Compliance is not a check-box exercise; it is constant gardening. Here are some essential points for keeping your compliance program in good shape, along with guidance for a successful security program:
- Keep up to date with standards, regulatory requirements, and upcoming changes so that you stay ahead of them. Be familiar with many different standards and security best practices, and make sure you go beyond merely meeting compliance. Why? Standards are not updated quickly enough to keep pace with the ever-evolving threat landscape and current security best practices.
- Even if the organization is not required to meet information security standards or produce reports such as ISO 27001, SOC 2, NIST, or PCI DSS, it is still a good idea to follow frameworks such as ISO 27001 or NIST, as they provide sound guidance and a foundation of security best practices for your ISMS.
- Continually monitor the effectiveness of your controls, and implement security measures that not only meet standard or regulatory requirements but go beyond them to raise the organization's security posture. This is a good way to ensure that your ISMS stays current and that the controls actually help you and your business units. If the organization must be certified against multiple frameworks, evaluate whether the same policies, processes, and controls can satisfy the objectives of several standards at once. Cross-referencing controls in this way can save valuable time.
Compliance is only a small part of the security function, and being compliant or certified must be taken with a grain of salt: compliance with a standard does not mean that you are completely secure, nor that your vendors are, because the scope and quality of the controls can differ significantly.