Compliance, regulation, and GRC

The Importance of Information Security Compliance

Since the high-profile collapse of Enron, most large organizations are well aware of the consequences of failing to comply with national and international laws and regulatory requirements. More recently, information security has come onto the radar of legislatures around the world, and organizations are now required to comply with data security and privacy requirements as well. Knowing what information security compliance is, and what it demands, is therefore critical for every organization, large and small.

A clear definition is a good starting point. Compliance means meeting a defined set of rules or standards. Information security is concerned with protecting the confidentiality, integrity, and availability of an organization's information and technology assets. Information security compliance, then, means meeting the rules or standards that govern how data and information must be protected, and being able to demonstrate that you meet them.

Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance (GRC) are necessary functions within enterprises, but businesses structure and run them differently. In some companies, governance, risk, and compliance operate as three separate, siloed functions. Others run a single GRC function staffed with GRC specialists, often certified ones.

Even where GRC operates as a combined organization, cyber security, which is itself a risk function, tends to operate separately. One reason is that GRC functions are viewed as business functions, while cyber security is viewed as an IT (technology-oriented) function. However, as any cyber security incident demonstrates, the fallout from a realized risk rarely stays within one function: a breach is at once a technology failure, a compliance failure, and a governance question.

The scale of the compliance issue

To get an idea of the scale of information security regulation: hundreds of federal and state laws exist to protect the personal data of individuals in the USA, and the UK has more than 16 pieces of legislation with which organizations must comply. Whatever the size of your organization, you need to know which legal requirements for information security apply to you and plan for compliance.

Here are some of the most common U.S. information security compliance requirements, each relating to one or more industry sectors:

Sarbanes-Oxley Act (SOX):

SOX requires financial and audit records to be retained for seven years and imposes internal-control and reporting obligations on U.S. public company boards, management, and public accounting firms. The legislation was passed to prevent another scandal like Enron, where fraudulent bookkeeping led to the bankruptcy of a major U.S. energy, commodities, and services company and to the dissolution of its auditor, Arthur Andersen LLP, then one of the largest auditing and accounting firms in the world.

General Data Protection Regulation (GDPR):

The GDPR protects the personal data and privacy of individuals in the European Union (EU). It applies to any organization processing the personal data of people in the EU, whether or not that organization is established or physically located in the EU. It is a good example of how information security compliance can be required by legislation that arose in another jurisdiction.

Federal Information Security Management Act (FISMA):

The Federal Information Security Management Act of 2002 treats information security as a matter of national security for U.S. federal agencies. It requires each agency to develop, document, and implement an agency-wide program to protect its information and information systems. It was updated by the Federal Information Security Modernization Act of 2014.

Health Insurance Portability and Accountability Act (HIPAA):

HIPAA establishes regulations, including the Privacy Rule and the Security Rule, for safeguarding patients' health records. Covered entities (health plans, health care clearinghouses, and health care providers) and their business associates must comply with HIPAA when handling protected health information.

Payment Card Industry Data Security Standard (PCI DSS):

PCI DSS is an industry standard, maintained by the PCI Security Standards Council rather than enacted as law, aimed at reducing fraud by protecting cardholder data. Compliance is required, through the card brands' and acquirers' contractual terms, of every organization that stores, processes, or transmits payment card data.

Information security compliance standards

ISO/IEC 27001, the international standard for an information security management system (ISMS), is the most widely adopted IT security compliance standard. It sets out a best-practice approach to providing appropriate security for data and information. Because it provides independent, structured requirements for an ISMS, it can support compliance with other IT-related regulations. It encourages a risk-based approach to securing and maintaining the confidentiality, integrity, and availability of data and information, and it provides an overarching control environment within which the specific controls required by particular IT systems and regulations can operate effectively.

How IT Governance can help you

Expert individuals who have held leadership CISO roles and have a wealth of industry experience.

Skilled at ensuring your organization is prepared to deal with data breaches and incidents.

Ability to manage and communicate with regulators for all data privacy and information security requests on your behalf.

Experienced practitioners who can offer cyber security training as part of the service.

Information Security Compliance: Which regulations relate to me?

Each entry below names the act or framework, then what it regulates and which organizations are affected.

NIST Cybersecurity Framework (National Institute of Standards and Technology)

What it regulates: The framework was created as a customizable guide to managing and reducing cybersecurity risk by combining existing standards, guidelines, and best practices. It also fosters communication between internal and external stakeholders by providing a common risk language across industries.

Who is affected: It is voluntary and can be adopted by any organization that wants to reduce its overall risk.

CIS Controls (Center for Internet Security Critical Security Controls)

What it regulates: A prioritized set of safeguards to protect an organization's assets and data from known cyber attack vectors.

Who is affected: Any organization; the Controls are grouped into Implementation Groups so that smaller organizations can start with a basic subset and build up.

ISO 27000 Family (International Organization for Standardization)

What it regulates: This family of standards sets out requirements and guidance for establishing and maintaining an information security management system (ISMS) through the implementation of security controls. ISO/IEC 27001 is the certifiable requirements standard; ISO/IEC 27002 provides guidance on the controls.

Who is affected: The standards are broad and fit a wide range of businesses. Any business can use them to assess its cybersecurity practices.

ISO 31000 Family (International Organization for Standardization)

What it regulates: ISO 31000 provides principles and guidelines for implementing enterprise risk management. It is guidance, not a certifiable standard.

Who is affected: The guidance is broad and fits a wide range of businesses. Any business can use it to structure its risk management, including cybersecurity risk.

HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule

What it regulates: The act has two main parts. Title I protects health coverage for people who change or lose their jobs. Title II (Administrative Simplification) standardizes electronic health care transactions and protects the privacy and security of individual patients' health information. These protections were expanded by the HITECH Act and the 2013 Omnibus Rule, which extended direct liability to business associates.

Who is affected: Covered entities that handle protected health information, including doctors' offices, hospitals, health plans and insurers, and employers' group health plans, together with their business associates.

PCI-DSS (Payment Card Industry Data Security Standard)

What it regulates: A set of 12 high-level requirements designed to reduce fraud and protect cardholder data.

Who is affected: Any organization that stores, processes, or transmits payment card data, and the service providers that can affect the security of that data.

GDPR (General Data Protection Regulation)

What it regulates: The protection and privacy of the personal data of individuals in the European Union.

Who is affected: Any organization established in the EU, and any organization outside it that offers goods or services to, or monitors the behaviour of, individuals in the EU.

CCPA (California Consumer Privacy Act)

What it regulates: Privacy rights and consumer protection for residents of California.

Who is affected: Any for-profit business that does business in California, collects California residents' personal information, and meets one of the Act's revenue or data-volume thresholds.

AICPA (American Institute of Certified Public Accountants) SOC 2

What it regulates: An attestation report, not a certification, on a service organization's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy of the systems that process user data.

Who is affected: Service organizations that process or store customer data, typically at their customers' request.

SOX (Sarbanes-Oxley Act)

What it regulates: The act requires companies to retain financial and audit records for seven years and to maintain internal controls over financial reporting. It was enacted to prevent another Enron scandal.

Who is affected: U.S. public company boards, management, and public accounting firms.

COBIT (Control Objectives for Information and Related Technologies)

What it regulates: A framework, developed by ISACA, that helps organizations govern and manage information and technology by linking business goals to IT goals.

Who is affected: Organizations responsible for technology-related business processes and the quality control of information, including audit and assurance, compliance, IT operations, governance, and security and risk management.

GLBA (Gramm-Leach-Bliley Act)

What it regulates: The act allowed insurance companies, commercial banks, and investment banks to operate within the same company. On the security side, its Safeguards Rule and Privacy Rule require financial institutions to protect the private information of clients and customers and to explain how that information is shared.

Who is affected: "Financial institutions", which the act defines as "...companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance."

FISMA (Federal Information Security Modernization Act of 2014)

What it regulates: The act, which updated the Federal Information Security Management Act of 2002, recognizes information security as a matter of national security and requires every federal agency to develop, document, and implement a program to protect its information systems.

Who is affected: All federal agencies, and contractors operating systems on their behalf.

FedRAMP (Federal Risk and Authorization Management Program)

What it regulates: A standardized approach to security assessment, authorization, and continuous monitoring of cloud services used across the federal government.

Who is affected: Executive departments and agencies, and the cloud service providers that want to sell to them.

FERPA (The Family Educational Rights and Privacy Act of 1974)

What it regulates: The privacy of student education records and parents' and eligible students' rights to access and control them.

Who is affected: Any school, school district, or post-secondary institution (academies, colleges, seminaries, technical schools, vocational schools) that receives funds under a program administered by the U.S. Department of Education.

ITAR (International Traffic in Arms Regulations)

What it regulates: The manufacture, export, and brokering of defense articles and defense services (those providing critical military or intelligence capability), including related technical data.

Who is affected: Anyone in the U.S. who manufactures, exports, or brokers defense articles or defense services.

COPPA (Children's Online Privacy Protection Act)

What it regulates: The online collection of personal information from children under 13 years of age, including notice and verifiable parental consent requirements.

Who is affected: Operators of websites or online services under U.S. jurisdiction that are directed at children under 13, or that have actual knowledge they are collecting personal information from children under 13.

NERC CIP Standards (NERC Critical Infrastructure Protection Standards)

What it regulates: Mandatory cyber security standards to improve the security of North America's bulk electric system.

Who is affected: All registered owners, operators, and users of the bulk electric system.
