ISO 27001 and Regulatory Compliance
Information and information security are increasingly the subject of regulation and statute around the world. Corporate governance and IT governance extend the requirement for effective information security.
Regulatory compliance provides a number of direct, practical reasons for implementing an information security policy and information security management system (ISMS) that is capable of being independently certified (sometimes called ‘registration’) as compliant with the new international information security standard ISO/IEC 27001:2005.
- An ISO/IEC 27001-certificated ISMS will ensure that you are in compliance with the whole range of information-related legislation, including (as applicable) HIPAA, GLBA, SB 1386 and other State breach laws, PIPEDA, FISMA, EU Safe Harbor regulations, and so on.
- An ISO/IEC 27001-certificated ISMS will ensure that you have in place the general control environment on which a successful SOX s404 report depends.
- A certificate tells existing and potential customers, as well as regulators, that you have defined and put in place effective information security processes, thus helping create a trusting relationship.
- ISO/IEC 27001 certification will cost a fraction of a SAS 70 audit (which typically costs upwards of $100k) and demonstrates the existence of a best-practice-based information security infrastructure.
- ISO/IEC 27001 is also an effective response to information risks identified in any COSO-type enterprise risk management framework.
- The certification process also helps the whole organization focus on continuously improving its information security processes.
ISO 27001 and FISMA
Paul Kurtz, COO of Good Harbor Consulting, LLC, recently testified before multiple House Subcommittees regarding the future of FISMA, the Federal Information Security Management Act.
Congressional Testimony - Paul Kurtz recently testified before multiple Congressional subcommittees regarding his assessment of the Federal Information Security Management Act (FISMA), his view of emerging trends impacting the Federal government and his recommendations for improving Federal IT Security. Key among Paul's recommendations is the acceptance of ISO 27001 certification within the government. Below is an excerpt of Paul's testimony.
"The US government could lead the drive toward a common global standard for the public and private sector to secure information systems by accepting ISO 27001 as equal to FISMA. In addition, acceptance of ISO 27001 certification would improve transparency of Federal information security and reduce the bureaucracy and costs associated with current FISMA compliance procedures."
You can read Paul's full testimony here: http://www.riskbloggers.com/paulkurtz/2007/06/federal-it-security-the-future-of-fisma/