New standards emerge for cybersecurity compliance

Data breaches and privacy breaches make everyone look bad: no matter how sophisticated the attacker is, the business that suffers such an intrusion always looks woefully unprepared, if not worse, even if it could not have controlled every factor it faced, was compliant, and had the right talent at hand.

Intruders are increasingly savvy, persistent, and patient – and it’s nearly impossible to follow the contours of new threats (actors and technology). Companies also cannot control every movement of their employees and business partners.

But companies need to help their employees create a bigger barrier around corporate data by following new information security standards.


Cybersecurity certification schemes can take many forms. Your organization may meet certain international or US standards which mean that it uses certain best practices for an information security management system, which sends a strong message to the consuming public and other stakeholders.

ISO 27001

This is where the International Organization for Standardization comes in with its international standard of best practices for an Information Security Management System (ISMS), ISO/IEC 27001:2013.

An ISMS is a system of procedures, records, technologies, and people that control, monitor, audit, and improve the security of your organization’s information. The system must be adapted to the specific characteristics and risk factors applicable to the company in question.

In this sense, ISO 27001 offers a checklist that a company can adapt to its own digital configuration, regulatory requirements, and so on. The controls described in the standard are safeguards the company can implement to protect its digital assets.

The 14 ISO 27001 control domains include sections on organizational issues, legal and human resources issues, and physical security, among others.


CMMC

Cybersecurity Maturity Model Certification (CMMC) is a new Department of Defense (DoD) certification scheme intended to serve as a verification mechanism, ensuring that DoD contractors implement appropriate cybersecurity processes to protect federal contract information.

Whether it is a prime contractor or a subcontractor at any tier, every organization doing business with the DoD will need to be CMMC certified before being awarded a contract that carries CMMC requirements.


SOC 2

Another certification scheme is SOC 2, developed by the American Institute of CPAs, which defines criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. Each organization designs its controls, in line with its specific business practices, to comply with one or more of the SOC 2 trust principles.

Information security teams often rely on SOC 2 reports to assess a vendor’s security risk.

Advertise membership

Companies would do well to advertise their adherence to the certification schemes outlined above (and others not named here) and to describe their requirements to their major suppliers. Amazon, for example, goes into some detail on its website about the certifications and statements of compliance that its business partners have claimed and how Amazon verifies those claims.

Certification ≠ Improvement

An important note here is that achieving certification does not mean perfection or infallibility, especially as time passes, a company’s risk profile changes, its technology and best-practice strategies age, and its staff turns over.

Finally, training employees who are not cybersecurity experts is essential, and such certifications – like the ones described above for organizations – are plentiful. They help ensure that employees have developed the cybersecurity hygiene essential to the livelihood of the organization: recognizing phishing emails, avoiding ransomware downloads, and asking questions before clicking on anything even remotely suspect.

Compliance officers have a role to play in assessing their organization’s needs in terms of the security benchmarks it adopts and the ongoing training it offers its employees. They should also seriously consider taking cybersecurity training designed specifically with them and their unique role in mind.
