Risk frameworks provide organisations with systematic guidelines on the risk management principles that must be applied in order to meet a given level or type of information security compliance. These include industry-specific standards such as the PCI DSS (Payment Card Industry Data Security Standard), which applies (at some level) to “ANY organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data” and, in the US, the second section of the HIPAA (Health Insurance Portability and Accountability Act), with which companies such as health insurers and medical service providers must comply. There is, of course, also a growing ecosystem around personal data and privacy regulations such as GDPR and CCPA, and frameworks exist to help organisations manage their responsibilities and obligations in this area. Compliance and certification with all of these frameworks, which are concerned with sensitive and personal information, is generally mandatory.
The US NIST frameworks, the UK Cyber Security Essentials, and the internationally recognised ISMS (Information Security Management System) standard ISO 27001 are industry best-practice frameworks, and cover information security at a more general level. Indeed, ISO 27001 recognises that a truly comprehensive treatment of information security must also cover low-tech aspects, such as recording the location of personal information that is physically stored in filing cabinets, and the requirement to carry out background checks on certain employees.
There are normally three main stages involved in the complete application of a risk framework. Firstly, the organisation needs to investigate its relevant infrastructure and processes in order to identify the modifications and additions needed to comply with the framework’s requirements or ‘control objectives’. These actions are then carried out in an implementation phase that renders the organisation compliant with the framework. Finally, at the certification stage, an accredited certification body audits the organisation to verify that it meets the various compliance requirements. The certification is then renewed on an annual basis through follow-up audits.
Implementation of a respected general risk framework such as ISO 27001 is an effective way to demonstrate – externally and internally – that your organisation has a robust and well-organised approach to information security. Although it is not a legal requirement to comply with this type of framework, some organisations (including the British government ‘HMG’, and some large enterprises) are now insisting that their suppliers do so. This is because applying an information security framework to your business significantly reduces ‘supply chain/third party risk’ of the type that has caused a number of high profile data breaches in recent years, along with other security problems. It can also help with GDPR compliance.
Vendors such as TrustArc and KnowBe4 offer powerful tools that can help your organisation assess its alignment with any of the above frameworks, and navigate the implementation and compliance process.