Breaking it Down: The Difference Between InfoSec Compliance Types

Compliance is an essential part of any business. From a corporate perspective, it can be defined as ensuring your company and employees follow all laws, regulations, standards, policies and ethical practices that apply to your organization. In the context of information security, it means ensuring your organization meets the standards for data privacy and security that apply to your specific industry. And with the growing number of breaches and cyber attacks, this infosec compliance has become more critical to your business compliance program than ever before.

While infosec compliance might feel like a hassle, it will save — and avoid — costs for your organization in the long run, while also providing a solid foundation for a successful cyber risk management program. However, staying on top of your compliance obligations can be a challenge. So, a good place to start is to understand the key types of compliance for your business:

1. Regulatory Compliance means conforming to a rule, such as a specification, standard, or law. It is the responsibility of every organization to be aware of and take steps to comply with these mandatory regulations, many of which are created by government bodies. For example, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. government to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge, and the General Data Protection Regulation (GDPR) is a European Union (EU) law that addresses the transfer of personal data both within and outside the European Union. Some regulations can also be created by private bodies, e.g. the Payment Card Industry (PCI) International Security Standard Council, which is made up of AMEX, VISA, MasterCard, Discover, and the Japan Credit Bureau, to ensure that an organization maintains a secure environment to accept, process, store or transmit credit card information.
2. Contractual Compliance focuses on an organization’s conformance and performance of obligations within an agreement. This includes customer and supplier contracts, employment agreements, and other internal company policies, e.g., travel expense reimbursements. Essentially, it ensures that all individuals and organizations involved in a contract follow through in the basic spirit of “good business”.
3. Best Practices aren’t regulations that you and your organization must comply with by law, but doing so will show others (e.g., customers, partners, and end-users) that you’re doing things the “right” way. This can be particularly useful for business-to-business (B2B) companies, as it can help convince prospective customers that their sensitive data and functions will be protected. A great example is Service Organization Control 2 (SOC 2) certification, which is an attestation procedure that ensures service providers securely manage data to protect the interests of an organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider. International Organization for Standardization (ISO) 27001 is similar to SOC 2, but accepted on an international level.

Now that you have a better understanding of the different types of compliance your organization needs to monitor, you’re ready to create your information security compliance management program. To learn more about how to build a strong compliance management program that enables you to achieve business-critical infosec compliance and cyber risk management for your organization, check out our recent webinar: Strategies to Connect Cyber Risk and InfoSec Compliance.