Cyber security compliance should be near the top of every organisation’s agenda. With a host of data protection risks and sizeable penalties for violating data protection laws, the stakes have never been higher.
The GDPR (General Data Protection Regulation) alone has created more than £1.3 billion in regulatory penalties, and that’s just the tip of the iceberg. Depending on your organisation’s size and sector, you could be subject to numerous pieces of legislation, and it’s not just financial penalties that you need to be worried about.
Non-compliance can have several other significant consequences, including a hit to your reputation and damage to your relationship with third parties.
In this blog, we explain how cyber security compliance works and the steps you can take to ensure that you’re meeting your legal requirements.
What is cyber security compliance?
An organisation that has achieved cyber security compliance has met a defined set of rules governing the way sensitive information is protected.
Those rules are usually set by regulatory authorities, laws or industry groups. Depending on the nature of the requirements, meeting them can be a legal obligation or a voluntary commitment needed to achieve certification or to satisfy a contract.
For example, the GDPR is one of the most broadly encompassing sets of cyber security requirements, and all organisations within its scope must comply.
By contrast, ISO 27001 contains a set of best practices for information security management. There is no legal requirement to adopt the framework, but compliance is mandatory if you wish to gain an ISO 27001 certificate or if you have signed a contract with a third party stating that you will follow its guidelines.
Contractual agreements such as this are common, because data breaches and other security weaknesses can have a significant impact throughout the supply chain.
Setting out contractual security requirements at the start of a partnership, stating which steps each party must take to protect sensitive data, reduces avoidable errors and gives you recourse if those steps are not taken.
Additionally, some regulations – such as the GDPR – hold data controllers accountable for security incidents that occur at their data processors. The GDPR also requires controllers to have a written contract with each processor. It is therefore in controllers’ best interest to use those contracts to ensure that third parties have adequate protections in place, otherwise they could face a sizeable penalty for a breach they did not cause directly.
Key cyber security compliance requirements
GDPR
The GDPR is a law that governs how organisations process personal data. Following Brexit, there are now two GDPRs: the EU GDPR and the UK GDPR. The two versions are more or less the same, although UK regulators have proposed further changes to the domestic legislation.
The GDPR is a far-reaching piece of legislation that contains many requirements. However, they can be broadly described as requiring organisations to better protect the personal data of EU (or, under the UK GDPR, UK) residents and to give those individuals greater control over the way their information is used.
To meet these requirements, organisations must implement a series of technical and organisational measures.
This includes the adoption of technology to prevent cyber attacks and data breaches, as well as the introduction of policies and processes to ensure that proper procedures are followed at all times.
ISO 27001
ISO 27001 is the international standard that specifies the requirements for an ISMS (information security management system). By implementing its requirements, organisations create a comprehensive and efficient system for managing the data they collect and the threats they face.
ISO 27001 is not a legal requirement by default. However, many organisations will only work with third parties that have certified to ISO 27001, so the obligation to comply is frequently contractual.
PCI DSS
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
All merchants and service providers that process, transmit or store cardholder data must comply with the PCI DSS.
The Standard results from a collaboration between the major payment brands (American Express, Discover, JCB, Mastercard and Visa), and is administered by the PCI SSC (Payment Card Industry Security Standards Council).
SOC 2
Organisations that provide technology services and systems to third parties should be familiar with SOC 2.
Service organisations are often required to provide a SOC 2 report in order to partner with or provide services to other companies.
SOC 2 is an attestation rather than a certification: an independent auditor reports on the design (Type I) or design and operating effectiveness (Type II) of the organisation’s controls against the AICPA Trust Services Criteria. To obtain a clean report, organisations must implement controls covering areas such as system monitoring, data breach alerting, audit procedures and digital forensics.
SWIFT CSP and CSCF
SWIFT (the Society for Worldwide Interbank Financial Telecommunication) provides the global messaging system that financial organisations use to transmit information and instructions securely.
Its CSP (Customer Security Programme) helps financial organisations ensure their cyber security defences are adequate and up to date.
As part of the CSP, SWIFT established the CSCF (Customer Security Controls Framework) to help organisations in the financial services industry implement a baseline of security.
Last updated in July 2021, the SWIFT CSCF comprises a set of 21 mandatory and 10 advisory security controls for the operating environment of SWIFT users.
How to build a cyber security compliance programme
The steps you take to achieve cyber security compliance will depend on the requirements to which you are subject. However, there is a lot of overlap between many rules and regulations, because there are generally accepted best practices for effective information security and data protection.
For many organisations, it’s useful to build a cyber security compliance programme that takes into account every set of requirements rather than looking at each set of rules separately.
Organisations can build a cyber security compliance programme by following these five steps.
1. Build a compliance team
Your first task is to create a team to oversee your compliance project. Having clear ownership over the project ensures that relevant personnel know their responsibilities, and gives them authorisation to take necessary steps.
The team should include experts from relevant parts of your organisation. These should generally be managers or other people in high-level positions, and you should include people from across various departments.
Each member of the team should have a solid grasp of the organisation’s compliance requirements. It might be worth enrolling them on training courses to better understand relevant regulations and their requirements.
2. Outline your compliance requirements
Now it’s time to begin planning your compliance programme, and the process starts by logging each requirement that you must meet.
You can do this by creating a checklist from each set of rules that you are subject to. A crucial part of this process is to identify requirements from different regulations that are the same or similar.
Doing so can reduce the amount of work you must do and also highlights potential conflicts. If you implement a control to meet one requirement and later learn that it hinders your ability to meet another set of rules, that could land you in trouble.
Writing out your compliance requirements is one of the more laborious and time-consuming aspects of the process, so you might want to look for support. With Vigilant Software’s Compliance Manager, you will receive a curated list of information security clauses from UK law to help speed along the process.
3. Establish a risk assessment process
Many cyber security regulations state that organisations must take reasonable steps to protect sensitive information. The only way to determine what controls are necessary is by completing a risk assessment.
The process helps organisations understand their areas of weakness and where their priorities must lie. It begins by identifying information assets, the locations where sensitive data is stored and the ways that the information can be accessed.
Next, you must determine an acceptable level of risk. You will soon find that there are too many risks to mitigate all of them, so you should set a threshold above which a risk must be treated.
Once you’ve done this, you can complete the assessment itself. There are several ways to conduct a risk assessment; you can, for example, begin with assets and determine how they might be compromised, or you can take each threat and track how it will affect different parts of the organisation.
Whichever way you proceed, the assessment should rate each risk by its likelihood and its impact: the probability of it occurring and the damage it would cause. Combining the two gives a risk level that lets you compare risks and identify which ones you must prioritise.
Finally, you should determine the most appropriate course of action for each risk. You can modify the risk by applying a security control that reduces its likelihood or impact; avoid it by ceasing the activity that creates it; share it with a third party through, for example, cyber insurance; or tolerate it if it falls below your acceptable threshold. Note that sharing a risk does not transfer your regulatory accountability: under the GDPR, for instance, the controller remains answerable to the regulator regardless of any insurance.
4. Implement relevant controls
This is the point at which you perform practical steps to meet your compliance requirements. In some cases the rules are prescriptive and state exactly what you must do. For example, you might be required to implement a specific technical control or create a policy.
However, at other times your course of action will depend on the results of your risk assessment. In those cases, it’s essential that you document the findings of that assessment along with a justification on why you made the choices you did.
5. Monitor and respond
The compliance programme doesn’t stop once you have implemented your controls, because your organisation – and your requirements – are constantly evolving.
The team must monitor the controls they have implemented to ensure that they work as intended and to identify any room for improvement.
They must also keep an eye out for new risks or changes in the regulatory environment.
Simplify cyber security compliance with Compliance Manager
Cyber security compliance can be a minefield that takes time, money and advice to navigate. Although there is no sidestepping your requirements, you can simplify the process with our Compliance Manager.
Compliance Manager is a comprehensive tool for managing information security and data protection requirements.
It provides a curated list of information security clauses from UK law and a collection of GDPR articles, each accompanied by implementation guidance.
You can also add your own requirements or controls that are applicable to your organisation.
Compliance Manager’s interactive database lists the applicable clauses from each law and provides guidance on implementing them, mapped against the appropriate best-practice controls from Annex A of ISO 27001, the international standard for information security management systems.