For many organisations ISO 27001 has been seen as the benchmark for information security, but with the threat landscape continually evolving and the penalties for getting it wrong ever increasing, many organisations are now looking for greater levels of assurance over broader areas. This article sets out why this is an issue and where it is going.
Formal assurance opinions over controls related to financial statements have existed for many years in the form of standards such as AAF 01/06, ISAE 3402 and SSAE 16, but it is only since the launch of the SOC 2 framework that we have seen similar levels of assurance specific to information security.
Since its launch in 2013, SOC 2 has grown rapidly. Starting in the US, it is now making its mark in the UK.
The SOC 2 framework was designed to complement existing controls reports. ISO 27001 certification attests, at a point in time, that an information security management system and its controls are designed and in place. A SOC 2 report can go further: a Type I report covers the design of controls at a point in time, while a Type II report also tests the operating effectiveness of those controls over a review period (typically six to twelve months), with the auditor reporting any exceptions found. While these controls may not directly affect an entity's financial statements, they are now hugely significant to organisations from both an operational and a reputational perspective.
Within the SOC 2 framework there are five Trust Services Principles: Security, Availability, Confidentiality, Processing Integrity and Privacy. Only the Security principle is mandatory, so the standard gives organisations a degree of flexibility, allowing them to target the specific domains that are most important to them and their customers.
Similarly, the selection of systems and services in scope for the review is at the discretion of the organisation, allowing it to target those which matter most to it and its clients. A reader of the report should therefore check the system description and scoping carefully: a SOC 2 report says nothing about systems or principles that were left out.
ISO 27001 has been, and will continue to be, an important standard, allowing organisations to demonstrate that they have implemented a solid internal information risk management framework. But the world has changed: threats have evolved, and assurance requirements, both internal and external, have grown, with the SOC 2 framework providing a platform to address these needs.
As we move towards ever greater levels of regulation over security and data privacy, including the EU General Data Protection Regulation (GDPR) due to apply in 2018, the penalties for failing to protect your data and that of your customers are increasing. With potential fines reaching 4% of global annual turnover (or EUR 20 million, whichever is higher), the cost of failure is crippling, and service providers will undoubtedly face ever increasing scrutiny and requests from their clients.
Having a SOC 2 report not only avoids duplicating effort in servicing multiple audit requests, it puts you firmly on the front foot with your existing clients, your Board and your regulator, and may even help to differentiate you from your competitors.
For those organisations engaging with service providers or sharing data, the message is clear: whilst services can be outsourced, accountability cannot. It is imperative that they can demonstrate how they are gaining comfort over security controls across their supply chain.
Organisations should reassess the adequacy of the forms of assurance currently in place, both in terms of depth (point-in-time design versus tested operating effectiveness) and breadth of coverage (which systems, services and principles are in scope). In completing this assessment, different lenses should also be used:
If you would like to discuss this article with Krishna or need further information, please contact him via email@example.com or 07841 566415.