Standards play an important role in data protection and data security. They set the benchmark by which an organisation can assess its level of risk and competence, and by which it can protect itself. Here we review the key standards you are likely to come across.
ISO 27001 – the international standard for information security.
ISO 27001 has been around for a long time. In my view, it is the foundation of any data protection or data security implementation. The great benefit of ISO 27001 is that it is a risk-based model with risk management at its heart. It doesn’t say what you should have or how you should do it; rather, it implements an information security management system that is founded on risk, makes suggestions on the kind of controls you should have, and allows you to choose whether they apply and how you will implement them. With an annexe referred to as Annex A, often called the ISO 27002 standard, it sets out 114 controls of pure gold. Implementing these 114 controls will set you on a good path to securing your business.
The reason it comes first is that this is the go-to standard for any organisation assessing another. If someone wants to work with you and share data with you, in all likelihood they are going to ask for ISO 27001 certification. That makes sense really, as it means they don’t have to audit you; someone else already has.
It comes with its downsides though. In his article on how much ISO 27001 costs, Stuart discusses the costs and points out that a true certification to UKAS standard is likely to cost around £8,0000 in year 1 in certification costs alone. Not for the faint-hearted, and really only worthwhile when you have a compelling business case to certify. That isn’t to say you can’t implement and work to the standard, and really you should. It will tick a lot of the boxes for GDPR and the principle of integrity and confidentiality.
PCI DSS – Payment Card Industry Data Security Standard
PCI DSS has also been around for some time. It is a standard for anyone that stores, processes or transmits card data. Unlike ISO 27001, PCI DSS is a rule-based system, not risk-based. So the controls that are defined are black and white: you implement them and you have them, or you don’t. If you don’t, then you do not meet the standard. There are similarities in places to ISO 27001 and it builds upon many of the same controls, but in addition it adds a lot of technical controls. Depending on how you are handling card data, the controls required can range from around 20 to over 300. My advice to anyone would be: outsource your payment processing and make it someone else’s problem.
SOC 1 and SOC 2
This one is a bit left field for UK-based businesses and one that only really comes up when dealing internationally, usually with the US. Whilst ISO 27001 is an international standard, it struggles to get recognition in the US, where SOC compliance is preferred. It comes in two flavours, SOC 1 and SOC 2, and which applies to you is dictated by the customer or person asking for it. SOC 1 covers solutions that can directly impact the financial reporting of a company, and SOC 2 covers general IT controls. Add in a spicy approach to audit and you have either a Type 1 audit or a Type 2 audit: Type 1 is a point-in-time audit and Type 2 is a continuous audit. There is some nuance here in that SOC doesn’t dictate a set of controls; rather, it is down to you to decide the controls and then evidence them. Sounds easy, right? Kind of, but the output is a letter of compliance that sets out the controls you have chosen, so having only the easy ones, non-relevant ones or not many of them is going to cost you a lot of money for something of very little value.
There are other standards out there, and they seem to pop up all the time: Cyber Essentials, Cyber Essentials Plus, COBIT and SOX, and now there is even a mini battlefield as people vie to define the latest standard for GDPR and GDPR certification. We will watch and see who wins that battle. What is going to be true is that, as with everything else, ISO 27001 is going to be the foundation of it. IMHO.
Author: Stuart Barker
Stuart specialises in fintech and financial services companies, with over two decades of experience delivering legal and regulatory compliance for data. He focuses on getting and keeping companies compliant for data security, which usually means ISO 27001, PCI DSS, SOC 1 and SOC 2 certification and regulations such as the FCA regulations for data security.
He started, built and successfully sold a cybersecurity business. Now he advises companies and builds data security capability allowing them to meet the needs of their customers, the needs of their funders and the needs of the law. Usually in that order.
He is also a driver in addressing isolation, wellbeing and mental health in business and in building emotionally intelligent people networks.