The Challenge

Compliance is a necessary evil. The market, and governments, generally insist that companies holding sensitive data or playing a role in critical infrastructure have a base level of cyber security controls in place.

The real challenge is ensuring that your compliance investment doesn’t distract you from protecting what’s important to you.

There are numerous requirements that need to be adhered to during the course of the year to ensure that compliance with standards is met. These may be implementation and process related, or may be related to documentation. Keeping track of all these requirements is difficult for internal audit and compliance teams. Trustwave has provided many resources to help you build, run and comply with your compliance standard requirements.

Resources Available to Free Users

Through your free Security Colony account you have access to some very practical resources to help you work out your compliance status and prepare for an audit against a range of regulations and standards including PCI-DSS and the Australian Government’s ISM.

  • PCI DSS v3.1 Assessment Workbook Template - This template is intended for use by auditors (including Payment Card Industry (PCI) Qualified Security Assessors (QSA), internal organisational security personnel and other individuals) in the conduct of an assessment against the PCI Data Security Standard (DSS) version 3.1.

  • ISM Assessment Initial Documentation Request - This resource is a checklist that provides a list of key documents that are likely to be required for an assessment of your organisation’s compliance to the 2015 version of the Australian Government’s Information Security Manual (ISM).

  • Project Security Compliance Checklist - This document provides a questionnaire for project teams and a checklist for information security teams to ensure that security related activities to be performed by project teams within the various stages of a project comply with the requirements of the information security management system (ISMS).

Resources Available to Premium Users

  • ISO 27001 Compliance Toolkit (also known as our ISMS in a box) - One of our flagship resources, this toolkit is designed to provide the fundamental building blocks for developing an ISO 27001:2013 compliant information security management system (ISMS) within an organisation. It consists of two fundamental components: (1) A set of ‘core’ ISMS documents, consisting of a Cyber Security Strategy, Policy, Standards and Risk Assessment and Treatment Methodologies; (2) A series of supporting documents to assist with the process of implementing an ISO 27001:2013 compliant ISMS.

  • Information Security Assurance Annual Activity Calendar - Standards such as PCI DSS, ISO 27001 and most organisations’ own policies, require a range of security assurance activities to be completed over the course of a year. Often these elements are spread throughout multiple distinct standards documents. The intent of this document is to assist in developing a ‘calendar’ of security assurance activities for an organisation.

  • Mapping of 2015 ISM Controls to PCI DSS 3.1/3.2 Controls - This spreadsheet provides a mapping between the 2015 version of the ISM and version 3.1/3.2 of the PCI DSS. It is intended for use by organisations that are subject to both standards to help establish the differences and gaps that exist between them. The mapping has been built with the ISM as the master, mapping PCI DSS control requirements to those in the ISM. As such, controls that are present in the PCI DSS but not the ISM are not included.

  • APRA Cloud Assessment Workbook - This document is intended for use by internal auditors in the conduct of a gap analysis of outsourced business operations for financial or insurance institutions that are obliged to comply, as identified in the Information Paper - Outsourcing Involving Shared Computing Services (including Cloud), APRA, July 2015.

Other SecurityColony Features That Can Help

If you have any further questions about how you could comply with PCI, APRA or ISO 27001, or if your compliance obligations are more niche (APRA 234 / 235, SOC2, NZ ISM, or an amalgamation of multiple standards), we can help with that too. You can get in touch with us via the "Ask a Consultant" function.

Paid subscribers also have their own Private Forum dedicated to their organisation.

Questions from free users will be answered when we can fit them in (but it generally won't take long).