7 Considerations Before Adopting Security Standards
Here's what to think through as you prepare your organization for standards compliance.
ISO 27001. PCI DSS. GDPR. When it comes to business and security standards, it's easy to get lost in the alphabet soup of acronyms.
How can you discern which ones are right for your organization? Start by asking some high-level questions as to what you hope to accomplish by adopting them – and how adhering to standards can help your growth, says Khushbu Pratap, a senior principal analyst at Gartner who covers risk and compliance.
"The most important questions to ask [are]: Are your customers asking for it, and do your stakeholders think a particular standard is important?" says Pratap.
Assuming the answers are yes, there are additional factors to think through before moving ahead with a compliance strategy. The seven practical tips outlined in this feature will help. Heavily regulated organizations typically have dedicated teams that work on these standards, but even for them, this list is a chance to step back and better focus the work of the standards compliance and certification teams.
The ISO 27001 standard, recognized internationally for offering a strong baseline of security controls, is so comprehensive that most companies wind up using only a small fraction of what it offers. To get the most bang for the buck, Gartner's Pratap advises companies to step back and decide which aspects of the standard they are going to tackle and how each will help the business. Do they want to use the standard to drive multifactor authentication? Email encryption? Or to establish a common language and understanding of security and risk across the organization?
Much will depend on the organization's industry. For example, banking and defense contractors may focus on encryption, while a medical practice might key in more on stronger authentication for patient portals.
Companies need to ask how the standards will make them stronger organizations and put them in a position to grow the business, says Gartner's Pratap. Security teams should communicate to top management the new opportunities a certification opens up: PCI DSS compliance, for example, can increase business because the company can now process credit card payments, while GDPR compliance can make the business more attractive to EU customers and to other businesses worldwide.
Regulatory frameworks also help organizations improve the compliance process every time they prepare for an audit or review internal controls, Threat Stack's Ullian adds. Over time, companies can automate much of this work with outside tools designed to streamline what would otherwise be a manual audit process. These tools often include internal auditing functions that help a company maintain continuous compliance, avoiding a scramble to make changes when audit time comes around.
According to Gartner's Pratap, a base price for an assessment runs about $50,000. This excludes training, hiring consultants, and conducting pen tests where required. Threat Stack's Ullian says cost and ROI are important factors in any compliance program, but it's also important to remember that for compliance regulations such as GDPR and PCI, the cost of noncompliance can be an order of magnitude higher than even the most detailed and expensive compliance programs. Companies need to think in terms of the benefits of compliance, she suggests. For optional compliance frameworks, the cost must be weighed against the benefits it provides, such as faster sales cycles and reduced risk of security incidents.
Gartner's Pratap says companies should train at least two team members to become subject-matter experts on the selected certifications. Most standards-authoring or certification bodies offer training courses; at the very least, consulting partners will offer "train the trainer" services to internal teams. Follow up by implementing the requirements of the chosen security standard and preparing employees to conduct self-audits. Self-audits help the team assemble documentation and evidence ahead of time and organize read-only access to the infrastructure in scope for the audit.
Security certification audits are typically an annual routine, Gartner's Pratap says. However, it's important to think of the effort that goes into keeping the certificate valid as a continuous process that involves improvement of the security practices and learning from past experiences. Keep security compliance activities accountable by diligently maintaining records. If a company does that, it's more apt to maintain the certification.