ISO 27001 in the banking industry: “One standard to rule them all”

Why should banks go with ISO 27001? If you know the “Lord of the Rings” saga, the headline of this article probably sounds familiar. “One ring to rule them all” refers to the magic ring with the power to control all other magic rings. Am I saying that ISO 27001 does magic in the banking industry? Well… no, unfortunately not. But when “forged” well, an ISO 27001-based Information Security Management System (ISMS) can be used to manage all the different information security frameworks banks are subject to.

What is ISO 27001?


ISO 27001 is a globally recognized standard published by the International Organization for Standardization (ISO), which provides a framework that companies of any size and industry can utilize to implement a custom-made and effective Information Security Management System.

The framework is not designed to just manage IT security, but to manage information security holistically across the company by implementing both technical and non-technical controls.

ISO 27001 was developed by the world’s best information security experts and is the most popular information security standard worldwide.

Information and regulation in banks

Massive amounts of data are processed and stored by banks, most of it sensitive or very sensitive in nature. Banks must control all that data in line with contractual requirements, but at the same time also be compliant with many laws and regulations governing the security and privacy of all this data.

A few laws and standards that are common, or new, are:

  • SOX – Sarbanes-Oxley Act
  • Payment Card Industry Data Security Standard – PCI-DSS
  • PSD2: Payment Service Directive 2
  • New York State Department of Financial Services – NYDFS
  • Privacy
    • GDPR (EU General Data Protection Regulation)
    • CCPA (California Consumer Privacy Act)
    • LGPD (Lei Geral de Proteção de Dados – Brazilian data protection law)
  • And many other (country-specific) laws and regulations

(Read more...)

*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: