In 2010, privacy regulations covered only approximately 10% of the world’s population. By 2025, modern privacy regulations will protect two-thirds of the world’s population. Ten years ago, only about 50 non-mandatory standards related to information security had been published. Now there are more than 180 standards altogether, and ISO/IEC JTC 1/SC 27 alone has published more than 10 standards per year.
In a fast-changing regulatory landscape, companies, government bodies, and NGOs need to update their security and privacy strategies. This way, they can avoid large fines, gain trust from customers, and, in essence, remain in business. This may be a significant challenge since new regulations, laws, and standards are in constant development, publication, and change.
To stay compliant, organizations must align their security and privacy strategies with the principles outlined in relevant standards, laws, and regulations. In essence, all regulatory and normative frameworks are jointly guided by more or less the same principles. When organizations identify these principles and implement them in their security and privacy strategies, they can manage to keep up with the regulatory landscape. These principles are the backbone of today’s regulatory and normative frameworks; hence, they will be further discussed in this article.
Please note that any and all regulatory and normative frameworks discussed in this article are in regard to information security and privacy.
The Foundation: Security and Privacy Strategy
At its core, a Security and Privacy Strategy (which, for the sake of simplicity, I will refer to as the “Strategy” in this article) is a high-level strategic document that provides context and outlines the vision, the security and privacy objectives, and a high-level approach to reaching those objectives. The Strategy primarily concerns itself with setting the ground for the implementation of security and privacy controls by providing guidance on what the organization’s Security and Privacy Program must cover.
A comprehensive Strategy should provide at least the following information:
- Background – Why are we proposing this strategy?
- Context – Why is this strategy important?
- Threat landscape – Who is likely to attack us?
- Vision – What is our desired outcome?
- Key principles – What are the foundational principles that will guide us in securing our organization?
- Roles and responsibilities – Who is doing what?
- Implementation – What are our objectives, how do we plan to achieve them (high-level), and how will we know when we have achieved them?
In this article, I will focus on elaborating key principles and high-level objectives that most regulatory and normative frameworks consider core.
Today’s Regulatory Landscape
As previously mentioned, new regulatory and normative frameworks are continually being developed, published, and revised. To better understand the regulatory landscape, we need to define what regulatory and normative frameworks apply to our organization. Generally, we can divide these frameworks into three major groups:
- High-level general standards and frameworks – Can be either national or international. Most organizations, regardless of their size, industry, or other characteristics, can apply them. Examples include: ISO/IEC 27001, ISO/IEC 27701, and NIST Cybersecurity Framework.
- Sector- or topic-specific standards and frameworks – Can be either national or international. Their application depends on the organization’s industry. In other words, they are security standards specific to each sector. Examples include ENX TISAX for the automotive industry and ISA/IEC 62443 for industrial environments.
- Regulations, laws, and directives (legal requirements) – Apply to organizations that process specific types of data or operate in certain sectors. Their scope may be one specific country, a group of partnering countries, or an economic and political alliance. Examples include GDPR, NIS2, GLBA, SOX, and the Cybersecurity Law of the People’s Republic of China (CSL).
Please note that all organizations must comply with the relevant regulations, laws, and directives. Failure to do so can result in fines and operational hurdles. Standards, however, are voluntary. Some standards allow certification or attestation; others do not.
When developing security, privacy, and compliance programs, start with legal requirements. Then consider standards and frameworks. There are many voluntary frameworks available, so an organization should not simply select every standard that could apply to it. Instead, it should choose the standards that matter to its customers, partners, and other interested parties. For example, if your organization produces vehicle parts, consider implementing ENX TISAX. Vehicle manufacturers value it, so it can help you win new customers. It is advisable to first adopt a general standard or framework and only afterwards explore more specific standards and frameworks for your sector. The first will help you set a foundation for the second.
Although there are so many regulatory and normative frameworks, some are considered “state of the art” or “golden standards.” In information security, ISO/IEC 27001 is known as the “golden standard.” If an organization is compliant with it, it is likely to meet other security standards as well; where it does not, the compliance gap is likely minimal. In the privacy area, ISO/IEC 27701 stands out as the main standard. It effectively narrows the compliance gap for many privacy laws and regulations.
The Reality: Are Standards Really Voluntary?
As mentioned above, organizations are not mandated to comply with security standards – but is that really the case? Legally, absolutely yes. Practically, not really. Some edge cases do require compliance with standards like ISO/IEC 27001 by law, especially in the banking sector, but usually it is not mandatory. In practice, however, it is not so black and white. We are not going to get fined for noncompliance, but we are not going to win big-shot clients either. If your organization is okay with working with SMEs, that’s all good. However, many organizations aim to expand and gain larger customer bases. For them, security standards often become essential.
Key Principles Across Regulatory and Normative Frameworks
Many regulatory and normative frameworks rely on the same security and privacy principles. A principle is defined by the Cambridge Dictionary as “a basic idea or rule that explains or controls how something happens or works.” In security and privacy terminology, a principle is “a foundational rule or guideline that helps protect information and systems from harm or unwanted coercion.” Key principles in most regulatory and normative frameworks for information security include:
- Risk-based approach
- Continuous improvement
- Defense in depth
- Least privilege
- Accountability and governance
- Security by design and by default
- Supply chain security
- Awareness and training
- Documentation and evidence
- Leadership and commitment
When it comes to privacy, many laws like GDPR and CCPA follow the OECD (Organisation for Economic Co-operation and Development) privacy principles. These principles are:
- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability
By adopting these principles, organizations can narrow compliance gaps across many regulatory and normative frameworks. Once an organization has implemented them, only a few adjustments will be needed to meet any related framework, standard, regulation, or law. In the next section, I will elaborate further on these principles and their objectives.
Practical: Applying Key Principles
Now that we have defined which principles are the cornerstones of security and privacy, we can discuss how to apply them in your Strategy. It is not sufficient to merely list them in your Strategy document; you must set objectives based on them, define an approach to meet those objectives, and establish means to measure success.
Objectives must be defined based on the aforementioned principles. They outline the organization’s future goals and focus by showing what it aims to achieve. The approach, in turn, outlines the steps the organization will take to achieve its objectives. And, as a cherry on top, comes measurement. Everything the organization undertakes to achieve its objectives should be measured. Success measurements offer a clear way to track an organization’s actions and progress towards its goals over time. They help us grasp our current situation, which allows organizations to share their position with others, both within and outside the company.
Example
I believe that the best understanding comes from practice and learning from examples. Here is an example of defining objectives, an approach, and measurements for the risk-based approach principle, following the structure I described earlier.
A risk-based approach requires decision-makers to evaluate and prioritize actions based on the potential risks to the organization. In the context of security and privacy, risk is typically defined as the combination of the likelihood of a threat exploiting a vulnerability and the impact it would cause. Rather than treating all negative scenarios equally, this approach targets the most significant risks. By doing this, it allows for informed and balanced decision-making.
Objectives:
- The organization’s information security risk appetite is determined, agreed, and documented in line with the wider risk management processes.
- The organization has developed, documented, and embedded a consistent way to assess information security risks across all its operations, both internally and externally.
- Processes to manage information security risks, including oversight, governance, and regular reporting, are developed and embedded across the organization.
Approach:
- Consult and work with senior management to determine and document the organization’s information security risk appetite.
- Develop and document a consistent way to identify and assess information security risks and communicate them to the relevant stakeholders.
- Design and implement simplified risk management processes that enable effective oversight and regular reporting.
Measurement:
- The organization has a clear understanding of its information security risk appetite. This is documented, signed off by senior management, and communicated to employees, vendors, contractors, and other internal and external stakeholders.
- A consistent process to identify and assess information security risks is documented. Risks are identified early, documented, and monitored. Reports are shared regularly with senior management.
- Known, accepted risks are reviewed regularly and reassessed to validate the level of risk posed to the organization in line with the agreed risk appetite.
Conclusion
As we have seen, the regulatory landscape is expanding continuously, putting more pressure on companies, government bodies, and NGOs than in previous eras. In a rapidly evolving regulatory environment, it is crucial for businesses, governmental organizations, and NGOs to revise their security and privacy strategies. Doing so helps them avoid hefty fines, foster customer trust, and ultimately sustain their operations. However, this remains a daunting task due to the ongoing emergence, enactment, and alteration of regulations, laws, and standards. To comply with key regulatory and normative frameworks, organizations must identify the principles these frameworks share and implement them in their security strategies. This will help minimize compliance gaps with most regulatory and normative frameworks. To sum up, despite the uncertainties surrounding emerging regulatory and normative frameworks, careful planning can ensure compliance.