There are several standards and frameworks that cover different elements and perspectives of information security. Each provides guidelines and controls that can be implemented as a method of protecting your company's and your clients' data. Common examples include ISO 27001, SOC 2, NIST SP 800-171 and PCI DSS. Your information security program can be designed around any of these frameworks. Which one your program should be based on depends on factors such as the requirements of your industry and may even be driven by the needs of your clients. Being compliant with a standard means building an information security program in accordance with one (or several) of these frameworks, then applying and managing that program on an ongoing basis.
Once you have implemented a program that you believe complies with a particular standard, the next step can be to have the program certified as compliant. Certification involves a third-party firm auditing your company's policies and procedures, as well as your actual implementation of those policies and procedures, to provide an independent verdict on your compliance with the standard. (The exact form varies by framework: ISO 27001 results in a certificate from an accredited certification body, whereas SOC 2 results in an attestation report issued by a CPA firm.) All of the standards and guidelines in this space overlap substantially. In other words, if you are compliant with one, you are likely well on the path to being compliant with several others. In fact, you can design your program from the outset so that it satisfies several standards at once.
It is critical to consider your customer base and the market you operate in to ensure you are working toward the right standards and frameworks. In many cases, stating your compliance and answering a security questionnaire will satisfy customers; in others, customers will require third-party verification through certification. Know your market's needs before deciding on your approach.
As for how long it takes, there is no easy answer. It depends on the scope of the project and the level of dedication and resources you commit to it. Scope means how many locations and services process and store data, how many systems and people touch that data, and what type of data is involved.
If you are a small local shop that stores customer data in one location and only a few people access it, the scope of your compliance project is likely fairly simple. If you have clients all over the world, many employees, and dozens of systems that process and store data, your scope is likely significant. If experienced information security professionals participate in the project, whether as consultants or employees, your senior management is committed to it, and you have a reasonable amount of internal staff time available, you are probably looking at a few months to build and implement a quality program.
If senior management is not prioritizing the project, or there is no budget for cybersecurity professionals, it can drag on for years. Like most things, you get out of it what you put into it.