Compliance: Take the “leg up”
The best legislation, regulation, and directives are enacted to address issues.
Written by Debra Buchanan, Senior Information Security Consultant @ Watchcom
In other words, laws, regulations, and directives provide a shortcut to an organization’s risk assessment and treatment of risks with ratings higher than their acceptable levels. By starting with those that are relevant to their business sector (e.g., energy, transportation, hospitality, manufacturing, services, etc.) and their business processes (e.g., HR, finance, legal, security, IT, procurement, audit, R&D, etc.) an organization can take advantage of previous lessons learnt from other issues occurring nationally or internationally.
Not only does the history, purpose, and/or intent of a law, regulation, or directive identify the risk, it identifies the risk rating (almost certain) which originally required the country or international union to act, but they also tell you how to prevent realizing it.
Therefore, I believe ISO’s definition of a Statement of Applicability (SoA) is missing a lot of key elements that explain why a control is required. The reason I don't agree is because the legislation, regulation, best practice (a.k.a. higher authority) is not indicated; only the requirements to meet compliance are. If I tell you (as an Executive) that the EU GDPR and NOR Privacy Act mandate that any collection of personal data must be controlled, then the controls I list for privacy compliance has more meaning / context.
Knowing the why is the lion’s share to being compliant, because without buy-in from top management resources will never be approved.
A real SoA must list all applicable:
- Regulations and directives,
- Contract clauses with third parties,
- Organization’s strategy, risk register, policies, procedures, and instructions,
- Industry and Practice Standards (i.e., ISO, BSI, NIST, RFC, etc.) and their prescribed controls,
- Manufacturer, Vendor, and Provider instructions and guidance (a.k.a. best practice guidance).
This is how the organization can understand why a risk and its controls are relevant, as well as why they are in scope of an audit’s SoA. Additionally, the last bullet will identify most of the third parties that are part of the organization’s supply chain; another shortcut.
Take the “leg up”!
Don’t look at compliance as a cost of doing business but as a shortcut to good due care and due diligence. Doing so will save precious, limited resources. It is not just good for the organization, but will go a long way to prevent harm to people and intellectual property, negative press articles, fines, security incidents and data breaches, but also prosecution.
A risk-based approach
Deloitte’s 2022 State of Compliance Survey indicates that compliance is still low. Given that we have moved to a risk-based approach to doing business, why is compliance still low?
I did some research into why some laws and regulations were enacted and found there is a clear risk-based approach; many laws, regulations, and directives were enacted to respond to many risk realizations (a.k.a. issues).
Below are a few selected examples.
Laws on security, privacy, intellectual property, consumer protection, procurement, etc. were all enacted due to issues resulting in tangible and intangible harm.
United States (US)
- Sarbanes Oxley Act (SOX) – Issues from Enron and Worldcom caused US Congress to enact this law.
- Healthcare Insurance Portability and Accountability Act (HIPAA) – Issues for employees with pre-existing health conditions to get health insurance and issues with sharing Protected Health Information (PHI) caused US Congress to enact this law.
- Occupational Safety and Health Act (OSHA) – In the 1960s, accidents and deaths increased in the US causing political pressure on Congress to enact this law. European Union (EU)
- National Information Security Directive - Directive (EU) 2022/2555 (NIS2) replaces Directive (EU) 2016/1148 to collaboratively fight threats to the European Union from the malicious use of digital technology (e.g., IT, OT, IoT, IIoT, ICS, etc.).
United Kingdom (UK)
- Education Act – To improve knowledge by making education free to all children up to the age of 15.
- National Health Service Act – To improve the health of its citizens by making healthcare affordable.
- Norwegian Security Act – Because of threats to Norway, this law is to:
- Protect Norway's sovereignty, territorial integrity and democratic system of government, and other national security interests,
- Prevent, detect, and counter activities which present a threat to security,
- Ensure that security measures are implemented in accordance with the fundamental legal principles and values of a democratic society.
This includes empowering Norway’s National Security Authority (NSM) to provide information and guidance regarding security (e.g., physical, personnel, cyber, and management).
New Zealand (NZ)
- New Zealand Intelligence and Security Act – Like the Norwegian Security Act, this act was passed to protect New Zealand, its citizens, and residents.
- Additionally, it empowers the New Zealand Security Intelligence Service (NZSIS) and the Government Communications and Security Bureau (GCSB) to publish information, guidance, and to provide support to New Zealand agencies, companies, and citizens regarding security.
If your organization needs help with compliance questions, including understanding what a full SoA should look like, feel free to contact us for a chat.