DOMAIN:COMPLIANCE_THOUGHT_LEADERS¶
OWNER: julian
UPDATED: 2026-03-24
SCOPE: key organizations, authors, certifications, and resources in compliance and information security
SERVES: julian (compliance officer), amber (auditor)
ALSO_USED_BY: annegreet (knowledge curation), eltjo (learning analysis)
STANDARDS_ORGANIZATIONS¶
ISO (International Organization for Standardization)¶
TAG:ISO
WHAT: develops and publishes international standards including the 27000 family
HEADQUARTERS: Geneva, Switzerland
RELEVANT_STANDARDS:
- ISO/IEC 27001:2022 — Information security management systems (ISMS) requirements
- ISO/IEC 27002:2022 — Information security controls guidance
- ISO/IEC 27017:2015 — Cloud security controls
- ISO/IEC 27018:2019 — Protection of PII in public clouds
- ISO/IEC 27701:2019 — Privacy information management (GDPR extension)
- ISO/IEC 27005:2022 — Information security risk management
- ISO 22301:2019 — Business continuity management
- ISO 31000:2018 — Risk management
WEBSITE: iso.org
NOTE: standards must be purchased (not free). National bodies (NEN for Netherlands) sell them.
NEN_WEBSITE: nen.nl — Dutch normalization institute, sells ISO standards in Dutch and English
GE_RELEVANCE: ISO 27001 is GE's primary ISMS framework. ISO 27701 for GDPR demonstration.
AICPA (American Institute of Certified Public Accountants)¶
TAG:AICPA TAG:SOC2
WHAT: defines SOC 2 Trust Services Criteria, accredits SOC 2 auditors
RELEVANT_PUBLICATIONS:
- TSP Section 100: 2017 Trust Services Criteria (defines CC1-CC9)
- SOC 2 Reporting Framework (examination guidance for auditors)
- Description Criteria for Service Organizations (DC Section 200)
- SOC for Cybersecurity (newer framework, less adopted)
WEBSITE: aicpa.org
SOC2_RESOURCES: aicpa.org/resources/soc-2
NOTE: SOC 2 is US-origin but globally recognized. Enterprise clients (especially US-based or US-funded) frequently require it.
GE_RELEVANCE: SOC 2 Type II certification validates GE's controls to enterprise clients.
ISACA¶
TAG:ISACA
WHAT: global professional association for IT governance, risk, audit, cybersecurity, and privacy
HEADQUARTERS: Schaumburg, Illinois (global presence)
FRAMEWORKS:
- COBIT 2019 — IT governance and management framework
- CMMI — Capability Maturity Model Integration
- ITAF — IT Assurance Framework (audit standards)
CERTIFICATIONS:
- CISA (Certified Information Systems Auditor) — gold standard for IT audit
- CISM (Certified Information Security Manager) — security management
- CRISC (Certified in Risk and Information Systems Control) — risk management
- CGEIT (Certified in Governance of Enterprise IT) — governance
- CDPSE (Certified Data Privacy Solutions Engineer) — privacy engineering
PUBLICATIONS:
- ISACA Journal (bimonthly)
- Audit programs and checklists (members-only)
- Research reports on emerging technology risks
WEBSITE: isaca.org
GE_RELEVANCE: COBIT provides governance framework context. CISA methodology informs Amber's audit approach.
CSA (Cloud Security Alliance)¶
TAG:CSA TAG:CSA_STAR
WHAT: promotes best practices for cloud security
FRAMEWORKS:
- Cloud Controls Matrix (CCM) v4 — 197 control objectives across 17 domains
- CSA STAR (Security, Trust, Assurance, and Risk) — cloud-specific certification
  - Level 1: self-assessment (publish CAIQ)
  - Level 2: third-party audit (ISO 27001 + CCM or SOC 2 + CCM)
  - Level 3: continuous monitoring
- Consensus Assessments Initiative Questionnaire (CAIQ) v4 — standardized cloud security questionnaire
PUBLICATIONS:
- "Security Guidance for Critical Areas of Focus in Cloud Computing" (free)
- CCM mapping to ISO 27001, NIST CSF, PCI DSS
- Top Threats to Cloud Computing (annual)
WEBSITE: cloudsecurityalliance.org
GE_RELEVANCE: CSA STAR Level 2 builds on ISO 27001 — efficient path to cloud-specific certification. CCM questionnaire increasingly requested by enterprise clients.
IAPP (International Association of Privacy Professionals)¶
TAG:IAPP TAG:PRIVACY
WHAT: largest global information privacy community
HEADQUARTERS: Portsmouth, New Hampshire (global presence)
CERTIFICATIONS:
- CIPP/E (Certified Information Privacy Professional/Europe) — EU privacy law
- CIPP/US — US privacy law
- CIPM (Certified Information Privacy Manager) — privacy program management
- CIPT (Certified Information Privacy Technologist) — privacy in technology
PUBLICATIONS:
- Daily Dashboard (daily privacy news)
- Privacy Perspectives (blog)
- Privacy Tracker (regulation tracking)
- Resource Center (research reports, benchmarking)
WEBSITE: iapp.org
GE_RELEVANCE: CIPP/E and CIPT are most relevant. IAPP resources inform Julian's privacy guidance.
NIST (National Institute of Standards and Technology)¶
TAG:NIST
WHAT: US federal agency producing cybersecurity frameworks and standards
RELEVANT_FRAMEWORKS:
- NIST Cybersecurity Framework (CSF) 2.0 — released February 2024, six functions (GOVERN newly added)
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls (comprehensive, 1,000+ controls)
- NIST SP 800-171 Rev. 3 — Protecting CUI in nonfederal systems (relevant for US gov contractors)
- NIST AI 100-1 — AI Risk Management Framework (January 2023)
- NIST SP 800-218 — Secure Software Development Framework (SSDF)
WEBSITE: nist.gov/cybersecurity
NOTE: US government framework but widely referenced globally. Maps to ISO 27001 and SOC 2.
FREE: all NIST publications are free (unlike ISO standards)
GE_RELEVANCE: NIST CSF 2.0 provides complementary risk framework. NIST AI RMF relevant for AI governance. SP 800-218 aligns with GE's SDLC.
ENISA (European Union Agency for Cybersecurity)¶
TAG:ENISA
WHAT: EU agency for cybersecurity policy, standards, and threat analysis
HEADQUARTERS: Athens, Greece
RELEVANT_PUBLICATIONS:
- ENISA Threat Landscape (annual) — comprehensive EU threat analysis
- Cloud Security Guide for SMEs
- Good Practices for Security of IoT
- NIS2 implementation guidance
- EU Cybersecurity Certification Framework (EUCC)
WEBSITE: enisa.europa.eu
GE_RELEVANCE: ENISA threat landscape informs risk assessment. NIS2 guidance directly applicable. EUCC may become relevant for GE certification.
EDPB (European Data Protection Board)¶
TAG:EDPB
WHAT: independent European body ensuring consistent GDPR application
RELEVANT_GUIDELINES:
- Guidelines 4/2019 on Art. 25 (Data Protection by Design)
- Guidelines 1/2024 on Legitimate Interest
- Guidelines 02/2023 on Art. 5(3) ePrivacy (tracking and cookies)
- Opinion 22/2024 on Processors
- Opinion 28/2024 on AI Models and GDPR
- Recommendations 01/2020 on supplementary transfer measures (Schrems II)
WEBSITE: edpb.europa.eu
NOTE: EDPB guidelines are not binding law but are highly authoritative — DPAs follow them in enforcement.
GE_RELEVANCE: EDPB guidelines are the primary interpretive source for GDPR implementation. Julian must track all new guidelines.
KEY_AUTHORS_AND_CONSULTANTS¶
Jaap-Henk Hoepman¶
TAG:AUTHOR
ROLE: Professor of Privacy Technologies, Radboud University, Netherlands
CONTRIBUTION: 8 Privacy by Design Strategies (MINIMIZE, HIDE, SEPARATE, AGGREGATE, INFORM, CONTROL, ENFORCE, DEMONSTRATE)
BOOK: "Privacy Is Hard and Seven Other Myths" (MIT Press, 2021)
RELEVANCE: Hoepman's 8 strategies are GE's primary privacy-by-design framework. Dutch academic, directly applicable to EU context.
WEBSITE: cs.ru.nl/~jhh/
Adam Shostack¶
TAG:AUTHOR
CONTRIBUTION: threat modeling methodology, STRIDE framework popularization
BOOKS:
- "Threat Modeling: Designing for Security" (Wiley, 2014) — definitive reference
- "Threats: What Every Engineer Should Learn From Star Wars" (Wiley, 2023) — accessible introduction
RELEVANCE: threat modeling methodology applicable to GE's security assessments. STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) framework for systematic threat identification.
Gene Kim, Jez Humble, Nicole Forsgren¶
TAG:AUTHOR
CONTRIBUTION: DevOps and continuous delivery research, security in the SDLC
BOOKS:
- "Accelerate" (IT Revolution, 2018) — research-backed DevOps metrics (DORA metrics)
- "The Phoenix Project" (IT Revolution, 2013) — DevOps narrative
- "The DevOps Handbook" (IT Revolution, 2016) — practical implementation
- "Investments Unlimited" (IT Revolution, 2022) — compliance in regulated environments
RELEVANCE: "Investments Unlimited" directly addresses automated compliance in CI/CD, compliance-as-code. DORA metrics applicable to GE's change management measurement.
Chris Romeo and Brook S.E. Schoenfield¶
TAG:AUTHOR
CONTRIBUTION: application security architecture
BOOKS:
- Romeo: "Application Security Program Handbook" (Manning, 2024)
- Schoenfield: "Securing Systems: Applied Security Architecture and Threat Models" (CRC Press, 2015)
- Schoenfield: "Secrets of a Cyber Security Architect" (CRC Press, 2019)
RELEVANCE: practical application security architecture. Schoenfield's work on security architecture patterns applicable to GE's three-zone architecture design.
Ross Anderson¶
TAG:AUTHOR
CONTRIBUTION: foundational security engineering
BOOK: "Security Engineering" (Wiley, 3rd edition 2020) — comprehensive reference, 1200+ pages
NOTE: freely available online at cl.cam.ac.uk/~rja14/book.html
RELEVANCE: foundational security engineering principles. Chapter on access control directly applicable. Chapter on economics of security relevant to GE's pricing model.
Noriaki Kano¶
TAG:AUTHOR
CONTRIBUTION: Kano model of quality (must-be, one-dimensional, attractive)
RELEVANCE: compliance requirements as "must-be" quality (no credit for having them, massive penalty for missing them). Frames compliance as baseline, not differentiator.
CERTIFICATIONS_FOR_REFERENCE¶
INFORMATION_SECURITY¶
| Certification | Issuing Body | Focus | Relevance to GE |
|---|---|---|---|
| CISSP | (ISC)2 | Broad security management | General security framework knowledge |
| CISA | ISACA | IT audit | Amber's audit methodology reference |
| CISM | ISACA | Security management | Julian's management approach reference |
| CCSP | (ISC)2 + CSA | Cloud security | Cloud-specific security controls |
| CEH | EC-Council | Ethical hacking | Ashley's adversarial testing reference |
| OSCP | Offensive Security | Penetration testing | Adversarial security testing methodology |
| ISO 27001 Lead Auditor | Various (IRCA-certified) | ISMS auditing | Amber's audit competency reference |
| ISO 27001 Lead Implementer | Various | ISMS implementation | Julian's implementation methodology |
PRIVACY¶
| Certification | Issuing Body | Focus | Relevance to GE |
|---|---|---|---|
| CIPP/E | IAPP | EU privacy law | Julian's GDPR knowledge base |
| CIPT | IAPP | Privacy in technology | Development privacy controls |
| CIPM | IAPP | Privacy program management | Privacy program structure |
| DPO certification | Various (CEDPO members) | Data Protection Officer | DPO competency framework |
| ISO 27701 Lead Implementer | Various | Privacy management | PIMS implementation methodology |
CLOUD_AND_DEVOPS¶
| Certification | Issuing Body | Focus | Relevance to GE |
|---|---|---|---|
| CCSK | CSA | Cloud security knowledge | Cloud security baseline |
| CKA/CKS | CNCF | Kubernetes admin/security | k3s cluster security |
| AWS/Azure/GCP security certs | Cloud providers | Provider-specific security | Provider assessment context |
KEY_BOOKS¶
COMPLIANCE_AND_GOVERNANCE¶
- "IT Governance: An International Guide" — Alan Calder, Steve Watkins (Kogan Page, 8th ed. 2024)
  - Comprehensive IT governance reference, covers ISO 27001, SOC 2, GDPR
  - GE_USE: governance framework context
- "ISO 27001 Controls: A Guide to Implementing and Auditing" — Bridget Kenyon (Springer, 2023)
  - Practical control implementation guidance, updated for 2022 version
  - GE_USE: Julian's implementation reference, Amber's audit reference
- "SOC 2 Academy: From Basics to Certification" — various authors
  - NOTE: no single definitive book — AICPA guidance documents are primary source
  - GE_USE: SOC 2 preparation methodology
- "Investments Unlimited" — Gene Kim et al. (IT Revolution, 2022)
  - Compliance automation in CI/CD, compliance-as-code
  - GE_USE: evidence automation approach, directly applicable to GE's pipeline
- "The GDPR Handbook" — Certes Computing (Kogan Page, 2nd ed. 2024)
  - Practical GDPR implementation for technology organizations
  - GE_USE: Julian's GDPR reference
SECURITY_ENGINEERING¶
- "Security Engineering" — Ross Anderson (Wiley, 3rd ed. 2020)
  - Free online. Foundational security engineering principles.
  - GE_USE: security architecture fundamentals
- "Threat Modeling: Designing for Security" — Adam Shostack (Wiley, 2014)
  - STRIDE methodology, practical threat modeling
  - GE_USE: threat modeling in specification phase (Anna)
- "Building Secure and Reliable Systems" — Heather Adkins et al. (O'Reilly, 2020)
  - Google SRE team's approach to security and reliability
  - Free online from Google. Covers secure SDLC, incident response.
  - GE_USE: operational security practices, incident response design
- "Application Security Program Handbook" — Chris Romeo (Manning, 2024)
  - Building and scaling application security programs
  - GE_USE: structuring GE's security program across agents
PRIVACY_ENGINEERING¶
- "Privacy Is Hard and Seven Other Myths" — Jaap-Henk Hoepman (MIT Press, 2021)
  - Privacy by design strategies, accessible and practical
  - GE_USE: primary privacy-by-design reference (Hoepman's 8 strategies)
- "Data Privacy: A Runbook for Engineers" — Nishant Bhajaria (Manning, 2022)
  - Engineering-focused privacy implementation
  - GE_USE: technical privacy controls, privacy in development pipeline
- "The Privacy Engineer's Manifesto" — Michelle Dennedy et al. (Apress, 2014)
  - Privacy engineering as a discipline
  - GE_USE: privacy engineering mindset for development teams
AUDIT_AND_RISK¶
- "IT Auditing Using Controls to Protect Information Assets" — Mike Kegerreis et al. (McGraw-Hill, 3rd ed. 2019)
  - Practical IT audit techniques and methodologies
  - GE_USE: Amber's audit technique reference
- "The Risk Management Handbook" — David Hillson (Kogan Page, 2nd ed. 2023)
  - Risk management frameworks and techniques
  - GE_USE: risk assessment methodology
ONLINE_RESOURCES¶
FREE_FRAMEWORKS_AND_TOOLS¶
| Resource | URL | Description |
|---|---|---|
| NIST CSF 2.0 | nist.gov/cyberframework | Full framework, free |
| NIST SP 800-53 | csrc.nist.gov | Control catalog, free |
| CIS Controls v8 | cisecurity.org | Top 18 controls, free |
| CIS Benchmarks | cisecurity.org | Configuration benchmarks, free |
| OWASP ASVS | owasp.org/asvs | Application security verification, free |
| OWASP Top 10 | owasp.org | Web application security risks, free |
| CSA CCM v4 | cloudsecurityalliance.org | Cloud controls matrix, free |
| CSA CAIQ v4 | cloudsecurityalliance.org | Cloud security questionnaire, free |
| ENISA publications | enisa.europa.eu | EU cybersecurity guidance, free |
| EDPB guidelines | edpb.europa.eu | GDPR interpretive guidance, free |
COMMUNITY_AND_NEWS¶
| Resource | Description |
|---|---|
| ISACA Now (blog) | IT governance and audit community news |
| IAPP Daily Dashboard | Daily privacy news digest |
| Krebs on Security | Security incident reporting and analysis |
| The Hacker News | Cybersecurity news and vulnerability disclosure |
| ENISA Threat Landscape | Annual EU threat analysis report |
| AP nieuwsberichten (Dutch DPA) | Dutch DPA enforcement actions and guidance |
DUTCH_SPECIFIC_RESOURCES¶
TAG:NETHERLANDS
ORGANIZATIONS¶
| Organization | Role | Website |
|---|---|---|
| NEN | Dutch normalization institute, sells ISO standards | nen.nl |
| Autoriteit Persoonsgegevens | Dutch DPA, GDPR enforcement | autoriteitpersoonsgegevens.nl |
| NCSC-NL | National Cyber Security Centre | ncsc.nl |
| Rijksinspectie Digitale Infrastructuur (RDI) | NIS2 supervisory authority (when Cbw takes effect) | rdi.nl |
| Platform voor Informatiebeveiliging (PvIB) | Dutch information security community | pvib.nl |
| Dutch Cloud Community | Cloud adoption and security community | dutchcloudcommunity.nl |
| NOREA | Professional body for IT auditors in NL | norea.nl |
CERTIFICATIONS_DUTCH_CONTEXT¶
- RE (Register EDP-Auditor) — NOREA certification, recognized for IT audit in Netherlands
- CISSP, CISA, CISM recognized but not NL-specific
- ISO 27001 Lead Auditor/Implementer certifications via NEN-affiliated training providers
LEGAL_RESOURCES¶
- Wetsvoorstel Cyberbeveiligingswet (Cbw) — NIS2 Dutch implementation bill
- Telecommunicatiewet Art. 11.7a — Dutch cookie law implementation
- Uitvoeringswet AVG (UAVG) — Dutch GDPR implementation act
FRAMEWORK_CROSS_MAPPING¶
Understanding how frameworks relate saves effort — one control satisfies multiple frameworks.
MAPPING_TABLE (selected controls)¶
| GE Control | ISO 27001 | SOC 2 | NIST CSF 2.0 | CIS v8 | CSA CCM |
|---|---|---|---|---|---|
| Access control (RBAC) | A.8.2, A.8.3 | CC6.1, CC6.4 | PR.AA | 5, 6 | IAM-01-04 |
| Change management | A.8.32 | CC8.1-8.4 | PR.IP | 2 | CCC-01-05 |
| Vulnerability mgmt | A.8.8 | CC7.1 | ID.RA, PR.IP | 7, 16 | TVM-01-09 |
| Incident response | A.5.24-27 | CC7.2-7.5 | RS, RC | 17 | SEF-01-05 |
| Logging/monitoring | A.8.15-16 | CC7.1-7.2 | DE.CM | 8 | LOG-01-13 |
| Secure coding | A.8.28 | CC8.2 | PR.DS | 16 | AIS-01-04 |
| Encryption | A.8.24 | CC6.6 | PR.DS | 3 | CEK-01-14 |
| Config management | A.8.9 | CC7.1 | PR.IP | 4 | IVS-01-13 |
BENEFIT: implementing controls once, mapping to multiple frameworks, reduces certification cost.
READ_ALSO: iso27001-controls.md, soc2-criteria.md, gdpr-implementation.md, evidence-automation.md, audit-procedures.md