If you are familiar with information security frameworks and certifications, you have more than likely heard of the International Organization for Standardization (ISO) and possibly the International Electrotechnical Commission (IEC). In my experience, the most commonly cited business-level security standards are ISO/IEC 27001, the requirements standard against which an information security management system (ISMS) is certified, and ISO/IEC 27002, its companion code of practice for the controls. These industry-recognized standards have been either required or mentioned in every Request for Proposal (RFP) I have ever worked on. Simply put, a 27001 certification indicates that an organization has, at least on paper, taken preemptive action to design its infrastructure with foundational security practices in mind.
Like other security-minded people, I do not believe that being compliant makes you secure. It is also important to note that organizations can choose to limit the scope of compliance to a subset of their infrastructure, so a certificate says nothing about the systems that sit outside the declared scope. However, compliance shouldn’t be seen as a negative either, and an organization should not be put down for actively seeking to improve its infrastructure and align it with best practice. Having worked with organizations going through the 27001 certification process, I can attest that the required controls address some essentials of a security program.
Most recently, ISO and IEC have released a new addition, ISO/IEC 27701:2019 (27701). This is not a completely new framework; consider it more like an expansion pack to a game. It extends 27001 and 27002 with additional requirements and controls that address privacy by design and by default. The language differs slightly from that of the General Data Protection Regulation (GDPR), but 27701 was designed in response to GDPR’s privacy requirements, with the aim of extending an organization’s ISMS into a Privacy Information Management System (PIMS). Where 27001 refers throughout to “information security management,” 27701 reminds organizations to also consider “information security and privacy management.”
At this time, organizations cannot become certified with 27701 but can receive (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/what-is-iso-27701/