StateRAMP provides a comprehensive security framework designed to improve cloud security for state and local governments. Learn the ins and outs of the StateRAMP compliance framework, its relationship with FedRAMP, and how StateRAMP could impact your business.
As cyberattack attempts carried out against state and local governments continue to become more prevalent, government agencies are in dire need of a way to modernize and systematize their cybersecurity practices — especially regarding cloud technologies. That’s where the State Risk and Authorization Management Program (StateRAMP) comes in.
According to Comparitech, various ransomware attacks cost the U.S. government close to $19 billion in 2020. And recent ransomware attacks on state-run facilities have highlighted the importance of increased and improved cybersecurity measures for state and local governments.
StateRAMP provides a comprehensive security framework designed to improve cloud security for state and local governments. It delivers a uniform approach to verifying that cloud service providers (CSPs) meet the standards and regulations needed to do business with state and local governments.
As I outline the details of the StateRAMP compliance framework and its relationship with the Federal Risk and Authorization Management Program (FedRAMP), you will see how, and if, this could impact your business.
The StateRAMP and CSP Relationship
As mentioned above, StateRAMP was created to help state and local government agencies manage and verify the cybersecurity posture of third-party vendors that provide cloud technology solutions, also known as CSPs. This is important because CSPs have been replacing on-premises information technology (IT) solutions at a rapid rate over the past 10+ years.
CSPs offer government agencies cloud computing solutions and services like Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), all of which are designed to improve an organization’s agility and scalability. Gaining advanced storage, computing, and analytics capabilities has become essential for many government agencies to increase collaboration and remote accessibility while gaining deeper insights into their data.
As government agencies adopt StateRAMP to enhance their cybersecurity posture, CSPs that respond to RFPs in those states will need to prove they are StateRAMP authorized. This will be a requirement for any CSP proposals to be considered by certain local government agencies.
StateRAMP’s Solution for State-based Cybersecurity
The StateRAMP framework was created by the StateRAMP not-for-profit organization in response to the encroaching cyber threat crisis that stands to disrupt modern life in unprecedented ways. According to StateRAMP, the program’s purpose is to:
- Help state and local governments protect citizen data.
- Save taxpayer and service provider dollars with a “verify once, serve many” model.
- Lessen the burdens on government.
- Promote education and best practices in cybersecurity among those it serves in industry and government communities.
Protecting Citizen Data
In the recent onslaught of ransomware attacks, it is frequently citizen data that’s held hostage by threat actors who demand a payout. This data is often personally identifiable information (PII) that, if exposed, can allow hackers to commit identity theft or monetize the stolen data on the dark web.
Because state and local government officials are elected to serve the needs of their citizens, keeping personal data safe is a major priority.
Verify Once, Serve Many
StateRAMP makes things easier for CSPs by allowing them to transfer their credentials and certifications across a set of uniform standards. The “verify once, serve many” model was designed so CSPs only need to have their cloud offering or product authorized once to confirm its cybersecurity standards are adequate. This authorization is then enough to be recognized by other government agencies that adopt StateRAMP.
Government employees and officials are able to join StateRAMP at no cost as the program is entirely vendor-funded. This ensures enhanced cybersecurity is accessible for all state and local government agencies, regardless of size or budget.
Lessening the Burden on Government
Related to the last point, the StateRAMP model alleviates strain on state and local governments by removing the need for them to conduct redundant security assessments. In addition to being cost-efficient because StateRAMP removes the need for repetitive CSP security assessments, it saves countless hours and staffing needs that could be better utilized elsewhere.
For example, before StateRAMP, a government agency might have to review a dozen CSP vendors that responded to an RFP, even if they knew only a few of them would likely have acceptable cybersecurity standards in place. With StateRAMP, governments don’t have to waste valuable resources doing assessments for organizations that are severely lacking in cybersecurity maturity.
Promoting Cybersecurity Education and Best Practices
In the constantly evolving landscape of cybersecurity and compliance, it can be tough to stay up to date on the latest developments and regulations. StateRAMP aims to be as transparent as possible about policies and procedures, making cybersecurity knowledge available for anyone who wants to learn. In fact, the StateRAMP website provides a wealth of documents, templates, and other resources related to StateRAMP compliance.
After all, StateRAMP was designed to ensure government agencies and CSPs truly understand the reasoning and mechanisms behind the StateRAMP framework.
How Does StateRAMP Work?
Much like FedRAMP was created to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services that store, process and transmit federal information, StateRAMP was designed to do the same for state and local government agencies.
StateRAMP’s Security Assessment Framework process is modeled after the National Institute of Standards and Technology (NIST) Risk Management Framework. Its primary requirements for CSPs seeking authorization include:
- Compliance with the security standards listed in NIST Special Publication 800-53 Rev. 5.
- A relationship with a Third-Party Assessment Organization (3PAO) that serves as a partner and educator throughout the entire process.
- Producing an in-depth security report in collaboration with a 3PAO that proves the organization has all the necessary controls in place and meets all requirements for authorization.
- Participating in continuous monitoring to demonstrate that the organization continues to maintain StateRAMP compliance.
To have a cloud offering or product become StateRAMP authorized, CSPs must work with their 3PAO to identify their impact level category based on the type of government data they handle, and the consequences that would result if a breach were to occur.
Each of the four categories corresponds to a defined set of security controls that aligns with familiar FedRAMP impact levels:
- Category 1 – This is the baseline any CSP has to meet. It maps to systems that involve publicly available data. Category 1 aligns with the “low” impact level in FedRAMP.
- Category 2 – This category covers data that is not available to the public, such as PII. Category 2 aligns with the “low” impact level in FedRAMP and contains some elements of the “moderate” impact level control baselines. Category 2 will continue to be developed and validated throughout this year.
- Category 3 – This category involves confidential data and systems that are of high criticality to the continuity of government. Category 3 aligns with the “moderate” impact level in FedRAMP.
- Category 3+ – This category is reserved for FedRAMP High authorized systems for reciprocity with StateRAMP.
StateRAMP also provides an official data classification tool that includes a brief survey to help government agencies determine which StateRAMP security category requirements they need to include in their RFPs. This tool can also help CSPs better understand the StateRAMP security categories and what they entail.
Why Is StateRAMP Necessary?
With so much overlap between StateRAMP and FedRAMP frameworks, you may be thinking, “Why doesn’t a CSP just seek FedRAMP authorization for their products and achieve the same security outcome?”
It’s a fair question. FedRAMP built a reputation as a model security program over the past 10 years and has authorized hundreds of cloud products. Prior to this year, many CSPs that offered cloud solutions to state and local government agencies found themselves using FedRAMP security guidelines, but were still unable to achieve official FedRAMP authorization. This is because FedRAMP was specifically designed for federal agencies. This means organizations cannot obtain FedRAMP authorization without doing business with the federal government.
For this reason, a coalition of industry members decided to form the StateRAMP not-for-profit organization to bring FedRAMP’s standardized cloud security approach to state and local governments. As a growing number of states plan to join StateRAMP (the StateRAMP organization is in talks with hundreds of government officials across 35 states and counting), it would be wise for CSPs to start preparing for StateRAMP authorization sooner rather than later.
In addition to enhancing cybersecurity by providing a uniform approach to risk-based management, accomplishing StateRAMP authorization can help CSPs save time and resources by allowing them to re-use their security authorization across multiple government agencies. StateRAMP also increases transparency and trust between government agencies and CSPs, reducing the likelihood of any miscommunication, oversights, or errors that could affect potential contracts or working relationships.
Note: For CSPs that do business with both federal and state/local government and are already FedRAMP authorized, a reciprocity program is in process that will allow these organizations to take an accelerated path to StateRAMP authorization.
Get Started with StateRAMP
In a time when the public and private sectors are realizing they must work together to keep out threat actors, StateRAMP is a significant milestone for transparency, standardization, and community in cybersecurity.
If your organization requires StateRAMP authorization to do business with a state or local government agency, A-LIGN can help put you on the right track. Drawing from our extensive experience as a 3PAO for FedRAMP, A-LIGN is one of the only StateRAMP-registered assessors on the market today.
How HITRUST Certification Can Satisfy Your SOC 2, ISO 27001, and FedRAMP Requirements
The HITRUST CSF pulls from many major pre-existing frameworks to provide a complete, certifiable security standard. Learn about the many different cybersecurity frameworks that can be incorporated into your organization’s HITRUST assessment to help streamline your approach to compliance.
Confusing. Difficult. Expensive. Overwhelming. Do you associate these words with the plethora of cybersecurity assessments available today? Many organizations are unsure of where to start and what assessments or audits will best prove to their customer that they take data security seriously.
While there are a variety of different audit options for any organization, the HITRUST CSF provides comprehensive, scalable, flexible and prescriptive solutions for organizations. By pulling from many major pre-existing frameworks and working with organizations to better understand their needs, the HITRUST certification provides a complete, certifiable security standard. Let’s first define HITRUST CSF and then take a look at the many frameworks that can be incorporated into the assessment. You’ll see how beginning with HITRUST CSF will streamline your approach to compliance!
What is HITRUST CSF?
The certification provides an integrated, prescriptive framework that works primarily with the needs of the healthcare industry in order to comply with the necessary cybersecurity standards. However, this framework is able to be scaled for various sizes and types of organizations in any industry and their control systems.
It also allows for the tailoring and scaling of controls with HITRUST oversight to ensure that the integrity of the systems remains intact and applications remain consistent. With a comprehensive framework for organizations of any size, system, or regulatory requirement, the HITRUST certification allows organizations to easily assess their current compliance while providing implementation requirements based on an organization’s risk factors.
What are the types of HITRUST assessments?
HITRUST offers two approaches to complying with the HITRUST CSF, each with its own benefits depending on the needs of an organization: the self-assessment, and the validated assessment, which leads to HITRUST certification. They provide different degrees of assurance based on the cost, effort level, and time required. The benefits of any type of HITRUST CSF assessment include:
- Scalability for organizations of any size
- Understanding of the organization’s current level of compliance with the CSF and areas of general risk
- Staying up to date on the latest security risks
- Saving time on numerous compliance audits
HITRUST self-assessment
The HITRUST self-assessment is designed to be completed by the organization itself, in order to minimize the time and resources spent demonstrating compliance with the CSF. The self-assessment can also be used as a stepping stone to a validated assessment. The benefits include:
- Low to medium level of effort needed to complete
- Can be quickly completed
- Lower investment in terms of budget and time
However, one of the drawbacks of a self-assessment report is that it provides the lowest level of assurance, as no validation comes from the self-assessment: it simply results in a HITRUST issued CSF Self-Assessment report.
Validated or certified assessments
A validated assessment is a more rigorous assessment process with a higher assurance level; it is performed by a CSF third-party assessor firm to validate the information gathered by the organization. One benefit of receiving a CSF Validated Assessment is the increased assurance level it provides to the relying entity.
The process is more rigorous because the testing is conducted and authorized by an external CSF assessor at the organization. A validated assessment requires a medium to high level of effort to complete, due to the rigorous testing procedures. Upon completion, HITRUST reviews the complete assessment and issues a validated report as the outcome if the organization has failed to receive a rating of ‘3’ or higher on any of the controls. If an organization received at least a ‘3’ on HITRUST’s scale and has shown a high level of maturity, it will receive a certified assessment.
The benefits of receiving a CSF certified assessment include:
- A report that is good for two years, with an interim assessment completed at the one-year mark
- The most complete assurance level certified by HITRUST
- Results in an official certification to provide to clients, partners, etc.
A certified assessment is only earned once an organization successfully demonstrates that they are able to meet all of the controls in the CSF required for certification at the appropriate level based on organizational needs.
The HITRUST framework & cybersecurity assessment integrations
HITRUST did a great job of mapping CSF requirements to existing standards for other cybersecurity assessments. Once an organization earns HITRUST certification, they may have already covered all of the requirements for a variety of other frameworks. If your organization uses a firm (like A-LIGN) to conduct your audits, you avoid hiring multiple auditors to earn other cybersecurity certifications.
The external assessor firm has the ability to conduct multiple audits at once, de-duplicating tasks. For example, if you use an external assessor firm that handles multiple security frameworks, and are working toward your HITRUST CSF, your auditor can also complete all of the tasks for SOC 2, NIST 800-53, ISO 27001, FedRAMP, PCI DSS, and many more. Starting with the HITRUST certification and treating the assessments as one data collection process, rather than one-off assessments will save your organization a great deal of resources, time and budget.
HITRUST & SOC 2
SOC 2 reports describe the internal controls at a service organization, based on the American Institute of Certified Public Accountants (AICPA)’s Trust Services Criteria:
- Security (Common Criteria)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
SOC 2 reports provide users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. The SOC 2 is widely used by service organizations that provide services to other business entities.
HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA’s Trust Services Criteria with the HITRUST CSF criteria. This allows licensed CPA firms that are also CSF assessor firms to issue a SOC 2 plus HITRUST report that includes both the SOC 2 criteria and the HITRUST CSF. This makes HITRUST and SOC 2 complementary services through this converged reporting model.
HITRUST & PCI DSS
PCI DSS is a payment card industry standard used to protect payment card data. Founded by the five major card brands, Visa, MasterCard, American Express, Discover and JCB, PCI DSS defines controls to enhance credit and debit card security.
HITRUST used the PCI DSS methodology in the creation of the HITRUST healthcare standard. To correctly map the two frameworks, HITRUST received input from their board of directors, who are industry experts from major healthcare organizations, to tailor the framework to the industry’s needs. The tailoring of this framework resulted in numerous factor overlaps between the two certifications, making PCI DSS easily attainable once HITRUST CSF is achieved.
HITRUST & ISO 27001/ NIST 800-53
HITRUST recognizes the complex, global nature of the healthcare industry and the need for an industry-specific approach to information protection. Because of this, ISO/IEC 27001 and NIST SP 800-53 were chosen as the foundations on which the HITRUST CSF was built, as both are international standards for information security.
ISO 27001 differs from the HITRUST CSF, as ISO 27001 is not control-compliance based, but is instead a management/process model for the Information Management System that is assessed. One of the key differences between NIST 800-53 and the HITRUST CSF is that NIST 800-53 does not address the specific needs within the healthcare industry. While ISO 27001 and NIST 800-53 are both beneficial frameworks to demonstrate cybersecurity standards, they are not as comprehensive as HITRUST CSF. The HITRUST certification covers many more factors than ISO 27001 and NIST 800-53, making both certifications easily attainable under HITRUST CSF.
HITRUST & FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) serves to increase confidence in the security of cloud service providers (CSPs) utilized by the federal government.
FedRAMP certification is incredibly valuable for vendors working with the U.S. government. If you are working with the state level and not truly working with the federal government, you can easily map FedRAMP requirements to the HITRUST CSF framework. Organizations that are interested in pursuing FedRAMP certification could consider adding it to their HITRUST assessment to benchmark whether they are prepared and to mature their controls as needed but should note that adding FedRAMP to a HITRUST assessment is not the equivalent of achieving FedRAMP certification.
HITRUST & GDPR
The General Data Protection Regulation (GDPR) aims to enhance the protection of personal data of European Union (EU) residents. The GDPR not only impacts organizations within the EU, but also any organization that processes the personal data of EU residents. Failure to comply with the Articles outlined within the GDPR may not only present a reputational risk for organizations, but also the potential for the following enforcement actions:
- Restricted access to data
- EU Commission-directed data protection audits
- Fines of up to 4% of annual worldwide revenue
HITRUST has mapped the EU’s GDPR into the HITRUST CSF comprehensive privacy controls. By doing this, HITRUST helps its customers identify and lessen gaps and risks in their existing programs, ultimately helping them grow their cybersecurity compliance.
HITRUST & CCPA
The California Consumer Privacy Act of 2018 (CCPA) allows consumers to have more control over the personal information that businesses oftentimes collect. California consumers now have the following privacy rights:
- The right to know what information is being collected and how it will be used
- The right to delete personal information collected (with a few exceptions)
- The right to opt-out of the sale of the personal information
- The right to non-discrimination for invoking these rights
The HITRUST certification includes comprehensive privacy controls and maps back to CCPA, similar to how the HITRUST certification maps back to GDPR. The HITRUST certification will help organizations identify and mitigate gaps in their current compliance programs, allowing them to meet the growing regulatory requirements and customer expectations regarding their data usage.
Getting started
While there are a variety of different audit options for any organization, the HITRUST CSF provides scalable, prescriptive solutions for organizations of any type. By pulling from major pre-existing frameworks and working with organizations to better understand their needs, the HITRUST CSF provides a complete, certifiable security and privacy standard. Are you ready to get started? The best way to set yourself up for success when it comes to a HITRUST assessment is to make the time and resource investment upfront. After all, proper planning equals HITRUST success. Before diving in, review our expert list of do’s and don’ts when getting started with your HITRUST certification.
What is Zero Trust?
There is no one-size-fits-all solution for security so the best way to lessen the threat surface is to implement a zero trust architecture. To determine if pursuing a zero trust architecture is the right move for your organization, you need to understand its purpose, benefits and challenges.
Traditional attempts to protect the perimeter have shown that they are no match for today’s increasingly sophisticated threat actors. After all, humans are still the weakest link; it’s far too easy for someone to fall victim to a phishing attack, granting access to an internal network.
While zero trust has been an intimidating topic for many organizations due to the well-known challenges associated with implementing such an approach into an existing organization’s frequently complex network, the benefits shouldn’t be overlooked. Even the Federal Government is recognizing the importance of this approach as indicated in the recent Executive Order on Cybersecurity from President Biden which states, “The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model…”.
What is Zero Trust?
Zero trust is a collection of concepts and ideas that are designed with the principle of least privilege for information systems. Basically, it’s about restricting access to resources to only the people who need them.
Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are. For example, if a user needs to read the details from a document to do a portion of their job, they will only be granted privileges to read the document; they will not be able to edit or modify that document in any way.
This restriction around privileges is done intentionally. After all, a zero trust architecture uses zero trust principles to manage workflow and is designed to assume that an internal network is already infected with various threats. This is a unique mental hurdle for many organizations since most people just assume that an internal network is protected.
So how do you start implementing a zero trust architecture into your own network?
The Gold Standard of Zero Trust: NIST 800-207
Organizations looking to implement a zero trust architecture need to first identify the framework they want to follow. The NIST Special Publication 800-207 Zero Trust Architecture is widely referred to as the “gold standard” of zero trust. It is, perhaps, the most thorough framework an organization can follow to implement a true zero trust architecture.
According to NIST 800-207, zero trust (ZT) is the term for “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
The transition to a zero trust architecture is a significant task that cannot be achieved by simply updating or implementing new network security solutions. For that reason, many organizations pursue zero trust architecture in phases, oftentimes having components of zero trust incorporated in the organization’s infrastructure paired with perimeter-based security solutions.
The Benefits of Zero Trust
The greatest benefit of a zero trust architecture is obviously security. But there are three distinct components within network security that are worth highlighting.
1. Lessening the Threat Surface
Implementing a zero trust architecture is similar to implementing a brick wall against a traditional attack. This approach requires constant authentication, measurement, and verification to ensure the users who are granted access are who they say they are, and that they don’t abuse the access they’ve been given.
2. Visibility and Accountability
If organizations follow proper guidance, they should have logging and monitoring in place to know when anomalies happen. Though this is not a unique element to zero trust, limiting user access and accurately logging and monitoring activities allows organizations to gain greater visibility into user activities.
3. Securing the Remote Workforce
Clearly, the rapid shift to a remote workforce was both unprecedented and unexpected. Also unexpected was the speed with which new security concerns arose as a result of the increased presence of a distributed workforce, where employees began accessing the organization’s internal network from wherever they chose to work.
Consider, for example, if a user’s laptop was infected and they connected to the organization’s internal network through the virtual private network (VPN). With a zero trust architecture, it wouldn’t be as easy for the infected machine to infect the network because even the internal network is not automatically treated as an implicitly trusted network.
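The two ideas above, per-request least-privilege authorization and no implicit trust for the internal network or VPN, can be seen side by side in a small policy check. This is an added illustration, not code from A-LIGN or from NIST 800-207; the users, resources, grants and posture flags are constructed sample data.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample grants: (user, resource) -> actions explicitly allowed.
# Alice may only read the report; she cannot edit or modify it (least privilege).
GRANTS = {
    ("alice", "docs/quarterly-report"): {"read"},
    ("bob", "docs/quarterly-report"): {"read", "write"},
}


@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    authenticated: bool     # this specific request carried a fresh, valid authentication
    device_compliant: bool  # endpoint posture check passed (patched, no known infection)
    source_network: str     # "internal", "vpn" or "external"


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: anything reaching the internal network or VPN is trusted."""
    return req.source_network in ("internal", "vpn")


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Per-request decision in the spirit of NIST 800-207.

    Network location is deliberately never consulted: the internal network is
    assumed to be already compromised, so only identity, device posture and an
    explicit grant for this resource and action can allow the request.
    """
    if not req.authenticated:
        return False, "request is not authenticated"
    if not req.device_compliant:
        return False, "device failed posture check"
    allowed = GRANTS.get((req.user, req.resource), set())
    if req.action not in allowed:
        return False, f"{req.action!r} is not granted on {req.resource}"
    return True, "allowed by explicit grant"


def compare(req: AccessRequest) -> Tuple[bool, bool]:
    """Return (perimeter verdict, zero trust verdict) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req)[0]


if __name__ == "__main__":
    # Infected laptop connecting over the VPN: the perimeter model lets it in,
    # the zero trust check does not.
    infected = AccessRequest("alice", "docs/quarterly-report", "read",
                             authenticated=True, device_compliant=False,
                             source_network="vpn")
    print("perimeter:", perimeter_decision(infected))
    print("zero trust:", zero_trust_decision(infected))
```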
Based on this short list, it may seem like a no-brainer to implement a zero trust architecture into your organization, but there are some challenges to consider.
The Challenges of Zero Trust
The challenges around implementing zero trust architecture largely revolve around user experience and expertise.
Productivity and Performance
When it comes to productivity and performance, a zero trust architecture can unintentionally impact a user’s ability to get their job done. It can be tricky to find the delicate balance between locking down your assets as tight as possible and making employees unproductive. After all, humans are the weakest link when it comes to network security. Limiting each user’s ability to interact with organizational data and information according to least privilege principles makes sense, until it prevents them from getting their job done in a timely and efficient manner.
Implementation Expertise
One of the biggest challenges organizations encounter with implementing a zero trust architecture is the amount of time and deep security knowledge required to implement it, especially for an already established organization.
A deep understanding of how an organization’s network operates and how the business runs is just the beginning. To effectively implement a zero trust architecture an organization must think ten steps ahead. For example, you’d need to think about the architecture in use today, how it can be modified while in use, and what long-term changes would need to take place.
Troubleshooting
Part of implementation planning is troubleshooting. Before a zero trust architecture is even implemented, the security team needs to consider all the possible scenarios that could require troubleshooting.
What if something stops working when zero trust is implemented? Who has enough functional knowledge of every component within an organization’s network to effectively troubleshoot something if or when something stops working?
Ultimately, this highly specialized skillset requires someone who is technically aware and geared toward managing and troubleshooting a zero trust environment.
What Zero Trust Steps Can You Take Today?
Organizations have become increasingly complex making traditional network security solutions less effective on their own. This, coupled with the increasing sophistication of threat actors, illustrates a very real need to explore an approach that lessens the threat surface.
I strongly believe it’s time for organizations to start having zero trust conversations and think about what it would look like to begin the migration process.
To do so most effectively, leverage an existing methodology or framework, like NIST 800-207, as a blueprint for pursuing your zero trust mission. Create a checklist and a Q&A test plan to ensure you understand what the implementation could look like.
And remember, hacks happen from gaps that are often overlooked. Whatever framework you decide to pursue for your zero trust mission, follow it completely.
A Response to the Cybersecurity Executive Order
President Biden’s Executive Order serves as an official and intentional first step to modernize cybersecurity defenses, especially as they relate to federal networks, and to create a more definitive response from the U.S. when incidents occur. Here are a few opportunities and challenges we see ahead!
On May 12, 2021, President Joe Biden signed an Executive Order that introduced efforts to improve the nation’s cybersecurity. The Executive Order serves as an official and intentional first step to modernize cybersecurity defenses, especially as they relate to federal networks, and to create a more definitive response from the U.S. when incidents occur.
I see a lot of good that can come from the Executive Order, as well as a few challenges.
The Opportunities Ahead
Many organizations today struggle to do a fully effective job when it comes to implementing proper cyber defenses. Despite best efforts, organizations invest in security and compliance solutions in an arbitrary way and then fall victim to a variety of cybersecurity threats. In most cases, the tools put in place work, but the organizations using them aren’t always following frameworks or security best practices — including proper and regular security training.
This is one area where I think the cybersecurity Executive Order is doing organizations a great service: increasing awareness. Awareness encourages questions that lead to greater security education. In fact, the Executive Order is starting conversations around the steps organizations need to follow to ensure they have proper cybersecurity defenses in place.
I believe there are three things organizations can do right away to start better protecting themselves.
1. Adopt and Commit to a Cybersecurity Methodology and Framework
Organizations need to realize the importance and value of starting at square one. You need to ensure you have an acceptable cybersecurity framework and methodology in place so you know what to do when you encounter a threat, and how to measure the success of your cybersecurity approach. Consider leveraging an established and accepted framework, from NIST, and commit to following the guidance it provides.
Worth noting: When you commit to “follow the process,” don’t give in to the temptation to take shortcuts. Shortcuts can lead to significant gaps.
2. Increase Cybersecurity Awareness Across the Organization
Raising awareness within your organization about the importance of security best practices is one of the easiest things organizations can do. Just as organizations require employees to repeat basic HR training every year, I believe we’ll see the same around cybersecurity awareness training. Even a gentle reminder of some of the simple things you can do every day, like avoiding simple passwords and using two-factor authentication, can go a long way.
Worth noting: Making cybersecurity awareness training more commonplace can have a big impact on the threat surface of an organization. No amount of tools will stop an attack if someone uses a simple password or repeats it across services. Supply chain attacks, for example, often start with weak configuration points. Even if employees claim to know everything you share with them about basic cybersecurity principles, a refresher is always helpful.
3. Test, Test, and Test Again
As I mentioned earlier, it doesn’t matter if you have the best cybersecurity solutions money can buy; if they aren’t implemented correctly and tested regularly, you can’t be confident that they will provide protection as intended.
Using penetration testing and phishing exercises, for example, can help you understand how effective your defenses are based on the chosen framework, essentially measuring your security posture as it relates to your implementation of the framework. A secondary benefit to testing is that you test people and processes, too. This increases cybersecurity awareness within your organization because you can determine when employees need a refresher on basic security defenses and best practices.
Worth noting: Though some organizations may face strict requirements to conduct testing regularly (like those found in FedRAMP or PCI), I encourage organizations to conduct testing at least once a year. Pen tests are a great option to pursue annually because they can help you identify where gaps exist. This test will provide a report of exploitable vulnerabilities a threat actor may take advantage of to gain access to systems and data.
The Challenges
Overall, the Executive Order’s intent is admirable, but the list of technology requirements is pretty significant. Yes, every step in this Executive Order will serve to harden the systems in question, and each of these additional frameworks will move us in a more secure direction. But it is impossible to tell if the problems we’ve been experiencing result from fundamentally broken systems or a failure to adopt technologies and frameworks that would have otherwise provided adequate security. If we pile on more technology requirements that do not get adopted down the supply chain, we are no better off than where we started.
To that point, a senior Biden administration official said that the Executive Order “reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security.”
I think this is short-sighted. To survive in today’s threat landscape, organizations need a healthy combination of incident response and prevention. The assumption is that it’s not a matter of if a cybersecurity incident will occur, but when. As a result, organizations need to have a plan when there is an incident, and they also need to ensure they’re taking the proper steps for prevention.
Additionally, the creation of the Cybersecurity Safety Review Board is another great idea, in theory. Review boards historically provide significant value, but only when they are hyper-focused. Without being efficient and targeted, it’s too easy to get distracted. There is so much to discuss and explore within cybersecurity that for this to really work, it needs to be highly structured. We may even see it evolve to include different groups or divisions to dedicate the right amount of time and attention to various events within specific industries.
There is also a big question mark around cybersecurity legislation going forward. Will it be updated annually? Will updates be more structured or broader? Quite frankly, new exploits and vulnerabilities are discovered every day. There is so much evolution in the cybersecurity space in the span of a week that waiting for updates every year will be too slow.
Regardless of what legislation looks like in the coming months and years, I think organizations must realize it’s their responsibility to learn how to evolve in a structured and intentional way.
Key Takeaways
The Executive Order is absolutely a step in the right direction. It is increasing awareness around the importance of cybersecurity education and the steps organizations can follow to better control their cybersecurity efforts. After all, the hacks we’ve been seeing are not going to stop; it’s unfortunately our new reality. There is a lot that can — and must — be done, but trying to do it all at once won’t be beneficial to anyone. For enhancements to cybersecurity to be most effective, every effort needs to be focused and structured.
The Dos and Don’ts of Getting Started with HITRUST
A-LIGN created a list of the dos and don’ts to better prepare you for the HITRUST assessment.
Most organizations would agree that HITRUST sets the standard for safeguarding information for organizations worldwide. HITRUST was originally founded to help healthcare organizations better manage information security systems and protect their data, but the release of CSF 9.2 in 2019 allowed the HITRUST CSF certification to be used to support compliance reporting against other widely recognized privacy and security standards and requirements.
Needless to say, pursuing a HITRUST Assessment can be daunting. Though some organizations can become HITRUST certified in just a few months, the readiness process requires a significant investment in both time and resources. To be truly ready for a HITRUST assessment means there are no shortcuts. It comes down to this: proper planning equals HITRUST success.
To help organizations successfully get started with HITRUST, A-LIGN created a list of the dos and don’ts to better understand where additional attention is needed and how to prepare for the assessment. To more easily navigate this list, we’ve broken it down into three sections: internal factors, external factors, and the process.
Internal factors
Get executive sponsorship & support
Regardless of the reason you’re pursuing HITRUST, whether it’s a contractual obligation, competitive advantage, or to increase overall security posture, you want to ensure you have executive buy-in. Having the sponsorship and support of the Executive team ensures the proper tone is set as you embark on the process to prepare for the assessment. This also translates to ensuring you have the resources and budget to get started.
You don’t want to find yourself in a position where you need to convince the team to support the efforts after you’ve already started or to try to find the resources and budget later on.
Summary:
DO ensure you have a strong commitment from management.
DON’T pursue unless you have a committed C-level sponsor for the activity.
Leverage experience & training
It might seem obvious, but you can’t do an assessment for a framework you don’t understand. Spend some time before you get started to ensure you understand what HITRUST is and what it requires. This will also help you properly budget the time and resources needed.
Specific areas you need to ensure you’re familiar with include:
- The goals and purpose of HITRUST
- How long the certification is good for
- How to understand the Scoring Rubric
- The HITRUST assessment methodology
Summary:
DO contact a HITRUST External Assessor Firm or HITRUST staff personnel to educate and inform key stakeholders. In addition, you may want to train one or more key employees in the HITRUST Academy Certified CSF Practitioner (CCSFP) course.
DON’T begin the Validated Assessment Certification process without experience or training in the HITRUST CSF, the Scoring Rubric, and the HITRUST assessment methodology.
Involve internal stakeholders
Preparing for a HITRUST assessment is not just a job for the IT department or the security compliance team. It requires involvement from almost every department within an organization to some degree, including HR, finance, legal, privacy, and even engineers and developers.
To ensure everyone understands their roles in the process, be prepared to communicate those needs to each department properly and explain why they are uniquely qualified to assist in providing the necessary information.
Summary:
DO involve cross-functional teams including HR, training, finance, facilities, maintenance, and more to ensure collaboration and understanding.
DON’T assume that IT and security teams will be the only ones involved in implementing and assessing the HITRUST risk management framework.
External factors
Select the right assessor firm
Engaging with an external assessor is a critical part of the process to get ready for your HITRUST assessment. In fact, the earlier you start to engage with the assessor firm, the better. Since you will be working with them closely for a long time, it’s helpful to fully understand what the assessment process will look like and what will be required.
But the most important part of engaging with an assessor firm is to find the right assessor firm. You want to ensure they understand your industry and your business and that they are the right culture fit. For example, you do not want to hire a firm that doesn’t have experience in a number of security frameworks and proven success in HITRUST.
When looking for the right HITRUST assessor firm for your organization, consider the following:
- Confirm they are licensed and accredited
- Ask how many HITRUST assessments they have successfully completed
- Ensure they are appropriately staffed and qualified
- Determine if they use technology to expedite the audit process
- Verify they respond within 24 hours
- Review the quality of their work
- Review their services offered
- Ask to speak with customer references
Summary:
DO take the time to properly vet an assessor firm to ensure they have the necessary experience with the HITRUST CSF Assurance Program and the technical expertise to understand your industry and business.
DON’T rush the selection of a trusted partner for Readiness and Validated Assessments. While many firms offer HITRUST services, some do not submit Validated Assessments to HITRUST regularly and may be unaware of important changes to the framework and certification process.
Purchase an annual MyCSF subscription
Perhaps the second most important thing to do, behind hiring the right assessor firm, is selecting and purchasing the CSF subscription that best fits your company.
Sometimes, organizations that have gone through previous assessments, like SOC 2 or ISO, for example, believe that HITRUST will be a simple process. However, HITRUST requires a very different approach to documentation and uses a scoring rubric that differs from the approach of other assessments.
Obtaining a MyCSF subscription provides access to tools and information that will allow you to manage and perform risk assessments more easily while supporting Corrective Action Plan (CAP) management. A subscription also provides organizations with advanced analytics for managing risk posture and benchmarking data, in addition to authoritative source reporting, including a fully customizable view of the HITRUST CSF.
Summary:
DO get an annual subscription to MyCSF. On average, an organization going through a HITRUST Validated Assessment for the first time takes between nine and 24 months to get certified.
DON’T underestimate the time it takes to complete a HITRUST certification. HITRUST certification takes several months to complete and submit.
The process
Properly scope the HITRUST process
It can be easy to assume you have all the pieces you need to move forward with your assessment. But you don’t want to discover mid-way through an assessment that you forgot to include something important. After all, HITRUST has a 90-day maturation period that requires new controls to be implemented for 90 days before testing. So, if you implement a new control at any point during the assessment, it will reset your testing time frame.
Invest the time early on to complete a thorough scope of the HITRUST process so you understand every piece that will be required. Proper scoping with your assessor firm from the beginning will set you up for success.
Summary:
DO engage with a HITRUST External Assessor Firm for assistance with scope definition and related exclusions. Note that HITRUST does not certify processes, locations, people, or mobile applications, only implemented systems. Someone must also define other organizational, geographical and regulatory factors if your organization is required to report on additional security and/or privacy frameworks, such as SOC 2, ISO 27001, PCI DSS, NIST 800-171, GDPR, etc.
DON’T define the scope of a first-time HITRUST Validated Assessment on your own. Changing scope late in the assessment process can result in long delays or months of remediation and rework, so it’s important to define the scope accurately from the beginning.
Start with a readiness assessment
Working with your assessor firm to leverage a readiness assessment can help identify gaps and provide tangible recommendations to remediate those gaps. This is all about preparation; it is invaluable to learn to recognize the areas where you may experience setbacks or delays and work to fix them before they impact the overall assessment.
Summary:
DO have a HITRUST-approved External Assessor Firm guide you through a comprehensive Readiness Assessment to learn about the assessment process, review and discuss requirements, identify gaps, provide remediation recommendations, and adequately prepare for a Validated Assessment.
DON’T assume that other compliance audits, such as SOC 2, ISO 27001, or PCI DSS, will adequately prepare you for a HITRUST Validated Assessment.
Continuously monitor & improve
HITRUST is not a one-and-done certification. Though the certification is good for two years, it is a continuous improvement and monitoring assessment. Therefore, during your interim year, spend the time working through CAPs to show HITRUST that you are remediating gaps so you can maintain your certification.
It can also be helpful to build a calendar to ensure you can clearly map out the requirements for your certifications. This, coupled with an internal governance committee, can help the organization understand how to move through the calendar year and meet the various requirements for certification.
Summary:
DO dedicate resources to ongoing efforts. For example, develop a compliance calendar to monitor controls and ensure continuous improvement with no control degradation.
DON’T view HITRUST as a “one and done” certification.
Prepare for HITRUST today
The best way to set yourself up for success when it comes to a HITRUST assessment is to make the time and resource investment upfront. Hire an external assessor firm that understands your business and industry and has proven HITRUST certification success. Spend time with your assessor to ensure you understand everything you’ll need for your HITRUST assessment with a thorough scoping effort. And create a calendar that helps you understand the requirements for each of your certification efforts.
After all, proper planning equals HITRUST success.
Download our HITRUST checklist now!
How to Share Your Cybersecurity Assessment with Your Professional Community
A-LIGN’s SVP of Marketing, Brian Gladstein, has been sharing ideas and best practices for getting the word out about your cybersecurity assessment. As the final post in this series, Brian discusses sharing your cybersecurity assessment with your professional community and how to promote your commitment to their security.
Recently I’ve been sharing ideas and best practices for getting the word out about your cybersecurity assessment, and how your SOC 2 report, ISO 27001/27701 assessment, or FedRAMP certification can demonstrate to customers and business partners the commitment you make to their security. If you’ve been following along, you first learned how to announce your cybersecurity assessment with a press release. Then, we talked about how to best feature this assessment on your website and next we dove into how to win more deals by arming sales with your assessment. If you haven’t been following along, take a few minutes to check these articles out!
As my final post in this series, I would like to share with you one more method – perhaps the most rewarding method because it’s the most personal. It’s time to talk about sharing your cybersecurity assessment with your professional community.
Why should I share our assessment with my professional community?
At first you might think, why would I do that? What you may not realize is that not everyone has been through the cybersecurity audit process. Many members of your community may be new to the idea, unsure of where to start and feeling a bit overwhelmed. Audits can be intimidating. Chances are, you learned a lot during this process – and others starting down the path will no doubt benefit from the wisdom you’ve acquired.
As security professionals, we are all eager to learn, improve and do better. Since you’ve successfully navigated an assessment, you now have something to contribute to not only your community but conversations occurring on social platforms, like LinkedIn or Twitter.
I’d go so far as to say: it’s your obligation to contribute and teach others what you’ve learned. That’s what we do in cyber.
Talk about your security program, without actually talking about your security program.
I’ve been in the cybersecurity industry for a long time, and as a marketer who is always trying to get customers to provide a testimonial or participate in a case study, I’ve learned one hard reality about the security industry: people are extremely hesitant to talk about their security program publicly. It’s understandable because of the inherent risks associated with sharing too much information. Why give an advantage to the adversary? If you disclose, for example, what products you use, you might open yourself up to an attack from a hacker who has an exploit for that particular product. It can be scary stuff.
This overarching concern sometimes does a disservice to the cybersecurity community because people may not share important lessons learned that can actually make a difference. That’s where your assessment opens a door.
Your assessment gives you a way to talk about your security program without actually talking about your security program. Use your cybersecurity assessment to publicly discuss controls, best practices, policies, incident response, problems you’ve solved, and more. In the context of the report, you find a rich supply of information and a way to discuss it that doesn’t require the disclosure of sensitive information or how you are operating your security apparatus.
You get to share important lessons learned in a safe way – it’s a win/win for everyone.
Cybersecurity professionals: Detectives, problem solvers, heroes
Listen, defenders need to work together. We are stronger when we do.
The bad guys are working together – there’s an entire dark economy out there of malware, exploits and botnets that can be assembled to execute attack after attack. Smart defenders know that to protect against these coordinated, complex threats, we need to do the same thing on our end.
By nature, security professionals want to share their intel, knowledge and best practices with each other – it’s what we do! As a cybersecurity professional, you are a detective, a problem solver, a hero. Get out there and tell your story. Your community needs to know and we will all be better for it!
Four practical ways to share your cybersecurity assessment
There are a number of ways to share your security assessment with your community. Here are four that come to mind:
- Speak to other professionals, one on one. Discuss what you learned during your assessment, where your gaps were and how you addressed the gaps. Answer questions that people are asking individually. You’ll quickly learn what to say and what not to say so you keep sensitive information to yourself, while still passing on your knowledge.
- Give a talk at a local chapter meeting of ISACA, (ISC)2, OWASP, or any other regional security meetup. It’s a safe setting where people gather to learn directly from each other and hey, it’s what members are there for. Lay out some of the core elements of your security program and how you and your auditor worked together to provide assurance.
- Microblog on social media. LinkedIn and Twitter are great places to drop little pieces of your story and lessons learned. You’ll help others and build your own reputation while creating buzz for your company.
- Apply for speaking engagements and ‘calls for papers’ at larger conferences. You may have a story that lots of people want to hear, and events like Black Hat and the RSA Conference are great venues for just that. Don’t feel comfortable taking the stage alone? Find a trusted vendor and they will almost certainly help you create slides, tell your story, and network with people at the event.
As a cybersecurity professional, you are on the front lines protecting information, protecting our families, protecting our businesses. Your assessment report demonstrates that you are doing the right things, and there are thousands of people out there who can benefit from your knowledge. Get out there and tell your story. And as always, if you need help, give me a shout!
HITRUST vs. HIPAA: Which Is Right for My Organization?
When researching regulations and requirements in the healthcare industry, many organizations come across both HITRUST and HIPAA. As a result, they may ask themselves: “What are the differences between HITRUST vs HIPAA and which should I choose?”
It’s not an apples-to-apples comparison. Here’s why:
- HIPAA is a U.S. law that includes a set of safeguards that covered entities and business associates must follow to protect health information.
- HITRUST is a certifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance. HITRUST has also been mapped against over 40 other standards, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Federal Information Security Modernization Act (FISMA), PCI DSS, and ISO 27001, that could be added to the scope of the HITRUST certification.
Trying to determine if HITRUST or HIPAA is better for your organization is actually the wrong question. Instead, ask yourself, “What is the best method for demonstrating HIPAA compliance within my organization?”
Let’s look a little closer at HITRUST vs HIPAA and why you might choose the HITRUST CSF as a means to achieve HIPAA compliance.
What is HIPAA?
HIPAA is a U.S. federal statute signed into law by President Clinton in 1996. In addition to giving workers the ability to carry forward health insurance coverage between jobs, HIPAA defines requirements that covered entities (i.e., health plan providers, healthcare providers, and healthcare clearinghouses) and their business associates must follow to protect patient information.
These information security and privacy requirements are defined according to three rules:
- The HIPAA Privacy Rule: Sets national standards for when patients’ protected health information (PHI) may be used and disclosed.
- The HIPAA Security Rule: Outlines measures that covered entities and business associates must take to protect patients’ electronic protected health information (ePHI).
- The HIPAA Breach Notification Rule: Requires that covered entities notify affected individuals, the U.S. Department of Health and Human Services (HHS), and the media in the event of an information breach.
Important updates to HIPAA
Recently there have been several important updates related to HIPAA that are worth noting. One is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was signed into law on February 17, 2009 by President Obama. The HITECH Act encourages the use of electronic health records (EHR) by providing financial incentives for healthcare organizations that can prove they have implemented EHR. The HITECH Act also allows for more severe penalties to be levied against covered entities and their business associates for HIPAA noncompliance.
Another important update to HIPAA, the HIPAA Safe Harbor Bill, was signed into law on January 5, 2021 by President Trump. This law amends the HITECH Act so that the HHS and the Office of Civil Rights (OCR) must recognize and encourage security best practices for HIPAA compliance. Specifically, HIPAA Safe Harbor reduces financial penalties and the length of compliance inspections for covered entities and business associates that can prove they’ve had “recognized security practices” in place for at least one year.
How can an organization prove HIPAA compliance?
Though HIPAA requires organizations to conduct annual self-audits, it does not provide an official framework or methodology for verifying compliance with the law.
So how can an organization prove HIPAA compliance? There are two primary frameworks we recommend for organizations that handle PHI to maintain compliance with HIPAA regulations:
- A System and Organization Controls (SOC) 2 examination + HIPAA - This allows an organization to examine the necessary safeguards in order to validate HIPAA compliance. The organization going through the examination develops management’s controls to address the proper safeguards. A SOC 2+HIPAA examination can only be performed by a Certified Public Accounting (CPA) firm.
- HITRUST CSF - This is a comprehensive security and privacy framework that can be used to certify HIPAA compliance, as well as other standards and regulatory requirements. Unlike SOC 2, the HITRUST CSF prescribes the controls that must be in place to achieve HIPAA compliance based on the organization’s risk factors. In addition, the HITRUST CSF certification is the only official certification that proves HIPAA compliance.
What is HITRUST and HITRUST CSF?
HITRUST was founded in 2007 to help healthcare organizations better manage information security systems and protect their data. HITRUST is perhaps most well known for developing the HITRUST CSF, described above, which is used by thousands of organizations around the world to efficiently manage regulatory compliance and risk management.
The HITRUST CSF was originally tailored for the health industry, but with the release of CSF 9.2 in January of 2019, it transitioned to better align with other existing international privacy frameworks by adopting a more industry-agnostic approach. Prior to 2019, every HITRUST CSF examination included HIPAA compliance by default, but now it is an optional regulatory factor that must be selected as part of an assessment.
Regardless, HITRUST CSF remains one of the premier security frameworks used to demonstrate HIPAA compliance. HITRUST has even released official documentation demonstrating that the HITRUST CSF meets all the requirements outlined in the HIPAA Safe Harbor Law.
The HITRUST CSF “assess once, report many” approach also allows organizations to choose the frameworks and controls they want to initially be tested against and add more in the future if they choose.
Why choose HITRUST for HIPAA compliance?
When not contractually obligated to use the HITRUST CSF, some organizations opt for SOC 2+HIPAA or a self-assessment because of the higher cost and somewhat significant time and resource requirements of HITRUST CSF.
However, there are benefits to leaning on HITRUST CSF for HIPAA compliance. Because of its strict and prescriptive nature, the HITRUST CSF has established itself as a gold standard for organizations to demonstrate they have the necessary controls in place for data protection.
Additionally, leveraging HITRUST CSF includes other benefits, such as:
- Extended duration: Organizations have a two-year certification with the HITRUST CSF, compared to SOC 2 validation which requires annual completion.
- Social proof: The HITRUST CSF has developed a widespread positive reputation for compliance.
- Flexibility to adopt additional regulatory standards: Because it is comprehensive, scalable and flexible, the HITRUST CSF has mapped controls to more than 40 standards across various industries worldwide and, with a dedicated research team that is specifically tasked with mapping security frameworks, can quickly get up to speed on any new laws and regulations.
As a growing number of privacy laws continue to roll out internationally, HITRUST CSF will likely continue to expand and map to new legislation. In fact, the HITRUST research team mapped the General Data Protection Regulation (GDPR) within six months, and HITRUST has applied to become the premier certification body for GDPR. This is also why organizations in industries such as travel and hospitality, utilities, energy, etc., are adopting HITRUST.
HITRUST vs. HIPAA: Asking the right question
As mentioned before, asking if the HITRUST CSF or HIPAA is better for your organization isn’t the right question. The more appropriate question is, “What is the best option for demonstrating HIPAA compliance within my organization?”
HITRUST CSF is one reliable way to achieve HIPAA compliance. In fact, it is the only way to become officially certified in HIPAA compliance. For this reason, the HITRUST CSF is often utilized and sometimes required by organizations in the healthcare industry.
If you’re preparing your organization to be HIPAA compliant, HITRUST CSF certification may be a valuable investment.
Download our HITRUST checklist now!
Download our HIPAA checklist now!
ISO 27701 is the first certification for privacy. By combining ISO 27701 and ISO 27001, organizations can build trust, prepare for privacy regulations, and more.
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) issue many guidelines and frameworks for organizations. These can range from cybersecurity readiness to business continuity standards and beyond.
In 2019, ISO expanded ISO/IEC 27001:2013 (ISO 27001), a popular and longstanding cybersecurity framework, with ISO/IEC 27701:2019 (ISO 27701), a new standard focused on creating a Privacy Information Management System (PIMS). The standard has generated excitement in the compliance world, as it is the first certification for privacy. In other words, ISO 27701 represents the first way an organization can actually become certified by a third party for its privacy controls and best practices, rather than merely compliant with standards and regulations.
However, ISO 27701 is not a standalone standard. Rather, the original ISO 27001 cybersecurity framework serves as a foundational chassis, and organizations can add on additional ISO standards, such as ISO 27701, that work well for the specifics of their business.
Organizations may wonder: what are the benefits of combining ISO 27701 and ISO 27001?
We will walk through four key benefits of adding the new ISO 27701 standard onto the core ISO 27001 framework.
1. Builds Trust with External Stakeholders
Today, much of our personal lives and our work happen on the internet, whether through applications, websites, or other form factors. Everyone is concerned about their personally identifiable information (PII), and no one wants it to fall into the wrong hands. Each year there are data breaches that raise new security and privacy concerns. Consent, transparency, and security are more important than ever.
As privacy concerns continue to grow amongst regulators and consumers alike, organizations are increasingly interested in improving their privacy policies and offering proof that they take privacy seriously. While there are many cybersecurity frameworks covering data privacy, none of them provide a dedicated privacy certification. Organizations can demonstrate compliance with them, but they do not receive an official certification from a governing body.
ISO 27701 is the first certification for privacy.
For organizations, having a certification for privacy can help build trust with partners, vendors, customers, and other stakeholders. Having ISO 27701, in combination with the internationally-respected ISO 27001 framework, demonstrates your organization’s commitment to privacy. Organizations that hold an ISO 27701 certification must undergo surveillance audits each year, so your external stakeholders can feel confident that your organization is executing against best practices in accordance with ISO standards with a formal PIMS in place.
Organizations are recognizing the value of ISO 27701 and ISO 27001. For example, Microsoft accepts ISO 27701 and ISO 27001 as a replacement for its own Supplier Security and Privacy Assurance (SSPA) program requirements. This demonstrates Microsoft’s strong trust in ISO’s frameworks and in ISO 27701’s privacy controls and data protection measures in particular.
2. Strategically Certify Parts of Your Business
Data moves through organizations in different ways depending on multiple factors. No two organizations are quite the same, and in some situations, the same organization can be both the controller and the processor of PII simultaneously.
Some of the factors influencing an organization’s status as a controller and/or processor can include:
- Industry (or industries) served
- Business model, such as software-as-a-service (SaaS)
- Regional or international presence
- Partnerships and subcontractor relationships
- And more
However, because an organization may be both a controller and a processor of data at the same time, their data may not be subject to the same controls, depending on how it intersects with specific business activities.
ISO 27701 is beneficial because it can be applied only to specific portions of an organization. In other words, an organization can carve out compliance as a controller or a processor of data—it does not have to get a blanket certification for the entire business. This is helpful for organizations with complex business models, where different sets of data may or may not require the same controls, include PII, etc.
This feature differentiates ISO 27701 from regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which apply to the entire organization. In these laws and regulations, the organization as a whole must be compliant, regardless of the type of data or the organization’s role in generating, storing, or working with the data. ISO 27701 also differs from other standards, such as ISO 27018, which is an unaccredited standard and only applies to privacy in a public cloud — a much narrower range of applications.
Together, ISO 27001 and ISO 27701 enable organizations to strategically certify the portions of their business that require the strictest privacy protection.
3. Supports Several Privacy Laws and Regulations
As noted, privacy is a growing concern for regulators and consumers alike. The rise of new privacy laws and regulations has forced organizations to think differently about their privacy programs.
In fact, our recent 2021 Compliance Survey Report found that 48% of organizations claimed privacy regulations generated extra work. This rise is also making organizations more aware of the controls they need: 35% said they needed a higher level of cybersecurity controls.
ISO 27701 maps against several key privacy regulations, which enables companies to more easily and strategically meet key regulations.
For example:
- ISO 27701 and the GDPR: ISO 27701’s privacy controls can help an organization demonstrate compliance with certain aspects of the GDPR, though it is not equivalent to GDPR certification. However, ISO 27701 does map to this landmark regulation in several ways. For example, the GDPR includes certain Articles that can be mapped back to the roles, responsibilities, and controls put forth in ISO 27701.
- ISO 27701 and CCPA: Driven by the state of California in the U.S., the CCPA includes articles and language very similar to GDPR, which has become the gold standard on which many up-and-coming privacy regulations are based. ISO 27701 doesn’t specifically map directly to the CCPA. However, due to the law’s similarities to the GDPR, ISO 27701 can help organizations comply with the controls and requirements of CCPA.
For organizations working to comply with GDPR, CCPA, or other privacy regulations and laws, ISO 27701 and ISO 27001 provide the scaffolding to build a strong compliance program. Again, it is not a replacement for any of these privacy laws and regulations, and it does not guarantee compliance. However, it can help your organization build an information security management system (ISMS) and a PIMS that can meet some of the requirements of the GDPR, CCPA, and others.
4. Integrates with Your Existing Audit
Many organizations are completing numerous audits every year — in fact, our 2021 Compliance Benchmark Survey also found that 85% of respondents conduct more than one audit each year. With a busy slate, the last thing anyone wants is more audits and assessments.
Because ISO 27701 only exists in tandem with ISO 27001, the standard does not add significantly to the auditing process. Organizations with ISO 27001 in place can simply integrate ISO 27701 into their existing ISO audit and assessment.
For organizations looking to complete the core ISO 27001 framework for the first time, adding ISO 27701 is not a huge undertaking. It can be worked into the overall process of creating an ISMS, collecting the necessary evidence, and assigning responsibilities to key personnel.
5. Grows with Your Organization
As organizations grow, the type of data processed may expand and can result in additional compliance obligations. For example, fast-growing organizations may:
- Expand to new geographic areas
- Bring on new partners, vendors, or subcontractors
- Drive business in new industries or sectors (some of which may include PII and be highly regulated, such as healthcare)
- Work with distributed teams across countries
- And more
Meeting cybersecurity and privacy requirements is an ongoing process that can be made easier by building a framework that can be expanded as regulatory requirements continue to evolve.
Having a PIMS in place is an excellent way to ensure your organization has a defined management system that can adapt to new cybersecurity and privacy obligations. As new workstreams start up, regulations come into play, and data enters the company, you will already have the framework needed to handle everything smoothly. Together, ISO 27701 and ISO 27001 create that framework to handle increasingly complex compliance requirements.
ISO 27701 and ISO 27001: Better Together
ISO 27701 and ISO 27001 represent a powerful package with many benefits to organizations. With the underlying framework of ISO 27001 creating a strong ISMS and ISO 27701 ensuring a certifiable commitment to privacy controls, organizations can clearly demonstrate their maturity relative to cybersecurity and privacy. This can give peace of mind to stakeholders such as customers and vendors. Enhance your privacy by combining ISO 27701 and ISO 27001, and continue your compliance journey.
How to Win More Deals by Arming Sales With Your Cybersecurity Assessment
Your sales team is one of the most powerful tools you have to get the word out about your cybersecurity assessment. A-LIGN’s SVP of Marketing, Brian Gladstein, describes how to arm them with your audit report and teach them how to use it so they can win more frequently and close more deals.
In this post, I’ll continue to explore ways of getting the word out about your cybersecurity assessment – SOC 2, ISO 27001, HITRUST, FedRAMP, or any of the others – once that report has been delivered. Third-party cybersecurity assurance is fundamental in ensuring that businesses can trust each other when it comes to sensitive data or private information. So if you aren’t including your final report as part of your sales and marketing efforts, it’s almost as if you never completed it in the first place.
So far we’ve talked about announcing your assessment with a press release and featuring your audit report on your website. Those are both very important steps, but they don’t necessarily deliver your report to a prospect at exactly the time it’s needed – nor are they able to relate the audit to the specific nature of the business partner sitting across the table from you. For that, you need to turn to one of the most powerful tools you have in your arsenal – your sales team.
Your sellers are on the phone and in email, having one-on-one conversations with customers every day. They shape the discussion and frame the competition. They provide compelling answers to specific questions with finesse. If your cybersecurity assessment is a weapon, your sales team is the army that can most effectively wield it.
Don’t “Throw It Over the Wall”
Sales people are generally creatures of habit. They look for signals of success in the relationships they maintain and rely on proven patterns to drive opportunities forward and ultimately close deals. That can make it difficult to introduce something new to your sales team, especially if they don’t instinctively know how to use it and where it fits.
I’ve spent most of my career as a marketer working closely with sales, and I’ve learned over and over again (sometimes painfully) that the best way to ensure your new materials are ignored is to “throw it over the wall” to sales. So don’t do that.
Instead, you need to work hand-in-hand with your counterparts in sales. Understand the process they go through and how they use various tools at their disposal to overcome challenges and objections. What you will likely find is that there are a few places where your assessment can easily fit into their process. I’ll get into the most likely candidates below – but the point is that by understanding their needs, and fitting into their workflow, you can make it easy for them.
Work With Sellers to Understand What They Need
In most sales teams you’ll find a few individuals who love to experiment and try new things. It can be hard to change the behavior of a full team, but if you lock arms with these scrappy sellers and get a couple of successful examples under your belt, the rest of the team will look to duplicate those patterns and it’ll make adoption much easier.
Generally, it won’t be difficult to figure out who these team members are – just ask around. Once you do, grab some time with them, explain how a cybersecurity assessment can be used to put your competition at a disadvantage, and explore how they might use the report. Here are some questions to ask:
- Do customers ever require us to fill out a security questionnaire?
- When in the sales process do we normally position our technical strengths?
- At a typical customer, what roles care about security the most?
- Which competitors haven’t gone through their audit process – and how do we use our report against them?
Build Your Sales Enablement Plan and Materials
A productive conversation with those key sales reps should help you put together everything you need for enabling the rest of the team, including:
- Specific language that describes the report and its benefits that the sales team can use in emails, messages, and phone calls
- Where in the sales process a rep would most likely introduce the report
- An understanding of why the sales rep will benefit – for example, closing deals faster or winning more against a key competitor
From there, you’ll want to prepare your materials. The following items are a good example of what you might need, but obviously your plan will depend on the specific needs of your organization.
Messaging & Sales Tool: Capture all the relevant information into a single tool that sales can use. Include messaging that articulates how reps should describe the report, as well as ways to handle questions or objections that may come up. Include links to where they can download the report when needed, and your own contact information for when they need additional help.
Presentation Slide: Most sales teams have a standard presentation deck they use when meeting with customers. Prepare a slide to include in the presentation that displays your report and includes high-level information about the nature of the report and who your independent auditor is. Be sure to articulate the benefits to the customer – materials like this should always speak directly to what the customer cares about.
Sales Process: Help your sales team understand when and how to introduce your audit report by incorporating appropriate steps into their sales process. It’s not a bad idea to describe this in the sales tool you create (above). Most sales teams manage their process through a CRM that allows reps to access documents and trigger processes they need at exactly the right time on a customer-by-customer basis. If you have a Sales Operations team they should be able to help here.
Proposal Template: Finally, include a reference to your audit report in your standard proposal template. This single document tends to be the culmination of all your strong selling points combined with the actual financial proposal that goes out to the customer. It’s a great place to provide a succinct statement on how you take your customers’ security seriously.
Train the Team and Roll It Out
Take a few minutes in a weekly sales call to train the team. Show them where all the resources are, walk through the messaging and the process, and ask that pioneering sales rep who helped you understand the dynamics of the organization in the first place to help bridge the gap.
Once the team has been trained, check in with them every so often to see how it’s going. Make adjustments where needed and celebrate any wins in a public way to reinforce the value that your cybersecurity assessment provides.
Working with sales teams and playing a role in winning business can be exhilarating. I always love talking about this, and any other aspect of marketing your audit report. Contact us if you’d like to chat more!