access control measures and regularly test their networks. 

Sarbanes Oxley Act

From 2002, the Sarbanes-Oxley Act (SOX) enforces US organizations to demonstrate corporate governance compliance. SOX requires management to certify the company’s financial reports, and both management and an independent accountant are required to certify the organization’s internal controls. This has a huge dependency on the IT infrastructure and IT systems.

Basel Accords (Basel II & III)

Basel III is the latest instalment of the Basel Accords, which set out a regulatory standard for the financial industry. Basel III has been developed in response to the global financial crisis which started in 2008. Its predecessor, Basel II, was created to ensure that banks put aside enough capital to safeguard against operational, financial, and economic risks. In essence Basel II stated that the greater risk a bank exposed itself to, the greater capital it should hold. 

Compliance & Best Practice

ISO 27001, ITIL® and COBIT are all potentially part of a best-practice approach to regulatory and corporate governance compliance.

The challenge for many organizations is to establish a coordinated, integrated framework that draws on all three of these standards. The Joint Framework, combining COBIT and ITIL, is a good starting place.

ISO27001, the international standard for an information security management system (ISMS), also sets out a best practice approach. This standard links to all the IT-related regulations and provides completely independent structured guidance for a risk-based approach to securing the confidentiality, availability and integrity of corporate information. It also provides the general control environment within which the specific controls of an internal control structure can most effectively operate.

Find out more about ISO27001 and how it can help with compliance on our designated ISO27001 page.

Speak to an expert

For more information on our CISM products and services, speak to one of our experts today.

Request a call back from one of our experts

Call us: +1 877 317 3454

Email our customer service team