1.2. Policy and Compliance
Content
- Align cyber risks with the business objectives so that compliance follows by default.
- Create a governance structure with a set of policies and standards. This includes:
  - Global information security policy: General rules about management commitments.
  - System engineering policy: Rules around configuration and change management.
  - Software lifecycle policy: Rules related to the build pipeline.
  - Cryptography & access control policy: Rules to enforce the principle of least privilege and separation of duties.
  - Business continuity (See BCMS requirements from ISO 22301).
  - Privacy management (See PIMS requirements from ISO/IEC 27701).
  - Any other applicable industry-specific or regional requirement.
- Create a set of processes, procedures and guidelines. This includes:
  - Physical security (See relevant controls in ISO/IEC 27002).
  - Incident response (See guidelines from ISO/IEC 27035).
  - Supply chain security (See guidelines from ISO/IEC 27036).
  - Change management process.
  - Onboarding and offboarding of employees.
- Choose a set of controls that are applicable and aligned with your objectives.
Control Frameworks:
- ISO/IEC 27002 Controls [10]
- ISO/AWI 27799 Information security management in health (Pending revision/Under development)
- SOC 2 [11]
- NIST Cybersecurity Framework (CSF) [12]
- NIST SP 800-53 rev5 [13]
- CIS Critical Security Controls [14]
- CSA Cloud Controls Matrix (CSA CCM) [15]
- ENX TISAX Information Security Assessment [16] (Automotive Suppliers)