What is ISO 27001 accreditation?
ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for organisations to establish, implement, maintain and continually improve their information security processes and controls. The standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The main objective of ISO 27001 is to help organisations protect the confidentiality, integrity and availability of their information assets. It provides a systematic approach to managing sensitive company information including financial data, intellectual property, employee details and customer information. The standard applies to all types and sizes of organisations, whether private, public, for-profit or non-profit.
What are non-conformities?
Major non-conformities are where your ISMS doesn’t meet the requirements of the ISO 27001 standard. Generally, these are significant gaps in the management system’s overall design or in the controls listed in the statement of applicability. In contrast, minor non-conformities may undermine the effectiveness of the ISMS or have a minor impact on the requirements of the ISO 27001 standard, but they don’t prevent the ISMS from achieving its goals or meeting the key requirements of the standard.
Can we get certified if we have non-conformities?
Yes, it is possible to get certified with open non-conformities. Generally, that will only be the case for minor non-conformities with a clear and reasonable action plan for when and how they will be remediated. If there is a high number of minor non-conformities, or any major non-conformities, you are given up to 90 days to remediate them before the certification decision.
What is SOC2?
SOC 2 stands for “System and Organization Controls 2” and is a set of standards and criteria developed by the American Institute of Certified Public Accountants (AICPA) for managing customer data, based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy. It is particularly relevant for technology and cloud computing companies that handle customer data.
What Trust Service Criteria Underpin SOC2?
SOC 2 is underpinned by the following Trust Service Criteria:
- Security: The system is protected against unauthorised access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorised.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.
Security, also known as the “Common Criteria”, is the only mandatory category, whereas availability, confidentiality, processing integrity and privacy are optional.
Can you fail SOC2?
Not as such. SOC 2 reports are not pass/fail. A report can be issued with any number of exceptions and qualifications. Most companies choose to delay their SOC 2 report until it is “clean”. If you are in an annual reporting cycle with customer commitments, you may not have that flexibility, so the report may be issued with disclosures about any identified exceptions and qualifications.
What’s required for SOC2?
There are a few things to be aware of for SOC 2 reporting:
A system description is prepared to give an overview of your compliance scope and activities. We add your tailored controls, mapped to the criteria, along with the results of the audit (for Type 2); we then both sign off to issue the final report.
There are 33 common criteria to satisfy by mapping your controls and implementing a state of compliance. We integrate with several compliance platforms to assist your compliance journey.
The controls include documented policies, system configurations, and defined processes. Our PolicyTree solution generates your tailored set of policies that are the foundations of your compliance program.
An audit is conducted to verify your compliance, which AssuranceLab performs. We have some flexibility for first-time reports, especially Type 1, that lets you fix things as we work through the audit.
SOC1 vs SOC2: what’s the difference?
The service organisation control standards, sometimes referred to as system and organisation control (SOC) standards, have been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”. That is where third parties would rely on IT systems or services, and that reliance would affect their financial statement audits or other financial interests, such as in asset management or superannuation.
As reliance on third-party services grew with the rise of software-as-a-service companies, these reports naturally evolved to provide assurance over those third-party services even when no direct financial objectives were involved. The Trust Services Criteria were then introduced to better align with the modern needs of third parties that were reliant on security, availability, confidentiality, processing integrity and privacy. This became “SOC 2”, to differentiate it from the earlier SOC 1 purpose.
Type 1 and Type 2 reports: what’s the difference?
A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the SOC 1 control objectives.
A Type 2 report attests to your compliance by both design and operation over a set period of time, usually between 3 and 12 months, to show your systems and processes have been operating consistently to satisfy the SOC 2 control criteria.
Usually, a Type 1 report is issued first as baseline compliance. That marks the start of the live and recurring Type 2 audit period for reports issued annually. That is the industry standard, but the SOC standards have the flexibility for you to choose the report dates and periods as desired (in practice, customers’ expectations usually drive the industry-standard approach).