Scale Compliance, not Compliance work

Meeting and maintaining InfoSec Compliance requirements for frameworks like SOC 2, ISO 27K, HIPAA, and PCI-DSS can be challenging. With anecdotes Compliance automation, you can scale easily as you grow and kick Compliance maturity into high gear.

SOC 2 Compliance

ISO 27001 Compliance

HIPAA Compliance

PCI-DSS Compliance

SOX ITGC Compliance

SOC 2 - The Compliance Standard For The Cloud Era

What is SOC 2?

SOC 2 is the de-facto security standard for technology companies and service providers.

Established by the American Institute of Certified Public Accountants (AICPA), SOC 2 is not based on a checklist but instead covers 5 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Although organizations can choose the criteria they want to be audited for, the Security Criteria, also called the Common Criteria, is mandatory.

Passing a SOC 2 audit is an important benchmark for any organization looking to grow and expand; today, it’s considered a major business enabler, primarily for US-based companies looking to increase sales volume. Note that SOC 2 is an attestation, not a certification.

How long does it take to become SOC 2 compliant?

Achieving SOC 2 compliance can be a time-consuming and exhausting process.

But first, it’s important to understand that SOC 2 audits come in two types. Type 1 looks at how the organization is aligned with its security policies and procedures at a point in time and takes about 1 - 3 months to prepare for. If you're wondering why Type 1 is needed, there are times when an organization wants to confirm that its service provider is currently secure (for short-term contracts, for instance). Type 1 is the fast way to prove exactly that.

Type 2 looks at policies and procedures over a significant period of time. It usually takes between 3 - 6 months to collect the relevant controls evidence for Type 2, so it is far more labor-intensive to prepare for, but it is a far stronger indicator of security posture than Type 1. Moreover, many organizations require potential partners to be audited for Type 2.

What is involved in the process? 

The relevant parties hold a kickoff meeting with the auditor. If this is their first SOC 2 audit, they decide on the scope and the controls that will be included in the audit. If this isn’t their first SOC 2 audit, they go through the previously chosen controls to decide whether additional ones are needed. The auditor then gets to know the organization’s control environment: reviewing the policies and procedures, agreeing on the criteria relevant to the organization, and setting expectations for the audit, in which the controls will be tested.

Part of setting expectations is reviewing all types of reports and lists (e.g., joiners and leavers) to ensure the basic controls operate properly. Once this is agreed upon, the auditor starts the clock for the auditee to collect enough information about the controls, evidence, etc. The auditor then performs the audit itself, which tests the controls in place.

As part of this phase, the auditor returns to the reports and lists (joiners and leavers, for instance), asks for updates, and tests them again. The auditor expects to see that the controls that worked in the past work smoothly now as well; this proves the controls are well designed and properly implemented. The auditor then brings their findings to the organization, and together they agree on remediation where needed and on whether there are any "deal breakers" (such as harmful security practices). Ideally, this phase is not needed, since a reasonable control environment has already been agreed upon. Finally, there is the report writing and presentation portion of the audit.

In order to pass an audit, evidence proving that the chosen controls are in place and functioning as intended must be collected from different systems across the organization. Organizations must prove they have the proper security controls in place and are using the proper tools.

The audit is performed by a Certified Public Accountant (CPA) who is a certified SOC 2 auditor.

What do Organizations Gain by Becoming SOC 2 Compliant?

There’s definitely a lot of work involved in SOC 2 reporting, but it’s well worth it: achieving SOC 2 compliance is a tangible demonstration of an organization’s commitment to securing the data it collects and stores. The majority of businesses today will not enter partnerships with companies that have not successfully gone through the SOC 2 audit process. Moreover, the entire ecosystem agrees that SOC 2 is sufficient: an audit by a formal auditor certified by the AICPA should be enough to assure potential partners that the service provider is suitable.

ISO 27001 - The International Standard, Made Easy

What is ISO 27001?

ISO 27001 was first established in 2005 by the International Organization for Standardization, a worldwide organization that sets standards across different countries and industries. The current version is from 2013 and there will soon be a new version, which will bring some major changes. ISO 27001 delineates how companies should ideally manage information security, and successfully meeting it is seen as an important indicator of security maturity. A key element in this certification is showing improvement over time.

How Long Does it Take to Become ISO 27001 Compliant?

Becoming ISO 27001 compliant requires a significant time commitment, although not quite as much as SOC 2, since it is partially checklist-based (ISO 27002 is the code of practice suggested for organizations starting the journey toward ISO 27001 certification). In smaller companies, it can take around three months; in enterprises, it typically takes around a year of preparation. It also depends on the company’s security culture, management involvement, and the scope of the desired certification.

What’s Involved in the Process?

ISO 27001 preparation can be conducted by anyone with security expertise, though there are certifications for lead implementers and lead auditors. To grant the organization the desired certification, the auditing organization must itself be accredited to do so, usually by a larger accreditation body. Two of the most well-known are ANAB and IQNet.

A key element of ISO 27001 is showing a methodology for security. This is done by reviewing the information security management system (ISMS), which is the set of company policies and procedures by which data is managed. The ISMS should reflect the ISO 27001 objectives. The organization needs to prepare a document called the Statement of Applicability (SoA) and present it to the auditor for their objective opinion.

The auditor then goes through their own checklist of controls (usually based on ISO 27002, the code of practice), compares it to the organizational control environment as reflected in the SoA, and accordingly provides guidance on any major missing controls. After everything is completed to their satisfaction, the organization receives the approved SoA and the certification, as well as recommendations to implement more controls ahead of the next certification renewal.

What do Organizations Gain by Becoming ISO 27001 Compliant?

The goal of this certification is to give organizations a framework with which they can manage information, and having an ISMS is a great way to achieve that. ISO 27001 is recognized as the international standard for information security, and businesses planning to expand globally need to ensure they hold this important certification.

HIPAA - Securing Protected Health Information

What is HIPAA Compliance?

Created in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is the regulatory standard that outlines how Protected Health Information (PHI) must be handled and stored. Any provider of services related to healthcare information (such as a family doctor, a company that manages healthcare files, or the developers behind apps collecting weight, heart rate, health conditions, etc.) and their associated third parties must adhere to HIPAA: keeping PHI secure at all times, allowing individuals access to their data, correcting mistakes, transferring the data to other healthcare service providers, deleting data, etc.

Becoming HIPAA compliant requires implementing controls and safeguards to protect the integrity, confidentiality, and availability of PHI, as well as developing and enforcing policies and procedures in line with HIPAA and its subsequent derivative Acts.

How Long Does it Take to Become HIPAA Compliant?

Ensuring an organization is HIPAA compliant is often a full-time job. In new organizations, or in companies that have just started collecting PHI, it can take around 6 months of effort to become fully compliant with HIPAA’s requirements. This timeline varies with the size of the organization and the number of locations it has.

What’s Involved in the Process?

To become HIPAA compliant, organizations must know how the requirements apply to them. The Department of Health and Human Services’ Office for Civil Rights has condensed these requirements into a 115-page PDF, and many organizations choose to create their own checklist to guide them through the process. The US Department of Health and Human Services (HHS) is tasked with ensuring that organizations adhere to HIPAA.

What do Organizations Gain by Becoming HIPAA Compliant?

Being HIPAA compliant isn't a choice. It is a federal law, and therefore any and all organizations collecting PHI must adhere to it. If an organization is the subject of a complaint or is otherwise found to be in violation of HIPAA requirements, it may be subject to fines and penalties.

PCI-DSS - The Payment Card Industry Data Security Standard

What is PCI-DSS?

The Payment Card Industry Data Security Standard is a body of requirements that all companies storing, processing, or transmitting credit card information must adhere to. PCI-DSS was established by MasterCard, Amex, Visa, Discover Card, and JCB International in 2006 to foster trust in the complex digital payment industry. Adherence to PCI-DSS is not optional, and organizations found to be in violation can be subject to fines and penalties.

How Long Does it Take to Become PCI-DSS Compliant?

PCI-DSS is based on a highly technical checklist, so it takes less time to become compliant with this standard than with other frameworks. The first time an organization goes through the process, it can take up to 6 months to prepare and comply. After that initial effort, the renewal process is fast and structured.

What’s Involved in the Process?

The initial stage involves filling out a self-assessment and then passing a PCI scan. Once both are completed, the assessment and scan are submitted to the organization’s merchant bank and then to the PCI-DSS Council. There are different yearly and quarterly requirements, depending on the number of credit card transactions processed by the individual organization. Audits are performed by Qualified Security Assessors (QSAs), who assess the Point-of-Sale (POS) system and other relevant IT systems to see whether they meet the standards set by the PCI-DSS Council.

What do Organizations Gain by Becoming PCI Compliant?

The goal of PCI-DSS is to engender confidence in the payment industry. In the wake of major breaches like the one that leveraged the POS systems of Target, businesses need to restore trust in this arena. PCI-DSS gives consumers a level of assurance and protection, knowing that their credit card data is properly protected. Additionally, it helps reduce the incidence of stolen credit card data, thus potentially reducing the cost of insurance premiums.

Sarbanes-Oxley (SOX) Act - SOX-ITGC / ITGC

What is SOX-ITGC / ITGC?

Originally, SOX ITGC was used as part of the Sarbanes-Oxley (SOX) Act to deal with IT and security controls. Established by the US Government in 2002 in response to scandals that rocked the financial world as well as ordinary consumers, SOX applies to any publicly traded company. Nowadays, ITGC also refers to the general IT controls managed by the organization, in alignment with the organizational IT and security policies and procedures and in accordance with industry standards.

What is involved in the process?

ITGC is a list of controls demonstrating that the IT department provides and implements the necessary assurance over the business controls required for SOX compliance. The audit is done internally (or by an outside consultant) as part of the quarterly and annual financial statements, and is performed by the financial accounting firm. It is then signed off on by company management, accompanied by their external accountant’s confirmation.

How long does it take to become SOX-ITGC / ITGC compliant?

It can take about 2-3 months to become compliant with ITGC, and since financial statements are issued every quarter, companies must perform this audit 4 times per year.

What do organizations gain by becoming SOX-ITGC / ITGC compliant?

SOX-ITGC is mandatory for publicly traded companies, as mentioned above. But it’s also clearly valuable, as it establishes a necessary level of transparency, and many stock exchanges and other regulatory bodies have since developed their own versions.

ITGC is a process that ensures IT and security activities are well managed and governed, according to both the policies and procedures approved by management and industry best practices. While ITGC on its own is not mandatory, organizations may be contractually obligated to meet it in some cases.

Internal/Custom Audits

What is an Internal Audit?

The goal of establishing internal controls is to let an organization audit its own compliance with its own management-approved policies and procedures. In the context of information security, this is the process of internally assuring that the organization is aligned with the information security policies (and other topic-related policies) it has defined, as well as with its business needs. The audit report is typically presented to both management and the Board of Directors (BoD), and its remediation plan is monitored closely by management.

What is involved in the process?

Based on the purpose of the internal audit, the first step is to define the scope and the “guidelines”, i.e., the relevant policies and procedures. The auditor (who can also be a third party performing the audit on behalf of management) consults the relevant stakeholders, collects information from the related processes and systems, presents the findings to the owners, and receives acknowledgment and a remediation plan. The auditor then prepares the report to be presented to management and the BoD.

If the scope covers a process or system that has been audited in the past, the auditor starts by checking the status of the remediation plan from the previous audit report.

How long does it take to become compliant?

Given the nature and purpose of the internal audit, being “compliant” is an internal matter only. The auditor usually provides an objective opinion about the level of compliance they encountered during the audit.

What do organizations gain by becoming compliant?

The gain is internal, mainly for management and the BoD, who are assured that their approved policies and procedures are being followed to the letter.