Compliance or Conformity
Compliance is not security, or is it?
There is a view (anecdotal) that compliance is not security; to be more precise, that it is not information and cyber security.
For those aware of the standard, ISO/IEC 27001:2013 (information security management system, requirements) asks organisations seeking certification to conform to its requirements.
On the other hand, the Payment Card Industry (PCI) security standards, for example the Data Security Standard (PCI DSS), require compliance.
Conformity or compliance: in the cases above they both seek to achieve something similar, namely security, in the context of information and cyber security, by ensuring that important data assets are protected (specifically cardholder data for PCI DSS, and ‘other’ sensitive and critical information/data for ISO/IEC 27001:2013).
Having generalised with the use of the word ‘other’ for 27001, in truth if cardholder data were in scope then ‘other’ would in fact include cardholder data. But if by ‘other’ is meant confidential company financial data (not cardholder data), or perhaps special categories of personal data (not cardholder data), then PCI DSS does not come into play.
However, in both cases the objective is to manage the risk to what can be described as sensitive and/or critical data. One asks us to conform to requirements; the other asks us to be compliant.
Many a tech company and cyber security company, having jumped onto the (EU) GDPR bandwagon back in 2016, offered solutions to enable an organisation to become compliant with the Regulation.
The bandwagon-jumping antics of many of these businesses are an entirely different topic of conversation; in the meantime, how do they in fact determine that their customers are compliant with the (EU) GDPR simply by offering a technical solution?
Coming back to the original question of compliance and security: the (EU) GDPR has a number of Articles (and Recitals) directing controllers and processors to manage risk (likelihood and severity) and to respond by implementing appropriate technical and organisational controls.
In part only (many more non-security-related obligations must be met), and in order to reach a degree of compliance, the risk associated with the processing of personal data by a controller or processor must be managed from an information and cyber security standpoint, and the resulting levels of risk treated in some fashion, to assist in complying with the Regulation.
ISO deprecated the use of the word ‘compliance’ in its management system vocabulary, preferring the word ‘conform’ or ‘conformity’, while forgetting that conformity in fact means ‘compliance’ with standards, rules or laws (thank you Google). The simple answer is this: in the context of information and cyber security, compliance is a valid word to use, and in that context, compliance can indeed be used together with the word security.
KanSecurity (NL)