
NYDFS – 23 NYCRR 500

NYDFS and ISO 27001 as a best-practice solution

The New York Department of Financial Services’ (NYDFS) Cybersecurity Requirements entered their 180-day transition period on March 1, and financial institutions (and their third-party providers) across the state are making sure they have the measures in place to comply with the Regulation.

Adopting ISO 27001 is a great way to achieve compliance. It is the international standard that describes best practice for an information security management system (ISMS), and can be used as a framework to meet the Requirements.

How ISO 27001 can help

Much of the NYDFS Cybersecurity Requirements is native to ISO 27001, making it straightforward to implement and manage. ISO 27001 is an ideal umbrella security framework and can easily accommodate other regulatory requirements. For instance, Clauses 4.2 and 4.3 of ISO 27001 essentially require the ISMS to meet all legal, regulatory, and contractual requirements, which naturally includes the NYDFS Cybersecurity Requirements. As such, compliance with ISO 27001 should streamline NYDFS compliance: the standard is already widely understood, has plenty of supporting resources, and provides a structure within which the NYDFS requirements can be managed.

Important dates

August 28, 2017 – covered entity’s cybersecurity program, cybersecurity policy, and response plan must all be in place; breach notification obligation effective; CISO must be appointed;

February 15, 2018 – first annual certification to the Superintendent of Financial Services due;

March 1, 2018 – penetration and vulnerability testing obligation begins; periodic assessments policy must be in place; cybersecurity awareness training must be provided to employees;

September 1, 2018 – covered entity’s audit trail policy, applications security policy, data retention policy, and authorized user monitoring policy must all be in place; encryption or alternative must be adopted; and

March 1, 2019 – third party service provider security policy in place.

Ezentria helps firms implement cutting-edge information security practices, using the globally accepted ISO 27001:2013 Information Security Management System as a focal point. Contact us to discuss your environment and we’ll create a strategy to meet the NYDFS requirements and also prepare your organization to easily accommodate future information security legislation and concerns.


Call (800) 230-0780 now for a free consultation.

Don't wait to secure your company's vital information assets.

Contact us now to learn more about NYDFS – 23 NYCRR 500.
