Understanding the New FedRAMP Rev 5 Baselines

At the end of last year, the Federal Risk and Authorization Management Program (FedRAMP) released a draft of their FedRAMP Revision 5 (Rev 5) baselines. Since the inception of the program in 2011, FedRAMP has used NIST (National Institute of Standards and Technology) standards and guidelines to offer standardized security requirements for cloud service providers (CSPs). As such, the forthcoming FedRAMP Rev 5 is based on NIST 800-53 Rev 5, which was released in September 2020.
Read on to discover how FedRAMP Rev 5 compares to Rev 4, next steps for the program, and other relevant FedRAMP updates.
FedRAMP Rev 4 vs. Rev 5: Introducing a threat-based methodology
The most noteworthy difference between FedRAMP Rev 4 and Rev 5 is that FedRAMP has introduced a threat-based methodology to determine which controls to add on to the established NIST 800-53 Rev 5 baselines.
Specifically, FedRAMP evaluated each NIST 800-53 Rev 5 control on its ability to protect, detect, and/or respond according to the methods outlined in the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework v8.2. MITRE ATT&CK is a carefully curated, regularly updated knowledge base covering cyber threat behavior.
Benefits of FedRAMP’s new threat-based approach include:
- Enhanced security against the top threats to federal information systems
- Identification of notable gaps and duplication in security efforts
- Streamlining of the overall FedRAMP authorization process
- Increased potential for reuse of authorization packages across government agencies
Control differences in FedRAMP Rev 4 vs. Rev 5
When NIST 800-53 Rev 5 was released, NIST called it “not just a minor update but rather a complete renovation.” I’ve previously written about how this special publication introduced new control categories with a focus on outcome-based controls as well as a greater emphasis on privacy. Consequently, FedRAMP Rev 5 also provides a “proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.”
In past revisions of FedRAMP, the number of controls required has been significant, especially for the Moderate and High impact levels. However, the new threat-based methodology has minimized the number of controls added by FedRAMP. Listed below are the number of additional controls that the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB) have proposed on top of the current FedRAMP baselines:
- Low Baseline — 1 additional control
- Moderate Baseline — 17 additional controls
- High Baseline — 22 additional controls
Ultimately, the strategic control selection put forward for FedRAMP Rev 5 will enable a more efficient security authorization process for all parties involved.
Next steps for FedRAMP Rev 5
The draft of the FedRAMP Rev 5 baselines is open for public comment until April 1, 2022. You can provide feedback on the proposed baselines by annotating this document and emailing it to [email protected] before the deadline.
After feedback has been collected from government entities and the federal security community, FedRAMP will review all public comments and update the Rev 5 baselines accordingly. Once these final changes have been made, FedRAMP Rev 5 will be officially published alongside related documentation, guidance, and an estimated compliance timeline.
When FedRAMP Rev 5 is released, it will include Open Security Controls Assessment Language (OSCAL) versions of the updated baselines. FedRAMP uses OSCAL to automate a large portion of security package review. CSPs and third-party assessment organizations (3PAOs) may also use OSCAL to carry out their own self-tests prior to submission. This technology ultimately results in a faster and more accurate validation and authorization process.
Additional FedRAMP updates
FedRAMP announced two important updates at the beginning of this year that I’d also like to highlight. First, the program released an updated Readiness Assessment Report (RAR) Guide and templates that are designed to provide more detailed guidance for 3PAOs in assessing CSPs. After completing a RAR, a 3PAO will attest to an organization’s readiness for the official authorization process. The new guide and templates are designed to reduce complexity and redundancy in the process, as well as provide clearer instructions based on feedback from 3PAOs and CSPs.
The second relevant piece of FedRAMP news is the publication of an updated CSP Authorization Playbook to give CSPs a more comprehensive understanding of what the authorization process entails. This updated playbook exists across two volumes: Volume I details how to prepare for FedRAMP, various paths to authorization, and items to consider prior to getting started. Volume II focuses on the development of a high-quality security package to reduce the need for revisions during the review process, including tips for delivering a coherent, digestible package.
Taking the fast track to FedRAMP
All of the new FedRAMP updates indicate that the program is taking feedback from the federal security community seriously and is actively working to make the authorization process faster and more efficient for everyone involved. That being said, it can be difficult to adapt to change, especially if you are not deeply familiar with the federal compliance space. I recommend that you review the updated Revision 5 controls and guidance now and begin addressing any gaps you identify.
Is your organization getting ready to pursue FedRAMP Authorization to Operate (ATO) status now or in the future? A-LIGN is an accredited 3PAO and one of the top FedRAMP assessors in the world based on our in-depth knowledge of federal compliance and hands-on experience helping CSPs get ready to do business with the U.S. government. Visit our website to learn more about our FedRAMP services.
15 Ways to Prevent Data Breaches in Your Organization
Are you feeling safe about your organization’s personal data because of standard security policies and procedures you have in place? Don’t be fooled by a false sense of security. Managing cyber-risk is a multi-faceted, whole-organization effort that requires implementation from the top levels down.
The cost of a data breach increased 10% in the past 12 months, the highest increase in the last seven years, according to IBM’s Security Services 2021 Cost of a Data Breach Report. With remote work greatly increasing out of necessity due to the COVID-19 pandemic, cybersecurity is more important than ever. IBM’s report found that remote work directly contributed to a $1.07 million increase in the average cost of a breach. While security policies and procedures are important in protecting your data, your organization should consider one largely overlooked area of weakness: human error. Examples of human error risk factors include:
- Administrator system misconfiguration
- Not updating systems appropriately
- Not managing system patches
- Default password usage
- Default user ID usage
- Lost devices
- Misplaced devices
- Unlocked devices
- Incorrect disclosure procedures
Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees, so that organizations are able to prevent data breaches caused by human error. Let’s dive into 15 ways your organization can better protect itself against human error and ultimately prevent data breaches.
Security Training & Human Resources
1. Education from the Top Down
It’s no accident that I noted education as the first tip. Individuals in management may think that because they have a seasoned IT security director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the cybersecurity risks inherent to their organization is essential to mitigating those risks.
The development of policies and procedures to prevent data breaches is essential, and educating employees, both new and existing, on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is necessary to mitigate risk. In addition, your organization should inform employees of new scams or emerging risks as they arise – for example, new phishing campaigns or websites with known vulnerabilities.
2. Hire Security-Savvy Employees
Strong security starts with great personnel, which is why the hiring process is important. While individuals with experience can be beneficial to an organization, professionals who have a deep understanding of the current risk landscape can be invaluable to an organization while trying to implement security controls. When recruiting individuals, management should keep in mind that those they hire will play a paramount role in ensuring the security processes and procedures put in place will be followed.
In addition, management should be sure to maintain communication lines with their security and compliance team in order to ensure that all potential threats are being monitored carefully.
3. Develop an Exit Strategy
It’s crucial to create an exit strategy for employees who are leaving your organization. This includes changing passwords, ensuring that computers and personal devices no longer hold sensitive information, and developing contracts that include legal repercussions for sharing or utilizing sensitive data.
Limiting Access to Data
4. The Less Data, the Better
Since cyber criminals can only steal information that the organization actually holds, one of the major ways to minimize risk is to limit data availability:
- Don’t collect information that isn’t relevant to your business.
- Reduce the number of places where data is physically stored.
- Purge data early and often.
You prevent data breaches by minimizing the amount of data your organization stores on-premises or in the cloud.
5. Zero Trust
Restrict access of resources to only the people who need them. Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are.
For example, if a user needs to read the details from a document to do a portion of their job, they will only be granted privileges to read the document; they will not be able to edit or modify that document in any way.
This restriction around privileges is intentional. A zero-trust architecture applies zero trust principles to every workflow and is designed on the assumption that the internal network is already compromised. This is a unique mental hurdle for many organizations, since most people simply assume that an internal network is protected.
6. Purge Your Data Properly
It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.
Too often, employees think that they are getting rid of all their data when they delete files located on their desktop, without realizing that other copies of the files remain elsewhere on the computer. By teaching employees proper data disposal techniques, you’re able to minimize the risk of that data getting into the wrong hands.
The Impact of Remote Work
7. Monitor Your BYOD Programs
BYOD, or Bring Your Own Device, is a program where employees bring their own technology (computers, tablets, cell phones, etc.) to work. Many organizations allow this type of program so that employees are able to use technology that they already understand well. This reduces training time and increases productivity. Oftentimes, BYOD occurs unintentionally as more of the workforce operates remotely and has daily access to their own devices.
However, one of the major risks is that employees do not feel as though they need to be utilizing organizational policies when they are using their “personal” device. The risk here is that while the device may be used for both work and fun, sensitive data is still readily available.
In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.
By implementing strong BYOD policies that require employees to fully understand the risks inherent with the utilization of their own devices, organizations are able to fully prevent data breaches from happening. These programs should emphasize or consider:
- Password and device-encryption requirements
- Update and patch requirements
- Lost or misplaced device notification for emergency response and remote data-wiping
- Utilization of tracking software
- Establishment of secure app workflows
- Anti-malware software
- Jailbreak prevention
- Sandboxing
- Device partitioning
The creation of appropriate BYOD management and policies allows the program to work successfully, instead of becoming a pain point for organizations.
8. Secure Your Networks
Employees are constantly on mobile devices, and oftentimes have their devices set to “Automatically Connect” to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few rogue Wi-Fi “Hot Spots” set up specifically to capture sensitive information from devices that connect to them.
Ensure the security of your network by investing in a personal or corporate VPN, so that all of the data being transmitted is appropriately encrypted at the source.
IT’s Role in Security
9. Update Software with All Patches and Updates
Software companies are constantly updating their products in order to ensure that they remain secure for use. Outside parties are constantly finding new vulnerabilities in that software, and patches and updates allow organizations to ensure that these vulnerabilities do not affect their business functions. Security and IT teams should not only be aware of the latest software but also apply all patches and updates.
10. Develop “Appropriate Usage” Guidelines for Company Technology
Educate employees on the appropriate usage of organizational technology. This includes when, where, and how to log in to accounts, how to check their connection to ensure it is reliable and secure, and when not to use devices.
11. Hold Outside Vendors to the Same Standards
By only working with organizations that hold the correct security and regulatory designations, you are able to prevent data breaches by ensuring all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations, or that operate outside of governing bodies with strict regulation, that saving is smaller than the cost of the customers lost due to a data breach.
Service providers will likely face an increased burden in 2022 to furnish additional attestation and certification documents to comply with each customer’s own vendor risk management program. Some customers will request standard documentation — like an ISO 27701 certification or a SOC 2 attestation — while others may layer on custom requirements for vendors based on the specifics of their relationship and business. Service providers can also expect to spend more time reporting back to customers as those customers implement new processes for ongoing oversight of vendors.
At the end of the day, if your vendor makes a mistake – it is your clients on the line, not just theirs.
Preparedness & Disaster Recovery
12. Prepare for the Worst
Establishing a disaster management plan allows for your organization to feel prepared if the worst were to happen. While all of your preparations can help you to prevent data breaches, your risk is never fully mitigated. Being prepared allows your team to have a full understanding of their job in order to prevent the breach from growing, or causing unnecessary customer backlash.
A-LIGN’s Ransomware Preparedness Assessment service reviews the risk, security preparedness, and existing controls of your organization using the NIST Cybersecurity Framework. This assessment allows A-LIGN’s experts to identify any gaps in your organization’s cybersecurity plan, uncover cybersecurity vulnerabilities through penetration testing and social engineering, and ensure you know how to respond if an attack occurs.
13. Test Out Your Disaster Management Plan
Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach and troubleshoot problems with your protocol before it becomes a reality.
14. Audit Your Organization Regularly
By auditing your team on their practices, you are able to see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocols prior to an issue.
15. Notify Early and Appropriately
If your team even vaguely believes that there was a potential data breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.
The sooner that your team is able to respond to an incident, the greater the chance you have in being able to manage the potential damage to your organization and its clients. Reporting unusual or suspicious activity is the difference between a major breach and a minor one.
Taking Steps Toward a Fully Secure Organization
I have found that most organizations begin with a combination of VPN and multi-factor authentication, or they adopt a zero-trust architecture, but that is only the start. Every organization needs to understand its own architecture in order to identify its threat surface. Penetration testing can also help to identify and highlight some of these risks.
Ultimately, it comes down to the importance of knowing where your assets reside, and implementing the appropriate security training, policies and procedures needed to protect them.
Avoiding Common FedRAMP Pitfalls

You may have heard that achieving Authority to Operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP) is a complicated and time-consuming undertaking. This is likely based on the experience many cloud service providers (CSPs) have when they dive into FedRAMP headfirst without taking the time to plan and prepare for what is undeniably a rigorous endeavor.
Keep in mind that the objective of FedRAMP is to ensure that CSPs are providing secure products so the Federal Government can deliver its services more safely and effectively. It’s understandable that the process is rigorous, but organizations that take the time to prepare will have a smoother experience than those that don’t.
There are some common mistakes and misconceptions that are worth addressing to help your CSP business plan for a less stressful, more efficient path to FedRAMP ATO status. The information in this article is based on the assumption that your organization is pursuing agency authorization rather than Joint Authorization Board (JAB) authorization, as this is the route the majority of CSPs take. With that in mind, here are some of the common pitfalls and some suggestions to facilitate the process.
Pitfall #1: Assuming FedRAMP Will Be a Quick and Easy Process
Even if your organization has been through other cybersecurity compliance audits in the past, and you feel confident in your current security posture, that doesn’t mean you will be able to breeze through FedRAMP. Accept that there are many gaps that will need to be filled because FedRAMP security standards are much more prescriptive compared to a more general security assessment, like SOC 2.
That said, you should absolutely view past audit and assessment experiences as stepping stones that can help your FedRAMP journey. For example, our client AchieveIt noted that because they had been through a SOC 2 Type II assessment, they understood much of the language and baseline requirements for FedRAMP, and had solid basic policies and procedures in place.
The company also had a robust security policy that was built out to follow certain ISO standards. While it did require modifications and enhancements for FedRAMP, having that existing security policy helped them have more informed conversations with their agency sponsor and the FedRAMP Program Management Office (PMO).
You’re not expected to be a FedRAMP expert, so my top tip for wrapping your head around the process is to ask a lot of questions — of everyone. This includes your third-party assessment organization (3PAO), your advisor, your agency, the PMO, and your own staff. I also highly recommend looking through FedRAMP’s official library of training resources and their FAQ.
Pitfall #2: Overlooking the Benefits of Control Inheritance
In the world of cybersecurity compliance, it often pays to work smarter versus harder. Let me be clear that this doesn’t mean you should look for shortcuts or ways to “hack” FedRAMP. This will inevitably disrupt the process and everything will end up taking longer than necessary. However, there are some established techniques that can be used to expedite FedRAMP (and even lower associated costs).
For CSPs, inheriting as many security controls as possible from your underlying infrastructure provider can help reduce some of the preparation work for your FedRAMP authorization. That’s why it’s ideal to have your product hosted on a platform (IaaS or PaaS) that is FedRAMP authorized. Most of the major IaaS/PaaS providers have a FedRAMP authorization at either a Moderate or High Impact level. For example, a SaaS provider hosted on Azure or AWS won’t have to spend as much time and resources on control implementation and testing activities for those inherited controls.
When a CSP does not use a FedRAMP-authorized service and opts to manage their own servers and operating systems, control inheritance is not an option. Such an organization must include their infrastructure and platform within their authorization boundary.
While leveraging FedRAMP-authorized services may not be an option for every organization architecturally, I recommend moving in that direction wherever possible. It’s worth checking to see if there are any tools in your stack that are FedRAMP-authorized, since most organizations make this information publicly available. With the recent emphasis on supply chain risk management, third-party or external services and systems are an area of particular concern for FedRAMP, which must ensure that Federal data and metadata are protected at all times.
Pitfall #3: Underestimating the Power of Automation
The FedRAMP PMO and JAB have been working with the General Services Administration’s (GSA) Technology Transformation Services (TTS) arm to automate many security authorization processes. Because automation has become a key tenet of FedRAMP’s efforts to make processes more efficient and reduce the burden on CSPs, I advise you to investigate all available options.
A cutting-edge compliance management platform can help your organization automate and streamline tedious and unnecessarily laborious tasks. For example, an end-to-end platform such as A-SCEND can centralize evidence collection across all audits and assessments so you don’t need to upload the same documents multiple times.
To that point, FedRAMP has been working with the National Institute of Standards and Technology (NIST) for several years to develop the Open Security Controls Assessment Language (OSCAL), “a standard that can be applied to the publication, implementation, and assessment of security controls”. OSCAL can help decrease the amount of time it takes to review security packages, as well as allow CSPs and 3PAOs to carry out their own self-tests prior to submission.
I suggest that you read this recent announcement regarding OSCAL validation rules to learn more about how this open source language increases opportunities for automation and accelerates handoff between key players through the FedRAMP ATO process.
Key Takeaways
While there’s no denying that the road to FedRAMP ATO can be complex and, at times, confusing, don’t fall victim to the myth that this process is inherently painful or overwhelming. Like virtually all areas of compliance, it comes down to having the right people, processes, and technology in place to facilitate transparency, accountability, and efficiency across the entire journey.
Is your organization pursuing FedRAMP Ready and/or a FedRAMP Authorized status? As a top accredited 3PAO for FedRAMP, A-LIGN has the knowledge and skills necessary to perform these security assessments.
Defining Compliance Terms: Accreditation vs. Certification, Policy vs. Procedure, and More
Do you ever feel a bit confused by some of the language used in the world of compliance? You’re not alone. For those outside of the industry, it can be difficult to tell which words and phrases are essentially synonymous, and which seem similar but actually have completely different definitions. What’s the difference between accreditation vs. compliance? Or certification vs. attestation? How do you explain controls versus requirements to stakeholders in your organization?
Read on for answers to those questions and more as we demystify some of the most frequently confused and conflated terms in compliance.
Certification vs. Authorization vs. Accreditation vs. Compliance
Certification
A certification is the document that many people picture when they think about the end result of verifying compliance. Because certification is issued by a third-party entity, it enhances trust in an organization’s compliance with certain rules or standards. At A-LIGN, we can help organizations earn the most requested certifications, including ISO 27001, ISO 27701, ISO 22301, HITRUST, CMMC (when it is released), and others.
The forthcoming Cybersecurity Maturity Model Certification (CMMC) program will be an example of a certification to prove that organizations have adequate controls and processes in place to protect federal information.
Authorization
The concept of authorization exists primarily within the federal compliance space. Authorization means that an organization has been given the green light to do business with a federal agency. Due to the sensitive nature of government-related information, the assessment and authorization process entails a comprehensive evaluation of information system policies, security components, various documentation, and additional safeguards.
With FISMA (RMF), FedRAMP, and StateRAMP, the assessment will culminate in an official authorization package that provides the authorizing government agency or agencies with all the information they need to make a risk-based decision. If the level of risk is determined to be acceptable, the organization will be granted an authorization to operate, typically through an Authority to Operate (ATO) letter signed by the agency’s Authorizing Official (AO).
Compliance
Sometimes, a certification for a compliance standard does not exist, as is the case with SOC 1 and SOC 2. Though you will often see the term “SOC 2 certification,” that statement isn’t really accurate. With SOC 2, an organization undergoes an assessment resulting in an attestation report, which demonstrates compliance. In an attestation report, the third-party assessor documents a conclusion about the reliability of a written statement for which the organization being assessed is held responsible.
In some cases, such as NIST 800-171 or NIST 800-53 frameworks like FISMA (when used for internal compliance purposes), self-attestation of compliance is the only option. For increased reliability, you can leverage an independent third-party assessment organization such as A-LIGN to help guide you through the self-assessment process.
Compliance is the overarching concept to which all of the terms discussed in this article are related, and simply means that your management system fully adheres to, or is compliant with, the requirements of a given standard or regulation. Oftentimes, an organization asserting that it is compliant with a standard is not enough — its prospects, customers, or partners may want to see official proof that its compliance has been tested and confirmed by an independent third party. For example, a SOC 2 report can be shared as proof of compliance after a non-disclosure agreement has been signed by both parties. A SOC 3 report is meant to be shared publicly and placed on your organization’s website.
Accreditation
In the context of compliance, accreditation refers to the status of a certification body (CB) that has been thoroughly tested and vetted so they may provide a high level of assurance in the certifications they award. In other words, accreditation means that an organization is qualified to perform certain compliance assessment services.
For example, A-LIGN is an ISO 27001 and ISO 22301 official certification body that is accredited through the ANSI-ASQ National Accreditation Board (ANAB). This means when an organization receives an ISO certification through us, they can call it an “accredited certification.” When a CB has not been approved by a national accreditation authority, the “unaccredited certifications” they issue may not be accepted under some circumstances, such as contractual requirements. This can mean that an organization must re-do the work to earn an accredited certification.
Audit vs. Assessment
Often used interchangeably in conversation, there is a difference between cybersecurity compliance audits and assessments. An audit essentially captures a snapshot of compliance at a certain point in time and is an evaluation of IT and security performance against certain controls, specifications, or guidelines. An assessment, on the other hand, provides a higher-level overview of cybersecurity maturity, and often includes an audit as the final stage of the process.
By taking a deeper look at all the factors that impact the area being assessed, an assessment can help an organization understand the areas they need to focus on improving. Because security posture and effectiveness can drift between audits, we find organizations that conduct internal self-assessments on a regular basis will move through an external assessment or audit more smoothly and efficiently.
It’s worth noting that in the federal compliance space, the term audit is typically not used — assessment is the preferred nomenclature. The official NIST glossary defines audit as:
“(The) independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.”
NIST defines assessment as:
“The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.”
Policy vs. Procedure
It’s important to make the distinction between these two interconnected concepts that come up frequently in compliance. Policies are the overarching principles that guide how you make decisions and operate on a day-to-day basis. A policy can be thought of as a framework that expresses the why behind certain tactics and objectives. Keep in mind that policies aren’t set in stone and carry a degree of flexibility, meaning they can and should be updated as the company evolves and expands.
Procedures describe, in detail, the steps that should be taken in specific situations. They have a defined beginning and end, and are often repeated to achieve certain outcomes. Procedures are more about the how related to a certain area of compliance. For a more detailed look at how policies and procedures work together, check out What Are the Top Policies and Procedures Needed for a SOC 2 Audit?
Requirements vs. Controls
When learning about the details of a given compliance audit or assessment, you may see the terms “requirement” and “control” used in similar contexts and wonder what the difference is. Both terms are used to describe certain processes, procedures, or activities that an organization may have to perform to manage cybersecurity risk.
The key difference here is that requirements are mandatory (e.g., a regulation, law, contractual commitment, or policy) while controls are typically not. Controls are the procedures and preventive measures that an organization executes to address an identified risk. By mapping controls to specific requirements, organizations can identify similarities across various control sets and requirements and design strategies to streamline their efforts, saving time and resources. A Master Audit Plan (MAP) is a valuable tool for pinpointing areas of overlap across frameworks so you can map controls more efficiently.
In federal compliance, the control is the risk-reducing mechanism and the requirement is the requisite value for that control (e.g., data retention). A given control’s requirement can change depending on the compliance standard. For example, FISMA has a data retention requirement of at least three years while the HIPAA requirement is a minimum of six years.
Building Trusting Relationships Through Compliance Marketing
As you continue to learn more about compliance and the nuances of different concepts and topics, we suggest you leverage a strategic compliance partner to guide you to success. More than 2,500 global organizations trust A-LIGN to assist them in managing and reducing cybersecurity risks.
We deliver a unique single-provider approach as a:
- Licensed SOC 1 and SOC 2 Auditor
- Accredited ISO 22301, ISO 27701, and ISO 27001 Certification Body
- HITRUST CSF Assessor Firm
- Accredited FedRAMP 3PAO
- Candidate CMMC C3PAO
- PCI Qualified Security Assessor Company
If you are in need of a strategic compliance partner capable of addressing every step of your audit or assessment across the scope of each major framework, A-LIGN is here to help.
An Inside Look at Vendor Risk Management Programs
In the past year, we’ve seen new privacy legislation introduced throughout the world. At the same time, the number of data breaches grew significantly from 2020 to 2021. In 2022 and beyond, we expect more of the same. Cybersecurity and privacy concerns are increasingly becoming top of mind for companies across all industries. These concerns are exacerbated by new threats to remote-first workforces and the looming threat of downtime, financial loss, and reputational damage that can occur from a cybersecurity incident.
Companies have long sought to mitigate their own risk through certifications like ISO 27001, compliance with regulations like GDPR, or by conducting risk assessments and penetration tests to strengthen their cybersecurity posture. But now, we’re seeing a shift in the ecosystem.
For service and technology providers, a growing number of customers are demanding providers step up their security efforts and participate in vendor risk management programs to ensure cybersecurity and data privacy efforts extend to the provider’s network of partners and other third-party vendors as well.
What is a Vendor Risk Management Program?
Vendor risk management (VRM) programs present a formal way for companies to evaluate and measure risks associated with using third-party services and IT suppliers. It’s a way for companies to ensure that linking their systems with a provider’s does not expose them to any threats that would negatively impact business performance or cause disruption. It’s also a way for partners to ensure that service providers aren’t opening the door to any new threats when onboarding and working with new customers.
Vendors are now an extension of internal teams and must be evaluated as such. Risks to a vendor’s business can create a butterfly effect for partners and result in major damage to a network of customers. As a result of this shift, partners are holding each other accountable and to a higher standard.
This new standard has led to a significant rise in the number of vendor risk management programs being implemented. It’s a sign of the times: More companies are becoming aware of the threat landscape and more deliberate in how they manage their own vendor risks. Plus, with the rise of globalization and cloud services, reliance on third-party vendors to execute major components of a business’s operations is more critical than ever.
The Rise of Vendor Risk Management Programs
What prompted this rise in awareness? Beyond the rise in cybersecurity incidents (and rise in reporting of such incidents across news outlets), three things brought cybersecurity and privacy to the top of everyone’s mind this past year:
- An increase in privacy-related legislation
- The prolonged shift to remote work
- A rise in turnover driven by “The Great Resignation”
1. Privacy Legislation
Data privacy has been a top priority for regulators over the past few years. From the introduction of GDPR in the European Union to LGPD in Brazil, and many state-by-state laws within the U.S., the consequences for improper protection of customer data are at an all-time high. Organizations that store and use customer data are at risk of paying hefty regulatory fines if that information is not properly protected. Therefore, when evaluating vendors, especially those who will also have access to customer data, it’s become even more important to select partners who have sufficient data protections in place. After all, if a data leak or breach were to occur as a result of poor security practices through a partner, the responsibility would fall on your organization’s shoulders as the primary provider.
2. Shift to Remote Work
Remote work presented an interesting challenge for security professionals. It forced security teams to place an increased emphasis on educating employees about threats — like phishing scams and accessing private networks in public spaces.
But it also presented an opportunity for many cybersecurity professionals to reassess how their networks are accessed (and by whom) and which services are most essential to conducting business. As those services are evaluated, so too are the security threats associated with them.
3. Turnover and “The Great Resignation”
Employee turnover proved to be another area that forced security professionals to re-evaluate their systems and processes. “The Great Resignation” ushered in a wave of turnover that left companies with gaps in institutional knowledge at various levels and a lack of resources to execute on pre-existing strategies. Experiencing turnover within their own organizations brought awareness to many companies about how similar employee turnover at their vendor organizations could trickle down and impact business continuity, and thus the security of a vendor’s link to their own internal systems.
What Does This Mean for Service Providers?
These factors have created somewhat of a perfect storm, alerting companies to the risks of working with third parties and creating more urgency to implement systems that address and mitigate that risk. As a result, service providers will likely face an increased burden in 2022 to furnish additional attestation and certification documents to comply with each customer’s own vendor risk management programs. Some customers will request standard documentation — like the ISO 22701 certification or a SOC 2 attestation — while others may layer on custom requirements for vendors based on the specifics of their relationship and business. Service providers can also expect to spend more time reporting back to customers as they implement new processes for ongoing oversight of vendors.
With custom risk management and reporting requirements for each customer, the administrative oversight of simply doing business can become much more burdensome on service providers. To ease that burden, rely on experts like A-LIGN to ensure you are up to date with the necessary audits, attestations, and data privacy best practices.
SOC 1, SOC 2, and SOC 3 Reports: Type 1, Type 2 or Readiness Assessment?

SOC reports are gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation are becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC reports ensure that controls are properly implemented and used within your organization, greatly reducing potential security threats.
For organizations seeking a SOC 1, SOC 2, or SOC 3 report, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation.
With so many options, what type is best for your organization to prove compliance? Our experienced assessors break down the options so the path to compliance is clear between SOC 1, SOC 2 and SOC 3. We then dive into the various types of SOC reports: Type 1, Type 2 and a readiness assessment.
SOC 1 Report
A SOC 1 report follows the guidance outlined in the Statement on Standards for Attestation Agreements, which focuses on the internal controls that have an impact on the financially relevant systems and reporting. The main goal of a SOC 1 report is to ensure the controls identified by the organization are in place and/or operating effectively to appropriately address the risk of inaccurately reporting financials.
SOC 2 Report
A SOC 2 report highlights the controls in place that protect and secure an organization’s system or services used by its customers. Unlike a SOC 1, the scope of a SOC 2 examination extends beyond the systems that have a financial impact, reaching all systems and tools used in support of the organization’s system or services. The security of your environment is evaluated against the requirements of a SOC 2 examination, known as the Trust Services Criteria (TSC). The TSC are established by the American Institute of Certified Public Accountants (AICPA) and consist of five categories:
- Common Criteria/Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
SOC 3 Report
A SOC 3 report is coupled with a SOC 2 report and is a scaled-down version of the SOC 2 report. The report is intended for a broader public audience including prospective customers and stakeholders. The SOC 2 report provides greater detail regarding the organization’s controls and operations. A SOC 3 report is effectively a summary of the SOC 2 report that provides less technical information, making it suitable for an organization to share publicly on its website or to hand out to prospective customers.
Readiness Assessment
A readiness assessment measures your organization’s level of preparedness for a Type 1 or Type 2 assessment. Used for internal purposes, this assessment provides your organization with a greater understanding of the demands of a SOC audit. The deliverables include a listing of your current controls, as well as identification of recommendations that should be implemented to enhance your environment prior to the full assessment.
We recommend completing our SOC Readiness Checklist before undergoing a readiness assessment to see how close your organization is to reaching its requirements for a SOC audit. Regardless of your results, you will have a clear understanding of if you are ready to move forward with a SOC examination or if you should continue to prepare.
A readiness assessment allows you to save time and resources by truly being prepared for your SOC examination. While you cannot technically “fail” a SOC examination, your report opinion can be noted as “modified” or “qualified”, which may result in a negative perception by your executive team and stakeholders.
SOC Type 1 Report
With a SOC Type 1 report, your organization’s controls are assessed at a specific point in time. This report acts as a snapshot of your environment to determine and demonstrate if the controls are suitably designed and in place. For example, we will take a sample terminated employee and confirm that their access was properly revoked and documented via a ticketing system.
A Type 1 report has the following characteristics:
- Description of your organization’s system as a whole
- Assesses the design of your organization’s internal controls
- Tests a specific point in time
A Type 1 report does not provide an evaluation of how effective your controls are over an extended period of time because it’s only looking at the controls as they exist at that given date.
SOC Type 2 Report
For a SOC Type 2 report, your organization’s controls are assessed over a period of time, typically a twelve-month review period. Unlike Type 1, a Type 2 report acts as a historical review of your environment to determine and demonstrate if the controls are suitably designed and in place, as well as operating effectively over time. The audit process will include sample testing within the review period to determine if your organization’s controls are operating effectively. For instance, we will take a sample of employees from the population of terminated personnel and confirm that their access was properly revoked and documented via the ticketing system during the agreed-upon review period.
A Type 2 report has the following characteristics:
- Description of your organization’s system as a whole
- Assesses the design of your organization’s controls, as well as their operating effectiveness
- Focuses on a period of time in which the controls are operating
- Features detailed descriptions of the auditor’s tests and test results of the controls
Since a Type 2 report is more granular and comprehensive than a Type 1 report, it often provides your clients with a higher level of assurance. In today’s cybersecurity landscape, it’s commonplace for vendors, partners or customers to request that your organization earn a SOC 2 report as the cost of doing business.
Evaluate Your Compliance
As a licensed SOC 1 and SOC 2 auditing firm with more than 20 years of experience, and as one of the top SOC 2 report issuers in the world, A-LIGN has the people, process, and platform you need to help your organization reach any of your compliance needs.
ISO 27001 for Remote Work: Changes and Updates for Certification
In the past few years, many businesses have shifted to a hybrid or fully remote environment. While this has become a necessity for many, there are security risks to consider when taking a business remote. Organizations may lack visibility into the security of home networks and must be extra cautious with Bring-Your-Own-Device (BYOD) practices; these are just two examples of areas that require additional security measures.
It’s no wonder that information security is top of mind for many leaders at organizations that have shifted to remote work. As such, it’s more important than ever to ensure you have an ISO 27001 certification that confirms your information security management practices are up to snuff and your company is able to protect important information and data.
If you already received an ISO/IEC 27001 certification, but recently made changes to the physical environment in which employees work, you may be wondering if you need to update that certification. The short answer? Yes.
Below, we’re answering some commonly asked questions about this process.
If my organization is now remote, do we need a new ISO 27001 certificate?
Yes. Organizations that switched to a remote work environment need to update ISO 27001 certificates to reflect any locations or operations that are new or no longer relevant to their business.
How do I get an updated certification?
At A-LIGN (an accredited ISO 27001 certification body), we’ve made this process as simple as possible. If your organization has recently gone remote, you’ll need to submit an updated application letter to our team. This letter should outline the scope and all locations relevant to your business and the relevant activities performed at each of those locations.
We will then review the updated application letter and confirm that all activities listed are still within the scope of your certification. The experts at A-LIGN will look for any relevant changes to your business and confirm if any of your operations — for example, products or software developed — have shifted. We’ll review and confirm any physical environment changes as well.
Pro tip: Even if you are classified as a fully remote company you will still need an address on file to identify your company moving forward. A P.O. Box is fine for this identifier.
What about hybrid workplaces?
Although we’re specifically talking about companies that are fully remote, this process also applies for businesses who have undergone headcount changes, switched to a hybrid environment, or added or removed certain office locations. This is also relevant for companies who have updated the location of their headquarters — something we’ve seen many organizations do during the COVID-19 pandemic as leases have expired and less expensive cities beckon.
Will the audit process change for remote companies?
The ISO 27001 certification process itself will look a bit different for remote companies. Typically, audits include a physical walkthrough of relevant locations, where auditors can assess the operations in-person. This obviously hasn’t been easy to achieve throughout the pandemic; in fact, our experts conducted audits remotely to protect the safety and well-being of our employees and yours.
Regardless of how the audit takes place, remote businesses are still beholden to all of the control domains within the ISO 27001 standard. Many remote customers have asked us about Annex A.11, specifically. Some of the controls within this section reference the physical and environmental security of a business, with a goal to prevent unauthorized access or damage to information processing facilities (think: physical security perimeters around buildings and data centers, entry controls, access credentials, etc.). While those specific controls won’t be relevant for a fully remote business, Annex A.11 at large will still be part of the audit process. Remote businesses are still beholden to all other controls listed within this Annex, such as equipment maintenance and protection.
Receive an ISO 27001 Certification
A-LIGN is an experienced certification body that has helped many organizations update their ISO 27001 certificate to reflect remote and hybrid work environments during this ongoing global pandemic. Our goal is to help you ensure that the integrity of your Information Security Management System remains intact, regardless of where your employees choose to work.
Get started by downloading our ISO 27001 checklist.
In the world of cybersecurity, there are two widely popular cybersecurity assessments that verify an organization’s ability to protect information and mitigate risk: SOC 2 (System and Organization Controls) and ISO/IEC 27001:2013 (International Organization for Standardization/International Electrotechnical Commission).
For many organizations, it can be difficult to separate the nuanced differences between the two and decide which is the most beneficial to pursue. While both have their distinct differences, it’s important to note first and foremost that both of these are hugely beneficial to any business.
ISO 27001 and SOC 2 both demonstrate a level of commitment to cybersecurity practices that is essential to monitor and prevent risk (and the detrimental impacts of security breaches) within any organization. Both a SOC 2 report and ISO 27001 certification are extremely attractive to prospective customers. In fact, more and more customers are requiring that vendors become ISO 27001 certified or obtain a SOC 2 report as part of the due diligence process.
While both of these assessments provide a similar end result, there are a few differences in the assessments themselves. Check out the four main differences below to evaluate which assessment is right for your business.
1. Certification vs. attestation
A certification is what many people picture when they think about the end result of a compliance audit. Because certifications are issued by a third-party entity, they enhance trust in an organization’s compliance with certain rules or standards. ISO 27001 certifications are issued by certification bodies with the accreditation body and IAF seal. ISO 27001 certifications can easily be verified in the vendor management process through the issuing certification body.
Though you will often see the term “SOC 2 certification,” that statement isn’t really accurate. A SOC 2 is an audit resulting in an attestation report which proves compliance. In an attestation report, the third-party assessor documents a conclusion about the reliability of a written statement for which the organization being assessed is held responsible.
2. ISMS vs. Trust Services Criteria
Certification vs attestation is not the only difference between the two assessments. The structure of each is also different at its core, though there is a lot of overlap in the security controls themselves.
ISO 27001 focuses on the development and maintenance of an Information Security Management System (ISMS). This is an overarching method of managing data protection practices. In order to achieve an ISO 27001 certification, organizations are required to implement all of the clauses 4-10 and 114 controls within the framework (that are relevant to the particular organization) to the scope of their ISMS. The end result is a pass or fail of the audit. You would need to successfully implement, maintain and continually improve the management system in order to achieve an ISO 27001 certification.
SOC 2 is structured around five Trust Services Criteria (TSC): Security, Availability, Confidentiality, Processing Integrity, and Privacy. For a SOC 2 audit, organizations can pick and choose which criteria they’d like to have evaluated (though the Security criteria are mandatory for all organizations). Instead of a pass/fail audit like ISO 27001, the organization’s auditors issue an opinion based on the design and operating effectiveness of the controls in place for each chosen Trust Services Criteria.
Companies are provided with a comprehensive SOC 2 report, which can be more than 100 pages in length. The report details how well an organization meets the control requirements within the evaluated criteria groups, based on the opinion of the expert who conducts the audit. It’s significantly more detailed than the one-page letter that proves an ISO 27001 certification, which can be very attractive to customers who want a higher level of detail and assurance about their partner’s cybersecurity posture.
One other key difference between ISO 27001 and SOC 2 is that SOC 2 offers two different levels of attestation reports. A SOC 2 Type 1 report attests to an organization’s security posture at a single point in time, whereas a Type 2 report attests to the design and effectiveness of controls over a defined period of time (usually between 3-12 months). Organizations can choose to pursue one or both of these reports.
3. Global reach
ISO 27001 is an international standard that is used as the principal cybersecurity standard throughout the world. SOC 2, on the other hand, was designed by the American Institute of Certified Public Accountants (AICPA). As such, it’s particularly favored in the U.S. and most large or well-known U.S.-based customers will require their vendors to supply a completed SOC 2 audit. Although SOC 2 is an American-born standard, it’s gaining traction in places like Europe — especially as more European companies look to do business with U.S.-based companies.
When evaluating which assessment is right for your business, consider your current customer base and your plans to expand globally in the future. And keep in mind that it’s not a matter of one or the other. Many organizations pursue both paths, as compliance with one standard positions your company well to successfully comply with or complete the other.
4. Certifying bodies and renewal timelines
SOC 2 and ISO 27001 both require an independent third-party to attest to an organization’s ability to meet the requirements within the guidelines. For SOC 2, this attestation is carried out by a licensed CPA firm. Both a Type 1 and Type 2 SOC 2 report are considered valid within the industry for 12 months from the report date. ISO 27001 certifications must be carried out by an accredited ISO 27001 certification body. ISO 27001 certificates are valid for a three-year period with annual surveillance audits.
Benefits of pursuing both SOC 2 and ISO 27001
While both assessments have their own unique set of benefits, conducting both SOC 2 and ISO 27001 assessments can help organizations demonstrate a commitment to cybersecurity risk management and provide assurance to their customers and stakeholders that they have implemented effective controls to protect their data.
SOC 2 audits ensure secure data management and privacy protection, while ISO 27001 certification showcases a commitment to data protection.
Combining the two frameworks can also help organizations identify gaps in their cybersecurity management and develop a comprehensive approach to managing risks. Ultimately, conducting both SOC 2 and ISO 27001 assessments has great value and can help organizations build trust, differentiate themselves from competition, and win new business.
ISO 27001 or SOC 2 with A‑LIGN
Some companies — like A-LIGN — hold the ability to carry out both audits. A-LIGN is an accredited ISO 27001 certification body, a licensed CPA firm and the top issuer of SOC 2 reports in the world. In addition to providing the final certificate or attestation for ISO 27001 and SOC 2, A-LIGN also provides readiness assessments and pre-assessments to ensure your organization is ready to pursue either audit. These assessments simulate the assessment process to determine whether your organization has any gaps that may need remediation, or opportunities to improve processes, before a final audit takes place.
HITRUST CSF v9.6 Enhances the Controls and Streamlines Audit Process
Learn how HITRUST v9.6 enhances the controls, such as NIST 800-53 and CMMC, while helping assessors more easily identify the controls that need to be tested. A-LIGN’s Healthcare and Financial Services Knowledge Leader, Blaise Wabo, explains why you should select v9.6 when pursuing a HITRUST certification.
Since 2007, the HITRUST CSF has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the new CSF v9.6 update, HITRUST continues to demonstrate its value for any organization by enhancing several areas of the controls and MyCSF portal so assessors can more easily identify what controls need to be tested and can locate the most updated frameworks.
Let’s look closer at what HITRUST v9.6 includes and what enhancements were made to the CSF and MyCSF portal.
Going Back to the Beginning
The HIPAA Safe Harbor Bill, signed into law on January 5, 2021, by former President Trump, changed the cybersecurity industry in a big way. If your organization processes Electronic Protected Health Information (ePHI), or Personally Identifiable Information (PII), you could be the target of a cybersecurity breach and therefore, an OCR audit. If this situation occurs, the HIPAA Safe Harbor Bill covers you and acts as a layer of security for your organization if you have a cybersecurity program in place.
HITRUST CSF is one of the most reliable ways to demonstrate HIPAA compliance. For this reason, the HITRUST CSF is often utilized, and sometimes required, by organizations in the healthcare industry.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA, PCI DSS, GDPR, and more into one comprehensive system, the HITRUST CSF streamlines the audit process by assessing once and reporting against many framework requirements. Because of this benefit, and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
What enhancements were made to HITRUST CSF v9.6?
According to the HITRUST advisory, three enhancements were made in v9.6 to the CSF controls, all of which help to update the framework with the newest compliance standards.
1. Even though HITRUST is based on the NIST 800-53 framework, it has never been an assessment option to select as a regulatory factor. By adding NIST 800-53 revision 4 as a selectable compliance factor, HITRUST is updating the mapping. HITRUST is also changing language and further defining the illustrative procedures to provide guidance to the assessment firm on how to test against the updated requirement statements. Note that if an organization selects the i1 assessment, it must use the latest version of the CSF, i.e. v9.6.
2. With the release of HITRUST i1, a scoping exercise to determine controls is no longer needed. All organizations evaluated against the i1 standards will be measured on the same static control list.
3. HITRUST also made minor updates throughout the controls and standards to correct grammar, modify wording and correct mapping issues.
What enhancements were made to the MyCSF portal?
An additional three enhancements were made in v9.6 to the MyCSF portal, all of which aim to further streamline the assessment process for auditors.
1. CMMC Compliance Factor
With the CMMC certification still coming to fruition, the standard path and control verbiage will be evolving. Every time CMMC makes an update to the standard, HITRUST will highlight the outdated versions with an orange flag to show the line item is no longer valid. Only the most recent version of CMMC will not have the flag.
2. Illustrative Procedure Enhancements
In the past, the ‘Illustrative Procedure for Policy’ description has been in a long, paragraph format. HITRUST has shortened the format to a more concise numbered list, making the information easier to understand by assessors. HITRUST has also broken ‘Illustrated Procedure for Implemented’ into a numbered list and added guidance to the assessor firm on how to score the control. For example, if three items fall under a section, each would be assigned a weighted value of 33.33% for coverage. If all items were met, the assessor would score the client 100% in this control.
3. Sampling Badge
The requirement view within MyCSF now contains a badge for items that require the assessor to select a sample of items to test. The assessor will no longer need to read a long paragraph to learn if the sample testing is required, but rather have a visual indicator to quickly understand what testing is needed.
The A-LIGN Difference
We encourage all covered entities and business associates pursuing a HITRUST CSF assessment to select HITRUST v9.6 if they would like to add NIST 800-53 as a regulatory factor, or if they would like to perform a HITRUST i1 Assessment vs. an r2 Assessment. A-LIGN’s experience and commitment to quality has helped more than 300 clients successfully achieve HITRUST certification. Our diligent audit process helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any questions you might have through every step of the assessment.