InfoSec Management, Standards & Records Law
Key Takeaways
- ISO/IEC 27001:2022 is the current version of the international information security management system (ISMS) standard, organized around 93 controls in four themes.
- PCI DSS v4.0.1 is the only active Payment Card Industry Data Security Standard version; all 51 previously future-dated requirements became mandatory on March 31, 2025.
- GDPR requires notifying the supervisory authority of a personal-data breach within 72 hours of becoming aware of it.
- GDPR's most serious violations carry fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.
- Biometric information privacy laws such as Illinois' BIPA require a written, publicly available retention and destruction policy and written consent before collecting biometric identifiers.
Information Security Management Principles
Information security management is the governance discipline that translates security strategy into repeatable operational practice. CPP candidates should be fluent in the vocabulary examiners use precisely: an asset is anything of value to the organization (data, systems, reputation); a threat is any potential cause of an unwanted incident; a vulnerability is a weakness a threat can exploit; and risk is the combination of the likelihood a threat exploits a vulnerability and the resulting impact. Most recognized management-system standards, including ISO/IEC 27001, structure the security function around a Plan-Do-Check-Act (PDCA) cycle: plan the information security management system (ISMS) and its controls, implement (do) them, check their effectiveness through audit and monitoring, and act on findings to drive continual improvement. A defensible program also maintains a clear policy hierarchy -- policy (management intent) sits above standards (mandatory specifications), which sit above procedures (step-by-step instructions), which sit above guidelines (recommended practice) -- and requires visible executive sponsorship, since a program without leadership backing cannot compel resourcing or enforce compliance.
Governance roles matter as much as vocabulary: many organizations designate a Chief Information Security Officer (CISO) or equivalent information security manager to own the ISMS, report risk posture to executive leadership and the board, and define the organization's risk appetite -- the level of risk the organization is willing to accept before treatment is required. Without a documented risk appetite, security professionals lack a consistent line for deciding whether a given qualitative rating (e.g., Medium) requires mandatory mitigation or can be accepted.
Industry Standards
Three standards dominate CPP-level information security testing:
| Standard | Scope | Key current facts |
|---|---|---|
| ISO/IEC 27001:2022 | General-purpose information security management system (ISMS), applicable to any organization regardless of industry | Third edition, replacing the 2013 version; organizes 93 controls into 4 themes (organizational, people, physical, technological); certification transition to the 2022 version closed October 31, 2025 |
| PCI DSS v4.0.1 | Mandatory technical/procedural controls for any organization that stores, processes, or transmits payment card data | The only active version since v3.2.1 retired March 2024 and v4.0 retired December 2024; all 51 previously future-dated requirements became mandatory March 31, 2025; requires multi-factor authentication for all non-console access to the cardholder data environment (CDE) |
| PII protection principles | Any personally identifiable information an organization collects | Core principles: data minimization (collect only what is needed), purpose limitation, access control, and encryption both at rest and in transit |
A candidate should recognize that ISO 27001 certification does not satisfy PCI DSS obligations, and vice versa -- they address overlapping but distinct scopes, and an organization handling payment cards typically must comply with both simultaneously.
Records-Management Laws
Information security management does not end at the technical boundary; it extends into legal obligations governing how records are retained, disclosed, and destroyed.
GDPR (General Data Protection Regulation) is the EU's data-protection law with extraterritorial reach -- it applies to any organization processing the personal data of EU residents, regardless of where the organization is based. Two provisions are especially exam-relevant: (1) a 72-hour breach notification requirement to the relevant supervisory authority once the organization becomes aware of a qualifying personal-data breach, and (2) a tiered fine structure -- up to EUR 20 million or 4% of global annual turnover (whichever is higher) for the most serious infringements, and up to EUR 10 million or 2% for lesser violations such as a pure notification failure. GDPR also grants individuals rights of access, erasure (commonly called the right to be forgotten), and data portability. Data subject rights that a records-management program must be able to operationalize include:
- Right of access -- provide a copy of the personal data being processed.
- Right to erasure -- delete personal data upon a valid request, subject to legal retention exceptions.
- Right to data portability -- provide data in a structured, commonly used, machine-readable format.
- Right to rectification -- correct inaccurate personal data.
Organizations processing personal data at scale, or engaging in large-scale monitoring, are also generally required to appoint a Data Protection Officer (DPO) to oversee compliance independently of operational management.
Retention schedules and legal holds govern the routine lifecycle of records. A retention schedule specifies how long each record category must be kept to satisfy legal, regulatory, or business need before routine destruction. A legal hold suspends that routine destruction schedule the moment litigation, investigation, or regulatory inquiry is reasonably anticipated -- failing to issue a hold in time (spoliation) can expose the organization to sanctions independent of the underlying dispute. A legal hold notice typically identifies the custodians affected and the categories of records covered, and instructs recipients to suspend any automated or manual destruction process until the hold is formally released by legal counsel.
Biometric information privacy laws, such as Illinois' Biometric Information Privacy Act (BIPA), impose obligations specific to fingerprints, iris scans, facial geometry, and similar identifiers. BIPA requires a written policy, made publicly available, that establishes a retention schedule and destruction guidelines, and requires written, informed consent before collection. Biometric data must be destroyed when the original collection purpose is satisfied, or within three years of the individual's last interaction with the entity, whichever comes first. Several other U.S. states have since enacted similar biometric-specific statutes, and security managers implementing biometric access control must coordinate with legal counsel to satisfy both the security-system requirement and the records-law requirement simultaneously -- a clear example of why information security management cannot be separated from broader records-management compliance.
Which statement correctly distinguishes the current PCI DSS standard from ISO/IEC 27001:2022?
An organization operating in Illinois collects employee fingerprint data for time-clock purposes. Under a biometric information privacy law such as Illinois' BIPA, which requirement must be satisfied before collection?