The coming year will bring a ‘storm of change’ in information security compliance, creating fresh challenges for board directors, CIOs and business owners seeking to ensure business resilience, says IT Governance Limited
Alan Calder, Founder and Executive Chairman of the global cyber security services provider, says: “A raft of new standards and regulatory controls are about to be launched in response to the rising tide of infosecurity threats. While these measures are to be welcomed, organisations will have their work cut out in preparing themselves to achieve compliance.
“The UK government has announced its intention to back a new kite-mark standard for cyber security, with further details promised in early 2014. Around the same time, the European Commission will unveil a new directive on data privacy, while the Obama Administration will introduce a nationwide cyber security framework in the United States. Add to these changes the multiple compliance challenges arising from recent updates of standards, such as ISO 27001
and PCI DSS
, and you quickly have a considerable governance task in terms of planning, resourcing and training.”
IT Governance highlights five forthcoming changes in particular as requiring urgent attention from senior management:
The UK government’s proposed kite-mark standard for cyber security, which is intended to provide a common set of guidelines for managing cyber risks and help stimulate the adoption of good cyber practices among businesses. Following an initial announcement by the Department for Business, Innovation and Skills on 26 November, further details and a formal launch are promised by the Department in early 2014.
The EU’s draft General Data Protection Regulation (GDPR), which will supersede the EU Data Protection Directive, is expected to be formally adopted in mid-2014 and to take effect in 2016 after a transition period of two years. The GDPR aims to harmonise data protection regulations throughout the EU, strengthen online privacy rights and boost Europe’s digital economy.
The latest update to the ISO 27001 best practice information security standard, ISO 27001:2013, which was issued in October 2013 and is expected to progressively come into force during 2014 and 2015.
President Obama’s planned cyber security framework for private companies and infrastructure networks, which is planned for finalisation in February 2014.
Calder says: “For any organisation working nationally or internationally, there is every chance of being affected by some or possibly all of these forthcoming changes. Therefore, as senior managers contemplate the coming year, they have little time to waste in reviewing their current governance processes and preparing for the new requirements soon to arise.
“While the new measures are varied in nature and application, a common thread running through them is the need for a best practice approach to managing data assets. ISO 27001 helps address some of the challenges that are typical for data protection and PCI DSS compliance and enables the adoption of a holistic approach to security. Moreover, it supports a risk-based approach to security and facilitates the governance aspect which is so crucial. We therefore see compliance with ISO 27001 as the fundamental enabler to help organisations meet their regulatory obligations and the expectations of their customers.”