ISO 27001 in the banking industry: “One standard to rule them all”
Why should banks go with ISO 27001? If you know the “Lord of the Rings” saga, the headline of this article probably sounds familiar. “One ring to rule them all” refers to the magic ring with the power to control all other magic rings. Am I saying that ISO 27001 does magic in the banking industry? Well… no, unfortunately not. But when “forged” well, an ISO 27001-based Information Security Management System (ISMS) can be used to manage all the different information security frameworks banks are subject to.
What is ISO 27001?
ISO 27001 (formally ISO/IEC 27001) is a globally recognized standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for an Information Security Management System (ISMS) that organizations of any size and industry can use to implement a tailored and effective ISMS.
The framework is not designed to just manage IT security, but to manage information security holistically across the company by implementing both technical and non-technical controls.
ISO 27001 is maintained by the joint ISO/IEC technical committee for information security (ISO/IEC JTC 1/SC 27) and is the most widely adopted information security management standard worldwide.
Information and regulation in banks
Banks process and store massive amounts of data, most of it sensitive or highly sensitive. They must protect that data in line with their contractual obligations while also complying with the many laws and regulations that govern its security and privacy.
A few of the laws and standards that commonly apply, or have recently come into force, are:
- SOX – Sarbanes-Oxley Act
- PCI DSS – Payment Card Industry Data Security Standard
- PSD2 – the EU's revised Payment Services Directive
- NYDFS Cybersecurity Regulation (23 NYCRR Part 500) – New York State Department of Financial Services
- GDPR – EU General Data Protection Regulation
- CCPA – California Consumer Privacy Act
- LGPD – Lei Geral de Proteção de Dados, the Brazilian data protection law
- And many other (country-specific) laws and regulations
Having so many different requirements makes information security and privacy compliance a very complex task. Although every industry has its share of laws, standards, and regulations, financial services and banking, together with healthcare, are among the most heavily regulated industries.
And, as if that were not enough, the rapid developments in fintech (financial technology) bring many opportunities but also add considerable complexity to governance and compliance. So where, and how, does ISO 27001 fit in?
A single management system
ISO 27001 offers a framework that can bring the different legal, regulatory, and contractual requirements together in one ISMS. Because the standard is risk-based rather than prescriptive, many other security standards and regulatory expectations either reference ISO 27001 directly or map cleanly onto its controls, which makes implementing them from a single ISMS much easier.
Using a single security management system demands more design and planning in the start-up phase, but once in place it provides better governance, greater efficiency (less duplicated work where requirements overlap), and better risk control, because one system gives a view across the whole organization and points out risks, gaps, opportunities, and priorities. In practice this means maintaining a mapping in which each external requirement (a PCI DSS requirement, a GDPR article, a contractual clause) is linked to the ISMS control that satisfies it, so that one control and one set of evidence can serve several obligations at once. An ISO 27001-based ISMS also enables banks to certify against ISO 27001, showing that an accredited certification body has audited the ISMS against the requirements of the standard (the certification audit assesses conformity with the standard and with the bank's own risk treatment decisions, not the efficiency of individual controls).
Benefit of certification to ISO 27001 for banks
In organizations subject to so many laws and regulations, such as banks and their vendors, the main benefit is demonstrable compliance: being able to prove, from a single, independently certified management system, that controls have been implemented in accordance with the various laws and regulations. As mentioned above, many laws and standards reference or map to ISO 27001, which makes working with (supervisory) authorities much easier.
Over the last few years, ISO 27001 certification has increasingly become a default contractual requirement that banks include in their agreements when selecting vendors, and for good reason: vendor governance becomes less complicated when the vendor's security management follows the same ISO 27001 framework approach. When relying on a vendor's certificate, check that the certified scope actually covers the services and locations the bank uses and that the certificate was issued by an accredited certification body; a certificate covering an unrelated business unit says little about the service being procured.
For more about ISO 27001 benefits, read the article Four key benefits of ISO 27001 implementation.
Scope of ISO 27001 in the banking industry
As said, ISO 27001 is not designed just to manage IT security; it is designed to manage information security holistically across the company by implementing both technical and non-technical controls. The standard has ten clauses, of which clauses 4 to 10 contain the mandatory ISMS requirements (context, leadership, planning, support, operation, performance evaluation, and improvement), and an Annex A that, in the 2013 edition, lists 114 controls divided over 14 control sets (the 2022 revision regroups these into 93 controls under four themes).
All the ingredients for an effective and efficient Information Security Management System are included in the framework, without its requirements becoming overly prescriptive, which leaves room to integrate all of the different external requirements. This makes ISO 27001 the “one standard to rule them all”: if not magical, then a very strong tool that can work wonders!
To see how ISO 27001 fits other frameworks, download this free document: How to integrate ISO 27001, COBIT, and NIST.
About the author:
Tom van der Stoop is a Senior Privacy and Information Security Consultant based in the Netherlands, specializing in Privacy (GDPR), Information Security (ISO 27001), Quality (ISO 9001), and process optimization. He has over 20 years of experience in IT covering a wide range of industries, from banking to fashion, and from automotive to food. Amongst his vast experience and many qualifications, he is a certified ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, ITIL Expert, Certified Information Privacy Professional – Europe (CIPP/E), and Certified Information Privacy Manager (CIPM), and he also earned the distinct designation “IAPP Fellow of Information Privacy” (FIP) recognizing his outstanding work as a privacy professional.