18 Compliance
isoconsultantkuwait.com/2019/12/24/iso-270012013-a-18-compliance
Organizations are subject to numerous laws, regulations, and contractual obligations that
specify requirements related to the appropriate management and protection of diverse
information sets. Understanding and maintaining compliance with these different
requirements is sometimes a difficult road. The path to establishing compliance takes a
complete look at the areas in which your Organization has responsibilities, whether legal,
regulatory, contractual, or self-imposed. Important elements to consider when developing
a plan for compliance include the following:
Awareness of relevant regulations/laws. (Do you know what you need to follow?)
Awareness of relevant policies. (Do you know what policies apply to information
use?)
Awareness of relevant contractual agreements. (Do you know what agreements
your organization has made that impose conditions on the use of data?)
Awareness of relevant standards or best practices. (Do you know what standards or
best practices your organization chooses to follow with respect to information use?)
Management of organizational records. (Do you know what you need to keep and for
how long?)
Awareness of how records are managed by your organization.
Approach to complying with each item. (Do you know what your organization is
doing to follow the law?)
Awareness of internal and/or external audit activities. (Do you know what
internal/external audits exist and what is required to meet or pass these reviews?)
determine where progress needs to be made.
3. Develop a prioritized action plan that will help you organize your efforts (one section of
your Information Security plan).
4. Develop a policy, standard, roles, and responsibilities, and/or procedures in
collaboration with other key stakeholders at your organization.
5. Familiarize yourself with common standards and regulations that address specific
requirements.
6. Determine whether Governance, Risk, and Compliance (GRC) solutions can assist you
with managing compliance.
Control
Implementation guidance
The specific controls and individual responsibilities to meet these requirements should
also be defined and documented. Managers should identify all legislation applicable to
their organization in order to meet the requirements for their type of business. If the
organization conducts business in other countries, managers should consider
compliance in all relevant countries.
Control
Appropriate procedures should be implemented to ensure compliance with legislative,
regulatory and contractual requirements related to intellectual property rights and use
of proprietary software products.
Implementation guidance
The following guidelines should be considered to protect any material that may be
considered intellectual property:
a) publishing an intellectual property rights compliance policy which defines the legal
use of software and information products;
b) acquiring software only through known and reputable sources, to ensure that
copyright is not violated;
c) maintaining awareness of policies to protect intellectual property rights and giving
notice of the intent to take disciplinary action against personnel breaching them;
d) maintaining appropriate asset registers and identifying all assets with requirements
to protect intellectual property rights;
e) maintaining proof and evidence of ownership of licenses, master disks, manuals, etc.;
f) implementing controls to ensure that any maximum number of users permitted within
the license is not exceeded;
g) carrying out reviews that only authorized software and licensed products are
installed;
h) providing a policy for maintaining appropriate license conditions;
i) providing a policy for disposing of or transferring software to others;
j) complying with terms and conditions for software and information obtained from
public networks;
k) not duplicating, converting to another format or extracting from commercial
recordings (film, audio) other than permitted by copyright law;
l) not copying in full or in part, books, articles, reports or other documents, other than
permitted by copyright law.
Other information
Control
Records should be protected from loss, destruction, falsification, unauthorized access
and unauthorized release, in accordance with legislative, regulatory, contractual and
business requirements.
Implementation guidance
When deciding upon the protection of specific organizational records, their
corresponding classification based on the organization’s classification scheme should be
considered. Records should be categorized into record types, e.g. accounting records,
database records, transaction logs, audit logs and operational procedures, each with
details of retention periods and type of allowable storage media, e.g. paper, microfiche,
magnetic, optical. Any related cryptographic keys and programs associated with
encrypted archives or digital signatures should also be stored to enable decryption of the
records for the length of time the records are retained. Consideration should be given to
the possibility of deterioration of media used for storage of records. Storage and
handling procedures should be implemented in accordance with the manufacturer’s
recommendations. Where electronic storage media are chosen, procedures to ensure the
ability to access data (both media and format readability) throughout the retention
period should be established to safeguard against loss due to future technological
change. Data storage systems should be chosen such that required data can be retrieved
in an acceptable timeframe and format, depending on the requirements to be fulfilled.
The system of storage and handling should ensure identification of records and of their
retention period as defined by national or regional legislation or regulations, if
applicable. This system should permit the appropriate destruction of records after that
period if they are not needed by the organization. To meet these record safeguarding
objectives, the following steps should be taken within an organization:
Other information
Some records may need to be securely retained to meet statutory, regulatory or
contractual requirements, as well as to support essential business activities. Examples
include records that may be required as evidence that an organization operates within
statutory or regulatory rules, to ensure defence against potential civil or criminal action
or to confirm the financial status of an organization to shareholders, external parties
and auditors. National law or regulation may set the time period and data content for
information retention.
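As an added example (not part of the original article or of any ISO text), the following Python sketch applies the records guidance above to a small constructed register: records are grouped by type with a retention period and allowable medium, records past their retention period and no longer needed are flagged for destruction, and each encrypted archive is checked to confirm its decryption key is retained at least as long as the records it protects. All record types, periods and dates are constructed for illustration.

```python
"""Retention-schedule checks over a small, constructed records register.
Record types, retention periods, media and dates are illustrative only."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class RecordType:
    name: str
    retention_years: int      # retention period for this record type
    media: str                # allowable storage medium, e.g. paper, optical
    encrypted: bool = False   # kept as an encrypted archive?
    key_retained_until: Optional[date] = None  # scheduled key destruction

@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: RecordType
    created: date
    hold: bool = False        # still needed by the organization: never destroy

def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(rec: Record) -> date:
    """Date until which the record must be kept (counted from creation)."""
    return add_years(rec.created, rec.record_type.retention_years)

def eligible_for_destruction(records, today: date):
    """IDs of records past their retention period that are not on hold."""
    return [r.record_id for r in records
            if not r.hold and retention_end(r) < today]

def key_coverage_gaps(records):
    """Encrypted records whose key is scheduled to go before retention ends."""
    gaps = []
    for r in records:
        rt = r.record_type
        if not rt.encrypted:
            continue
        end = retention_end(r)
        if rt.key_retained_until is None or rt.key_retained_until < end:
            gaps.append((r.record_id, end, rt.key_retained_until))
    return gaps

# Constructed register: three record types and five records.
ACCOUNTING = RecordType("accounting records", 7, "paper")
TX_LOG = RecordType("transaction logs", 3, "optical", True, date(2030, 1, 1))
AUDIT_LOG = RecordType("audit logs", 5, "magnetic", True, date(2026, 6, 30))
SAMPLE_RECORDS = [
    Record("R1", ACCOUNTING, date(2015, 3, 1)),
    Record("R2", TX_LOG, date(2022, 6, 1)),
    Record("R3", AUDIT_LOG, date(2023, 1, 10)),
    Record("R4", AUDIT_LOG, date(2018, 1, 10)),
    Record("R5", ACCOUNTING, date(2012, 2, 29), hold=True),  # on legal hold
]
TODAY = date(2024, 1, 15)  # constructed review date

if __name__ == "__main__":
    print(eligible_for_destruction(SAMPLE_RECORDS, TODAY))
    print(key_coverage_gaps(SAMPLE_RECORDS))
```

R3 shows the gap the guidance warns about: the audit-log archive must be kept until 2028 but its key is scheduled for destruction in 2026, so the record would become unreadable before its retention period ends.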
Control
Privacy and protection of personally identifiable information should be ensured as
required in relevant legislation and regulation where applicable.
Implementation guidance
An organization’s data policy for privacy and protection of personally identifiable
information should be developed and implemented. This policy should be communicated
to all persons involved in the processing of personally identifiable information.
Compliance with this policy and all relevant legislation and regulations concerning the
protection of the privacy of people and the protection of personally identifiable
information requires appropriate management structure and control. Often this is best
achieved by the appointment of a person responsible, such as a privacy officer, who
should provide guidance to managers, users and service providers on their individual
responsibilities and the specific procedures that should be followed. Responsibility for
handling personally identifiable information and ensuring awareness of the privacy
principles should be dealt with in accordance with relevant legislation and regulations.
Appropriate technical and organizational measures to protect personally identifiable
information should be implemented.
Other information
ISO/IEC 29100 provides a high-level framework for the protection of personally
identifiable information within information and communication technology systems. A
number of countries have introduced legislation placing controls on the collection,
processing and transmission of personally identifiable information (general
information on living individuals who can be identified from that information).
Depending on the respective national legislation, such controls may impose duties on
those collecting, processing and disseminating personally identifiable information, and
may also restrict the ability to transfer personally identifiable information to other
countries.
Control
Cryptographic controls should be used in compliance with all relevant agreements,
legislation and regulations.
Implementation guidance
The following items should be considered for compliance with the relevant agreements,
laws and regulations:
Legal advice should be sought to ensure compliance with relevant legislation and
regulations. Before encrypted information or cryptographic controls are moved across
jurisdictional borders, legal advice should also be taken.
Annex A.18.1 is about compliance with legal and contractual requirements. The objective
is to avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements. It’s an important part of the
information security management system (ISMS). The goal here is to help outline
effective practices for identifying compliance obligations, as well as the roles and
responsibilities, activities and controls needed to manage all of the organization’s legal,
contractual, and records management requirements.
A good control describes how all relevant legislative, statutory, regulatory and
contractual requirements, and the organization’s approach to meeting them, should be
explicitly identified, documented and kept up to date for each information system and for
the organization. Put in simple terms, the organization needs to ensure that it is keeping
up to date with, and documenting, the legislation and regulation that affect the
achievement of its business objectives and the outcomes of the ISMS. It is important that
the organization understands the legislation, regulation and contractual requirements
with which it must comply, and these should be centrally recorded in a register to allow
for ease of management and coordination. The identification of what is relevant will
largely depend on where the organization is located or operates, the nature of the
organization’s business, and the nature of the information handled within the
organization. Identifying the relevant legislation, regulation and contractual
requirements is likely to involve engagement with legal experts, regulatory bodies and
contract managers. This is an area that often catches organizations out, as there is
generally far more legislation and regulation affecting the organization than is first
considered. The auditor will be looking to see how the organization has identified and
recorded its legal, regulatory and contractual obligations, the responsibilities for
meeting those requirements, and any policies, procedures and other controls needed to
meet them. Additionally, they will look to see that this register is maintained on a
regular basis against any relevant change, especially changes in legislation in common
areas that they would expect any organization to be affected by. Legal requirements need
to be explicitly identified and recognized, with a plan in place for meeting the
applicable requirements. To meet this part of compliance, controls should be developed
which:
1. Identify the person or persons responsible for ascertaining the legal requirements.
Those requirements should then be placed against the other controls that exist in
some sort of matrix which shows the controls in place to meet the requirements. Each
state has breach laws, personal information protection laws, social security
protection laws, or other laws related to technology in use at the organization.
Each state must be taken as its own legal island, and an organization must know
whether any of the following affect or enhance its security efforts.
2. Identify the person or persons responsible for reviewing contracts to determine any
information security requirements, whether they are requirements of
the organization or requirements of the vendor. Those requirements should then be
placed against the other controls that exist in some sort of matrix which shows
the controls in place to meet the requirements.
Every contract that involves organizational data must be documented and any controls
specified in that contract must also be documented. It is crucial to know what your
contractual responsibilities are so that you can look at the physical and technical controls
you have in place and determine if they are adequate for the assumed contractual liability.
In instances where contracting parties have access to organizational data, you want to be
sure that you can audit the contractual controls and protections that the other party has
agreed to follow.
Intellectual Property (IP) rights are a dominant issue at any organization. Organizations
may have many different types of research and proprietary information that can be
protected via these rights. These rights are also attached to the different technologies that
the organization might buy or license from others (and the rights are then protected via
contract provisions). A good control describes how appropriate procedures ensure
compliance with legislative, regulatory and contractual requirements related to
intellectual property rights and the use of proprietary software products. Put into simple
terms, the organization should implement appropriate procedures which ensure it
complies with all its requirements, whether legislative, regulatory or contractual,
related to its use of software products or intellectual property rights. Policies, processes
and technical controls are likely to be needed for both of these aspects. Within asset
registers and acceptable use policies it is likely that IPR considerations will need to be
made; e.g. where an asset is or contains IPR, protection of that asset must take the IPR
aspect into account. Controls to ensure that only authorized and licensed software is in
use within the organization should include regular inspection and audit. The auditor will
want to see that registers of licenses owned by the organization for the use of others’
software and other assets are being kept and updated. Of particular interest to them will
be ensuring that, where licenses include a maximum number of users or installations, that
number is not exceeded and that user and installation numbers are audited periodically to
check compliance. The auditor will also be looking at how the organization protects its
own IPR, which might include data loss prevention controls, policies and awareness
programmes targeting user education, or non-disclosure and confidentiality agreements
that continue post-termination of employment. Appropriate controls to identify and
protect intellectual property include:
• An intellectual property rights compliance policy (which meets copyright policy
requirements of certain laws);
• Ensuring proper use of software and other technology licenses;
• Education and awareness on respecting IP rights;
• Keeping track of IP assets.
Protection of Records
A good control describes how records are protected from loss, destruction, falsification,
unauthorized access and unauthorized release, in accordance with legislative,
regulatory, contractual and business requirements. Different types of record will likely
require different levels and methods of protection. It is critical that records are adequately
and proportionately protected against loss, destruction, falsification, unauthorized access
or release. The protection of records must comply with any relevant legislation, regulation
or contractual obligations. It is especially important to understand how long records
must, should or could be kept for and what technical or physical issues might affect these
over time, bearing in mind that some legislation might trump others for retention and
protection. The auditor will be checking to see that considerations for the protection of
records have been made based on business requirements and legal, regulatory and
contractual obligations. Organizations must deal with the issues inherent in managing
organizational records and data, whether electronic or on paper. As part of the
compliance controls at every organization, important records, as well as records the
organization is legally obligated to retain, need to be protected from loss, destruction and
falsification. ISO has a separate standard, ISO 15489 “Information and Documentation —
Records Management.” This standard goes into greater detail about how an organization
recognizes the context in which records are created, received, used, stored and destroyed
as an implicit part of the data governance process. This “records management” function
may be placed anywhere in an organization, and sometimes it is part of an organization’s IT
structure. Regardless, records management has components of compliance that are
unavoidable. The organization’s policies and guidelines on retention, storage, handling and
disposal of records should be reviewed. Oftentimes this will require a security control to
ensure that these policies and guidelines are carried out properly. (Refer to the Records
Retention and Disposition Toolkit for additional information and templates.) Policies
that protect records from loss, destruction or falsification.
To ensure that information security is implemented and operated in accordance with the
organizational policies and procedures.
Control
The organization’s approach to managing information security and its implementation
(i.e. control objectives, controls, policies, processes and procedures for information
security) should be reviewed independently at planned intervals or when significant
changes occur.
Implementation guidance
Control
Managers should regularly review the compliance of information processing and
procedures within their area of responsibility with the appropriate security policies,
standards and any other security requirements.
Implementation guidance
Results of reviews and corrective actions carried out by managers should be recorded
and these records should be maintained. Managers should report the results to the
persons carrying out independent reviews when an independent review takes place in
the area of their responsibility.
Control
Implementation guidance
Other information
Technical compliance reviews involve the examination of operational systems to ensure
that hardware and software controls have been correctly implemented. This type of
compliance review requires specialist technical expertise. Compliance reviews also
cover, for example, penetration testing and vulnerability assessments, which might be
carried out by independent experts specifically contracted for this purpose. This can be
useful in detecting vulnerabilities in the system and for inspecting how effective the
controls are in preventing unauthorized access due to these vulnerabilities. Penetration
testing and vulnerability assessments provide a snapshot of a system in a specific state
at a specific time. The snapshot is limited to those portions of the system actually tested
during the penetration attempt(s). Penetration testing and vulnerability assessments
are not a substitute for risk assessment.
longer be considered fully compliant by the PCI SSC, and if reviews aren’t conducted on a
recurring basis this could result in non-compliance with PCI DSS requirements. It is good
to get an independent review of security risks and controls to ensure impartiality and
objectivity, as well as to benefit from fresh eyes. That doesn’t mean it has to be external;
it is enough to benefit from another colleague reviewing policies in addition to the main
author/administrator. These reviews should be carried out at planned, regular intervals
and when any significant, security-relevant changes occur; ISO interprets regular to be
at least annually. The auditor will be looking for both regular independent security reviews
and reviews when significant changes occur, and will want confidence that there is a plan
for regular reviews. They will also require evidence that reviews have been carried out and
that any issues or improvements identified in the reviews are appropriately managed.
see that there is evidence of how improvements are made over time to ensure an
improvement in compliance levels, or maintenance if compliance is already at 100%. This
dovetails into the main requirements of ISO 27001 clauses 9 and 10 around internal audits,
management reviews, improvements and non-conformities too. Staff awareness and
engagement in line with A.7.2.2 is also important to tie into this part for compliance
confidence.