Understanding and complying with standards and regulations can be a daunting task. CIMA's experienced staff provides a variety of services to help ensure your organization's compliance with many of the latest standards and regulations. These services include performing compliance assessments and facilitating impact assessments, carried out with internal and external control owners, to quantify what it will take from a people, process and technology perspective to bring a non-compliant control to full compliance. We also help clients design, build and implement controls, and train control users and stakeholders on newly implemented controls.
Some of the key compliance standards and regulations we work with are described below.
ISO 27001 - Information Security Management System (ISMS)
ISO 27001 has become the de facto information security program framework for global companies and their third-party vendors due to its widespread acceptance in 165 countries around the globe.
With core expertise in the standard, CIMA helps clients through every step, from planning your Information Security Management System (ISMS) to working with external certification auditors, to help you achieve your business goals.
While many competitors claim expertise in the standard, few have been working with it as long as CIMA's CEO, who has worked with it since 1997, when it existed as the British Standard BS 7799 (Part 1 of BS 7799, the code of practice, later became ISO 27002, and Part 2, the ISMS specification, became ISO 27001). CIMA has also been teaching ISO 27001 Lead Implementer and Lead Auditor courses based on this standard since 2010.
CIMA has also begun developing a certification Mastery Series to address the skill gap in many of the specialty areas within the scope of the ISO 27001 standard, so that today's and tomorrow's information security leaders have the competence to lead all areas of an ISMS.
ISO 27701 - Privacy Information Management System (PIMS)
ISO 27701 is a relatively new extension to ISO 27001 and ISO 27002 that adds privacy-specific requirements and controls. It is intended to help organizations build on the work they have already done under 27001 to manage personal information, and it supports EU General Data Protection Regulation (GDPR) compliance: Annex D of the standard maps its controls to GDPR articles. Note that certification against 27701 demonstrates a managed privacy program; it is not, by itself, a legal finding of GDPR compliance.
Using this standard, CIMA takes a standards-based approach to help you design, build, roll out and manage a Privacy Information Management System (PIMS).
ISO 22301 - Business Continuity Management System (BCMS)
Given the intrinsic relationship between Information Security and Business Continuity Management through the three tenets of security (Confidentiality, Integrity and, above all here, Availability), CIMA provides clients with expert management consulting services through a standards-based approach founded on the ISO 22301 standard.
As with our ISO 27001-based services, we provide clients consulting support from initiation to certification. CIMA has also been teaching ISO 22301 Lead Implementer and Lead Auditor certification training courses since 2013.
NIST - Cybersecurity Framework (CSF)
The United States' National Institute of Standards and Technology (NIST) published version two (2) of its Cybersecurity Framework in 2019, as an update to its national standard for the design, development and management of an information security program for private sector organizations.
Compared by many as a peer to ISO 27001, the standard enjoys recognition by US federal government agencies, as a desired standard for use by government vendors, as well as state, county and municipal governments.
CIMA offers management consulting services to help organizations assessment, build and manage NIST-CSF compliant information security programs.
CIMA is currently working on developing a certification Mastery Series on Information Security that will be aligned with the requirements of NIST-CSF, and is designed to ensure today and tomorrow's information security leaders have a level of competence to lead all areas of an information security program.
GDPR (European Union - General Data Protection Regulation)
Seen as the pillar of global privacy legislation, the EU General Data Protection Regulation (GDPR) has applied since May 25, 2018 and has global implications for companies and government agencies around the world that process the personal data of individuals in the EU, wherever the organization itself is located.
Using a standards-based approach following ISO 27001 and ISO 27701, CIMA helps clients assess their level of compliance and build a data protection program encompassing an Information Security Management System (ISMS) and a companion Privacy Information Management System (PIMS).
CIMA has been teaching ISO 27001 Lead Implementer and Lead Auditor certification training courses since 2010, and is currently developing a peer certification course for ISO 27701.
CCPA (California Consumer Privacy Act)
The California Consumer Privacy Act, which came into effect on January 1, 2020, is a state law intended to enhance the privacy rights and consumer protections of California residents; it was subsequently amended by the California Privacy Rights Act (CPRA), most of whose provisions took effect on January 1, 2023. The CCPA is seen as the first attempt in the US to enact GDPR-like protections for a segment of the population, as well as a model for other states to follow.
As part of our engagement with clients, we help leaders inside their organization understand the implications, and how to comply with CCPA.
SOC 2 (SSAE 18, formerly SSAE 16)
A SOC 2 report is an attestation issued under SSAE 18 (formerly SSAE 16) against a set of controls called the Trust Services Criteria (TSC), published by the American Institute of Certified Public Accountants (AICPA). The TSC cover five categories (security, availability, processing integrity, confidentiality and privacy); security is the common criteria included in every SOC 2 report, while the other four are included based on the service commitments an organization makes to its customers. A SOC 2 report gives service customers assurance that the organization has the knowledge and controls in place to protect sensitive information and systems, with a Type 1 report covering control design at a point in time and a Type 2 report covering operating effectiveness over a period.
With CIMA's core expertise in information security, CIMA assists clients by performing a readiness assessment against the TSC, to help organizations understand where to invest time and resources before the independent CPA examination. CIMA also works with clients to close gaps by building and implementing missing controls, so they can achieve a clean report and satisfy the customers who rely on it.
PIPEDA (Canadian Data Privacy)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that received Royal Assent on April 13, 2000 and came into force in stages beginning January 1, 2001, applying to all private-sector commercial activity from January 1, 2004. PIPEDA governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity. Note that Quebec, Alberta and British Columbia have their own private-sector privacy laws deemed substantially similar to PIPEDA, which apply instead of PIPEDA to activity within those provinces.
CIMA works with clients that operate within the jurisdiction of Canada to understand and comply with PIPEDA.