Thursday, October 28, 2010

Is your business compliant?

Being compliant with a specific regulatory, industry, or legal standard is a common requirement for businesses. When those standards deal with security, one has to look closer: does achieving compliance really equate to being secure? I would argue that it does not.

First, “being secure” sounds like an absolute statement, but no one can be absolutely secure. Second, compliance with standard ABC or XYZ only means that the requirements of that particular standard are more or less fulfilled -- not that the business is secure.

Does the standard really address your business's security requirements, or is it driven by someone else's requirements, such as PCI, which concerns itself only with protecting credit card data? Or SOX, which is meant to ensure that companies can provide financial accountability? There are plenty of compliance standards, all with a rather specific focus.

Businesses often struggle to satisfy the standards they must comply with in their area of business. Since they have to be compliant, there is no choice. And when the effort for compliance requires a business to set up processes, write additional documentation, and invest in infrastructure (e.g., a business starting out from scratch), other security requirements that would be in the company's best interest are neglected. Compliance with the standard becomes the sole security focus. So the net effect of complying with a few specific security requirements can be a reduced overall security level.

Contrast that with ISO 27001, where you do not have to comply with intricate or potentially irrelevant details. Rather, you are forced to think about your security requirements as defined by the business you are in. An ISMS standard like ISO 27001 helps you identify your specific security requirements as they relate to your business. It gives you control over how you manage your security requirements and risks. While the compliance requirements for a specific business cannot be ignored, the way they are met can be influenced quite a bit. Security compliance requirements can typically be met easily if a business has a good overall security posture, with adequate processes that are adjusted to changing business requirements and evolving threats in a PDCA (plan-do-check-act) cycle. If a business pursues security as an intrinsic goal instead of bolting on a compliance patchwork, the compliance requirements can be met without much extra work. And the overall security level of the business is higher than when aiming just for compliance and jumping through hoops to meet it.

by Andreas Siegert
