In the digital era we live in, where information security has become one of the top priorities, global enterprises face the complex challenge of keeping data secure and improving their security posture while also complying with a ton of requirements coming from different sources (e.g., laws, external party questionnaires, contractual obligations). There is an abundance of information security standards and frameworks available to help, but how does an enterprise make sure it can align to several of them at the same time, practically, efficiently and effectively?
It is, indeed, very difficult and time-consuming to comply with every single standard or requirement. And although certain requirements may seem similar, there are always little things that separate them and require special attention. To make compliance more efficient, the implementation of a global information security management system (ISMS) through the definition of a baseline is crucial. It will take some time at first, but it will lead to significant efficiencies in the medium and long term.
Choosing a Baseline
There are four steps needed to develop a baseline:
- Identify and document all information security compliance requirements at a global and country level—When completing this step, consider:
-
- Country (or broader) laws that affect or dictate specific information security measures (i.e., controls)
- Requirements coming from standards due to the nature of the business and services provided, such as the Payment Card Industry Data Security Standard when processing cardholder data
- Client requirements and their recognition of standards and frameworks (e.g., clients requiring the enterprise to be International Organization for Standardization (ISO) 27001-certified or providing a service organization controls (SOC) 2 report)
- Internal policies and procedures that have been developed in accordance with leadership’s appetite for risk and relevant threat assessments
- Voluntary certifications the leadership has decided to pursue as part of their information security strategy
- Define your proprietary controls baseline—In defining this baseline, a relevant standard such as National Institute of Standards and Technology (NIST) standards, ISO 27001 or a Secure Controls Framework standard should be used as a starting point, and then it can be tailored to the enterprise. When choosing the base standard, consider:
-
- Geographies the enterprise has a larger footprint in (e.g., NIST and SOC 2 reports are more popular in the United States, and ISO 27001 is more popular in Europe)
- What most clients are asking for or recognize as best practice
- The enterprise culture to ensure the required sponsorship from the leadership
- Map each control to the different compliance requirements you identified in step 1—This way, when a self-assessment or internal or external audit is run against the baseline, an evidentially effective control of the baseline will show evidence of effectiveness against the mapped compliance requirement.
- Ensure any compliance requirement identified as not having a mapped control in the baseline is added.
Developing a Blueprint to Pursue Global ISMS Certifications
Certifying the global ISMS is helpful to show to interested parties that the information security approach is indeed working and independent certification bodies are attesting to that. As certification bodies will look for compliance against one standard at a time (at least in most cases), the development of a blueprint that presents the journey of the control baseline being implemented in every country the global ISMS operates in will help evidence compliance with that standard in every country. To develop the blueprint:
- Define control implementation criteria for each control of the baseline. Make sure to include design and implementation effectiveness criteria.
- Define specific, measurable, attainable, reliable and timely (SMART) indicators for each control and their effectiveness criteria to be able to report against as evidence of compliance.
- Define timed tasks against the criteria and indicator reporting requirements and assign owners for implementation. Make sure that tasks required to run continuously or periodically (e.g., quarterly) are documented and the owners are made responsible for always collecting the evidence and measurements.
- Contact the lead auditor from the certification body and present to them the blueprint for implementing the global ISMS using the control baseline to get their agreement that this is sufficient for evidencing compliance with the standard they will be auditing against.
Complying with every single requirement that comes your way is challenging. Implementing the suggested control baseline and blueprint should aid in more straightforward implementation of a global ISMS across the enterprise and the ability to monitor and evidence compliance against only one framework—yours. This will allow efficiencies in managing interested parties, including clients and certification bodies, which is something an enterprise’s leadership is always striving for.
Editor’s note: For further insights on this topic, read Sarantos Kefalas’s recent Journal article, “Solving Standards Implementation Issues With a Global ISMS,” ISACA® Journal, volume 4, 2023.