Compliance Standards: An In-Depth Multi-Chapter Guide
Compliance standards do not exist for their own sake. Just as laws give societies the proper direction to function, most compliance standards help enterprises operate their businesses securely within the boundaries of widely accepted rules and principles.
Ensuring adherence to compliance standards is more than a tick-box exercise: Failure to prioritize the security and privacy controls these standards provide can wreck any business. Besides the infamous high costs of data breaches, probably the biggest potential hit for most organizations is a loss of trust.
This article starts with an overview of common compliance standards and then runs through each standard’s principles and ways to stay compliant. It concludes with a discussion of best practices for success.
Overview of key compliance standards
| Compliance standard | Description | Associated industries | Relevant regions |
|---|---|---|---|
| General Data Protection Regulation (GDPR) | Ensures data protection and privacy for individuals within the EU | All | EU |
| Health Insurance Portability and Accountability Act (HIPAA) | Safeguards medical information and patient data | Healthcare (providers, clearinghouses, and business associates) | US |
| Payment Card Industry Data Security Standard (PCI DSS) | Standardizes the secure handling of credit card information | Retail, finance | Global |
| Sarbanes-Oxley Act (SOX) | Mandates that companies follow various rules about financial disclosure and reporting | Publicly traded companies | US |
| ISO 27001 (Information Security Management Systems) | A widely used standard for implementing information security controls in an organization | Any industry | Global |
| Service Organization Control (SOC) 2 | Assurance for the implementation of controls for security and privacy | Service providers such as IT vendors, cloud and data center providers, and B2B SaaS companies | Global |
| Network and Information Security (NIS) and NIS2 Directives | A framework for EU member states to use for streamlining cyber resilience | NIS: public infrastructure; NIS2: any private organization (to some extent) | EU |
| Digital Operational Resilience Act (DORA) | Requires all EU financial institutions to ensure that they can withstand all types of IT-related disruptions and threats | Finance, IT services
|
EU
|
| National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) | A security framework applicable to any business that aims to reduce its cybersecurity risks | Originally for critical infrastructure; applicable to any industry | US, Global |
| NIST Special Publication 800-53 | A catalog of security and privacy controls | Any industry | US, Global |
| Center for Internet Security (CIS) Controls / Benchmarks | Recommended practices for securing systems, devices, and networks | Any industry | Global |
Too many standards?
The good news is that standards and regulations focused on security and privacy have many congruences. Both sides address sensitive information: Security focuses on the integrity, confidentiality, and availability of information, while privacy indicates responsibility for processing personal data.
However, while they have commonalities, each standard has its own scope, depth, and applicability. The best starting point for understanding them is getting acquainted with the mandatory regulations for the region and industry in which your organization operates. Then build up your IT and security frameworks by using additional recommended standards and best practices.
Let’s look at the standards in more detail.
General Data Protection Regulation (GDPR) and other privacy beasts
Probably the most stringent regulation in the world concerning personal data, GDPR compliance is not to be taken lightly, considering that the average cost of a data breach reached an all-time high of $4.45 million in 2023.
Any company having a presence or interaction in one of the states or countries where privacy laws are enacted must get acquainted with them and ensure that any personal data processing is compliant.
Purpose: GDPR regulates the lawful processing of personal data across the EU.
Principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
How to stay compliant:
- Appoint a data privacy officer.
- Identify assets that process personal data.
- Conduct a Privacy Impact Assessment (PIA) for any new process or system.
- Implement data retention policies.
- Limit copies of production data and anonymize information.
- Create privacy notices and data processing consents.
- Implement data breach escalation and reporting procedures.
For more information: You can consult the GDPR at this official link.
Other countries
Many countries have developed their own approaches to personal data, or personally identifiable information (PII), as it is called in the US.
United States:
- The US has a close equivalent of GDPR in the California Consumer Privacy Act (CCPA). Several other US laws deal with different privacy scopes.
- EU and US definitions of personal data differ. The US has other data protection laws that are limited to financial or health information (see HIPAA in the next section, for example).
- The Children’s Online Privacy Protection Act (COPPA) is another US regulation with which operators of websites and online services directed to children under 13 must comply.
- The US Privacy Act demands that federal agencies not collect personal data without consent.
Other countries:
- Canada uses the Personal Information Protection and Electronic Documents Act (PIPEDA). One difference from the GDPR is that it only applies to the private sector.
- Australia follows the Australian Privacy Act, which had requirements for data breach reporting added in 2018. A law reform is expected in 2024.
- Latin American, Asian, and African countries have distinct privacy regulations. Some existed before GDPR, some were inspired by it, and some are still missing completely. There is some catchup to do overall, with common issues being limited scopes, no responsible authority, or delayed enactments.
- In the United Kingdom, after Brexit, the GDPR was retained in domestic law as the UK GDPR.
Health Insurance Portability and Accountability Act (HIPAA)
Continuing with privacy laws, HIPAA has a significant differentiator: It is focused on personal health information (PHI)). HIPAA is strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act, pushing healthcare providers to adopt electronic health records and to apply security and privacy safeguards to these records.
Purpose: HIPAA is comprehensive legislation widely recognized for its requirements to protect the privacy of patients.
Principles:
- Privacy Rule
- Security Rule
- Transaction Rule
- Identifiers Rule
- Enforcement Rule
- Breach Reporting Rule
How to stay compliant:
- Process PHI only for the purposes of treatment, payment, and operations, and limit the amount of information to the minimum necessary.
- Adopt measures to protect PHI from unauthorized access, alteration, or disclosure (e.g., encrypt PHI, implement need-to-know principles, and physically protect devices processing PHI).
- Implement business associate agreements (BAAs) with partners.
- Notify patients of any breach concerning their PHI.
- Observe US Ministry of Health and Human Services (HHS) reporting requirements.
For more information: You can study HIPAA further on this official site.
Payment Card Industry Data Protection Standard (PCI-DSS)
Next, we look at the global information security standard to protect cardholder data and reduce credit card fraud. Depending on the company’s volume of transactions, a reassessment needs to be done annually or quarterly, either internally or by a certified Qualified Security Assessor (QSA).
Purpose: Protect cardholder data
Principles:
- Building and maintaining a secure network and systems
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
How to stay compliant by implementing the 12 PCI DSS requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt the transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data based on business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
For more information: Learn more about PCI on the official site.
Sarbanes-Oxley Act (SOX): Staying True to the Public
The SOX Act was passed in 2002 to improve the behavior of publicly traded companies, some of which were engaged in scandals for fraud and untruthful financial reporting. This act enforces punishment at the highest levels in the organization (including imprisonment) for such misconduct.
Purpose: Prevent publicly traded companies from engaging in fraudulent accounting and financial practices
Principles:
- Public company accounting oversight board
- Auditor independence
- Corporate responsibility
- Enhanced financial disclosure
- Analyst conflicts of interest
- Commission resources and authority
- Studies and reports
- Corporate and criminal fraud accountability
- White-collar crime penalty enhancements
- Corporate tax returns
- Corporate fraud and accountability
How to stay compliant:
- Implement SOX internal controls; SOX 404 controls are well known, but sections 302, 409, 802, and 906 are relevant as well.
- Focus on the integrity component of the CIA Triad. Implement completeness, accuracy, and timeliness (CAT) controls in the design of financial systems.
- Implement non-repudiation controls.
- Observe data retention requirements for financial records.
For more information: Read the SOX Act on this government website.
ISO 27001 (Information Security Management Systems): The One Size That Fits All
Currently in its third version (ISO 27001:2022), this standard provides any company with the elements needed to set up an information security management system (ISMS). An ISO certification demonstrates that all applicable information security controls have been effectively implemented.
Purpose: Implement an effective ISMS for any organization, regardless of its type, industry, or size
Principles:
- The CIA triad: confidentiality, integrity, and availability
- 10 clauses to implement and maintain an ISMS
- 93 controls grouped into categories: organizational, people, physical, and technological
How to stay compliant:
- Develop, implement, and maintain an ISMS framework.
- Perform regular security risk assessments and treat identified risks.
- Maintain a Statement of Applicability (SoA).
- Implement and test applicable controls.
- Measure security through metrics, and report on KPIs.
- Adopt an independent audit program.
- Capture and correct security deviations.
For more information: The ISO27001 standard can be purchased directly from ISO. We strongly recommend acquiring ISO 27002 (Control Implementation Guidelines) as well.
Service Organization Control (SOC) 2: What’s Your Type?
SOC 2 reports assure customers of the suitability of measures implemented to provide security and privacy for their information. SOC 2 reports are the best way to demonstrate trust in the various outsourced services that a company may have.
SOC2 has two types: Type 1, which evaluates a point in time, and Type 2, which looks at compliance over a period of up to 1 year.
Purpose: An assurance report where an auditor issues an opinion on an organization’s design and the operating effectiveness of stated controls at a point in time (SOC2 Type 1) or over a defined timeframe (SOC2 Type 2)
Principles (Trust Services Criteria):
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
How to stay compliant:
- Map your internal security controls against a relevant control framework, such as the one from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
- Test your controls and manage any required improvements.
- Perform an annual third-party SOC2 assessment.
For more information: Check out the official SOC 2 website.
Network and Information Security (NIS) and NIS2 Directives: Harmonizing security across EU member states
Going back to the European compliance landscape for a while, NIS offered a framework that member states must utilize to dictate cybersecurity compliance requirements for public and private companies. While member states have until October 2024 to adapt NIS2 requirements into local laws, any company can already prepare to get acquainted with the general requirements.
Purpose: Achieve a common cybersecurity approach among EU member states
Principles:
- Risk-based approach
- Third-party risk across the organization’s supply chain
- Incident management
- Incident reporting obligations
How to stay compliant:
- Implement a risk management framework.
- Set up an incident response plan and a computer security incident response team (CSIRT).
- Create an outsourcing policy.
- Execute the European Banking Authority (EBA) schedule in third-party arrangements.
For more information: Read more about the NIS and NIS2 directives on this official website.
Digital Operational Resilience Act (DORA): The (financial) explorer
DORA will come into force in January 2025, bringing with it rigorous requirements for EU financial institutions and IT vendors. Why both? A major incident affecting a bank can have systemic consequences, and any bank’s systems and network infrastructure rely heavily on IT providers.
Both industries are already preparing to be compliant with DORA. Note that at the time of writing this article, additional technical standards have been drafted that aim to clarify provisions encountered in the act.
Purpose: Ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks
Principles:
- Chapter I: General provisions; proportionality principle
- Chapter II: ICT risk management
- Chapter III: ICT-related incident management, classification, and reporting
- Chapter IV: Digital operational resilience testing
- Chapter V: Managing ICT third-party risk
- Chapter VI: Information-sharing arrangements
How to stay compliant:
- Map all IT assets and their dependencies, and ensure a proactive approach for any end-of-life / end-of-support systems.
- Use IT systems, tools, and protocols that are adequately scaled, resilient, and have enough capacity to support operations.
- Implement solid network controls: isolation and segmentation, intrusion detection, and response.
- Employ a range of system tests, including external penetration tests, physical security reviews, and the testing of backup and restoration procedures.
- Have a solid business continuity plan (BCP), a dedicated crisis management team (CMT), and prompt incident management and crisis communication procedures.
Device42’s CMDB provides a single source of truth within your organization to help you stay compliant.
For more information: DORA can be consulted here.
NIST Cybersecurity Framework (CSF) and Special Publication 800-53: Implementing DoD state-of-the-art standards
Going back to the US, the NIST (not to be confused with NIS) creates standards for US federal agencies and private companies. The most widely adopted standards are the NIST Cybersecurity Framework and Special Publication (SP) 800-53. Both can be used by any organization that aims to achieve compliance with a globally recognized security standard.
Purpose: Provide a comprehensive list of security and privacy controls adequate to any organization’s information protection needs
Principles:
- Identify
- Protect
- Detect
- Respond
- Recover
How to stay compliant:
- Identify each and every system, tool, device, and data flow; asset management can become seamless with Device42.
- Apply preventive controls, e.g., access controls, firewalls, web filtering, and encryption.
- Use detective controls, e.g., activity monitoring, intrusion detection, and vulnerability scans.
- Apply corrective controls like data backups and disaster recovery.
- Have an incident response team and adequate procedures.
For more information:
- The NIST Cybersecurity Framework is available on this official NIST webpage.
- NIST SP 800-53 can be read on this NIST webpage.
Center for Internet Security (CIS) Controls and Benchmarks: Security at all layers
Finally, CIS Controls are prescriptive configurations for systems and devices. Configurations play an essential part in achieving compliance, and CIS offers Benchmarks to follow for systems provided by numerous vendors.
Purpose: Provide rules for system hardening and secure deployment of systems
Principles—18 controls (and sub-controls) addressing:
- Applications
- Data
- Devices
- Network
- Users
How to stay compliant:
- Implement the CIS controls.
- Note: CIS controls comply with many standards and regulations enumerated in this article, but they are not a replacement for them. CIS controls should be used along with any other applicable standard or legislation.
For more information: CIS benchmarks are found on the official CIS website.
Best Practices
There is no way around compliance standards. Each organization, no matter its maturity, location, or services offered, needs to demonstrate its compliance posture. Here are some best practices that relate to the compliance standards we went through above.
| Best practice | Summary | Compliance standard addressed |
|---|---|---|
| Conduct regular risk assessments | Continually evaluate potential security risks to stay ahead of vulnerabilities. | ISO 27001, SOX, SOC 2 |
| Implement role-based access control (RBAC) | Restrict system access to authorized users based on their roles to minimize the exposure of sensitive data. | HIPAA, PCI DSS, ISO27001 |
| Monitor and audit compliance | Regularly review logs and perform audits to ensure ongoing compliance with standards. | GDPR, SOX |
| Ensure employee training and awareness | Educate staff about the importance of compliance and how to adhere to relevant standards. | All standards |
| Implement adequate governance | Have management understand and support the IT framework, ISMS, and continuity strategies. | ISO27001, DORA |
| Ensure incident management capabilities | Implement the seven steps for incident management: detection, response, mitigation, reporting, recovery, remediation, and lessons learned. | Most standards |
| Use data anonymization in test environments | While data masking techniques may be sufficient for other sensitive data, personal data needs anonymization. | GDPR |
| Secure IoT devices | The many IoT devices found in critical infrastructure services need secure connections, monitoring, and alerting capabilities. | NIS, CIS |
| Implement automated integrity controls | Ensure that financial data cannot be altered. | SOX |
| Address risks across the IT supply chain | Expand due diligence controls to Tier 2 and Tier 3 IT providers. | DORA |
Device42 offers multiple features that can be leveraged to assist with implementing compliance standards best practices:
- Auto-discovery of IT assets: Simplifies the process of inventory tracking, a common requirement in many compliance standards like ISO 27001.
- Data center and network visualization: Provides a clear overview of physical and virtual assets, aiding in compliance with data management and security standards like GDPR.
- Dependency mapping: Helps you understand data flow and system dependencies, which can be critical for HIPAA compliance, where the flow of patient data needs to be secured and documented. Dependency mapping lists all services (whether running or not), users, protocols, and ports.
- IP Address Management (IPAM): Aids in network security, thereby aligning with compliance standards like PCI DSS that require secure data transmission.
Discover assets automatically including hardware, software, and cloud infrastructure
Visualize application dependencies
Meet your compliance and audit requirements comprehensively and confidently
Conclusion
Compliance standards have different purposes and coverage. No single standard can yield a perfect security program.
Despite being unforgiving with data breaches, regulations such as GDPR or HIPAA are based on high-level principles. By combining them with standards like ISO27001 or NIST SP 800-53, a company can better understand and apply practices for securing its environment.
At the core of all privacy and security compliance standards lies one concept: protection. This starts with knowing your information assets in and out. Today, it’s nearly impossible to achieve compliance without leveraging automated tools. Device42 can get you started with asset discovery and inventory, establish an ongoing dependency mapping, and ensure that your protection efforts reflect your environment day after day to keep you compliant.