ISO 27001: Regulatory Compliance Requirements in Israel and the U.S. – Who Must Comply with the Standard?

ISO/IEC 27001 has become a central pillar in information security management for organizations—both in terms of risk management and compliance with stringent regulations. This article reviews the standard’s core requirements, the control domains it includes, and the legal obligations to comply with it in both Israel and the United States. Which organizations in Israel are legally required to comply? What is the American approach to cybersecurity regulation? And does ISO 27001 truly meet regulatory expectations? All the answers—below.

What is ISO 27001?

ISO 27001 is an international standard that defines the requirements for an Information Security Management System (ISMS). The standard is developed and maintained by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC).

As stated by the ISO itself:

“ISO/IEC 27001 provides a framework for establishing, implementing, maintaining and continually improving an information security management system in the context of the organization.” (ISO, 2022)


The Standard’s Basic Regulatory Requirements

The standard is based on a risk management approach and includes an annex (Annex A) detailing 114 controls divided across 14 control domains (this is the Annex A layout of the 2013 edition; the 2022 revision regrouped the Annex A controls into four themes). The most recent edition of the standard is ISO/IEC 27001:2022, published in October 2022.

According to Disterer (2013) (*) in his article in the Journal of Information Security:

“The controls detailed in Annex A of the standard constitute a comprehensive catalog reflecting best practices in information security and are based on years of accumulated experience and research in the field.”

The main control domains include:

  1. Information Security Policies – establishing policies and procedures

  2. Organization of Information Security – defining roles and responsibilities

  3. Human Resource Security – controls before, during, and after employment

  4. Asset Management – mapping and classifying information assets

  5. Access Control – restricting access to sensitive information

  6. Cryptography – encrypting sensitive data

  7. Physical and Environmental Security – protecting facilities and infrastructure

  8. Operations Security – secure operational procedures

  9. Communications Security – securing networks and information transfer

  10. System Acquisition, Development, and Maintenance – integrating security into systems

  11. Supplier Relationships – managing information security risks in the supply chain

  12. Information Security Incident Management – detecting, reporting, and handling incidents

  13. Information Security Aspects of Business Continuity Management – disaster recovery

  14. Compliance – meeting legal, regulatory, and contractual obligations

(*) Gerhard Disterer is a professor and researcher in the field of information systems and information security. The article cited here focuses on the ISO 27000 series, particularly the ISO 27001 and ISO 27002 standards for information security management.


Who is Required to Comply with the Standard Under Israeli Law?

In Israel, the regulatory obligation to comply with ISO 27001 applies to several sectors:

Financial Institutions

The Bank of Israel’s Banking Supervision Department mandated the implementation of a cyber risk management framework in Proper Conduct of Banking Business Directive 361. As stated in the directive:

“The bank shall implement a cyber defense framework based on internationally accepted risk management principles such as ISO 27001.”
(Bank of Israel, Directive 361, 2015, p. 4)

Essential Service Providers to the Cyber Directorate

According to Government Resolution 2443, which expanded the Public Bodies Security Arrangements Law (1998), entities defined as “critical infrastructure” must implement information security standards.

As cybersecurity researcher Dr. Tal Goldschmidt (2021) notes:

“The Public Bodies Security Arrangements Law allows the National Cyber Directorate to require critical infrastructure entities to comply with specific standards and guidelines, with ISO 27001 forming the basis of most of these directives.”

Organizations Holding Sensitive Databases

The Privacy Protection (Data Security) Regulations (2017) impose specific obligations on organizations holding databases. Section 15(3) of the regulations states:

“The owner of a database subject to the high-security level shall consider conducting a risk assessment covering all systems of the database at least once every 24 months, according to accepted standards in the field.”

Government Cloud Service Providers

As part of the Nimbus tender, cloud service providers to the government are required to present certification to the standard. As stated in the tender documents published by the Ministry of Finance (2020):

“The provider shall attach proof of compliance with ISO 27001 or an equivalent standard.”


The Situation in the U.S.: Sector-Based Regulation

In the United States, there is no uniform federal legislation mandating compliance with ISO 27001. The U.S. approach is characterized by sector-specific regulation.

According to a study published by the National Institute of Standards and Technology (NIST, 2020):

“Unlike the European model, the U.S. approach to information security regulation is based on sector-specific requirements, with an emphasis on outcomes rather than specific means.”

Financial Sector

The Sarbanes-Oxley Act (SOX) of 2002 and the Gramm-Leach-Bliley Act of 1999 require financial institutions to implement information security controls. As Siponen & Willison (2009) noted:

“U.S. financial regulation, particularly SOX, requires strong internal controls that closely align with the controls required in ISO 27001.”

Healthcare Sector

The HIPAA (Health Insurance Portability and Accountability Act) regulations define requirements for securing medical information. A study published in the Journal of Healthcare Information Management (Herzig et al., 2018) found:

“63% of healthcare organizations surveyed adopted ISO 27001 as a framework for compliance with HIPAA’s technical requirements.”

Government Service Providers

The NIST Cybersecurity Framework, developed following a 2013 presidential executive order, serves as the foundation for information security requirements in federal contracts. A study by Ross et al. (2019) showed:

“There is a 92% overlap between the NIST CSF requirements and ISO 27001 controls.”

Public Companies

In 2023, the U.S. Securities and Exchange Commission (SEC) issued guidelines requiring public companies to report on cyber risk management and significant cybersecurity events. Adopting structured frameworks like ISO 27001 can help organizations meet these expectations.


New York State’s Special Regulatory Landscape

New York is a leader in cybersecurity regulation in the U.S., particularly in the financial sector. The New York Department of Financial Services (NYDFS) issued Regulation 23 NYCRR 500 in 2017, also known as the “NYDFS Cybersecurity Regulation.” These regulations require supervised financial institutions to maintain a comprehensive cybersecurity program, incorporating many components similar to those required by ISO 27001.

In addition, in 2019, New York enacted the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), which imposes data security requirements on any business holding the personal information of New York residents. The law requires businesses to implement reasonable safeguards, conduct periodic risk assessments, and provide employee training in information security.

Implementing ISO 27001 is considered one of the most effective ways to comply with these requirements, as the standard offers a comprehensive framework for information security management that includes most of the elements required by New York legislation. As a result, many businesses in the state choose to adopt the standard to ensure compliance with strict local regulations.


Bibliography

  • Bank of Israel (2015). Proper Conduct of Banking Business Directive 361 – Cyber Defense Management.

  • Goldschmidt, T. (2021). Cyber Regulation in Israel: A Comparative Review. Israeli Institute for Technology Policy.

  • Ministry of Finance (2020). Nimbus Tender for Cloud Services to the Government of Israel.

  • Privacy Protection (Data Security) Regulations, 2017.

  • Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security, 4(2), 92–100.

  • Gartner (2023). Market Guide for Cybersecurity Regulatory Compliance.

  • Herzig, T., et al. (2018). HIPAA Compliance and ISO 27001: An Integrated Approach. Journal of Healthcare Information Management, 32(3), 64–72.

  • International Organization for Standardization (2022). ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

  • National Institute of Standards and Technology (2020). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.

  • Ross, R., et al. (2019). Integrating the NIST Cybersecurity Framework with ISO 27001. NIST Special Publication 800-53.

  • Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267–270.
