Depending on the market a company is operating in, it may be subject to obligatory IT compliance standards. A key example here is the EU’s GDPR, which has hundreds of pages’ worth of requirements and is considered one of the toughest privacy laws anywhere in the world, with fines for violations adding up to hundreds of millions of euros.
On the other side of the Atlantic, the California Consumer Privacy Act of 2018 compels businesses to provide customers with notices explaining their privacy practices. Another mandatory compliance and certification standard is in place for cloud providers intending to sell their services to the US government. They must comply with the Federal Risk and Authorization Management Program (FedRAMP) where they undergo an independent security assessment conducted by a third-party organisation. Once compliance is assured, they can obtain an Authority to Operate.
Elsewhere, there are numerous standards that are not legally binding but are aimed at showcasing the strength and quality of a company’s IT security and compliance framework. These are some of the best known:
SOC: SOC compliance is a type of certification where a service organisation has completed a third-party audit showing that it has certain controls in place. There are three different types depending on the overall goal. SOC 1 is exclusively focused on controls affecting customers’ financial reporting. SOC 2 is less specific and assesses service provider controls against the Trust Services Criteria, such as security, availability, confidentiality and privacy. SOC 3 is similar but at a higher compliance level. Whereas SOC 2 is geared towards the audience of client companies and their shareholders, SOC 3 is aimed at the general public.
ISO/IEC 27001: The Geneva-based International Organization for Standardization (ISO) has published over 24,500 international standards related to technology and manufacturing since 1947. ISO standards are some of the best known and they constitute industry best practice. ISO/IEC 27001 is highly relevant for companies given that it outlines requirements for the establishment, implementation, maintenance and continual improvement of an information security management system, with the aim of making corporate assets more secure.
NIST CSF: In the US, the National Institute of Standards and Technology (NIST), a non-regulatory agency housed in the US Department of Commerce, has published numerous IT security standards such as the well-known Cybersecurity Framework (CSF). Alongside ISO 27001, NIST CSF provides a solid standard for the design and implementation of a strong IT security system across many industries. It has also been translated into many languages and is used outside the US by governments and different organisations.
PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations handling credit cards from the five major providers – American Express, Discover, JCB, Mastercard and Visa. It was created in the early 2000s to increase controls around cardholder data to reduce credit card fraud. The standard specifies 12 requirements for compliance that are organised into six groups called control objectives. Validation of compliance involves evaluation and confirmation that controls and procedures have been properly implemented as per the standard’s policies.
ISO/IEC 27001 and PCI DSS are standards for which it is possible to assess and provide attestation of conformity, which means that companies can get certified. NIST CSF is different in this regard, however, as it is only guidance.