The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing). Some of the main ones are: ISO 17799 and 27001, COBIT4, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 94, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage.
So, here are three ways you might use the matrix:
- ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;
- ISMS coverage by laws/standards/regs: highlight the vertical columns for all those laws/stds/regs with which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column. Rows with multiple entries are common controls, so you probably already have them, but the implementation should integrate the multiple requirements. Be careful about the rows with single entries: do you have them all covered in your ISMS? If not, there's a noncompliance risk to consider.
- Linking standards to laws & regs: management are strangely concerned about compliance to laws and regs if not standards, presumably because they fear the personal accountability and business impact of non-compliance. The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.
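As an added illustration (not part of the original post or the ITCi material), here is a small Python sketch of the second procedure above run over a constructed matrix: the control objectives, the cells and the section references are made-up placeholders, not the ITCi mappings, and the ISMS control list is a hypothetical organization's.

```python
"""Walk a compliance cross-reference matrix: mark applicable columns, keep rows
with an entry in a marked column, separate common controls from single-entry
ones, and flag rows the ISMS does not cover. All data below is constructed."""

# Rows: control objectives; columns: laws/standards/regs. A non-empty cell holds
# the section reference in that standard. References are placeholder strings.
MATRIX = {
    "Access control":       {"ISO 27001": "ref-A", "SOX": "ref-B", "HIPAA": "ref-C"},
    "Change management":    {"ISO 27001": "ref-D", "SOX": "ref-E", "Mastercard SDP": "ref-F"},
    "Backup and recovery":  {"ISO 27001": "ref-G", "HIPAA": "ref-H"},
    "Media disposal":       {"HIPAA": "ref-I"},
    "Audit logging":        {"ISO 27001": "ref-J", "SOX": "ref-K", "FISMA": "ref-L"},
    "Card data retention":  {"Mastercard SDP": "ref-M"},
}

def applicable_rows(matrix, regs):
    """Step 1: mark the columns for the regs that apply and keep only the rows
    with an entry in at least one marked column (other columns are dropped)."""
    out = {}
    for objective, cells in matrix.items():
        hits = {reg: ref for reg, ref in cells.items() if reg in regs}
        if hits:
            out[objective] = hits
    return out

def classify(rows):
    """Step 2: rows with several entries are common controls (one implementation
    should satisfy all of them); rows with one entry are the easy-to-miss ones."""
    common = {o: h for o, h in rows.items() if len(h) > 1}
    single = {o: h for o, h in rows.items() if len(h) == 1}
    return common, single

def noncompliance_risks(rows, isms_controls):
    """Step 3: any required row the ISMS does not cover is a noncompliance risk,
    reported with the references that explain the requirement."""
    return {o: h for o, h in rows.items() if o not in isms_controls}

def review(matrix, regs, isms_controls):
    rows = applicable_rows(matrix, regs)
    common, single = classify(rows)
    return {"common": common, "single": single,
            "gaps": noncompliance_risks(rows, isms_controls)}

if __name__ == "__main__":
    # Hypothetical organization: subject to SOX and HIPAA, uses ISO 27001 as its
    # ISMS framework, does not process card payments.
    result = review(MATRIX, {"ISO 27001", "SOX", "HIPAA"},
                    {"Access control", "Change management", "Backup and recovery", "Audit logging"})
    for kind, rows in result.items():
        print(kind, {o: sorted(h) for o, h in rows.items()})
```

Single-entry rows are where gaps hide: in the constructed run only the HIPAA-specific "Media disposal" row is flagged, while the card-data row drops out because that column was never marked.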
A lot of work must have gone into compiling the matrix. Make the most of it.
There's further information on ISMS best practices at our ISO 27001 Security website.
A webinar explains the ITCi's Unified Compliance Project which is making excellent plans to simplify, harmonize and perhaps even unify the IT compliance problem across laws, standards and regs.