Compliance and compliance
Nov 30th, 2011 by Jesper Kråkhede
I have recently started to create a generic compliance architecture for all types of compliance. As you can easily understand, I immediately ran into some problems. The obvious ones are that some compliance regimes focus on confidentiality, like HIPAA and PCI DSS, while others focus on integrity, like SOX. Another challenge in compliance is not only the CIA triad but also what the compliance structure focuses on: in some cases the focus is on only a few information objects, and in others it is the whole business that needs to be compliant.
The strategy for reaching compliance is of course different depending on the type of compliance and how you would like to run your business. In general, a compliance scheme centred on a single information object, like PCI DSS, is more suitable for minimizing the scope or for outsourcing, while a compliance scheme that affects the whole business, like ISO 27000 (yes, I know it is not mandatory), demands a more holistic approach.