27001 or NIST for Local Bank
I would like to ask a question on how to implement the best security policy for my bank. We have just created a new Security Unit, and I will be handling this team.
First, we are thinking of IT policy, Security Framework, Compliance with legal, SIEM, and SOC. Is this the best approach?
I'm assuming, by the title of the e-mail you've sent, your question is in the context of ISO 27001 and NIST SP-800 documents.
Considering that, to implement the best security policy for your bank you should first understand which legal requirements (e.g., laws, regulations, and contracts) your bank needs to fulfill, and which business objectives it wants to achieve, so you can identify how information security can help.
For example, if the bank needs to comply with GDPR, then it needs to protect users' privacy; and as for objectives, if it wants to increase market share and decrease operational costs, then decreasing the occurrence and costs of information-related incidents may help achieve those objectives.
Once you have identified what is expected from information security, then you can work on the other elements of the system, like IT policy, SIEM, etc. This approach will help you focus on the elements that really matter to your implementation.
Regarding ISO 27001 and NIST documents, both provide a solid basis for implementing information security, but ISO 27001 has the advantage of being certifiable and a worldwide-recognized standard.
These articles will provide you with more information:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jul 29, 2020