InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Increased Regulatory Complexity: With GDPR, CCPA, HIPAA, and emerging regulations like DORA (EU) and the EU AI Act, businesses are seeking specialized compliance partners.
SME Cybersecurity Prioritization: Mid-sized businesses are investing in vCISO services to bridge expertise gaps without hiring full-time CISOs.
Rise of Cyber Insurance: Insurers are demanding evidence of strong compliance postures, increasing demand for third-party audits and vCISO engagements.
Growth Projections
The vCISO market is expected to grow at 17–20% CAGR through 2028.
Compliance automation tools, AI-based process orchestration, and advisory services are growing due to demand for cost-effective solutions.
2. Competitor Landscape
Direct Competitors
Virtual CISO Services by Cynomi, Fractional CISO, and SideChannel
Offer standardized packages, onboarding frameworks, and clear SLA-based services.
Differentiate through cost, specialization (e.g., healthcare, fintech), and automation integration.
Indirect Competitors
MSSPs and GRC Platforms like Arctic Wolf, Drata, Vanta
Provide automated compliance dashboards, sometimes bundled with consulting.
Threat: Position as “compliance-as-a-service,” reducing perceived need for vCISO.
3. Differentiation Levers
What Works in the Market
Vertical Specialization: Deep focus on industries like legal, SaaS, fintech, or healthcare adds credibility.
Thought Leadership: Regular LinkedIn posts, webinars, and compliance guides elevate visibility and trust.
Compliance-as-a-Path-to-Growth: Reframing compliance as a revenue enabler (e.g., “SOC 2 = more enterprise clients”) resonates well.
Emerging Niches
vDPO (Virtual Data Protection Officer) in the EU market.
Posture Maturity Consulting for startups seeking Series A or B funding.
Third-Party Risk Management-as-a-Service as vendor scrutiny rises.
4. SWOT Analysis
Strengths
Deep expertise in InfoSec & compliance
Custom vCISO engagements
Weaknesses
May lack scalability without automation
High-touch model limits price elasticity
Opportunities
Demand surge in SMBs & startups
Cross-border compliance needs (e.g., UK GDPR + US laws)
Threats
Commoditization by automated GRC tools
ISO 27001 is an internationally recognized standard for establishing an Information Security Management System (ISMS) that protects an organization’s information assets. The standard lays out a structured, systematic approach to information security: it explicitly defines requirements that cover people, processes, and technology, and it is built on a risk-based management process. In other words, ISO 27001 requires an organization to identify its critical data and assets, assess the risks to them, and implement controls to mitigate those risks. As the AuditBoard blog explains, ISO 27001 “provid[es] a systematic approach to managing sensitive company information, and ensuring its confidentiality, integrity, and availability,” and “employ[s] a risk-based management process”. By achieving ISO 27001 certification, a company demonstrates its commitment to security best practices and gains “improved risk management” capabilities. In practice, this means ISO 27001 embeds risk reduction into the company’s daily operations: the organization is continually considering where its vulnerabilities lie and how to address them. This alignment of policy and process with identified risks helps prevent incidents that could lead to breaches or financial losses (outcomes the blog warns are costly for non-compliant companies).
A core principle of ISO 27001 is systematic risk assessment. The standard mandates that organizations catalog information assets and regularly evaluate threats and vulnerabilities to those assets. This formal risk assessment process – often codified as a risk register – forces management to confront what could go wrong, estimate the likelihood and impact of each threat, and then select controls to lower that risk. The AuditBoard article highlights that effective compliance “starts with a deep understanding of your organization’s unique risk profile” through “comprehensive risk assessments that identify, analyze, and prioritize potential security threats and vulnerabilities”. By building this into the ISMS, ISO 27001 ensures that controls are not applied haphazardly but are directly tied to the organization’s actual threat landscape. In short, ISO 27001’s risk-based approach means the organization is proactively scanning for problems, rather than only reacting after a breach occurs. This systematic identification and treatment of risks measurably lowers the chance that a threat will go unnoticed and turn into a serious incident.
Another key principle of ISO 27001 is continual improvement of the security program. ISO 27001 is inherently iterative: it follows the Plan–Do–Check–Act cycle, which requires the organization to plan security controls, implement them, monitor and review their effectiveness, and act on the findings to improve. In practice, this means an ISO 27001–certified organization must regularly review and update its security policies and controls to keep pace with new threats. The AuditBoard blog emphasizes this proactive stance: it notes that maintaining compliance “encourages businesses to regularly review and update their security policies, practices, and systems,” allowing the organization to adapt to evolving threats and maintain “long-term resilience”. Furthermore, ISO 27001 requires ongoing monitoring and measurement of the ISMS. Automated monitoring tools, for example, can detect anomalies or intrusions in real time. The blog underlines that such continuous monitoring “strengthens an organization’s security posture” by enabling a quick response to new risks. By continuously detecting issues and feeding back lessons learned, an ISO 27001 ISMS avoids stagnation: it evolves as the threat landscape evolves. This dedication to continual assessment and enhancement means that security controls are always improving, which keeps residual risk as low as possible over time.
ISO 27001 also enforces organizational accountability for security. It requires that top management be directly involved in the ISMS: leaders must establish a clear security policy, assign roles and responsibilities, and ensure adequate resources are available for security. Every risk and control must have an owner. The AuditBoard article reinforces this by stressing the importance of a cross-functional security team and collaboration among IT, legal, HR, and business units. In an ISO 27001 context, this means everyone from the CISO to line managers shares responsibility for protecting data. Accountability is further ensured through documentation: ISO 27001 demands thorough records of all security processes. The blog points out that maintaining “comprehensive records of risk assessments, security controls, training activities, and incident response efforts” provides clear evidence of compliance and highlights where improvements are needed. This audit trail makes the organization’s security posture transparent to auditors and stakeholders. In effect, ISO 27001 turns vague good intentions into concrete, assigned tasks and documented procedures, so that it is always possible to trace who did what, and to hold the organization accountable for gaps or successes alike.
By combining these elements – structured risk analysis, continuous improvement, and built-in accountability – ISO 27001 compliance significantly reduces overall organizational risk. The AuditBoard blog summarizes the core idea of compliance in cybersecurity as a security framework that can withstand emerging threats, noting that adherence to standards “ensures that organizations protect their data and build trust by demonstrating their commitment to information security”. In practical terms, this means a company with an ISO 27001 ISMS is far better equipped to prevent the “significant consequences” of non-compliance – such as data breaches, financial losses, and reputational damage. By embedding a risk-based approach into daily routines and maintaining a culture of vigilance and responsibility, ISO 27001 helps an organization identify issues early and handle them before they become disasters. Ultimately, this strong, systematic compliance posture not only shields sensitive information, but also saves the company from costly incidents – improving its bottom line and competitive standing (as noted, certification can confer a competitive edge and “improved risk management”). In summary, ISO 27001 reduces risk by making effective information security practices a formal, organization-wide process that is continuously managed and improved.
Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.
At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001 and SOC 2.
Here’s how we help:
Conduct gap assessments to identify compliance challenges and control maturity
Deliver straightforward, practical steps for remediation with assigned responsibility
Ensure ongoing guidance to support continued compliance with the standard
Confirm your security posture through risk assessments and penetration testing
Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.
Feel free to get in touch if you have any questions about the ISO 27001 internal audit or certification process.
Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.
Get in touch with us to begin your ISO 27001 audit today.
Breakdown of how AI is revolutionizing ISO 27001 compliance, along with practical solutions:
1. AI-Powered Risk Assessments
Challenge: Traditional risk assessments are time-consuming, subjective, and prone to human bias.
Solution: AI can analyze vast datasets to identify risks, suggest mitigations, and continuously update risk profiles based on real-time threat intelligence. Machine learning models can predict potential vulnerabilities and compliance gaps before they become critical.
2. Automated Documentation & Evidence Collection
Challenge: ISO 27001 requires extensive documentation, which can be tedious and error-prone.
Solution: AI-driven tools can auto-generate policies, track changes, and map security controls to compliance requirements. Natural Language Processing (NLP) can extract key insights from audit logs and generate compliance reports instantly.
3. Continuous Compliance Monitoring
Challenge: Organizations struggle with maintaining compliance over time due to evolving threats and regulatory updates.
Solution: AI can continuously monitor systems, detect deviations from compliance requirements, and provide real-time alerts. Predictive analytics can help organizations stay ahead of regulatory changes and proactively address security gaps.
4. Streamlined Internal & External Audits
Challenge: Audits are resource-intensive and often disruptive to business operations.
Solution: AI can automate evidence collection, cross-check controls against ISO 27001 requirements, and provide auditors with a structured compliance report, reducing audit fatigue.
5. AI-Driven Security Awareness & Training
Challenge: Employee awareness remains a weak link in compliance efforts.
Solution: AI can personalize training programs based on employees’ roles and risk levels. Chatbots and virtual assistants can provide real-time guidance on security best practices.
The AI-Driven ISO 27001 Compliance Solution You’re Building
Your AI-driven compliance solution can integrate these capabilities into a single platform that:
✅ Assesses & prioritizes risks automatically
✅ Generates and maintains ISO 27001 documentation effortlessly
✅ Monitors compliance continuously with real-time alerts
✅ Simplifies audits with automated evidence collection
✅ Enhances security awareness with adaptive training
Would love to hear more about your approach! Are you focusing on a specific industry, or building a general-purpose compliance solution/tool? Let’s explore how AI can revolutionize compliance strategies!
AI-Powered Risk Assessments which can help with ISO 27001 compliance
ISMS Policy Generator’s AI-Assisted Risk Assessment: This tool offers a conversational AI interface to guide users through identifying and evaluating information security risks, providing step-by-step assistance tailored to an organization’s specific needs.
ISO 27001 Copilot: An AI-powered assistant that streamlines risk assessment, document preparation, and ISMS management, making the compliance process more efficient.
Kimova AI’s TurboAudit: Provides AI-driven solutions for ISO 27001 compliance, including intelligent tools for risk assessment, policy management, and certification readiness, facilitating continuous auditing and real-time compliance monitoring.
Secusy’s ISO 27001 Compliance Tool: Offers comprehensive modules that simplify risk assessment and management by providing clear frameworks and tools to identify, evaluate, and mitigate information security risks effectively.
Synax Technologies’ AI-Powered ISO 27001 Solution: Provides tools and methodologies to identify, assess, and manage potential information security risks, ensuring appropriate controls are in place to protect businesses from threats and vulnerabilities.
These AI-driven tools aim to automate and enhance various aspects of the ISO 27001 compliance process, making risk assessments more efficient and effective.
A roadmap to implement ISO 27001:2022. Here’s a high-level, step-by-step approach based on our experience with these projects. Keep in mind that while this is a general guide, the best approach is always tailored to your specific situation.
Understand the Context and Business Objectives: Start by understanding your organization’s broader business context, objectives, and the specific pressures and opportunities related to information security. This foundational step ensures that the ISMS will align with your organization’s strategic goals.
Engage Management and Secure Support: Once you have a clear understanding of the business context, engage with top management to secure their support. It’s crucial to present the implications, benefits, and requirements of implementing an ISMS to get their buy-in.
Buy the Official ISO/IEC 27001:2022 Document: Make sure you have the official standard document. This is essential for guiding your implementation process.
Define the Scope of the ISMS: Determine the scope of your ISMS, taking into account your organization’s needs and requirements. Decide whether to include the entire organization or specific parts of it.
Establish Leadership and Commitment: Appoint a dedicated team or individual responsible for the ISMS. Top management’s commitment is crucial, and they should provide the necessary resources and support.
Conduct a Risk Assessment: Identify, analyze, and evaluate information security risks. This involves understanding your assets, threats, vulnerabilities, and the potential impact of security incidents.
Develop a Risk Treatment Plan: Based on the risk assessment, decide how to treat the identified risks. Options include accepting, avoiding, transferring, or mitigating risks.
Implement Security Controls: Implement the controls you’ve selected in your risk treatment plan. These controls are detailed in Annex A of ISO 27001:2022 and further elaborated in ISO 27002:2022.
Create Necessary Documentation: Develop the required documentation, including the information security policy, statement of applicability, risk assessment and treatment reports, and procedures.
Implement Training and Awareness Programs: Ensure that all relevant staff are aware of their information security responsibilities and are trained accordingly.
Operate the ISMS: Put the ISMS into operation, ensuring that all procedures and controls are followed.
Monitor and Review the ISMS: Regularly monitor the performance of the ISMS, conduct internal audits, and hold management reviews to ensure its effectiveness.
Conduct Internal Audits: Perform regular internal audits to check compliance with the standard and identify areas for improvement.
Undergo Certification Audit: Once you’re confident that your ISMS meets the requirements, engage a certification body to conduct an external audit for ISO 27001:2022 certification.
Continual Improvement: Continuously improve the ISMS by addressing audit findings, implementing corrective actions, and adapting to changes in the business environment and threat landscape.
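The risk register that the risk-based principle described earlier relies on (catalog assets, estimate likelihood and impact, assign an owner, select controls) and the roadmap steps Conduct a Risk Assessment, Develop a Risk Treatment Plan, Implement Security Controls and Create Necessary Documentation can be kept in a simple structured form. The Python below is an added example written for this page, not DISC’s tooling and not anything defined by the standard itself: the 1 to 5 qualitative scales, the appetite threshold of 8, the sample risks and the controls are all constructed, and the Annex A references are illustrative and should be checked against the purchased standard.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

# Assumptions for this example: qualitative 1-5 scales for likelihood and impact,
# and an appetite threshold above which a risk still needs treatment.
# ISO 27001 leaves the scoring method to the organisation.
RISK_APPETITE = 8


class Treatment(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"        # stop the activity; the risk no longer exists
    TRANSFER = "transfer"  # e.g. insurance or outsourcing, recorded as a control
    MITIGATE = "mitigate"  # apply controls


@dataclass
class Control:
    ref: str                       # Annex A style reference (illustrative)
    name: str
    likelihood_reduction: int = 0  # scale points removed from likelihood
    impact_reduction: int = 0      # scale points removed from impact
    owner: str = ""                # every control needs an accountable owner


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    owner: str        # every risk needs an accountable owner
    treatment: Treatment = Treatment.MITIGATE
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after treatment: controls lower likelihood or impact, floor 1."""
        if self.treatment == Treatment.AVOID:
            return 0
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def validate(register: List[Risk]) -> List[str]:
    """Accountability checks: owners everywhere, and every treatment decision
    backed by controls or by an acceptance that stays within appetite."""
    findings: List[str] = []
    seen_controls = set()
    for r in register:
        if not r.owner:
            findings.append(f"{r.risk_id}: no risk owner assigned")
        if r.treatment in (Treatment.MITIGATE, Treatment.TRANSFER) and not r.controls:
            findings.append(f"{r.risk_id}: treatment is {r.treatment.value} but no controls selected")
        if r.treatment == Treatment.ACCEPT and r.residual_score() > RISK_APPETITE:
            findings.append(f"{r.risk_id}: accepted score {r.residual_score()} exceeds appetite {RISK_APPETITE}")
        for c in r.controls:
            if c.ref not in seen_controls and not c.owner:
                findings.append(f"{c.ref}: no control owner assigned")
            seen_controls.add(c.ref)
    return findings


def treatment_plan(register: List[Risk]) -> List[str]:
    """Risks still above appetite after treatment, highest residual score first."""
    open_risks = [r for r in register if r.residual_score() > RISK_APPETITE]
    return [r.risk_id for r in sorted(open_risks, key=lambda r: r.residual_score(), reverse=True)]


def statement_of_applicability(register: List[Risk]) -> Dict[str, List[str]]:
    """Each selected control with the risks that justify it."""
    soa: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            soa.setdefault(c.ref, []).append(r.risk_id)
    return {ref: sorted(ids) for ref, ids in soa.items()}


def build_sample_register() -> List[Risk]:
    # Constructed sample data; control references are illustrative only.
    mfa = Control("A.8.5", "Secure authentication (MFA on admin accounts)", likelihood_reduction=2, owner="IT Ops")
    disk_crypto = Control("A.8.24", "Use of cryptography (full-disk encryption)", impact_reduction=3, owner="IT Ops")
    return [
        Risk("R-01", "Customer database", "Credential theft", "No MFA on admin accounts", 4, 5, "Head of IT", controls=[mfa]),
        Risk("R-02", "Staff laptops", "Loss or theft", "Unencrypted disks", 3, 4, "Head of IT", controls=[disk_crypto]),
        Risk("R-03", "Legacy FTP server", "Exploitation of unpatched software", "Unsupported OS", 5, 3, "CTO", treatment=Treatment.AVOID),
        Risk("R-04", "Marketing website", "Denial of service", "Single hosting provider", 3, 2, "Marketing Director", treatment=Treatment.ACCEPT),
        Risk("R-05", "Payroll data", "Phishing leading to malware", "No awareness training", 4, 4, ""),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in register:
        print(f"{r.risk_id} {r.asset:<18} inherent={r.inherent_score():>2} residual={r.residual_score():>2} {r.treatment.value}")
    print("findings:", validate(register))
    print("treatment plan:", treatment_plan(register))
    print("statement of applicability:", statement_of_applicability(register))
```

Running it shows the two things the register is for: R-05 fails validation (no owner, “mitigate” with nothing selected) and the treatment plan lists R-05 and R-01 because their residual scores still exceed appetite, while the statement of applicability ties each selected control back to the risk that justifies it.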
AI is revolutionizing audit, risk, and compliance by streamlining processes through automation. Tasks like data collection, control testing, and risk assessments, which were once time-consuming, are now being done faster and with more precision. This allows teams to focus on more critical strategic decisions.
In auditing, AI identifies anomalies and uncovers patterns in real time, enhancing both the depth and accuracy of audits. AI’s ability to process large datasets also helps maintain compliance with evolving regulations like the EU’s AI Act, while mitigating human error.
Beyond audits, AI supports risk management by providing dynamic insights that adapt to changing threat landscapes. This enables continuous risk monitoring rather than periodic reviews, making organizations more responsive to emerging risks, including cybersecurity threats.
AI also plays a crucial role in bridging the gap between cybersecurity, compliance, and ESG (Environmental, Social, Governance) goals. It integrates these areas into a single strategy, allowing businesses to track and manage risks while aligning with sustainability initiatives and regulatory requirements.
Maintaining a list of assets, their business criticality, and who/where they are is the first step to establishing control over your environment. To do this, start with these steps:
Identify the systems, data, and people assets that you need to protect.
Identify the threats to those assets, and prioritize them.
Identify what you want to do to protect your priority assets from their most significant threats.
2. Identify the activities you need to complete
It is important to establish a list of security activities and the cadence at which they need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need to be done quarterly or even monthly. For example, you may only need an annual penetration test, but how often do you need to run internal vulnerability scans? Establishing the list of compliance management activities you need to complete, and when they need to be completed, is a great starting point for your 2024 compliance program.
DISC llc provides you with a full list of Information Security activities (GRC) required to achieve a successful data security program. This list includes activities such as:
Review policies and procedures (including Acceptable Use Policy)
Complete a risk assessment – this should be done annually
Review security training – to ensure new employees, as well as current employees, are up to date on all their training
Test and update your Business Continuity Plan – this should be done on an annual basis to account for any new situations that may occur
Review regulatory and legal compliance requirements – especially important for organizations that need to consider regulations such as ISO 27001:2022, SOC2, GDPR, CPRA, etc.
Conduct an inventory of your data assets – data assets change over the year so it is important this document is updated regularly.
3. Assign the right people and resources (RACI Matrix)
It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.
4. Schedule all your meetings and tasks for the year (Audit/Assessment planning)
It might seem a little early to schedule a meeting in July but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.
If it is not documented then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice. Make sure all the required policies are approved and reviewed on a regular basis.
6. Plan ahead to future-proof your security program
Identify the frameworks you may want to tackle down the road and use a helpful platform that will crosswalk to get it done. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs. DISC llc performs Security Risk Assessments based on diverse standards and regulations, aligning them with the standard of your preference.
To learn more about compliance management you should seek expert advice from serious security professionals like the DISC Professional Services team.
Does anyone think the chances of surviving a plane crash increase if our tray tables are locked and our carry-on bags are completely stowed under our seats? That we’ll be OK if the plane hits a mountain if we have our seat belts buckled securely across our waists? Not even the flight attendants, who will be responsible for throwing us off the plane if we don’t comply, really believe those rituals make us safer. And yet, we check the box every flight because a government agency said we can’t fly unless we do so...
I’m starting to wonder if the obsession with checking boxes in cybersecurity might be akin to securing our tray tables before take-off. We do as we’re told, check all the boxes, pat ourselves on the back, and in the process, distract ourselves from our ultimate goal: stopping the bad actors and protecting our data.
I started to think about this somewhat disconcerting cybersecurity community reality when scanning the titles of some of the attendees at a recent regional cybersecurity conference. I was surprised by the frequency of titles that combined security with compliance. To wit: Manager Information Security and Compliance, Manager, Security and Compliance Advisory, Senior Manager Internal Controls and Compliance, Sr. Manager – IT Security & Compliance (among others). To add to this: countless “auditor” titles – roles designed specifically to assure fealty to various standards requirements.
Nearly all enterprise breaches originate in one of three ways, and all cybersecurity professionals know this:
An unpatched vulnerability
Credential theft
Installation of malicious software (typically via phishing)
So, let’s try an experiment. Ask a CISO or experienced cybersecurity expert how they would defend their organization against these three breach types if:
1. They could completely ignore standards and compliance, and they’d be given no credit for any level of compliance (and there would be no ramifications for non-compliance)
2. They could re-deploy every dollar of budget allotted to standards compliance and auditing any way they liked
3. Their single objective was to win the game (stop the bad actors, and minimize their organization’s risk of a compromise)
How many would determine that the best use of their resources would be to attain or retain compliance with a cybersecurity standard? And how many would deploy those compliance and auditing resources to patch more vulnerabilities, invest in additional cybersecurity expertise, tools to identify and reduce their external threat footprint, and myriad other effective measures to genuinely reduce their organization’s cyber risk?
It’s not as if dedication to compliance is any more of a guarantee against a breach than any other technology, strategy or prayer. Here are a few examples of compliant companies that have suffered high profile breaches (thanks to ChatGPT for saving me the hours of research otherwise required to build this list):
Equifax (PCI and NIST CSF)
Target (PCI)
Marriott (PCI)
Anthem (HIPAA)
Premera Blue Cross (HIPAA)
CareFirst BCBS (HIPAA)
SolarWinds (NIST CSF)
This is, of course, not an exhaustive list. Show me a large enterprise that was breached and I’ll show you a large enterprise adhering to multiple compliance standards.
So, why do we continue to be obsessed with cybersecurity compliance, standards, frameworks, etc.? The obvious reason is that organizations can be fined for non-compliance.
And yet, there’s been little effort among cybersecurity experts to challenge regulatory agencies. Indeed, many enthusiastically embrace compliance and congratulate themselves and their teams for achieving it. And, of course, no one loves compliance standards more than vendors, just like every barber in the world would celebrate a new law requiring everyone to get a haircut weekly.
The less obvious reason for our community’s love for compliance is that it covers behinds. “Yes, we were breached, but we did everything we were supposed to do, so don’t blame us.” Coaches in every sport will identify that as a loser’s attitude. Champions know there’s no checkbox formula for winning, and there’s no excuse for losing, especially “we did everything we were supposed to and still lost.” It’s cliché, but the best teams and athletes “just know how to win.”
Am I suggesting we abandon frameworks and compliance? Not immediately, and not without serious debate and analysis. But there is a case to be made that the compliance-centric philosophy governing cybersecurity decision-making today simply isn’t working, and we in cybersecurity are the living embodiment of (not) Einstein’s definition of insanity: doing the same thing over and over and expecting a different result.
Cybersecurity spending continues to increase and yet breach incidents are increasing as well. It shouldn’t be sacrilegious to propose that we consider changing our foundational philosophy from checking boxes on a compliance audit form to doing whatever makes sense to defend our organizations, and win.
How are companies’ legal departments changing to meet the needs of their organization and the needs arising from worldwide changes?
Organizations face much more regulatory compliance and privacy scrutiny than ever before, and everyone is under a constant threat of cyber breach or attack. Legal plays a critical role in ensuring that all compliance obligations are met, and overall risk to the organization is mitigated.
I firmly believe a new strategy is required to deal with these new converging market forces, one that is rooted in data management. What we’ve observed over the past couple of years is that how you treat data is key to addressing so many of the concerns facing your organization. How an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value. All of these greater trends have combined to create new business challenges that no longer can be addressed by a single organizational department.
Let me give you an example:
Let’s say your company receives a California Consumer Privacy Act data access request.
First, you must securely validate the requestor’s identity. Then, you must route the request appropriately and act on it promptly. The person or group responsible for the data must locate it, collect it, review it, possibly redact information and then securely deliver this information to the requestor.
You can see how this request quickly crosses conventional divisions and responsibilities—it’s not just someone in your Privacy department’s responsibility – she will need to work with someone with expertise in e-discovery. And, if that user submits a request for data deletion, things get even more complex, because before deleting anything, you must first confirm that the information can legally be deleted (as it can be subject to retention requirements imposed by regulatory compliance obligations or a legal hold).
In this demanding environment, traditional approaches to enterprise data inventory and management are inadequate.
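The access and deletion flow just described, as an added example written for this page (not the interviewee’s process or any vendor’s product): the requester proves identity with a one-time code compared in constant time, the request is routed to the accountable owner of each system holding the subject’s data, review redacts fields that are never returned verbatim, and a deletion is refused per record wherever a legal hold or a retention obligation applies, with the reason recorded. The systems, owners, retention period, redaction fields and the one-time-code mechanism are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Fields reviewed and redacted before anything is returned to a requester.
# Which fields qualify is an assumption for this example.
REDACT_FIELDS = {"ssn", "internal_notes"}


@dataclass
class Record:
    system: str                          # where the data lives
    owner: str                           # team accountable for that system
    subject_id: str                      # whose data it is
    content: Dict[str, str]
    created: date
    retention_days: Optional[int] = None # regulatory minimum retention, if any
    legal_hold: bool = False


@dataclass
class Requester:
    subject_id: str
    expected_token: str  # one-time code sent to the requester out of band (constructed)


def verify_identity(req: Requester, presented_token: str) -> bool:
    """Constant-time comparison: a wrong code is not distinguishable by timing."""
    return hmac.compare_digest(req.expected_token.encode(), presented_token.encode())


def route_request(records: List[Record], subject_id: str) -> Dict[str, List[Record]]:
    """Route the request to each accountable owner holding the subject's data."""
    routed: Dict[str, List[Record]] = {}
    for r in records:
        if r.subject_id == subject_id:
            routed.setdefault(r.owner, []).append(r)
    return routed


def handle_access_request(req: Requester, token: str, records: List[Record]) -> List[dict]:
    """Locate, collect, review/redact and return the subject's data per system."""
    if not verify_identity(req, token):
        raise PermissionError("requester identity could not be verified")
    disclosed = []
    for owner, owned in route_request(records, req.subject_id).items():
        for r in owned:
            reviewed = {k: ("[REDACTED]" if k in REDACT_FIELDS else v) for k, v in r.content.items()}
            disclosed.append({"system": r.system, "owner": owner, "data": reviewed})
    return disclosed


def handle_deletion_request(req: Requester, token: str, records: List[Record], today: date) -> Dict[str, str]:
    """Delete only where legally possible; return per-system outcome with reasons."""
    if not verify_identity(req, token):
        raise PermissionError("requester identity could not be verified")
    outcome: Dict[str, str] = {}
    for owned in route_request(records, req.subject_id).values():
        for r in owned:
            if r.legal_hold:
                outcome[r.system] = "retained: legal hold"
                continue
            if r.retention_days is not None:
                keep_until = r.created + timedelta(days=r.retention_days)
                if today < keep_until:
                    outcome[r.system] = f"retained: regulatory retention until {keep_until.isoformat()}"
                    continue
            records.remove(r)  # route_request returned new lists, so this is safe
            outcome[r.system] = "deleted"
    return outcome


def sample_records() -> List[Record]:
    # Constructed sample data: one subject held in three systems, plus a bystander.
    return [
        Record("CRM", "Sales Ops", "cust-42", {"name": "A. Example", "email": "a@example.com", "internal_notes": "prefers phone"}, date(2023, 3, 1)),
        Record("Billing", "Finance", "cust-42", {"invoice": "INV-1001", "amount": "120.00"}, date(2024, 1, 15), retention_days=7 * 365),
        Record("Support", "Customer Support", "cust-42", {"ticket": "T-77", "ssn": "000-00-0000"}, date(2024, 5, 2), legal_hold=True),
        Record("CRM", "Sales Ops", "cust-43", {"name": "B. Other", "email": "b@example.com"}, date(2023, 6, 1)),
    ]


if __name__ == "__main__":
    records = sample_records()
    req = Requester("cust-42", "483920")
    print(handle_access_request(req, "483920", records))
    print(handle_deletion_request(req, "483920", records, date(2025, 6, 1)))
```

The deletion result is the part worth keeping as evidence: the CRM record is deleted, the billing record is kept under its retention period, and the support ticket is kept under legal hold, each with the reason the requester and the privacy team can later point to.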
To help put this process into perspective, we like to ask six simple questions:
1. Do you know where your data is?
2. Do you know who owns your data?
3. Do you know what regulations govern your data?
4. Do you know what third parties have access to your data?
5. Can you forensically prove data integrity throughout all the processes that use your data?
6. Can you easily and quickly respond to requests for your data?
This tool enables you to identify your organization’s CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.
The CyberSecurity Framework Ver 1.1 Preso
NIST CSF 1.1 presentation (PDF): https://blog.deurainfosec.com/wp-content/uploads/2019/09/NIST-CSF-1.1-preso.pdf
As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.
The key elements of data mapping
To effectively map your data, you need to understand the information flow, describe it and identify its key elements.
1. Understand the information flow
An information flow is a transfer of information from one location to another, for example:
From inside to outside the European Union; or
From suppliers and sub-suppliers through to customers.
2. Describe the information flow
Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
Make sure the people who will be using the information are consulted on the practical implications.
Consider the potential future uses of the information collected, even if it is not immediately necessary.
3. Identify its key elements
Data items
What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?
Formats
In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?
Transfer method
How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?
Location
What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
Accountability
Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.
Access
Who has access to the data in question?
The key challenges of data mapping
Identifying personal data
Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
Identifying appropriate technical and organisational safeguards
The second challenge is likely to be identifying the appropriate technology, and the policy and procedures for its use, to protect information while also determining who controls access to it.
Understanding legal and regulatory obligations
Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.
Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.
Data flow mapping
To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.
Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:
A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
Direction and guidance from expert GDPR practitioners.
Includes two licenses for the GDPR Staff Awareness E-learning Course.
The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.
Who needs to comply with the GDPR?
The GDPR will apply to all organizations outside of the EU that process the personal data of EU residents.
Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million ($23.5 million), whichever is greater.
Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.
What do US organizations need to do to comply with the GDPR?
The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.
For US organizations, the most significant change concerns the territorial reach of the GDPR.
The GDPR will supersede the current EU Data Protection Directive. Under the current Regulation, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: How to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance.
Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State.
Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield
August’s book of the month is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU–US Privacy Shield.
Following the release late last month of the Base Process Library, the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched
/EIN Presswire/ — Following the release late last month of the Base Process Library (http://www.itgovernance.co.uk/products/3460), the Kick Start Guide, the essential guide for all organisations pursuing TickITplus certification, has been launched. The guide can be purchased at www.itgovernance.co.uk/products/3469 in PDF format or as a hard copy.
The guide will provide organisations that need to achieve compliance with the TickITplus scheme with information about identifying and selecting the scope of certification and developing in-house resources. It contains guidance on identifying processes, mapping them to TickITplus processes and establishing the assessment strategy. The TickITplus Kick Start Guide also offers advice on preparing for, participating in and following up an assessment.
TickITplus (www.tickitplus.org) is the successor to TickIT and provides improved process modelling to facilitate more efficient business and quality systems planning and improvement. TickITplus gives entry-level access to capability grading for small IT organisations and offers significant cost savings for those already pursuing both ISO 9001 and capability maturity measurements.
As an introductory guide, the TickITplus Kick Start Guide concentrates specifically on achieving the Foundation level of the scheme, either through initial entry or transition from the existing TickIT scheme.
In today’s economy, protecting information assets is essential to an organization’s existence. After a major incident or security breach, it is unthinkable to claim that it will not affect your bottom line. Most organizations have to comply with various standards and regulations, and a breach suffered while in a state of non-compliance will be a business-limiting factor: the organization may be liable for contractual penalties and lose potential business from current and future customers.
An Information Security Management System (ISMS) is therefore defined as the ongoing protection of information from various threats and risks. Mitigating information security risks is becoming a critical corporate discipline alongside other business functions such as HR, IT and accounting.
Mitigating business risks not only improves business efficiency but also maximizes return on investment and business opportunities.
It is a mistake to assume that information security is solely a technical problem to be left for IT to solve. The title below is a non-technical discussion of security information management. It offers a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.
Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)
A Wall Street Journal/Harris poll revealed that two thirds of investors express doubts in the ability of corporate boards of directors to provide effective oversight. In the shadow of recent global scandals involving businesses such as Parmalat and WorldCom, Manager’s Guide to Compliance: Best Practices and Case Studies is essential reading for you, whether your organization is a major corporation or a small business.
This timely handbook places U.S. and global regulatory information, as well as critical compliance guidance, in an easy-to-access format and helps you make sense of all the complex issues connected with fraud and compliance.
‘Wide perspectives and best practices combined deliver a punch that will knock your “SOX” off! The author has blended together a critical mix necessary for effectively handling the requirements of SOX.’ Rob Nance, Publisher, AccountingWEB, Inc.
‘Robust compliance and corporate governance is an absolute necessity in today’s business environment. This new book by Anthony Tarantino is an authoritative guide to understanding and implementing compliance and regulatory requirements in the United States and around the world. From SOX to COSO to ERM, this book covers them all.’ Martin T. Biegelman, Certified Fraud Examiner, Fellow and Regent Emeritus of the Association of Certified Fraud Examiners, and coauthor of Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance
‘If compliance wasn’t difficult enough, now companies are faced with a barrage of technology vendors claiming to automate compliance as if it were a project. In his new book, Dr. Tarantino paints the reality of the situation: companies need to embrace the broader tenets of governance and use technology to embed governance policies and controls into their daily business processes. Only then can they gain business value from their compliance investments.’ Chris Capdevila, CEO and cofounder, LogicalApps