For any organization that stores, interprets and manages sensitive data, complying with cybersecurity requirements is of utmost importance. The most comprehensive way to test the strength and effectiveness of these systems is through a compliance assessment. Beginning this process, however, is no easy feat. There are several steps an organization should take to ensure its audit preparation procedures meet industry standards.
What are the steps to ISO certification? Our assessors have completed assessments against several International Organization for Standardization (ISO) standards, and can provide your organization with insights into the process for achieving ISO certification. See our guide, “5 Steps to ISO Certification”.
Since 2007, the HITRUST Common Security Framework (CSF) has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the upcoming CSF v9.3 update, HITRUST continues to demonstrate its value for any organization by expanding to incorporate new frameworks, legislation and standards.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA/HITECH, PCI DSS, GDPR and more into one comprehensive system, the HITRUST CSF saves time and energy by assessing once and reporting many.
Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and get controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
Originally designed specifically for the healthcare industry, the recent HITRUST CSF v9.2 expanded the framework to make it useful for any organization around the globe.
CSF v9.3 will be released in Q3 of 2019, and the HITRUST organization has detailed the additional regulatory factors that will be added to the framework.
Incorporation of the California Consumer Privacy Act
One of the most notable updates in CSF v9.3 is the incorporation of new standards and regulations, including requirements placed on organizations by the California Consumer Privacy Act (CCPA).
Passed in 2018, the CCPA was built to be similar to the European Union’s General Data Protection Regulation (GDPR) and takes a stronger stance to protect the sharing, transmission and storage of consumer data. The CCPA legislation goes into effect on January 1, 2020, with the enforcement of the law starting on July 1, 2020.
Not only does the HITRUST CSF v9.3 incorporate standards and regulations from the CCPA, it also reflects key differences between the CCPA and GDPR, including requirements for data access, applicability and requirements for opt-out methods.
Other Important Updates to CSF v9.3
Aligning the HITRUST CSF with the CCPA is only one of the updates to the HITRUST framework. CSF v9.3 also updates the framework to incorporate other authoritative sources, including:
- The Federal Risk and Authorization Management Program (FedRAMP)
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1
- Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
- South Carolina’s Bill 4655, the Insurance Data Security Act
Who Should Migrate to CSF v9.3
If your entity wants to add any of the six regulatory factors outlined above to your HITRUST assessment, you will need to be assessed against CSF v9.3. If you are not interested in adding these factors, you can instead opt to be assessed against CSF v9.1 or CSF v9.2.
By giving organizations more choice to better fit their needs, the HITRUST CSF continues to position itself as a valuable, powerful and flexible framework for organizations of all sizes across all industries.
The A-LIGN Difference
A-LIGN’s experience and commitment to quality have helped over 130 clients successfully achieve HITRUST certification. Our rigorous process outlined above helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any question you might have through every step of the process, responding to all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.
Cybersecurity examinations are an important undertaking for your organization, its health and its projected future. With no shortage of firms and examination types to choose from, preparing to undergo an audit or assessment can feel like a massive undertaking. Is the firm reliable, or is it cutting corners? Is the assessor able to deliver on their lofty promises? And how can you tell if they’re providing quality work?
ISO 27000 Family – Information Security Management Systems
The ISO 27000 family of standards is related to an organization’s information security management systems, or ISMS. This international standard helps organizations by providing a clear set of requirements that can be used to manage the security of the business’ assets. An ISMS is a systematic approach used to manage the overall information security program to ensure that it remains effective.
One of the benefits of ISO 27001 certification is that it assesses the entire scope of information security, including the technical controls as well as management’s oversight of information security. This all-encompassing approach secures people, processes, and technologies to minimize risk.
Organizations can achieve certification against ISO 27001 to demonstrate the maturity of the company’s information security environment. This standard provides a methodology for the establishment, implementation, operation, management, and maintenance of information security within an organization.
There are seven mandatory clauses, each with its own objectives, for organizations seeking conformance to the ISO 27001 standard:
- Context of the organization
- Performance Evaluation
Additionally, there are 14 discretionary controls defined in the Annex:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
Benefits of ISO 27001 Certification
ISO 27001 can help organizations reduce risk, optimize operations within an organization due to clearly defined responsibilities and business processes, and build a culture of information security. The framework also helps organizations in reducing security incidents and meeting additional compliance requirements.
In addition, the standard helps organizations implement controls that are relevant to its unique risks and assets, instead of providing generalized guidance that isn’t applicable to the organization. This holistic, tailored approach makes the ISO 27001 standard functional for organizations of any size, in any industry.
How to Achieve ISO 27001 Certification
Certification should be conducted by an ISO 27001 accredited certification body. Certification will include the following audit activities:
- Pre-Assessment: Although not required to achieve certification, a pre-assessment is conducted for organizations that have not undergone the ISO 27001 process before and need additional assistance in becoming ISO 27001 compliant. A-LIGN simulates the certification process by performing a review of the company’s scope, policies, procedures, and processes to identify any gaps that may need remediation prior to certification.
- Stage 1 Audit: A-LIGN reviews the organization’s scope, policies, procedures, and processes to confirm conformance with the documentation requirements of ISO 27001.
- Stage 2 Audit: Once an organization has completed Stage 1, the Stage 2 audit tests the conformance of the information security management system with ISO 27001 and the company’s internal policies and procedures. This includes interviews, inspections of documented evidence, and observations of organizational processes.
- Surveillance Audit: To ensure that the organization’s ISMS continues to conform to ISO 27001 standards, surveillance audits are performed for two years following certification.
ISO 27001 certifications are valid for three years.
ISO 27017, or Code of Practice for Information Security Controls Based on ISO/IEC 27001 for Cloud Services, provides guidance based upon ISO 27002 for the cloud services industry.
The standard provides guidance specific to cloud-service providers on 37 of the controls in ISO 27002, but also features seven new controls:
- Shared roles and responsibilities within a cloud computing environment
- Removal of cloud service customer assets
- Segregation in virtual computing environments
- Virtual machine hardening
- Administrator’s operation security
- Monitoring of cloud services
- Alignment of security management for virtual and physical networks
This standard is relevant to organizations that provide cloud-based services, and to any organization that stores information in the cloud.
Benefits of ISO 27017
Any cloud provider that is entrusted with sensitive customer data could potentially benefit from ISO 27017. The standard assists organizations by providing guidance unique to the cloud environment, and addresses pain points for many cloud providers such as the delineation of roles and responsibilities within a cloud computing environment.
This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27017 standard allows for organizations to reduce the risk inherent to cloud-service organizations, and the potential cost of a breach.
How to leverage certification for ISO 27017
Because ISO 27017 is not a management standard, organizations cannot be certified strictly against the ISO 27017 controls. However, A-LIGN can assist organizations by adding the additional ISO 27017 controls to the scope of an ISO 27001 certification audit to ensure that companies can demonstrate conformance to the ISO 27017 standard.
ISO 27018, or Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors, is a standard designed for cloud computing organizations that are responsible for handling personally identifiable information.
ISO 27018 provides the following controls to supplement those set within ISO 27001 and ISO 27002:
- Customer and end-user control rights
- Restriction on disclosure to or access of third parties to PII
- Treatment of media containing PII
Benefits of ISO 27018
Organizations that handle PII need to ensure this information is secured. This standard creates an additional level of customer confidence by ensuring that standards are in place to protect the information, allowing both the customer and the end-user to be assured that their information is safe.
This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27018 standard allows for organizations to minimize the risk inherent to cloud-service organizations, and the potential cost of a breach.
How to leverage certification for ISO 27018
Again, because ISO 27018 is not a management standard, organizations cannot be certified strictly against the ISO 27018 controls. However, A-LIGN can assist organizations by adding the additional ISO 27018 controls to the scope of an ISO 27001 certification audit to ensure companies can demonstrate conformance to the ISO 27018 standard.
Choosing the Right ISO Standard
The ISO 27000 family of standards provides options for organizations to implement the controls that are relevant to their business needs, their customer needs, and their end-user needs. As an accredited certification body, A-LIGN can conduct the certification audits to demonstrate conformance with ISO 27001, ISO 27017 and ISO 27018.
Connect with one of A-LIGN’s ISO 27001 auditors by contacting firstname.lastname@example.org or 1-888-702-5446.
Author: Gene Geiger, CPA, CISSP, CCSK, QSA, PCIP, ISO 27k LA, and Partner at A-LIGN.
Becoming ISO 27001 certified is a rigorous process for most organizations, but the work should not stop after receiving the sought-after certification. We want to ensure that your organization does not fall victim to these common pitfalls, so that your information security management system (ISMS) continues to operate as designed and subsequent audits flow smoothly. Take a look at the four most common problems to help your company stay on track after certification.
Failing to Schedule the Internal Audit and Management Review
The completion of the internal audit and management review is critical to the success of the ISMS. A-LIGN reviews these activities during each audit and looks to ensure that their quality and completeness are in line with the requirements. These activities build on each other: the internal audit feeds into the management review, and both then feed into the continuous improvement cycle.
You should ensure that the internal audit is scheduled well in advance of the surveillance audit, so the management review and continuous improvement activities have time to be performed. We start the surveillance audit approximately nine months after initial certification is received, so a typical timeline would be to start the internal audit six to seven months after certification.
Changes in Key Personnel
Often the ISMS is implemented by an individual who fields many of the questions during an audit and has overall responsibility for the ISMS. If that person leaves the company, the ISMS can fall apart. To help prevent this, we recommend that all companies designate a back-up person who has a general understanding of the ISMS. If your primary ISMS manager moves into a different position or to another company, ensure that the designated backup steps in so that the ISMS continues to function.
Failing to be Vigilant
It is common for organizations to breathe a sigh of relief upon receiving the initial certification, but at times they may go too far into “relaxation mode.” ISO 27001 defines ongoing processes that should be in place throughout the year, not just during the audit. The management controls, including periodic meetings, documented approvals for decisions, meeting minutes of oversight committees, etc., must be maintained to evidence that the ISMS continues to function. This is also true of the controls defined in the statement of applicability.
Companies should ensure the ISMS is a living process that is built into the culture of the organization so that it continues to function as designed after certification is received.
Not Considering Environmental Changes
ISO 27001 requires that any changes in the environment be considered through the risk assessment process and that any new or modified controls flow into the statement of applicability. It also requires that A-LIGN be notified and a new certificate issued if there are changes to the scope or statement of applicability. When changes are considered in the environment that may impact the scope of certification, it is important to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.
These top pitfalls are all easily remedied through management oversight and following the controls as defined in your ISMS. Establishing a long-term ISMS framework can help to create an ongoing culture of security in your organization and help to ensure smooth surveillance audit cycles.
Have questions about ISO 27001?
Contact our ISO 27001 professionals at email@example.com or call 888-702-5446.
As a reminder, a new version of ISO 27001 has been issued, and the deadline for updating your company’s ISO 27001 program from the 2005 to the 2013 edition is quickly approaching. There are some significant changes to ISO 27001 in the newest 2013 edition. Utilizing the guidelines in ISO 27001:2013 will improve the standardization and operations of the information security program in your organization.
For more details on the changes in the 2013 standard, please refer to our guide: “8 Step Guide to Bring Your Current ISMS from ISO 27001:2005 to ISO 27001:2013”.
- New Implementations – The deadline for new implementations has expired, as ISO/IEC 27001:2005 is no longer allowed as of October 1, 2014
- Transition (Including Surveillance Reviews) – Can be performed (from the 2005 to the 2013 standard) until October 1, 2015
- Complete Transition – After October 1, 2015, all new certifications are required to use the 2013 standard
- Realignment of the management system requirements to clauses 4 through 10
- Risk assessment focus to risk owners
- Controls Annex realignment and additional controls
Key Implementation Steps
- Review current process and management system documentation
- Update Statement of Applicability (SoA) based on the new framework
- Update documentation
- Ensure internal audits and management review are being planned and performed
We can answer any of your questions regarding the new version of ISO 27001.
Please contact us by phone at 888-702-5446 or by email at firstname.lastname@example.org.