The Framework Provides a Common Language for a Global Company
- One example of how a framework based on the ISO standard must be adapted to local compliance requirements: European operations must also comply with GDPR.
- When implementing a framework, begin by focusing on goals and data that are most important, deliver on that, and then expand the scope of your program as needed.
According to Eric Bedell, the greatest benefit of adopting a framework is that it provides a common language for talking to people about your security posture. “It is recognized by the customers and suppliers, partners, regulators, other offices in the company, pretty much everybody, and it provides a line of communication,” says Bedell, who is the chief information security officer (CISO) at Mitsubishi UFJ Financial Group (MUFG), one of the world’s largest financial services companies. Having a common security language is very important to a global company like MUFG, which has operations in more than 50 countries. Although each country has its own standards and regulations, and each region can adopt its own framework, everyone starts with the MUFG corporate standard, which is based on ISO 27001.