Highlights of IS.007 Compliance Standard
The IS.007 Compliance Standard defines the requirements to ensure that the Commonwealth complies with all relevant legislative, regulatory, statutory and contractual requirements related to information security. The standard outlines requirements for:
- Policies, standards, guidelines and procedures that are in place, communicated, implemented and enforced
- Reporting of security incidents, violations and breaches in accordance with incident response guidelines
- Security compliance reviews to identify security risks that could compromise information assets
- Creation of audit records of security events so that those events can be audited
- External attestation of compliance by third parties
See the Enterprise Information Security Standards Self-Assessment Questionnaire (Excel) that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards, which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments that have not adopted comparable cyber and data security standards as part of their Internal Control Plan.