What is the primary objective of GLBA?

The primary objective of GLBA is to require financial institutions to explain their information-sharing practices and safeguard nonpublic personal information (NPI). Enacted in 1999, GLBA's Title V mandates transparency via the Privacy Rule (16 C.F.R. Part 313)—initial and annual notices detailing NPI collection, disclosure to nonaffiliated third parties, and opt-out rights—and security via the Safeguards Rule (16 C.F.R. Part 314), requiring a written information security program with administrative, technical, and physical safeguards.

Who is legally or professionally required to comply with GLBA?

GLBA applies to any "financial institution" significantly engaged in financial activities handling NPI, including non-banks under FTC jurisdiction. Covered entities include banks, mortgage lenders, payday lenders, debt collectors, tax preparation firms, collection agencies, credit counselors, and auto dealers arranging financing. The FTC enforces for non-banks; federal banking regulators (e.g., OCC, Federal Reserve) oversee others.

Does GLBA require an external audit or third-party certification?

No, GLBA does not mandate external audits or third-party certification. The Safeguards Rule requires internal processes like periodic risk assessments, vulnerability assessments, and penetration testing, plus service provider oversight with contractual safeguards. Organizations must maintain evidence (e.g., testing results, board reports) for regulatory exams, but no formal certification is prescribed.

How often should an assessment for GLBA be performed?

Risk assessments under GLBA must be performed periodically, at least annually, and upon material changes in operations or threats. The revised Safeguards Rule (effective June 9, 2023) mandates written assessments inventorying customer information, evaluating threats, and defining risk criteria. Testing includes regular vulnerability assessments and penetration testing.

What are the consequences of non-compliance with GLBA?

Non-compliance with GLBA can result in civil penalties up to $100,000 per violation for institutions and $10,000 per violation for individuals, plus up to 5 years imprisonment for willful violations. FTC enforcement includes consent orders, remediation, and reputational harm; examples include actions against Equifax, PayPal, and TaxSlayer. As of May 13, 2024, breaches affecting 500+ consumers require FTC notification within 30 days.

An GLBA be mapped to other international frameworks?

Yes, GLBA elements such as the Safeguards Rule's risk assessments, access controls, encryption, and incident response map to frameworks like NIST CSF and ISO 27001. Privacy notices align with notice-and-choice models. However, GLBA remains a standalone U.S. sectoral law focused on NPI; mappings support integrated compliance but do not substitute for GLBA-specific requirements like Qualified Individual designation and board reporting.

What is the first step to begin implementing GLBA?

The first step to implement GLBA is to determine applicability by inventorying NPI flows and designating a Qualified Individual. Conduct scoping to identify financial activities, map data across systems and vendors, then develop a written information security program per the Safeguards Rule, including risk assessment and board reporting.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions), define scope including supply chain interdependencies, integrate leadership commitment, and ensure performance evaluation through audits and management reviews. The standard is sector-agnostic, applicable to all organization sizes, focusing on holistic governance rather than prescriptive controls.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary and not legally mandatory for any organization. It applies professionally to any entity influencing supply chain security, including logistics providers, manufacturers, retailers, ports, and government agencies of all sizes. Adoption is driven by customer requirements, contractual flow-downs, insurance incentives, or trade facilitation programs, with top management required to demonstrate commitment via policy and resource allocation.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity may be verified internally or externally. Certification follows ISO 28003 guidelines via accredited bodies, typically involving Stage 1 (documentation review) and Stage 2 (implementation audit), with annual surveillance. Internal audits (Clause 9.2) are mandatory at planned intervals to ensure SMS effectiveness.

How often should an assessment for ISO 28000 be performed?

Risk assessments under ISO 28000 must be maintained as an ongoing process per Clause 8.3, with frequency determined by organizational context, risk changes, and audit results. Internal audits occur at planned risk-based intervals (Clause 9.2), management reviews at planned intervals (Clause 9.3), and continual improvement (Clause 10) evaluates performance trends, nonconformities, and external factors like supplier changes.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties as it is a voluntary standard, but it risks operational disruptions, financial losses from security incidents, and failure to meet contractual or partner requirements. Internally, it leads to ineffective SMS, unmet objectives, and audit nonconformities requiring corrective action (Clause 10); externally, it may result in lost market access, higher insurance costs, or reputational damage from supply chain failures.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns structurally with Annex SL-based standards via its PDCA cycle and clause structure (Clauses 4–10). It references ISO 31000 for risk management (Clause 8.3), ISO 22301 for security plans (Clause 8.6), and supports integration with management systems for combined audits, shared documentation, and unified governance.

What is the first step to begin implementing ISO 28000?

The first step is determining the context of the organization per Clause 4, including internal/external issues, interested parties, and SMS scope with supply chain boundaries. This involves mapping processes, identifying legal requirements, and documenting scope as evidenced information, ensuring controls for externally provided processes affecting security conformity.

Standards Comparison

GLBA vs ISO 28000

GLBA

Mandatory

1999

U.S. federal law for financial privacy and safeguards

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

GLBA mandates privacy notices and security for US financial firms protecting NPI, while ISO 28000 is a voluntary global standard for supply chain security management. Organizations adopt GLBA for legal compliance; ISO 28000 for resilience and certification.

Financial Privacy

GLBA

Gramm-Leach-Bliley Act

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Mandates privacy notices and opt-out for NPI sharing
Requires written information security program with safeguards
Designates Qualified Individual for oversight and reporting
Imposes 30-day FTC breach notification threshold
Broad activity-based scope for financial institutions

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management system
PDCA cycle aligned with other ISO standards
Explicit focus on supplier interdependencies and external processes
Leadership commitment and security policy requirements
Integrated incident response and recovery plans

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

GLBA Details

What It Is

Gramm-Leach-Bliley Act (GLBA) is a U.S. federal regulation enacted in 1999. It establishes privacy and security standards for financial institutions handling nonpublic personal information (NPI). Primary purpose: ensure transparency in data sharing and protect customer data via risk-based safeguards. Approach combines Privacy Rule notices/opt-outs with Safeguards Rule security programs.

Key Components

Privacy Rule (16 C.F.R. Part 313): notices, opt-outs for nonaffiliate sharing.
Safeguards Rule (16 C.F.R. Part 314): written security program with 9+ elements including risk assessment, Qualified Individual, vendor oversight.
**Pretexting provisionsanti-social engineering protections. Built on risk-based governance; enforced by FTC for non-banks, no formal certification but audit/compliance model.

Why Organizations Use It

Legal mandate for financial entities; avoids penalties up to $100K/violation. Enhances risk management, customer trust, vendor controls. Provides competitive edge via demonstrated security; aligns with cyber insurance, stakeholder expectations.

Implementation Overview

Phased: scoping, risk assessment, policy development, technical controls (encryption, MFA), testing, training. Applies to broad financial activities (banks, fintech, auto dealers); U.S.-focused. Requires ongoing audits, board reporting, breach notifications.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security and resilience — Security management systems — Requirements is an international certification standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security. It adopts a risk-based, PDCA (Plan-Do-Check-Act) approach aligned with ISO management systems.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.
Built on holistic principles like customization, human factors, and relationship management.
Supports third-party certification per ISO 28003.

Why Organizations Use It

Reduces supply chain risks (theft, sabotage, disruptions).
Meets contractual, regulatory, and insurance requirements.
Enhances resilience, market access, and stakeholder trust.
Provides competitive edge via certified assurance.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, training, audits.
Applicable to all sizes/industries with supply chains.
Involves internal audits, management reviews, optional certification audits. (178 words)

Key Differences

Aspect	GLBA	ISO 28000
Scope	Consumer financial privacy and NPI security	Supply chain security management system
Industry	Financial institutions, non-banks (US)	All sectors with supply chains (global)
Nature	US federal law with FTC enforcement	Voluntary ISO certification standard
Testing	Risk assessments, penetration testing annually	Internal audits, management reviews periodically
Penalties	Up to $100k per violation, imprisonment	Loss of certification, no legal penalties

Scope

GLBA

Consumer financial privacy and NPI security

ISO 28000

Supply chain security management system

Industry

GLBA

Financial institutions, non-banks (US)

ISO 28000

All sectors with supply chains (global)

Nature

GLBA

US federal law with FTC enforcement

ISO 28000

Voluntary ISO certification standard

Testing

GLBA

Risk assessments, penetration testing annually

ISO 28000

Internal audits, management reviews periodically

Penalties

GLBA

Up to $100k per violation, imprisonment

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about GLBA and ISO 28000

GLBA FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

The SOC Maturity Roadmap: A 5-Step Blueprint for Scaling from Ad-Hoc to Optimized Operations

Unlock SOC excellence with our 5-step maturity roadmap. Compare SOC-CMM, NIST CSF, and CMMC frameworks to scale from ad-hoc to automated operations. Start your

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

Discover how compliance software automates monitoring, delivers real-time insights, and transforms compliance pros from reactive gatekeepers to proactive strate

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how GLBA and ISO 28000 compare against other standards

Other GLBA Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Privacy Rule (16 C.F.R. Part 313): notices, opt-outs for nonaffiliate sharing.

Safeguards Rule (16 C.F.R. Part 314): written security program with 9+ elements including risk assessment, Qualified Individual, vendor oversight.

**Pretexting provisionsanti-social engineering protections. Built on risk-based governance; enforced by FTC for non-banks, no formal certification but audit/compliance model.

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.

Emphasizes risk assessment (aligned with ISO 31000), operational controls, security plans, and supplier interdependencies.

Built on holistic principles like customization, human factors, and relationship management.

Supports third-party certification per ISO 28003.

Aspect

GLBA

ISO 28000

Scope

Consumer financial privacy and NPI security

Supply chain security management system

Industry

Financial institutions, non-banks (US)

All sectors with supply chains (global)

Nature

US federal law with FTC enforcement

Voluntary ISO certification standard

Testing

Risk assessments, penetration testing annually

Internal audits, management reviews periodically

Penalties

Up to $100k per violation, imprisonment

Loss of certification, no legal penalties