Control Standards for
Information Security
ISO 27001
SOC 2
John Paz
June 19, 2020
Contents
Overview and Purpose
Benefits
Comparison
The Needs and Requirements of the Customer
Roadmap
What Success Looks Like
Q&A
Overview and Purpose
ISO 27001 Standard
• The international security standard that
provides the specifications to implement
an effective Information Security
Management System (ISMS)
• ISO 27001 focuses on protecting
confidentiality, integrity and availability.
• Assists in complying with General Data
Protection Regulation (GDPR) and
Network and Information Systems (NIS)
regulations.
• A risk management framework.
SOC 2 - System and Organization Controls (SOC) 2 report
(formerly Service Organization Control)
• SOC 2 is an attestation framework for service
organizations developed by the AICPA (American
Institute of Certified Public Accountants); the
report is issued by an independent CPA firm
• SOC 2 is specifically designed for service
providers that store or process customer data,
typically in the cloud, and must protect that data
• SOC 2 is not a legal mandate; it is the assurance
customers expect from any company that stores
their data in the cloud
With both standards, the objective is to implement reasonable technical
security controls, policies, procedures, and overall security management
to protect your company's or your clients' valuable assets.
Benefits
ISO 27001 Benefits
• Provides the framework to build an effective ISMS for
your organization
• Simplifies compliance with multiple regulatory
frameworks (e.g., HIPAA, PCI DSS, and privacy laws governing PII)
• Provides a baseline to implement and demonstrate
measures to comply with strict GDPR and Data Privacy
objectives worldwide
SOC 2 Benefits
• SOC 2 compliance can benefit businesses
that handle customer data for others—
such as SaaS companies, banking, or
healthcare companies
• Compliance helps strengthen company
reputations, financial statements, and
stability by documenting, evaluating,
and improving their internal controls
• A SOC 2 program covers how your use of AWS,
Azure, GCP, GitHub and similar platforms is
configured and monitored, and lets you rely on
those providers' own SOC 2 reports as evidence
for the controls you inherit from them
• Data Center and Colocation service
providers can also offer security
compliance to their customers
With either or both:
• You implement governance, policies and controls
that secure your data
• You improve your company's security posture
• Assets and confidential information are kept
more secure
• Customers and stakeholders gain confidence in
how you manage and reduce security risks
• You meet or exceed Third Party Risk Management
requirements
Comparison
ISO 27001
• ISO 27001 is a standard that includes the
specifications necessary to design,
implement and operate the ISMS and
validate the operation of technical
controls within the system
• Broader in scope than SOC 2: it requires a
management system (leadership, risk assessment,
internal audit, continual improvement), not only
a set of controls
• A 27001-compliant architecture can provide
controls to comply with GDPR, HIPAA, PII
protection laws and other regulatory and
compliance requirements
• ISO 27001 can be thought of as applying to
building an organization's security
infrastructure, while SOC 2 applies more to
verifying that data security controls exist
and operate
SOC 2
• A SOC 2 report is an internal controls report
capturing how a company safeguards customer
data. A Type 1 report covers the design of the
controls at a point in time; a Type 2 report
also tests how well those controls operated
over a review period
• The SOC 2 examination is performed in accordance
with AT-C section 205 (Examination Engagements,
SSAE 18) and based upon the AICPA Trust Services
Criteria
• The SOC 2 audit examines the five Trust Services
Criteria (TSC) categories. Security (the common
criteria) is required in every report; the other
four are included as the scope demands
1. Security
2. Availability
3. Processing integrity
4. Confidentiality
5. Privacy
The needs and requirements of the customer
ISO 27001
• An effective approach to
security to defend against
external attacks and
common internal threats.
• Provides a proven
framework to define,
document, monitor,
review and update
security controls to
address security risks
specific to your business.
• Is a non-prescriptive
standard that tells you
what you need to do, not
how to do it, so your
business implements a
program specific to your
organization.
SOC 2
• SOC 2 compliance is a
minimum requirement
when evaluating any
SaaS, PaaS or IaaS
provider.
• The move to cloud
requires evidence of
third-party compliance
and data protection
measures
• SOC 2 reports on various
organizational controls
related to security,
availability, processing
integrity, confidentiality
or privacy.
For success you need to
understand your
company's requirements
under each ISO 27001 clause:
InfoSec Requirements
(clause 4, context of the organization)
Leadership Requirements
(clause 5)
Planning Requirements
(clause 6)
Support Requirements
(clause 7)
Operational Requirements
(clause 8)
Evaluation Requirements
(clause 9, performance evaluation)
Improvement Requirements
(clause 10)
Roadmap
ISO 27001
1. Create a plan for Security Management
2. Determine your scope – What assets need to be
protected?
3. Understand all the risks associated with all
assets
4. Perform a Risk Assessment
5. Find the gaps between desired and current
state. Determine the best way to manage the
risks. Determine what must be done
6. Close the Gaps – Create a Gap Remediation Plan
(GRP)
7. Execute the GRP – develop policies, standards
and procedures, and document the selected
controls in the Statement of Applicability (SoA)
8. Conduct an ISMS internal audit and management
review
9. Remediate policies, procedures, practices and
configurations before the official audit.
10. Begin the external certification audit
(Stage 1 documentation review, then Stage 2
implementation audit)
5-15 months to become 27001 certified
Internal resources, third party consultants
Audits - $20K-30K, Consulting $30K-90K
SOC 2
1. SOC 2 reports are issued by independent
third-party auditors (licensed CPA firms)
2. Find a competent CPA firm
3. First, perform a SOC 2 scoping and
readiness assessment.
1. This evaluates the organization's internal
control framework.
2. It determines which business functions and
Trust Services Criteria will be in scope of
the SOC 2 audit
4. Then conduct a SOC 2 internal audit
5. Remediate policies, procedures, practices and
configurations before the official audit.
6. Begin the external attestation examination
(SOC 2 is an attestation report, not a
certification).
6 weeks - 3 months on average to reach the
examination; a Type 2 report additionally requires
an observation period (commonly 3 to 12 months)
during which the controls must operate
Internal resources, third party consultants
SOC 2 Type 1 starts at $20,000, SOC 2 Type 2 starts
at $30,000.
What success looks like.
A successful compliance program means:
• Controls are in place at all levels to protect the security of all assets.
• You have an infrastructure that achieves your security objectives
• You see a measurable risk reduction across all business divisions
• Marked reduction of self identified issues and external audit findings
• A security posture that provides Continuous Compliance through automated evidence
collection from AWS, Azure, GCP, GitHub, and more.
• Continued successful external certification audits
• The ability to demonstrate continuous improvement
• Increased customer confidence
• Higher ROI
Non-compliance is costly: weak controls invite
attacks that can debilitate your business, with
lost revenue, customers and opportunities and
out-of-pocket remediation costs. Security
breaches affect people, operations, finance,
intellectual property and brand reputation.
The impact is high.
Q&A


Editor's Notes

  1. To implement ISO 27001 you will need to define a compliant ISMS:
     • Define the scope
     • Define a security policy
     • Conduct a risk assessment
     • Manage identified risks
     • Select control objectives and controls to implement
     • Prepare a Statement of Applicability
     • Reduce costs by understanding risks and opportunities for security improvements
     • Reduce risks by designing a risk treatment plan
     • Decide which residual risks are accepted and confirm that the remaining risks are manageable
  2. SOC 2 tests and reports on the design (Type 1) and operating (Type 2) effectiveness of a service organization's controls. A SOC 2 report is based on the earlier SysTrust and WebTrust principles. Its purpose is to evaluate the organization's information systems relevant to security, availability, processing integrity, confidentiality or privacy. A SOC 1 report is an assessment of controls at a service organization that may be relevant to user entities' internal control over financial reporting. A SOC 3 report follows the same criteria but does not detail the testing performed and is meant for general distribution, e.g., as marketing material. SOC 2 covers roughly 75-80% of the ISO 27002 control list.
  3. Questions the ISMS must answer: What will an ISO 27001 ISMS accomplish for your business? What does top management need to do? How do we assess risks and confirm risk reduction? How do we ensure we have competence and awareness? How do we implement and control the processes needed to achieve our objectives? How do we ensure the effectiveness of our ISMS? How do we address deficiencies and continuously improve?
     Example Trust Services Criteria a SOC 2 examination tests (risk mitigation, processing integrity and privacy):
     • The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
     • The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives.
     • The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives.
     • The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives.
     • The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity's objectives related to privacy.
     • The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy.
     • The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy.
  4. Who benefits from SOC 2:
     Managed Services: Managed services providers can set themselves apart by demonstrating their commitment to maintaining the strong internal controls that customers want when entrusting them with the management of their information systems, including applications, databases, information security, backup and recovery, network management, and system monitoring.
     Banking and Financial Services: Organizations like credit unions, banks, credit card companies, insurance companies, consumer finance companies, and stock brokerages face numerous challenges in internal controls. For example, physical and logical security play a major role in ensuring customer data is secure. They also must maintain confidentiality and privacy, as well as the completeness, timeliness, and accuracy of transactions. Thus, demonstrating a robust SOC 2 compliance program can be advantageous.
     Software as a Service (SaaS): Efficiency-seeking companies are turning to Software as a Service (SaaS) providers to reduce costs. SaaS providers can gain an edge by showing prospective customers that they can be trusted because of their adherence to widely accepted frameworks for internal controls.
     Data Centers and Colocation Facilities: A single data center can serve many customers, housing vast amounts of sensitive data, which would make a breach exponentially damaging. Therefore, companies scrutinize the internal controls of a data center or colocation facility before trusting them with their data. SOC 2 compliance can provide those companies with the assurance they desire.