In today’s world, many organisations in both the private and public sectors are required to adhere to a plethora of rules, regulations and standards, some of which relate to cyber security and information assurance, such as the Data Protection Act, PCI DSS, ISO/IEC 27001, BS 25999:2006 and so on. For the majority of organisations, these requirements can appear both daunting and potentially very expensive to meet, with no visible benefit – except perhaps the avoidance of fines!
I believe that if you need to adhere to a set of rules, there will always be a way to do so which improves your business process at the same time. My approach to achieving compliance has this ethos driven through it… the core mantra is that “compliance” should be one of the RESULTS of a security improvement initiative rather than the core objective. Too many organisations have found to their cost that compliant does not mean secure.
Where you are seeking to achieve compliance with PCI DSS, ISO/IEC 27001, BS 25999:2006 or any other standard, regulatory framework or statutory obligation, an important first step is to conduct a compliance gap analysis. This task requires a modest investment: it establishes which aspects of the relevant standards are mandatory, desirable or advisable for your organisation, and records your organisation’s current state of compliance against each requirement. The second stage of the process is to establish a time-bound, risk-based and cost-effective remediation programme to bring you to the state of compliance you require.
- Identify Relevant Standards: Identify the legal and regulatory requirements and standards applicable to the business and the process under scrutiny;
- MoSCoW Analysis: For each requirement, assess whether the organisation MUST implement it, SHOULD implement it, COULD implement it or WON’T implement it;
- Gap Analysis: Based on the MoSCoW analysis, identify which of the requirements to be addressed are not currently met and specify what remedial actions need to be taken;
- Remediation Plan: Schedule the activities, deliverables and key milestones required to remediate outstanding compliance issues and the other related changes implied by the gap analysis. The goal of the plan is to ensure that affected processes not only achieve compliance but become more intrinsically secure and perform better than they did prior to remediation.