“The most valuable commodity I know of is Information” – Gordon Gekko
Information is a new currency of business. A new business can be built by using information and a well-reputed business can be destroyed by misusing information. Information is one of the most important assets to keep secure.
The Consequence of Lack of Information Security
Leakage of critical information (e.g. financial data, Passcode, Strategic information etc.)
Damage to physical infrastructure
Reoccurring of incidents that stop operational activities
Misuse of information leads to damage databases, public health, national security
Violation of individual rights and many more
“We are not in an information age anymore. We’re in the information management age.” – Chris Hardwick
Now, it is clear why the protection of information is necessary. To protect the information, many organizations (e.g. ISO, ISACA etc.) and the governments of various countries from various regions (e.g. Europe, USA etc.) design many standards, frameworks and models.
10 Popular Standards/Framework for Information Security
1. ISO/IEC 27001:2013
ISO/IEC 27001:2013 is an international standard developed by International Organization for Standardization (ISO) which provides guidelines to establish, implement, manage and continually improve Information Security Management Systems (ISMS).
The purpose of ISMS is to safeguard confidentiality, integrity and availability aspects of information.
ISO/IEC 27001:2013 is the basic standard to implement to practice security measures in an organization.
Any organization across the globe can go for the ISMS implementation regardless of its type of business, size, structure etc.
2. National Electronic Security Authority (NESA)
NESA is a government body of UAE which provides a set of guidelines to protect the critical information infrastructure of UAE and to improve national cyber security.
NESA controls are very similar to ISMS.
The unique points of NESA are,
Threat based approach
Control Categories, Highest (P1) to Lowest (P4)
A tiered approach to ensuring compliance
NESA is applicable for the organizations which are situated in Europe or those who are handling European data.
3. National Institute of Standards and Technology (NIST)
The United States Congress developed the NIST framework.
The purpose of NIST is to provide a set of good practices to improve the cyber security practices of US-based organizations.
NIST Provides five points structure to improve cyber security practices,
NIST is applicable for the organizations which are situated in the US or those who are handling the US data.
4. Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) provides a set of guidelines to ensure all the organizations that process, store, or transmit credit card information maintain a secure environment.
A PCI DSS compliant company can claim that its systems are secure and its customers can trust it with their sensitive payment card information.
Any organization across the globe, which accepts, stores, transmits, or processes cardholder information should comply with the PCI DSS.
5. ISO/IEC 27701:2019
ISO/IEC 27701:2019 is an extension of ISO 27001 developed by ISO.
It provides the guidelines to establish, implement, maintain and continually improve the Privacy Information Management System (PIMS).
The purpose of PIMS is to secure Personally Identifiable Information (PII) by designing,
Rights of PII Principal
Robust Cross border transfer mechanism
Data Controller Rules
Data Processor Rules
Any organization across the globe can go for the PIMS implementation regardless of its type of business, size, structure etc.
6. General Data Protection Regulation (GDPR)
To protect personal data, the European Government developed the GDPR framework in April 2016.
The purpose of GDPR is to harmonise data protection directives and to strengthen citizens’ fundamental rights to personal data protection.
Any organization across the globe which handles European data needs to comply with GDPR.
7. Health Insurance Portability and Accountability Act (HIPAA)
The United States Congress enacted the HIPAA to safeguard the health information or Protected Health Information (PHI) of patients.
HIPAA is applicable for the organizations which are situated in the US or those who are handling the US data.
8. ISO/IEC 27018:2014
ISO 27018:2019 is an extension of ISO 27701 developed by ISO. It provides guidelines to protect Personally Identifiable Information (PII) stored in a cloud platform.
Any organization across the globe can go for the ISO 27018 implementation regardless of its type of business, size, structure etc.
9. ISO/IEC 27032:2012
ISO/IEC 27032:2012 developed by ISO to secure cyberspace information by providing a guide for cyber security.
ISO 27032 and ISO 27001 are closely related to each other.
ISO/IEC 27032:2012 standard is not for certification but, any organization across the globe can practice the guidelines to improve its cyber security.
10. Service Organization Criteria (SOC) 2
Created by the American Institute of CPAs (AICPA), SOC 2 characterizes standards for overseeing client information in light of five “trust administration standards”.
SOC 2 is an internationally recognized standard specifically designed for service providers storing customer data in the cloud. SOC 2 applies to practically every SaaS organization, just as any organization that utilizes the cloud to store its clients’ data.
7 Common Benefits of Implementing These Standards/Frameworks
Establish a benchmark and get a competitive advantage by following best security practices
Improve customer confidence by maintaining effective security posture and efficient processes
Ensure the organization’s reputation by minimizing the chances of security breaches
Avoid penalties by meeting the legal obligations
Distinguish and treat the potential privacy issues at a beginning phase
A better understanding of data management
Increase awareness of privacy and data protection across the organization