Does the term "GRC" sound Chinese to you?
Does your company comply with the regulations, laws and standards that apply to cybersecurity and data protection? Do you know whether it is obliged to comply with them, or with any of them in particular, because of its activity and the sector in which the organization operates?
If you are a company, you should be very clear about these three concepts and apply them in the day-to-day running of the business, with regard to its organization and management:
- Corporate governance or governance: the set of principles, rules and procedures that establish how the different bodies of the company (the governing bodies) direct and manage it.
- Risk: the probability that an unwanted situation will occur that has an impact or causes damage, in a company or in any other setting.
- Compliance: the action by which the measures, standards or laws established in advance, specifically intended for the sector and productive fabric of the company, are duly implemented and carried out.
Thinking about the digital world, in the field of Information Technology (IT, ICT), and taking these definitions into account, the three concepts translate in a similar way:
- IT governance: the set of principles, rules and procedures that establish and govern how the different information systems are run, so that they provide service and align with the business and corporate strategy.
- Risk: the probability of an unwanted situation occurring which, in the case of information technology, will consist of a computer incident, or cyber incident, which can have a negative impact on the business and may even bring it to a halt.
- Compliance: the appropriate implementation of, and coverage of, the standards, frameworks, rules, regulations, decrees and laws that, in matters of digital systems, information technology, security, privacy and cybersecurity, must be applied in the company, on a recommended or even mandatory basis.
Some of the rules, regulations, standards and laws that you have surely heard of, as far as IT and cybersecurity are concerned, are:
- RGPD/GDPR (General Data Protection Regulation).
- LOPD (Organic Data Protection Law).
- LOPDGDD (Organic Law on Data Protection and Guarantees of Digital Rights).
- LSSICE (Law on Information Society Services and Electronic Commerce).
- LGC (General Communications Law).
- LGT (General Telecommunications Law).
- ENS (National Security Scheme).
- NIST (Cybersecurity Framework of the National Institute of Standards and Technology).
- CIS (controls of the Center for Internet Security).
- SGSI (Information Security Management System).
- ISO 27001 (international norm or standard for the establishment of an SGSI).
- ISO 27701 (international norm or standard for the management of privacy and compliance with GDPR).
- ISO 22301 (international norm or standard for business continuity management).
In any case, it is worth clarifying that laws are mandatory, while industry standards, norms and regulations are recommendations and references that promote compliance, management and legal conformity.
But how do we know whether we are obliged to comply with any of them? The answer is not "black or white". It depends on many things and on each case: on each company and each type of company, on what you do and how you do it, on what type of information assets you manage or handle, how you do so and how sensitive or confidential they are, on whether you sell online (whether you have an online store), on which country you reside and/or operate in, etc.
And, on the other hand, how can we know whether we already comply, or not (and what may be missing in order to do so), with certain norms, regulations and laws? In this case, the first step is to analyze the situation and learn the state of the systems, processes, assets and resources in this respect. This is achieved by carrying out regulatory or legal compliance audits, specific to each case.
Once the audit is done, we will be in a position to comply with them by establishing certain controls, activities or actions on the elements that have been identified as compliance nonconformities in the case at hand.
In the case of our GRC service, we take care of governance, risk management and compliance alike, by doing the following:
- Based on the needs and objectives that are established, we carry out an analysis of the situation from the point of view of the company's cybersecurity maturity level.
- We determine the target maturity level to achieve and, therefore, the scope and activity planning.
- We define the GRC model to be implemented based on the desired regulatory framework.
- We determine the mechanisms and tools to use.
- We prepare and deliver a report with the implemented GRC model and recommendations.
- We present the results.
Do you want us to audit your company for cybersecurity compliance?
You can find more details about our GRC services by visiting the Zerolynx services page.
If you prefer, contact us and we will talk.