Compliance means conforming to a rule, such as a specification, policy, standard or law. Some standards are generic, catering to organizations of every kind and size (for example ISO 27001:2013 and the NIST CSF), whereas others are industry specific, such as PCI-DSS, which applies to any organization that stores, processes or transmits payment card data. Adhering to a standard helps ensure that recognized best practices are adopted.
Organizations adopt standards to improve their information security practices, because regulation mandates it, or both. In many cases an organization adopts more than one standard, depending on the nature of its business and the geographies it operates in.
Typically, the process of adhering to a standard includes the following steps.
*Certification is not mandatory for certain standards, and some regulations have no certification at all.
Compliance work is usually done manually, led by qualified subject matter experts (either an internal audit team or external consultants). Depending on the size of the company and the maturity of its current cybersecurity practices, the whole process can take from several months to a year. Compliance is an ongoing process: even after certification, the organization must keep following the standard and be audited at regular intervals.
Each standard defines a well-defined set of information security controls, broadly categorized into three aspects.
The crux of any standard is to adopt tried and tested controls that ensure good cyber hygiene, and to do so optimally by following a risk-based approach: the controls that address the organization's highest risks are prioritized rather than treating every control as equally urgent.
Compliance management should not be just a gap assessment against the controls.
An ideal compliance management would involve
Iterate over the above process. By doing so, you de-risk the organization and achieve compliance at the same time.
Once compliance or certification is achieved, it is important to continue the practices established and to remain compliant at all times, not only in the run-up to an audit.
For regulations like GDPR there is no certification; the organization must self-regulate and be able to demonstrate its compliance and preparedness at any given time.
Seconize DeRisk Center is a Risk and Compliance Management product that automates risk assessment across assets and applications in the cloud and on-premises.
Given a specific standard and scope
Typically, organizations comply with more than one regulation or standard. Auditing each one separately is resource intensive and not very productive, since many of the same controls are assessed again and again.
Seconize Generic Compliance Framework maps the controls of one standard to another. Once a standard such as ISO 27001:2013 has been audited, the audited controls can be mapped to another standard such as PCI-DSS, saving an enormous amount of time and effort. Mappings between standards are not always one-to-one, so a mapped control still needs to be checked against the scope and intent of the target standard before its evidence is reused.
Seconize DeRisk Center supports the following regulations/compliances/standards.