Introduction
In the context of the framework, ‘compliance’ is taken to be a measurement of
the degree to which security practice in an organisation accords with the
documented security requirements and standards.
This definition encompasses the idea that an organisation could be partially
compliant, and also the concept that compliance must be against something - an
agreed set of procedures or a defined target state of affairs.
Principles of Governance
The Cabinet Office requires UK Government departments to have developed an ISMS
demonstrating compliance with ISO/IEC 17799 for all of their nominated key
information systems.
ISO/IEC 17799 identifies two kinds of compliance:
- compliance with legal and regulatory requirements; and
- physical, personnel, procedural and technical compliance, primarily against
the stated security policy.
In practice the applicable legal and regulatory requirements will normally be
documented within the security policy; consequently the target for compliance is
the agreed security policy. However, this section of the framework is
nevertheless based on the ISO/IEC 17799 division.