Category: Advisory

How to choose the right SOC 2 principles?

A common question is who is responsible for determining and selecting the principles to be included in a SOC 2 examination. The answer is not always what a service organization wants to hear. As with a SOC 1, management is always tasked with choosing the Trust Services Principles (TSPs). In practice this comes down to which principles fit your business, services, and clients. Unfortunately, there is no definitive list of rules to follow when selecting these principles. Below is a description of the TSPs:

  • Information Security: The system is protected against unauthorized access, use, or modification to meet the entity’s system requirements.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

The scope

Before deciding on the principles, you must first determine the scope of the examination. This is done by identifying the various components that fall within the scope, including third parties that deliver part of the same services. This is an important step, as organizations often take too narrow a view of their services and of what should be included in a SOC 2 system. Moreover, organizations must carefully consider their infrastructure, software, personnel, procedures, and data when defining the boundaries of a SOC 2 examination. Each of these individual components is described further in the SOC 2 literature.

Information Security

After establishing the scope, the next step is to determine which principles apply to the service organization’s system. Take, for example, the Security principle. It must be included in every SOC 2 examination because it contains the common criteria that underlie all other principles. These common criteria address the security of a system, such as detecting and preventing unauthorized modification, destruction, or disclosure of information.

If a client wants reasonable assurance about the security of their data, they are likely most interested in the Security principle. This principle is so broad that it may suffice for the client to examine only this principle to gain a sense of security over their data.

Availability

The second most commonly chosen principle for a SOC 2 examination is Availability. Since most service organizations provide an outsourced service to their clients, the availability of this service is often contractually defined through Service Level Agreements (SLAs). Therefore, the Availability principle is a compelling one to include in a SOC 2 examination.

Processing Integrity

If the service organization processes transactions for its clients, a third interesting principle is Processing Integrity. This principle contributes to the assurance that data is processed completely, validly, accurately, and in an authorized manner. In addition to the Security principle, the Availability principle, and Processing Integrity, two other principles can be included in a SOC 2 examination.

Confidentiality and Privacy

The final two principles are Confidentiality and Privacy. These are often discussed in the same context, although the principles are distinct. Moreover, many organizations consider these two principles to be of great importance for the SOC 2 examination. The principles are similar in that they both relate to the information ‘in’ the system. The difference is that the Privacy principle only applies to personal information. However, the term ‘confidential information’ can have different meanings for different companies. If the service organization handles confidential information and specific agreements have been made about securing this data, then the Confidentiality principle is relevant.

Within the context of a SOC 2 examination, Privacy relates to the protection of personal information. If a service organization has responsibility for managing the ‘lifecycle’ of personal information (also known as PII, Personally Identifiable Information), then this principle is interesting to include in the examination. The lifecycle refers to the collection, use, disclosure, storage, and destruction of personal information.

Overall, choosing the right principles is an important process. It begins with being well-informed about which principles are best applied in a given situation, which requires a good understanding of the organization. Beyond that, the knowledge and experience of an established SOC 2 firm is invaluable: a reputable firm will guide an organization in selecting the appropriate principles for the SOC 2 examination.

ISAE 3402 vs. ISAE 3000 vs. ISO 27001

There is often confusion surrounding ISAE 3402, ISAE 3000, and ISO 27001. Many clients ask which standard is best and what the benefits are. This varies per organization; this article explains the standards and describes the advantages of each.

ISAE 3402

The ISAE 3402 standard is the reporting standard for internal controls relevant to financial reporting. It assesses the effectiveness of the systems that support the security and integrity of the underlying data. ISAE 3402 is suitable for services with business process objectives that go beyond a core focus on technology and security.

Benefits:

  • Internationally recognized
  • Improved risk management
  • Fewer audits by accountants
  • Portrays an ‘in control’ image to clients
  • Supports professionalization

ISAE 3000

The ISAE 3000 standard is the framework for managing and reporting on new technological risks and the associated control practices. It covers the security of the organization, confidentiality, processing integrity, and customer privacy. The ISAE 3000 standard attempts to combine the best of both worlds: the increased assurance over operational effectiveness of the ISAE standards and the refined focus on cybersecurity exemplified by the ISO 27001 standard.

Benefits:

  • Internationally recognized
  • Robust standard for information security
  • Recognized by accountants
  • Supports organizational professionalization

ISO 27001

The ISO 27001 standard specifies the design and implementation of an Information Security Management System (ISMS) and can be used to implement information security. The latest ISO 27001 standard was published in 2017. This standard is based on the HLS structure (see the separate article on the HLS structure).

ISO 27001 is globally recognized and supported as one of the best standards for information security. It is the de facto ‘best practice’ approach to managing information security within an organization.

Implementation of ISO 9001

The ISO/IEC 9001 standard is the international standard for quality management. ISO 9001 focuses on two key aspects: meeting customer requirements and increasing customer satisfaction. To achieve this, the standard outlines specific aspects that are elaborated into requirements.

Phase 1

An ISO 9001 implementation begins in the first phase with determining the scope. This scope encompasses the quality management system aimed at meeting customer requirements and improving customer satisfaction.

Deliverable: ISO 9001 scope

Phase 2

In the second phase, the organization must establish a general quality management policy. The general section describes, at a minimum, the characteristics of the organization, the characteristics of its services and/or products, the inputs and expected outputs, and the resources needed for the processes, including responsibilities and authorities.

Regarding the policy, the following is included:

  1. A description of the risk framework. Different risk frameworks can be chosen, such as COSO 2013 or ISO 31000. The risk framework should be described from the perspective of quality control.
  2. How the organization deals with any laws, regulations, requirements, and guidelines that the organization itself imposes on quality.
  3. The policy must demonstrably align with the current risk management framework that has been implemented (alignment with COSO 2013). It should also include how the organization approaches the implementation and control of the quality management system and the methods and controls needed to ensure that procedures are carried out effectively.
  4. Which processes have been determined for the evaluation and improvement of the quality management system.
  5. The organization’s management or directors must approve the policy.

Deliverable: Policy document

Phase 3

In Phase 3, a risk analysis is performed in the area of quality management. Based on the risks identified in this analysis, processes and procedures are described. The procedures and processes are then implemented within the organization, and finally the quality management manual is prepared and made available to all employees.

Deliverable: Risk analysis & quality management manual

Phase 4

Once the manual has been written, a pre-audit or walkthrough is conducted in the fourth phase. During this walkthrough, all control measures and ISO 9001 procedures are tested, and potential problem areas for the final audit are identified.

Phase 5

In the fifth phase, improvements to control measures and the quality management system are implemented based on the pre-audit findings, and solutions are realized for the identified problem areas.

Phase 6

In the sixth and final phase, the ISO 9001 audit is conducted by a certifying body, and the ISO 9001 certificate is obtained.

ISO 27001 and Ransomware

In recent times, an increasing number of companies have been hit by ransomware. Another term for ransomware is “hostage software.” REvil is a well-known group that employs this tactic and has left thousands of companies unable to access their files. But how can a company prevent a ransomware attack?

The term “hostage software” is apt. A ransomware attack “holds hostage” a company’s computers and files: the files are encrypted and can only be recovered upon payment, usually demanded in cryptocurrency because it is harder to trace. Ransomware can enter a company’s systems through actions such as clicking on a malicious link, or through outdated security measures. This is why it is crucial to keep the software within the company up to date.

Preventing Ransomware

Here, prevention is better than cure. Ransomware is easy to get infected with but hard to remove, and even when the malware itself is removed, the damage is often only partly undone. Prevention is therefore the best solution.

Every company can address the following points:

  1. As mentioned earlier, keep operating systems and security software up to date.
  2. Keep all other programs up to date as well, to close known vulnerabilities.
  3. Never click on suspicious links in emails. Spam emails frequently contain malicious links. Always verify that an email is legitimate, even when it appears to come from a potential client with an inquiry.
  4. Obtain ISO 27001 certification. Information security is crucial for every company. The ISO 27001 standard is an international framework for information security and can be used to implement information security measures.

Securance has over 10 years of experience in implementing risk management structures, information security, and process improvement. Information security should always provide added value, making the organization more manageable, and ISO 27001 offers opportunities for attracting new clients.