Frameworks

1. ISO 27001 and ISO 27002

ISO 27001 and ISO 27002 are two of the most common standards for information security management today. These standards provide a comprehensive framework for organizations looking to protect their data through robust policies and best practices.

Initially developed by the International Organization for Standardization (ISO), these standards lay out principles and practices that ensure organizations take appropriate measures to protect their data. From asset management and access control to incident response and business continuity, these standards provide detailed guidelines to help organizations secure their networks.

ISO 27001 is an international standard that provides a systematic approach to risk assessment, control selection, and implementation. It includes requirements for establishing an Information Security Management System (ISMS).

ISO 27002 is a code of practice that outlines more specific and detailed security controls. When implemented together, these two standards provide organizations with a comprehensive approach to information security management.

 

2. ISO 27017

The standard covers areas such as the division of responsibility between cloud service providers and their clients, security policies, human resources security, asset management, access control, cryptography, physical and environmental security, and compliance, among other things. It aims to help both parties understand and implement effective cloud-specific security measures. This guidance is particularly useful in the context of the broader ISO/IEC 27000 family of standards, which support the establishment, implementation, maintenance, and continuous improvement of an information security management system (ISMS).

 

3. ISO 27018

This standard establishes guidelines and provides measures for public cloud computing service providers to protect personally identifiable information (PII) in accordance with privacy principles such as consent, data minimization, restriction of purpose, and data quality and relevance. It also addresses transparency requirements and offers practical guidance on how to handle personal data in the cloud while respecting the privacy rights of individuals.

 

4. ISO 27701

ISO 27701 is an international standard focusing on privacy information management. It extends the ISO 27001 and ISO 27002 frameworks for information security management by adding specific requirements that organizations must meet to manage privacy risks associated with the processing of personal information. ISO 27701 helps organizations establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).

 

5. NIST

The National Institute of Standards and Technology (NIST) is a governmental agency responsible for advancing technology and security standards within the United States. NIST's Cybersecurity Framework provides guidelines for organizations to identify, protect, detect, respond to, and recover from cyber attacks. The framework was created in 2014 as guidance for federal agencies, but the principles apply to almost any organization seeking to build a secure digital environment.

Now in its second version, NIST's framework is a comprehensive set of best practices for organizations looking to improve their security posture. It includes detailed guidance on risk management, asset management, identity and access control, incident response planning, supply chain management, and more.

 

6. COBIT

Developed by the Information Systems Audit and Control Association (ISACA), Control Objectives for Information and related Technology (COBIT) is a comprehensive framework designed to help organizations manage their IT resources more effectively. This framework offers best practices for governance, risk management, and security.

The COBIT framework is divided into five categories: Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate, and Manage & Assess. Each category contains specific processes and activities to help organizations manage their IT resources effectively.

COBIT also includes detailed data security and protection guidelines, covering areas such as access control, user authentication, encryption, audit logging, and incident response. These guidelines provide organizations with a comprehensive set of measures that can be used to protect their systems from cyber threats.

 

7. GDPR

The General Data Protection Regulation (GDPR) was adopted in 2016 to strengthen data protection procedures and practices for citizens of the European Union (EU). The GDPR impacts all organizations that are established in the EU or any business that collects and stores the private data of EU citizens — including U.S. businesses.

The framework includes 99 articles pertaining to a company’s compliance responsibilities, including a consumer’s data access rights, data protection policies and procedures, data breach notification requirements (companies must notify their national regulator within 72 hours of breach discovery), and more.

Fines for non-compliance are high: up to €20,000,000 or 4% of global revenue, and the EU is not shy about enforcing them.