ISM Standards & Regulations
Zygma is active in the standards development arena. Our CEO made early contributions to the development of BS 7799, the antecedent of today's ISO/IEC 27001 and ISO/IEC 27002 (i.e. the information security management standards), and is today a leading contributor to the continued development of the '27xxx family' of standards. He has also been a significant contributor to standardization work in Europe, where he worked on standards related to the European electronic signature directive.
Zygma can assist its clients' compliance with regulations, legislation and imposed policies, and their conformity to a range of standards. Although our experience and approach allow us to analyze any regulation or standard, the more common ones are listed below.
If you have needs in other areas don’t hesitate to call – we have a demonstrated approach towards mapping your standards into an ISMS context, or we can do the same in an ITSM context. We can also assist you in your need to demonstrate compliance and conformity with other regulation, policy and standards.
Contact us and let us respond to your requirements with a management framework which suits your business needs.
The more common regulation and standards for which we can provide support are these:
Information Security Management
We are specialists in the building, operation and auditing of ISMSs which follow ISO/IEC 27001 (and therefore 27002) and can also provide training (both classroom and on-the-job) and a skeleton ISMS. Zygma's approach lets its clients get on the fast track towards certification. Some will place great emphasis on ISO/IEC 27002 (2020-05 – presently in the throes of a substantial revision at the ISO level) when talking about an ISMS, but this is to miss the point: 27002 provides only guidance (albeit valuable, well-prepared guidance which reflects best practice), whereas 27001 provides the definitive, certifiable requirements for implementing, operating and continually improving an ISMS. Those requirements include a statement of applicability which records whether and how each of the reference controls in Annex A (for which 27002 provides implementation guidance) applies to the ISMS in question, with a justification for every control included or excluded. See other pages within our web site, such as Questions You Should Ask.
IT Service Management
Increasingly, requirements for oversight and information security are causing senior management to look at their provision of business functions in terms of services, whether their user community is internal to the organization or external to it. ISO/IEC 20000 provides a set of requirements (in part 1) and guidance (in part 2) which govern how a certifiable IT service management system should be implemented. We can provide the backbone of an ITSM strategy and help clients build into it all the compliance and standards conformity requirements they have. Many of those specific needs may include one or more of the other standards mentioned here. Zygma's approach lets its clients get on the fast track towards certification.
Federal Information Security Management Act
FISMA places requirements for information security management upon the heads of all Federal agencies and is supported by a range of standards and agency guidelines. Zygma can assist agencies and suppliers in constructing their information security management systems for specific systems. We are firm believers that an ISO/IEC 27001-conformant ISMS which embraces all the applicable FISMA requirements and supports the certification and accreditation (C&A) process is viable. This includes compliance mapping with such major FISMA supports as NIST SP 800-53 (Revision 1).
In 2008, under GSA funding, Zygma produced a detailed mapping of IS27001:2005 (requirements and controls), prepared as a potential Annex for SP 800-53 Rev. 2. It provided a comprehensive mapping not just of the IS27001 Annex A controls against SP 800-53 (Rev. 2) but also aligned the requirements of IS27001 itself (i.e. clauses §4 to §8 inclusive) to those controls in '-53 which are more akin to management 'measures' than to technical controls. Although NIST has chosen not to incorporate this content in subsequent revisions to date (i.e. it continues to map '-53 only to the Annex A controls), Zygma is able to construct this cross-walk for you.
Sarbanes-Oxley Act
The requirements of this Act, which expect public companies to assess and publicly disclose the effectiveness of their internal controls as they relate to financial reporting and to have those controls independently audited, have a direct relationship to information security management. Virtually no business of any magnitude today operates without a high degree of dependence on IT systems, and hence the need for effective information security management in the SOX context is paramount. We can help clients establish their SOX compliance through their ISMS, efficiently and effectively.
Health Insurance Portability and Accountability Act
Covered entities (i.e. those organizations subject to the HIPAA security standard) have an obligation to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information". By establishing a comprehensive mapping of HIPAA requirements into the ISMS management framework, clients gain a way to manage and demonstrate their compliance.
Payment Card Industry (PCI) Data Security Standard
Although essentially technical in focus, the PCI DSS includes many requirements which impinge upon management issues. Zygma can help relate this standard to the broader management systems, build conformant solutions and audit client systems for conformity.
Zygma is ready to respond to your specific needs for compliance/conformity with any of these standards, and with others which may be particular to you – contact us to discuss the best way to meet those needs.