Quick review: Compliance and Standards – ISC2 CC

What you really need to know

Compliance concerns adherence to laws, regulations, standards, internal policies and contractual requirements. For ISC2 CC, you need to understand that security is not only technology: it also includes governance, accountability, documentation, audits and verifiable controls.

An organization must be able to demonstrate that it protects data, systems and processes in a way that is consistent with applicable requirements. It is not enough to say that a control exists: it often needs to be documented, verified and maintained over time.

Key concepts

• Compliance: adherence to laws, regulations, standards, policies and requirements.
• Standard: a set of recognized practices or requirements to follow.
• Policy: a high-level document that defines rules and expectations.
• Procedure: detailed operational instructions for applying a policy.
• Governance: the set of responsibilities, processes and decisions that guide security.
• Audit: formal verification of compliance with requirements, controls or policies.
• Privacy: protection of personal data and proper use of information.
• Accountability: demonstrable responsibility for decisions and actions.
• Due diligence: careful evaluation before making decisions or selecting suppliers.
• Due care: reasonable care in applying appropriate security measures.

Differences not to confuse

Concept	Main meaning
Compliance	Adherence to applicable requirements
Standard	Model or requirement to follow
Policy	General rule approved by the organization
Procedure	Practical steps to apply a rule
Governance	Direction and control of security
Audit	Verification of compliance
Privacy	Protection of personal data
Accountability	Demonstrable responsibility
Due diligence	Evaluating carefully
Due care	Acting with reasonable care

Compliance

Compliance means meeting the requirements applicable to an organization. These requirements may come from:

• laws;
• regulations;
• industry standards;
• contracts;
• internal policies;
• customer requirements;
• privacy and data protection obligations.

For ISC2 CC, you need to remember that compliance does not automatically mean perfect security. An organization can be formally compliant and still have residual risks. However, compliance helps demonstrate that appropriate controls, responsibilities and processes are being applied.

Standards, policies and procedures

A standard defines requirements or good practices to follow. It can be internal or external.

A policy is a high-level document that establishes what must be done. Example: a password policy may state that accounts must use strong authentication.

A procedure explains how to practically apply a policy. Example: the steps to create an account, revoke access or handle a password reset request.

In quizzes, it is important to distinguish between general rules and operational instructions.

Security governance

Governance defines how security is directed, controlled and integrated into the organization's objectives.

It includes:

• roles and responsibilities;
• approval of policies;
• risk management;
• compliance monitoring;
• security priorities;
• management oversight;
• periodic review of controls.

The key point is that security is not only the responsibility of the technical team. It must be supported by clear processes, decisions and responsibilities.

Audit

An audit is a formal verification. It is used to check whether policies, controls, procedures or requirements are being followed.

Examples of items verified during an audit:

• access logs;
• access reviews;
• evidence of training;
• backups;
• patching;
• incident management;
• documentation of controls;
• approvals and responsibilities.

For ISC2 CC, you need to remember that an audit requires evidence. If a control is not documented or verifiable, it can be difficult to demonstrate compliance.

Privacy and data protection

Privacy concerns the proper handling of personal data. It includes collection, use, retention, protection, sharing and deletion of data.

Important principles:

• collect only the necessary data;
• protect personal data;
• limit access to authorized people;
• retain data only for the necessary time;
• respect legal and regulatory obligations;
• properly manage incidents and data breaches.

Security protects data. Privacy also establishes how that data must be used correctly and legitimately.

Accountability

Accountability means being able to demonstrate responsibility and control over decisions and activities.

It is not enough to say that security is important. An organization must be able to show:

• who is responsible for an activity;
• which policies have been approved;
• which controls have been applied;
• which reviews have been performed;
• which corrective actions have been taken;
• which evidence supports compliance.

Due diligence and due care

Due diligence concerns careful evaluation before making a decision. Example: evaluating a cloud provider before entrusting it with sensitive data.

Due care concerns applying reasonable care and appropriate measures. Example: applying patches, training users, using MFA and monitoring access.

Simple difference:

• due diligence = evaluate beforehand;
• due care = act correctly and maintain adequate protection.

Third parties and suppliers

Compliance also concerns suppliers, partners and external services. If an organization entrusts data or services to a third party, it must assess risks and define clear responsibilities.

Examples:

• supplier assessment;
• contractual security requirements;
• data processing agreements;
• SLAs;
• audit or compliance reports;
• management of supplier access;
• incident notification procedures.

Delegating a service does not mean eliminating the organization's responsibility.

Common quiz mistakes

• Thinking that compliance means perfect security.
• Confusing policy and procedure.
• Thinking that an audit is used only after an incident.
• Forgetting that privacy also concerns use and retention of data.
• Thinking that suppliers eliminate all internal responsibility.
• Confusing due diligence and due care.
• Forgetting that compliance requires documented evidence.
• Thinking that governance is only a technical topic.

Mini exam scenario

An organization wants to use a new cloud provider to store sensitive data. Before signing the contract, it evaluates the supplier's security controls, certifications, responsibilities, incident management and data protection clauses.

This activity is an example of due diligence, because the organization is carefully assessing risk before making a decision.

Mini checklist before the quiz

Before starting the quiz, you should be able to explain:

• what compliance means;
• the difference between standard, policy and procedure;
• what security governance is used for;
• why audits require evidence;
• why privacy is not only data encryption;
• what accountability means;
• the difference between due diligence and due care;
• why suppliers must be assessed;
• why being compliant does not mean eliminating all risk.