Compliance & Certification
ISO 27002:2013 Standard
ISO/IEC 27002:2013 is the code of practice for information security controls adopted in many countries, including the United Kingdom, Australia and New Zealand, as a common basis for developing organisational security standards and for defining good practice in security management. It is guidance rather than a certifiable standard: certification is awarded against ISO/IEC 27001, and ISO 27002 supplies the implementation guidance for the controls listed in that standard's Annex A. The 2013 edition has since been superseded by ISO/IEC 27002:2022, which regroups the controls into organisational, people, physical and technological themes.
Compliance with ISO 27002 and the Standard for Information Systems Security assists with achieving certification against recognised good practice and provides evidence that security is taken seriously by management. Trading partners, shareholders, stakeholders and other third parties with a vested interest in your organisation can have confidence that it is acting responsibly in protecting itself from the risk of a serious security breach that could affect profitability and reputation.
The policies included in the system have been fully referenced to ISO 27002. Using these references it is possible to ascertain the extent to which the organisation meets internal compliance objectives, adheres to best practice and satisfies the provisions of the standard.
ISO 22313 Standard
The ISO 22313 Standard provides guidance, based on good international practice, for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented business continuity management system (BCMS) that helps organisations prepare for, respond to and recover from disruptive incidents. The organisation should design a BCMS that is appropriate to its needs and that meets the requirements of its stakeholders. The standard is generic and applicable to organisations of all sizes and types, including large, medium and small businesses operating in the industrial, commercial, public and not-for-profit sectors that wish to establish, implement, maintain and improve a BCMS.
ISO 22313 replaces BS 25999-1, the former code of practice for business continuity management, and should be read in conjunction with ISO 22301, which specifies the requirements for business continuity management systems (and which in turn replaced BS 25999-2). Certification is against ISO 22301; ISO 22313 is the accompanying guidance.
The Policies included in the IT Policy System have been referenced to ISO 22313 where appropriate. Using these references it is possible to ascertain the extent to which the organisation meets internal compliance objectives and satisfies the requirements of the Standard.
ISO 27017 Standard
ISO/IEC 27017 builds on the controls in ISO 27002 and adds a small number of cloud-specific controls for organisations acting as Cloud Service Customers and for their suppliers, the Cloud Service Providers.
For each relevant ISO 27002 control the standard provides cloud-specific implementation guidance, split where necessary into the customer's and the provider's responsibilities, addressing the information security threats and risk considerations that are particular to cloud services (for example, shared virtual environments, customer data segregation, and removal of customer assets when a contract ends).
ISO 29151 Standard
The ISO/IEC 29151 standard provides a code of practice for the protection of Personally Identifiable Information (PII). Its guidelines are based on ISO 27002, adapted and extended where required to address the privacy safeguarding requirements that arise from the processing of PII. The controls are organised around the privacy principles of ISO/IEC 29100, the privacy framework on which ISO 29151 builds:
> Consent and choice.
> Purpose legitimacy and specification.
> Collection limitation.
> Data minimisation.
> Use, retention and disclosure limitation.
> Accuracy and quality.
> Openness, transparency and notice.
> Individual participation and access.
> Accountability.
> Information security.
> Privacy compliance.
The Policies included in the IT Policy System have been referenced to ISO 29151 where appropriate. Using these references it is possible to ascertain the extent to which the Organisation meets internal compliance objectives and satisfies the requirements of the Standard.
PCI DSS Standard
The PCI DSS Standard describes the 12 Payment Card Industry (PCI) Data Security Standard (DSS) requirements that apply to organisations that process payment card transactions or hold cardholder data. The 12 requirements are organised into 6 logically related groups, called "control objectives".
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. Note that this applicability test is about the full PAN: replacing it with a token, or keeping only a truncated form, is precisely how organisations take systems out of scope, whereas sensitive authentication data (full track data, card verification codes, PINs) must not be retained after authorisation even where the PAN is protected.
These security requirements apply to all "system components". System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Segmentation is not itself a PCI DSS requirement, but where it is relied on to reduce scope its effectiveness must be verified, and PCI DSS requires penetration testing of the segmentation controls at least annually (more frequently for service providers). Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
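The applicability test above ("is a PAN stored, processed or transmitted?") is only as good as the organisation's knowledge of where PANs actually are, which is why scoping normally starts with a data-discovery scan of logs, databases and file shares. The following is an added example, not part of the original page and not the IT Policy System's own code, showing the core of such a scan: candidate digit runs are filtered by a minimal issuer-prefix table (an assumption; real tooling uses a full IIN list) and the Luhn check, then reported in masked form so that the scan output does not itself become cardholder data. The log lines are constructed sample data.

```python
"""PAN discovery over log lines, as an added illustration of PCI DSS scoping.

Any hit means the system that produced the line is storing or processing a PAN
and is therefore inside the cardholder data environment.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")

# Assumption: a minimal prefix/length table for the major card brands, used only
# to cut false positives such as order numbers. Production scanners use a full
# issuer identification number (IIN) list.
_IIN = re.compile(
    r"^(?:4\d{12}(?:\d{3})?"                    # Visa, 13 or 16 digits
    r"|5[1-5]\d{14}"                            # Mastercard, 51-55 range
    r"|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12}"  # Mastercard, 2221-2720 range
    r"|3[47]\d{13}"                             # American Express, 15 digits
    r"|6(?:011|5\d{2})\d{12})$"                 # Discover, 16 digits
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in a string; candidates must pass IIN and Luhn checks."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if _IIN.match(digits) and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every PAN found in the given lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, pan))
    return findings


# Constructed sample log; the card numbers are the well-known brand test numbers.
SAMPLE_LOG = [
    "2024-02-15T10:01:02Z checkout ok order=20240215123456789 amount=49.90",  # order id, not a PAN
    "2024-02-15T10:01:03Z DEBUG card=4111 1111 1111 1111 exp=12/27",          # PAN logged in clear
    "2024-02-15T10:01:04Z DEBUG card=4111111111111112",                       # fails Luhn
    "2024-02-15T10:01:05Z token=tok_8f2a91 last4=0004",                       # tokenised, out of scope
    "2024-02-15T10:01:06Z refund pan=378282246310005 ref=R-1",               # Amex PAN
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: PAN present ({masked}) -> source is in PCI DSS scope")
```

Two limitations worth knowing when reading the output: a greedy digit-run match can swallow a valid PAN that sits inside a longer digit string, and a Luhn-valid number with a plausible prefix is still occasionally a coincidence, so hits are leads for the scoping exercise rather than proof. The absence of hits, conversely, proves nothing about encrypted or encoded fields, which a real scan must decode before matching.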
The Policies included in the IT Policy System have been referenced to PCI DSS where appropriate. Using these references it is possible to ascertain the extent to which the Organisation meets internal compliance objectives and satisfies the requirements of the Standard.
NIST SP 800-171
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. NIST Special Publication 800-171 addresses the protection of Controlled Unclassified Information (CUI) while it resides in non-federal information systems and organisations, which is of paramount importance to federal agencies and can directly impact the ability of the federal government to carry out its designated missions and business operations.
SOX Section 404
Section 404 of the Sarbanes-Oxley Act of 2002 (Management Assessment of Internal Controls) reads:
(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall–
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
The Policies included in the IT Policy System have been referenced to SOX Section 404 where appropriate. Using these references it is possible to ascertain the extent to which the Organisation meets internal compliance objectives and satisfies the requirements of the Standard.
The Policies in the System also assist in complying with the following international codes, standards, regulations and frameworks:
> GDPR – General Data Protection Regulation
> Data privacy requirements in ANZ
> PSN – Public Services Network (see below)
> Cyber Essentials UK
> Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents, including the Essential Eight
> APRA recommendations
> HIPAA – The Health Insurance Portability and Accountability Act (NZ version)
> GLBA – The Gramm-Leach-Bliley Act
PSN Public Services Network
The Public Services Network (PSN) creates the effect of a single network across the public sector, delivered through multiple service providers, to create a more efficient marketplace for public sector ICT services and thus ensure ongoing value and innovation while reducing costs. The PSN is the enabling network layer for the Government ICT Strategy [E1].
Being PSN Compliant is defined as "a state describing ongoing adherence to the rules, conditions and obligations identified in a signed Code". A Code is created by an organisation completing and signing the Code Template [ST11], or by signing a Deed of Undertakings in the case of a GCN Service Provider (GCNSP). A Code can be one of:
> Code of Connection (CoCo): applicable to PSN Customers
> Code of Practice (CoP): applicable to PSN Service Providers
> Code of Interconnection (CoICo): applicable to those PSN Service Providers that are Direct Network Service Providers
> Deed of Undertakings (DoU): a contract applicable to GCN Service Providers
PSN Compliance Certification is awarded by the PSN Authority (PSNA), following Compliance Verification, to each individual Customer Environment, PSN Service or GCN Service that makes up the PSN.
The Policies included in the IT Policy System have been referenced to PSN where appropriate. Using these references it is possible to ascertain the extent to which the Organisation meets internal compliance objectives and satisfies the requirements of the Standard.