Legal and Regulatory Elements of a CISO’s Role


With such a diverse range of responsibilities, the path to becoming a Chief Information Security Officer, or CISO, appears long and winding. Therefore, in the previous blog post, we decided to simplify the process by following Alex, a newly appointed CISO, on her journey.

Alex’s journey can be broken down into 7 stages. Last week, we looked at the first stage, Security Operations, and this week we will delve into the second stage, Legal and Regulatory.

A CISO’s Legal and Regulatory responsibilities comprise many different components and are best explored when broken down into 8 separate parts:

  1. Compliance
  2. Privacy
  3. Audit
  4. Investigations
  5. Intellectual Property Protection
  6. Contract Review
  7. Customer Requirements
  8. Lawsuit Risk

It is worth noting that, although each part is within the realm of a CISO’s responsibilities, the relevance of some components will vary from organisation to organisation and industry to industry. Indeed, CISOs, like Alex, play a key role in discerning what is applicable and evaluating where an organisation’s cybersecurity priorities lie.

Compliance

Compliance deals with a company’s responsibility to adhere to certain standards, frameworks and other guidelines. Compliance requirements vary across industries and jurisdictions, so a CISO must determine which apply to their organisation and put processes in place to ensure that compliance is met. These may include:

  1. Payment card industry (PCI)
  2. The Sarbanes–Oxley Act (SOX)
  3. Health Insurance Portability and Accountability Act (HIPAA)
  4. The Federal Financial Institutions Examination Council (FFIEC), Consolidated Audit Trail (CAT)
  5. The Family Educational Rights and Privacy Act (FERPA)
  6. North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
  7. National Institute of Standards and Technology Special Publication (NIST SP 800-37 and 800-53)

Privacy

Organisations must also meet certain guidelines and compliance requirements that relate specifically to privacy. These include:

  1. Privacy Shield
  2. European Union General Data Protection Regulation (EU GDPR)

Audit

Audits concern the policies, procedures and controls that an organisation, through its CISO, puts in place to ensure that compliance and other requirements are met. Relevant audit standards and frameworks include:

  1. Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
  2. Service Organization Control 2 (SOC 2)
  3. International Organization for Standardization (ISO 27001)
  4. Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP)
  5. National Institute of Standards and Technology Special Publication (NIST SP 800-53A)
  6. Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Investigations

An organisation must also have processes in place to perform certain Investigations. For example, if a customer requests that all of their personal data be deleted, eDiscovery – the identification and collection of all the information a company holds across its active files, archives and databases – is required to ensure this request is met. Investigations include:

  1. eDiscovery
  2. Forensics

Intellectual Property Protection

Intellectual Property Protection requires a CISO to ensure that all valuable company information, for example, company documents, code or even hardware, is protected.

Contract Review

Contract Review ensures a company is secure and protected. A CISO must review contracts and legal documentation and guarantee the company can exercise its legal rights should the need arise.

Customer Requirements

Customer Requirements involve adapting or making provisions for specific customers to meet their individual needs.

Lawsuit Risk

Lawsuit Risk concerns the steps taken by a CISO to mitigate the risk of lawsuits and ensure that the company is not exposed to any such threats.

Aware of all of her Legal and Regulatory responsibilities as a CISO, Alex must now discern what applies to her organisation and begin putting procedures in place to ensure that her company is protected.

Initially, Alex, whose previous roles have been IT-focused, was surprised at the breadth of her Legal and Regulatory responsibilities. However, it soon became evident to her that, like performing a Pen Test or a Cybersecurity Risk Assessment, carrying out these tasks is essential to ensure that her organisation is secure and protected.
