Category: Cyber Security

ISO 27001 and SOC 2 – The Comparisons

ISO 27001 is an international standard that specifies the requirements for managing the security of information assets such as financial information, intellectual property, employee and customer data, and information entrusted by third parties. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it defines what an Information Security Management System (ISMS) must contain, with a focus on sustained, risk-based protection of information rather than one-off controls. An ISO 27001 certification signals a substantial investment of time and resources in security and provides a robust foundation for any organization’s security compliance program.

SOC (System and Organization Controls) is a suite of attestation reports defined by the AICPA for assessing and evaluating an organization’s controls. SOC for Service Organizations: Trust Services Criteria reports (better known as SOC 2 reports) are intended for the wide range of users who need detailed information and assurance about the controls relevant to the security, availability, and processing integrity of the systems used to process users’ data, and to the confidentiality and privacy of the information those systems process. Security is the one criterion every SOC 2 report must cover; the other four are included at the service organization’s discretion, so always check which criteria a given report is scoped to. These reports can play a crucial role in organizational oversight, vendor management programs, internal corporate governance, risk management processes, and regulatory oversight.

There are two types of SOC 2 reports: Type 1 and Type 2.

A SOC 2 Type 1 audit provides a snapshot, as of a specified date, of the data protection measures present in an organization. The design of the controls is assessed and their implementation is confirmed, but whether they operate consistently over time is not evaluated in a Type 1 report. For an organization new to SOC 2, obtaining a Type 1 report is the usual first step.

A SOC 2 Type 2 audit addresses the operational effectiveness of controls over a specified period, such as six to twelve months. A SOC 2 Type 2 report sets a higher bar than a Type 1 report, as it not only assesses the design and implementation of control processes but also evaluates whether the controls were consistently performed during the specified period. This provides customers and business partners with greater confidence in the effectiveness of control processes.

These two security management frameworks have a lot in common. Both are voluntary, and both are designed to demonstrate that a company handles customer data reliably while protecting the confidentiality, integrity, and availability of sensitive information. Both enjoy a strong reputation, and customers generally accept either as credible evidence of a company’s ability to protect data. In short, a SOC 2 Type 2 report or an ISO 27001 certificate strengthens your brand’s reputation and helps attract new customers.

The logistical and operational similarities are easy to find. The frameworks share many security requirements, so the effort to implement controls and collect evidence is comparable, and control work done for one can usually be mapped onto the other. Both also require independent third-party assessment and periodic reassessment, although the mechanics differ: ISO 27001 certification is issued by an accredited certification body and is typically valid for three years with annual surveillance audits, whereas a SOC 2 report is an attestation issued by a licensed CPA firm and is usually renewed annually. SOC 2 is therefore a report rather than a certification, and its value depends on reading the scope, the criteria covered, and any exceptions the auditor noted.

The relationship between ISAE 3402 and ISA 402

ISAE 3402 states that a report prepared in accordance with ISAE 3402 provides sufficient appropriate evidence for the purposes of ISA 402, “Audit Considerations Relating to an Entity Using a Service Organization”. In other words, ISA 402 addresses the responsibility of the user entity’s auditor to obtain sufficient appropriate evidence about the controls at the service organization(s) the user entity relies on, and an ISAE 3402 report is one accepted way to obtain that evidence. Note that ISAE 3402, like any assurance standard, is read alongside the financial reporting standards and supporting standards that help interpret, understand, and apply it.

How Does a Service Organisation Prepare for ISAE 3402?

ISAE 3402 requires service organisations to take a proactive role in meeting the requirements set by the service auditor (the accountant who issues the report). A service organisation therefore benefits greatly from an ISAE 3402 ‘Readiness Assessment’, which clarifies the reporting requirements before the audit begins.

These reporting requirements include:

  1. Preparing a description of the service organisation’s system, including the control objectives and the controls designed to achieve them.
  2. Preparing a written management assertion, which is included in the final ISAE 3402 report.

In addition, the service organisation’s internal audit function may take part in the assurance process, provided the service auditor judges its objectivity and competence to be adequate. A readiness assessment is thus a crucial step for a service organisation in understanding both the scope of the engagement and the reporting requirements of ISAE 3402.

What is a Data Breach and What Can My Organisation Do About It?

Data breaches are in the news more and more often: internal documents and data belonging to companies and their stakeholders end up exposed and easily accessible to outsiders. The consequences fall on the stakeholders, but often even more heavily on the company itself.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) defines a data breach as an incident involving unauthorised access to, or the destruction, alteration, or disclosure of, personal data held by an organisation, without the organisation intending it.

More generally, a data breach is an incident in which information is accessed, copied, or exfiltrated from a system without the knowledge or consent of the system’s owner. Both small businesses and large organisations can experience a data breach. Stolen data can include sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.

The consequences of a data breach can manifest as damage to the target company’s reputation due to a perceived ‘betrayal of trust’. Victims and their customers may also suffer financial losses if related data is part of the stolen information.

Here, prevention is better than cure. Once data has been exposed it cannot be recalled, and cleaning the attacker’s malicious software out of a compromised environment after the fact is often incomplete and not done thoroughly. Prevention is therefore the best strategy.

Every Company Can Address the Following Vulnerabilities:

  1. Keep operating systems and security software (endpoint protection, firewalls) on current, supported versions and apply security updates promptly.
  2. Keep all applications up to date as well; unpatched software is one of the most common entry points, and there is no room for error here.
  3. Never click on unexpected links in e-mails. Much spam arrives via websites (for example, contact forms). Before acting on a message, check whether it is a generic e-mail carrying a link or a genuine enquiry from a potential customer, and verify that the link’s real destination matches what its text claims.
  4. Get ISO 27001 certified. Information security is essential for every company, and ISO 27001 is an international framework for organising it.
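The link check in item 3 can be automated for inbound HTML mail. The script below is an added example, not code from the original page: it extracts every anchor from a message body and flags two common phishing patterns, a visible link text that names one domain while the href points at another, and a link whose host is outside an allow-list of domains the organisation expects to see. The sample message, the `ALLOWED_DOMAINS` set and the two-label domain approximation are constructed assumptions for illustration.

```python
"""Flag suspicious links in an HTML e-mail body.

Added illustrative example (not from the original page). The sample
message, the allow-list and the heuristics are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate link, one display/href mismatch, and
# one link to an unrelated host that is not in the allow-list.
SAMPLE_HTML = """
<p>Hi, please see your invoice at
<a href="https://billing.example.com/inv/42">billing.example.com</a>.</p>
<p>Verify your account:
<a href="http://example-login.attacker.test/x">https://www.example.com/login</a></p>
<p>Unsubscribe <a href="https://tracker.other.test/u?id=1">here</a></p>
"""

# Assumption: the organisation's own domain(s); in practice load from config.
ALLOWED_DOMAINS = {"example.com"}

# Matches a bare domain or URL inside the visible anchor text.
_DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: no public-suffix list (co.uk etc.) is consulted here."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def extract_links(html):
    """Return [(href, visible_text), ...] for every <a href> in the body."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def check_links(html, allowed=ALLOWED_DOMAINS):
    """Return a list of (href, reason) findings for suspicious anchors."""
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        href_dom = registrable_domain(host)
        # 1. Visible text looks like a URL/domain but names a different domain
        #    than the one the link actually goes to (classic phishing lure).
        match = _DOMAIN_RE.search(text)
        if match and registrable_domain(match.group(1)) != href_dom:
            findings.append((href, f"display text names {match.group(1)} "
                                   f"but link goes to {host}"))
            continue
        # 2. Link host is not one the organisation expects to see.
        if href_dom not in allowed:
            findings.append((href, f"host {host} not in allow-list"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample, the legitimate invoice link passes, the "verify your account" link is reported as a display/href mismatch, and the tracker link is reported as an unexpected host. The allow-list check is deliberately strict; a real deployment would feed findings into quarantine or user-warning logic rather than block outright, and would use a proper public-suffix list for the domain comparison.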