One of the big questions we get is "Which standard should we use?" or "Which security certification should we get?" Oh, and what is a SOC 2 Type 2 anyway?
Although securityprogram.io is neutral about which standard you use, we have seen customers mature through different levels of security under different standards and, to be blunt, we've seen people get stuck.
The TL;DR of this post is to start with something simple and achievable, but work with a standard over the long term toward something more robust. We recommend progressing from the CIS 20 (the CIS Critical Security Controls; version 8 consolidated them into 18 controls, but this post uses the older CIS 20 name) to the NIST Cybersecurity Framework (NIST CSF) and then to NIST SP 800-53, a comprehensive catalog of security and privacy controls.
In securityprogram.io, we have a Simple Program that is even simpler to do than the CIS 20 and makes it easy to do the most important things first, regardless of the standard or certification you care about.
We recommend doing the certifications when you need to but not before.
Often companies come to us with the idea that they need to do SOC 2 or FedRAMP because a prospective customer asked for it. There is a really big difference between a prospect asking for a SOC 2 report and requiring one. Often, the best response is to say that you don't have it yet and ask: is it required? If so, when is it required? Then you can plan. On some level, if you are going to have to do a big security lift to land a deal, that is a business decision.
Note that any of these certifications is a long-term commitment. Once you have done it once, you will probably want to conduct audit activities annually, because customers will expect a current report.
Obviously, in some areas organizations need to be more proactive. For example, companies that process credit cards need to think about PCI DSS. Companies that handle health information should be aware of HIPAA and HITECH. Companies in the DoD supply chain should know about CMMC, NIST SP 800-171 and ITAR. Public companies have SOX and financial institutions have FFIEC. Education companies and institutions worry about COPPA, FERPA and even state laws like SOPPA.
These are all useful and have their place, but we wouldn't necessarily build a security program around them. We typically like to see a functional security program based on a broad open standard (typically NIST 800-53 or ISO 27001) with the more specific certifications or standards layered on top. We like NIST CSF too because it can be used to model improving maturity over time and it can be easier to read and understand.
First, we should say that we don't perform SOC 2 audits ourselves, but we work with a number of firms that do. To get a fully authoritative answer, you should probably talk to them: get a quote and understand directly what they think you need to do. That being said, it is a common enough question that we thought it might be useful to demystify it all a bit.
Broadly speaking, a SOC 1 is an audit of internal controls over financial reporting, which doesn't mean much for companies trying to demonstrate information security.
A SOC 2 is an audit of the organizational and information security controls you have in place, measured against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). Strictly speaking it is an attestation report issued by a CPA firm rather than a certification, but everyone calls it one. A SOC 2 Type 1 reflects the design of your controls at a point in time; a SOC 2 Type 2 attests that the controls operated effectively over a period of time. Most engagements we have seen start with a gap assessment, then proceed to a SOC 2 Type 2 whose observation period typically runs six months from the starting gun. In some cases there is a strong need to do a SOC 2 Type 1 first because it can be done faster.
A SOC 3 is a general-use summary of the SOC 2 Type 2 report, without the detailed test results, that is intended for public distribution (for example, posting on your website). Of course, each piece costs more, so you want to navigate based on what you need.
In some cases we have seen efficiencies from combining audits (e.g. SOC 2 and ISO 27001) at the same time. Sometimes the work is actually duplicated, so it doesn't save your company time. Of course, if you are collecting evidence it can be useful to collect it once and push it to two different places, but the systems I have seen for supporting these audits are pretty limited in terms of saving the subjects of the audits time or money.
While we're talking about SOC 2, we should mention that we also see the SIG Lite questionnaire and the Cloud Security Alliance CAIQ and CCM with some frequency. These are also useful references, but in our estimation they lack the independent attestation of a SOC 2 and the breadth and backing of NIST SP 800-53 for general program alignment.
We should also note that companies sometimes believe that once they do their SOC 2 Type 2 they will be able to just reply to security inquiries from prospects or partners with a PDF of the report. While the report goes a long way to substantiate the program to third parties, there is often still a more specific questionnaire that goes along with it.
Since securityprogram.io abstracts away which standard or certification goal is requiring you to do the tasks of building a program, as a user you just do the tasks and work toward a more secure state.
Then when it is time to consider or prepare for an audit, you have mappings to different frameworks and you can start to understand how close or far you are from being ready.
SPIO gives you a contextual sense of the progress you are making overall. This type of dashboard can be useful on a week to week basis to ensure that progress is being made.
SPIO also maps your work (live) to different standards to show progress against those. Here is an example of the first few CIS 20 controls.
Below is an expanded view of NIST CSF. You might imagine trying to get all of the green bars to 50% as an initial goal.
Again, while you're doing all of this work, the core tasks you see explain what to do and map to NIST SP 800-53, which has the advantage of being a fairly comprehensive open standard. ISO 27001 is comparable, but the standard text must be purchased from ISO under its licensing model, which makes it a little less portable.
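To make the mapping idea concrete, here is an added example (not SPIO's own code or data) of how a single task list can roll up into per-framework progress. The task names, the crosswalk and the done/not-done states are constructed for illustration; the control identifiers are real CIS v7, NIST CSF 1.1 and NIST SP 800-53 identifiers, but which task satisfies which control is an assumption, not SPIO's actual mapping. Two details matter in practice: a control that several tasks map to is only complete when all of them are done, and the denominator should be the size of the framework's full catalog, not just the controls you happen to have mapped, or the dashboard will flatter you.

```python
"""Roll a single task list up into progress against several frameworks via a crosswalk."""

# Constructed sample data for illustration only. The "maps" entry lists the
# framework controls a task provides evidence for (assumed mapping, not SPIO's).
TASKS = {
    "inventory-laptops":        {"done": False, "maps": {"CIS 20": ["1"],  "NIST CSF": ["ID.AM-1"], "NIST 800-53": ["CM-8"]}},
    "inventory-software":       {"done": False, "maps": {"CIS 20": ["2"],  "NIST CSF": ["ID.AM-2"], "NIST 800-53": ["CM-8"]}},
    "mfa-for-admins":           {"done": True,  "maps": {"CIS 20": ["4"],  "NIST CSF": ["PR.AC-7"], "NIST 800-53": ["IA-2"]}},
    "quarterly-access-review":  {"done": False, "maps": {"CIS 20": ["16"], "NIST CSF": ["PR.AC-1"], "NIST 800-53": ["AC-2"]}},
    "central-log-collection":   {"done": True,  "maps": {"CIS 20": ["6"],  "NIST CSF": ["DE.AE-3"], "NIST 800-53": ["AU-6"]}},
    "weekly-log-review":        {"done": False, "maps": {"CIS 20": ["6"],  "NIST CSF": ["PR.PT-1"], "NIST 800-53": ["AU-6"]}},
}

# NIST CSF 1.1 core functions (CSF 2.0 adds a sixth, Govern).
CSF_FUNCTIONS = ("ID", "PR", "DE", "RS", "RC")


def control_status(tasks):
    """Return {framework: {control_id: complete}}.

    A control is complete only when every task that maps to it is done, so a
    control shared by a finished and an unfinished task stays incomplete.
    """
    status = {}
    for task in tasks.values():
        for framework, controls in task["maps"].items():
            per_fw = status.setdefault(framework, {})
            for control in controls:
                per_fw[control] = per_fw.get(control, True) and task["done"]
    return status


def coverage(tasks, framework, catalog_size=None):
    """Return (controls_complete, denominator, fraction) for one framework.

    catalog_size should be the framework's total control count (e.g. 20 for
    CIS v7); without it the denominator is only the controls you have mapped,
    which overstates progress.
    """
    controls = control_status(tasks).get(framework, {})
    done = sum(controls.values())
    total = catalog_size if catalog_size is not None else len(controls)
    return done, total, (done / total if total else 0.0)


def csf_function_coverage(tasks):
    """Fraction of mapped NIST CSF subcategories complete, grouped by core function.

    Functions with nothing mapped to them report 0.0 rather than disappearing,
    which is how gaps such as Respond and Recover become visible.
    """
    controls = control_status(tasks).get("NIST CSF", {})
    per_function = {fn: [] for fn in CSF_FUNCTIONS}
    for control_id, complete in controls.items():
        per_function[control_id.split(".")[0]].append(complete)
    return {fn: (sum(v) / len(v) if v else 0.0) for fn, v in per_function.items()}


def highest_leverage_tasks(tasks):
    """Rank open tasks by how many controls (across all frameworks) finishing
    them would complete, i.e. controls whose other mapped tasks are already done.
    This is the "most important things first" ordering."""
    ranked = []
    for name, task in tasks.items():
        if task["done"]:
            continue
        unlocked = 0
        for framework, controls in task["maps"].items():
            for control in controls:
                others_done = all(
                    other["done"]
                    for other_name, other in tasks.items()
                    if other_name != name and control in other["maps"].get(framework, [])
                )
                unlocked += others_done
        ranked.append((name, unlocked))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    for fw, size in (("CIS 20", 20), ("NIST CSF", None), ("NIST 800-53", None)):
        print(fw, coverage(TASKS, fw, size))
    print("CSF by function:", csf_function_coverage(TASKS))
    print("Do next:", highest_leverage_tasks(TASKS))
```

With the constructed data, the NIST 800-53 view reports one of four mapped controls complete (AU-6 stays incomplete because weekly log review is still open), the CIS view is 1 of 20 once the real catalog size is used as the denominator, and the CSF roll-up shows Detect at 100% while Respond and Recover sit at 0% because nothing maps to them yet.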
We know. We just threw a lot of acronyms at you. You don't really care about the acronyms, you just want the work to get done, the deal to close and to be able to know that you are doing the right work.
SPIO was conceived as a solution that could democratize access to awesome security help. If you use SPIO, you know you are doing the right work.
At the same time, one of the biggest lessons we have learned in helping people build programs is that we can't do all the work for you. Some of the tasks will inevitably come back to someone in your HR department, an engineer with access to production or a team that handles laptops. To succeed, you have to commit to do that work yourselves. It makes sense. You can't get security without doing the work.
The neat thing about SPIO is that you can largely bite off that work yourself and prepare your organization by doing the baseline security work that is required for all of these standards. When you need help, you can bring in an expensive hired gun or start hiring a security team.
The point of this post is to explain our underlying strategy for SPIO users as it emerges from our work in securityprogram.io - which is the culmination and amalgamation of many hard won lessons from customer projects over the last 7 years.
The benefit of this approach is that you get to focus on smaller chunks of work on a week to week basis, while working toward a larger goal that will help you meet whatever challenges come your way. SOC 2 or no, you will be ready.
Again, SPIO was conceived as a solution that could democratize access to awesome security help. If you use SPIO, you know you are doing the right work. The contents of this post explain how you know we know you are doing the right work.
We'd love to hear your feedback or talk more about it!