06. Obligation Sources
ND545 C4 L4 04 Obligation Sources Video
What are the benefits of compliance? In many cases, organizations must comply with certain Obligations because of a business activity they already perform or because of the industry they operate within, but not all compliance Obligations are mandatory. Sometimes businesses use compliance to make themselves more attractive to potential customers, adopting a standard to demonstrate a minimal level of security.
Organizations can form a nexus to an Obligation in one of three ways. First, the company may be required to meet an Obligation based on existing business activity. For instance, a company would be required to be HIPAA compliant if it stored, processed, or transmitted US healthcare information. Next, companies can contractually bind themselves to Obligations. This can happen in several ways: they may contract with a customer or business partner to meet Control Objectives specifically spelled out within the contract; additional security requirements may be attached to the contract in a rider (a separate document that acts as part of a contract); or the contract may dictate that the organization comply with a well-known Obligation like PCI-DSS or ISO27001. Finally, organizations may choose to comply with any number of Obligations voluntarily, by adopting the Obligation and working toward meeting its Control Objectives.
Circling back to non-contractual Obligations, we briefly mentioned certain Obligations that companies are required to follow if they engage in a specific business activity. These are standards or laws such as PCI-DSS, a standard required of any organization that processes credit card data; HIPAA, a law that applies to any organization that stores, processes, or transmits healthcare data; and GDPR, a privacy regulation that applies to any organization that stores, processes, or transmits personally identifiable information of European Union citizens.
There are, however, other standards, like ISO27001 or SOC 2, that are not specifically required by any business activity or industry. Rather, these are security standards that companies adopt voluntarily to demonstrate that they possess some minimum level of security.